Re: [Samba] Re: ldapsearch and getent passd/group with nss winbind differs
Andreas Ladanyi wrote:
>>> There is one UNIX attribute tab and one Members Of tab. During some
>>> tests we discover the following facts = In UNIX attribute tab:
>>> winbind is only interested in the UID field - in ldap tree the
>>> attribute uidnumber.
>>
>> If you're talking SFU, it doesn't use uidnumber. It uses attribute
>> msSFU30UidNumber and displays UID on the Unix Attributes tab. I don't
>> have a Windows 2003 R2 for comparison. Are you really using SFU
>> (Services For Unix 3.0) or do you have the newer 2003 R2?
>
> I use 2003 R2 and did install the Unix plugin for AD schemata extension
> from Windows component setup.

OK. You probably have the rfc2307 attributes.

From rfc2307:
  2.2. Attributes
  The attributes and classes defined in this document are summarized
  below. The following attributes are defined in this document:
    uidNumber
    gidNumber
    gecos
    homeDirectory
    loginShell
    ...(more attributes)...

This isn't winbind nss info = sfu template, it's
  winbind nss info = rfc2307 template

SFU is strictly for MS (c) Services for Unix which added alien attribute
names to the tree. SFU attributes are named thus:
    msSFU30UidNumber
    msSFU30GidNumber
    msSFU30Gecos
    msSFU30HomeDirectory
    msSFU30LoginShell

If I remember the idmap_ad code correctly, idmap_ad queries for each
style attribute and remembers what it finds.

For basic samba functionality, you don't need to know your windows
schema extension. The winbind nss plugin will care though.

Winbind will pick up the uidNumber for users and the gidNumber for
groups but group membership will be determined by the windows group
membership. The gid numbers of the windows groups will come from your
unix tab. Put another way, winbind will lookup the SIDs of your windows
group membership and lookup the gidNumber attribute for those SIDs.

You only have to synchronize the unix tab group membership if you are
using the windows NFS server. Windows will use those numbers when it
exports NFS shares and sets NFS acls.

I used perl LDAP scripting to check the synchronization, because I
needed NFS shares in windows and wanted the acl permissions consistent.

>>> The other attributes from UNIX attribute tab are written to ldap
>>> tree, but not used by winbind on linux side. For example we set the
>>> following parameter in smb.conf:
>>>   winbind nss info = sfu
>>> Of course we could define our own template bash/home with the
>>> template home and template shell parameter, but it's better the sfu
>>> will work, so we would configure this parameter by the tab.
>>
>> Winbind only uses this parameter when it creates a Unix account.
>> Which shouldn't happen for your AD domain members if your AD is
>> mapped correctly.
>
> winbind uses this parameter only if it creates a unix account ? In
> case if i create a unix account with adduser on terminal ? The mapping
> seems to be correctly if i have a look at getent passwd + getent group
>
>>> The primary Group is written to the ldap tree but not used by
>>> winbind on the unix side.
>
> I meant the primary Group text field from: UNIX attribute tab seems to
> be NOT used by winbind. The primary group which you can set: by
> clicking the button primary group in Members Of tab IS USED by winbind
> perfectly. I am sorry if my explanation wasn't clear at my last
> posting.
>
>> # net ads testjoin
>> Join is OK
>> # wbinfo -i forest\\jdoe
>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>> # getent passwd|grep jdoe
>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>> # getent group|grep 100
>> FOREST\domain users:x:100:
>>
>> You can set the value msSFU30Gecos and winbind will report it,
>> otherwise Display Name is used.
>>
>>> In Members Of tab: In this tab you can choose a group from a list
>>> and there is a button you could set a Unix primary group by
>>> clicking. This will be read by winbind only. But this have no force
>>> to the primary group ID on the UNIX attribute tab. What do you say ?
>>> Did we configure something wrong ? Is this the normal function ?
>>
>> I needed to use the idmap config values:
>>   idmap domains = FOREST
>>   idmap config FOREST:readonly = yes
>>   idmap config FOREST:backend = ad
>>   idmap config FOREST:range = 0 - 2
>>   idmap config FOREST:schema_mode = sfu
>>   idmap alloc backend = tdb
>>   idmap alloc config:range = 5-50999
>> and of course in nsswitch.conf:
>>   passwd: compat winbind
>>   group: compat winbind
>> some people like to use files instead of compat, but that's about NIS
>> semantics and doesn't matter to winbind.
>
>   winbind separator = /
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind cache time = 60
>   idmap backend = ad
>   idmap uid = 6000-27000
>   idmap gid = 600-7000
>   template shell = /bin/bash
>   template homedir = /home/%U
>   winbind use default domain = yes
>   winbind refresh tickets = yes
>   allow trusted domains = yes
>   winbind nss info = sfu template

Should probably be
  winbind nss info = rfc2307 template

FYI, you've specified
Re: [Samba] Re: ldapsearch and getent passd/group with nss winbind differs
Andreas Ladanyi wrote:
> Hey Jerry,
>
> Gerald (Jerry) Carter wrote:
>> Andreas Ladanyi wrote:
>>> Ok ! Could it be true this behavior is different between
>>> security=domain and security=ads ? Because we had to put the user to
>>> the group:
>>> - first on windows side in Active Directory
>>> - second on unix site in AD in the tab Members of
>>> so winbind 3.0.24 client recognise the group membership on unix side
>>> in security=domain mode. Now we changed to Samba 3.0.31 with
>>> security=ads mode and the behavior is a bit different.
>>
>> You lost me here.
>
> Maybe due to the fact that I'm accustomed to the Windows 2003 R2 Unix
> Attribute tab. The only Member Of tab I see is to control the Windows
> group memberships.
>
> The reason of my message is a little confusion:
> In general you are right ;-)

Good thing too, because he's one of the primary samba developers =-O

> There is one UNIX attribute tab and one Members Of tab. During some
> tests we discover the following facts = In UNIX attribute tab: winbind
> is only interested in the UID field - in ldap tree the attribute
> uidnumber.

If you're talking SFU, it doesn't use uidnumber. It uses attribute
msSFU30UidNumber and displays UID on the Unix Attributes tab. I don't
have a Windows 2003 R2 for comparison. Are you really using SFU
(Services For Unix 3.0) or do you have the newer 2003 R2?

> The other attributes from UNIX attribute tab are written to ldap tree,
> but not used by winbind on linux side. For example we set the
> following parameter in smb.conf:
>   winbind nss info = sfu
> Of course we could define our own template bash/home with the template
> home and template shell parameter, but it's better the sfu will work,
> so we would configure this parameter by the tab.

Winbind only uses this parameter when it creates a Unix account. Which
shouldn't happen for your AD domain members if your AD is mapped
correctly.

> The primary Group is written to the ldap tree but not used by winbind
> on the unix side.

# net ads testjoin
Join is OK
# wbinfo -i forest\\jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent passwd|grep jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent group|grep 100
FOREST\domain users:x:100:

You can set the value msSFU30Gecos and winbind will report it,
otherwise Display Name is used.

> In Members Of tab: In this tab you can choose a group from a list and
> there is a button you could set a Unix primary group by clicking. This
> will be read by winbind only. But this have no force to the primary
> group ID on the UNIX attribute tab. What do you say ? Did we configure
> something wrong ? Is this the normal function ?

I needed to use the idmap config values:
  idmap domains = FOREST
  idmap config FOREST:readonly = yes
  idmap config FOREST:backend = ad
  idmap config FOREST:range = 0 - 2
  idmap config FOREST:schema_mode = sfu
  idmap alloc backend = tdb
  idmap alloc config:range = 5-50999
and of course in nsswitch.conf:
  passwd: compat winbind
  group: compat winbind
some people like to use files instead of compat, but that's about NIS
semantics and doesn't matter to winbind.

Regards, Doug
-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba3.0.22 - net setlocalsid with no effect
Friedrich Strohmaier wrote:
> Hi Doug, *,
>
> again for whatever reason the listmail did not arrive in my mailbox.
> The private copy did! Hmmm.
>
> Doug VanLeuven wrote:
>> Friedrich Strohmaier wrote:
>>> Douglas VanLeuven wrote:
>>> [..]
>>>> I can't tell what you're trying to do from what you've described.
>>>> It looks like you set the local machine sid and it worked.
>>>
>>> It was the SID of the machine acting as PDC ..
>>> [..]
>>> root# net setlocalsid SID_WANTED
>>> root#
>>> root# net getlocalsid
>>> SID for domain DOMAIN is: SID_WANTED
>
> here I read wrong: DOMAIN wasn't the Name of the domain but the pdc's
> hostname (and netbios name).
>
>> Might try ~ net rpc getsid
>> Which is supposed to fetch the domain sid into the local secrets.tdb
>
> Tried this but it fetched SID_NOT_WANTED into secrets.tdb
>
>> I've never used these commands. I've always viewed them as either
>> useful for recovery from crash without backup, or setting the SID of
>> a backup samba PDC.
>
> Exactly what I want to do..

I used a VM machine, FC5, samba-3.0.23c-1.fc5 because it's the scratch
machine I have. Here's what I did to reset the SID of the new PDC
(hoping that's what you want to do)

#On the PDC, smbd, nmbd, winbind stopped.
[EMAIL PROTECTED] ~]# testparm -sv 2>&1 | less
..
Server role: ROLE_DOMAIN_PDC
..

[EMAIL PROTECTED] ~]# service smb start
Starting SMB services:    [ OK ]
Starting NMB services:    [ OK ]

# List current unwanted SID
[EMAIL PROTECTED] ~]# net getlocalsid
SID for domain VMPDC is: S-1-5-21-893123068-2258791905-4052818733

[EMAIL PROTECTED] samba]# net rpc info
Password:
Domain Name: VMWKGP
Domain SID: S-1-5-21-893123068-2258791905-4052818733
Sequence number: 1207290693
Num users: 1
Num domain groups: 0
Num local groups: 0

#Change PDC SID to something else
[EMAIL PROTECTED] samba]# net setlocalsid S-1-5-21-9-2258791905-4052818733
[EMAIL PROTECTED] samba]# net setdomainsid S-1-5-21-9-2258791905-4052818733

#Restart smbd (and winbind)
[EMAIL PROTECTED] samba]# service smb restart
Shutting down SMB services:    [ OK ]
Shutting down NMB services:    [ OK ]
Starting SMB services:    [ OK ]
Starting NMB services:    [ OK ]

#Wait a few seconds for nmbd to settle in
[EMAIL PROTECTED] samba]# sleep 5

# New PDC info
[EMAIL PROTECTED] samba]# net rpc info
Password:
Domain Name: VMWKGP
Domain SID: S-1-5-21-9-2258791905-4052818733
Sequence number: 1207290486
Num users: 1
Num domain groups: 0
Num local groups: 0

Regards, Doug
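As an added example (not code from the thread), the following Python parses the `net getlocalsid` and `net rpc info` output shown in the transcript above and checks what the setlocalsid/setdomainsid pair is meant to guarantee on a PDC: the SID is a well-formed domain SID with no trailing RID, and both commands report the same value. The sample transcripts are constructed from the quoted before/after output.

```python
"""Check that a Samba PDC's local machine SID and its domain SID agree.

Added example, not from the thread. A mismatch between the two is what
the original poster hit when 'net rpc getsid' pulled a different SID
into secrets.tdb than the one set with 'net setlocalsid'.
"""
import re
from typing import Optional, Tuple

# A domain SID is S-1-5-21 plus exactly three sub-authorities; a fourth
# number would be a RID naming a user, group or machine inside the domain.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Constructed transcripts modelled on the thread's before/after output.
GETLOCALSID_OLD = "SID for domain VMPDC is: S-1-5-21-893123068-2258791905-4052818733\n"
GETLOCALSID_NEW = "SID for domain VMPDC is: S-1-5-21-9-2258791905-4052818733\n"
RPCINFO_OLD = """\
Domain Name: VMWKGP
Domain SID: S-1-5-21-893123068-2258791905-4052818733
Sequence number: 1207290693
Num users: 1
"""
RPCINFO_NEW = RPCINFO_OLD.replace("S-1-5-21-893123068-", "S-1-5-21-9-")


def parse_getlocalsid(output: str) -> Optional[Tuple[str, str]]:
    """Return (name, sid). The name printed here is the machine's netbios
    name, not the domain, which is the misreading the thread starts with."""
    m = re.search(r"SID for domain (\S+) is: (S-[\d-]+)", output)
    return (m.group(1), m.group(2)) if m else None


def parse_rpcinfo(output: str) -> Optional[Tuple[str, str]]:
    """Return (domain name, domain sid) from 'net rpc info' output."""
    name = re.search(r"^Domain Name:\s*(\S+)", output, re.MULTILINE)
    sid = re.search(r"^Domain SID:\s*(S-[\d-]+)", output, re.MULTILINE)
    return (name.group(1), sid.group(1)) if name and sid else None


def is_domain_sid(sid: str) -> bool:
    return DOMAIN_SID_RE.match(sid) is not None


def pdc_sid_status(getlocalsid_out: str, rpcinfo_out: str) -> Tuple[bool, str]:
    """True when the local SID is a domain SID and equals the domain SID."""
    local = parse_getlocalsid(getlocalsid_out)
    domain = parse_rpcinfo(rpcinfo_out)
    if local is None or domain is None:
        return False, "could not parse 'net getlocalsid' or 'net rpc info' output"
    machine, lsid = local
    dname, dsid = domain
    if not is_domain_sid(lsid):
        return False, f"{machine}: local SID {lsid} is not a well-formed domain SID"
    if lsid != dsid:
        return False, (f"{machine}: local SID {lsid} differs from {dname} domain SID "
                       f"{dsid}; set both (setlocalsid + setdomainsid) and restart smbd")
    return True, f"{machine}: local and {dname} domain SID agree ({lsid})"


if __name__ == "__main__":
    # old/old and new/new agree; new local SID against the old domain SID does not
    for pair in ((GETLOCALSID_OLD, RPCINFO_OLD), (GETLOCALSID_NEW, RPCINFO_OLD),
                 (GETLOCALSID_NEW, RPCINFO_NEW)):
        print(pdc_sid_status(*pair))
```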
Re: [Samba] Winbind ignores idmap configuration (3.0.28a)
Naadir Jeewa wrote:
> Sorry, yeah, I have munged it.
>
> I did some further checking and found it works fine for the 1 user
> which is on the home domain. It's users from other trusted domains
> which are a problem. CLDAP messages are getting rejected by the DCs,
> but Samba instead says DC not found. I've asked the domain admins if
> they can change the client signing requirements on the trusted domain
> I need access to.

I don't know what they are, but there seem to be some issues with
domain trusts in 3.0.28a. Might be affecting you as well.
http://lists.samba.org/archive/samba/2008-April/139651.html

Regards, Doug
Re: [Samba] Winbind ignores idmap configuration (3.0.28a)
Naadir Jeewa wrote:
| Hullo,
|
| After having my Samba server joined to a domain, I'm now having
| difficulties configuring winbind. I want to use the idmap_rid backend,
| and have recompiled Samba from scratch with the requisite rid.so module.
|
| However, no matter how idmap domains / idmap config is set up, it
| seems to get totally ignored. Here is my smb.conf:
|
| [global]
|
|         workgroup = DEPARTMENTDOMAIN
|
|         server string = NAS Samba Server Version %v
|
|         log file = /var/log/samba/log.%m
|         max log size = 50
|
|         security = ads
|         realm = DEPARTMENTDOMAIN

Unless you munged this for the list, it should be the REALM which is
(at least in windows) usually the DNS domain. If you set it to the
workgroup name, that would be a reason it can't find the DC.

Regards, Doug
Re: [Samba] samba3.0.22 - net setlocalsid with no effect
Friedrich Strohmaier wrote:
| Hi Doug, *,
|
| Sorry for my late answer - I discovered your mail, which never reached
| my box, on gmane..
|
| Douglas VanLeuven wrote:
| > Friedrich Strohmaier wrote:
| >
| > [..]
| >
| > I can't tell what you're trying to do from what you've described.
| > It looks like you set the local machine sid and it worked.
|
| It was the SID of the machine acting as PDC ..
|
| > The local machine sid will be different than the domain sid.
|
| That's apparently the one problem I have (which is solving a different
| one..) :o))
|
| > A profile based on the local machine sid won't be a roaming profile it
| > will be a local profile.
|
| As long as the local SID differs from the Domain SID?..
|
| [..]
|
| > > root# net setlocalsid SID_WANTED
| > > root#
| > >
| > > root# net getlocalsid
| > > SID for domain DOMAIN is: SID_WANTED

Might try ~ net rpc getsid
Which is supposed to fetch the domain sid into the local secrets.tdb

I've never used these commands. I've always viewed them as either
useful for recovery from crash without backup, or setting the SID of a
backup samba PDC.

For a workstation, even if you manage to get the SID's to agree with a
prior install, the machine password on the PDC and on the workstation
wouldn't agree. If it's new workstation name, there won't be an account
for the workstation on the PDC.

Why not simply ~ net rpc join
and allow the normal mechanisms to work?

Regards, Doug
Re: [Samba] Re: Recovering Windows computer account string
Michael Lueck wrote:
| Rich West wrote:
| > It might be easier to remove the system from the domain and re-add it
| > to the domain...
|
| Except I have several copies of this VM saved, so rejoining one fixes
| one VM only.
|
| If it is troublesome to extract the string from Windows, then I will
| junk all of the snapshots and start over.
|

I don't know where it's stored in the windows machine. So I can't help
you salvage the current situation. But if you dust the vm's and start
over, you'll just run into the same thing again.

What you're fighting with the snapshots is the windows machine changes
the password every 7-30 days depending on the version service pack. So
depending on the timing, a reverted snapshot won't work anymore.
Depending on the timing, every snapshot could have a different password.

You can disable machine password changing once the machine is joined
and functioning. Join the machine and reboot to get the random password
change initiated by the system. My dodgy memory says the original
password is the netbios name of the machine and is changed on reboot.

Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Value = DisablePasswordChange REG_DWORD 1

There are some ms articles about this mainly dealing with replication
issues, but apply to machine password changing in general. Off the
cuff, here's one:
http://support.microsoft.com/kb/175468

Regards, Doug
Re: [Samba] Joining Domain Problem only with XP SP2
Robert wrote:
> I'm having trouble getting XP SP2's to join a domain. Whenever I try
> to join, at the point I'm asked for a user name and password with
> permission to join the domain, I enter root and root's password, then
> get the dreaded Unknown user or bad password error message.
>
> The clients are a mixed bunch with some 98's, 1 Win2K, a few XP SP1 (I
> know, I know!, but it's not a priority to management who has me
> fighting other fires), and the rest being XP SP2. I *ONLY* get the
> error with XP SP2. The Win2K and SP1 all join no problem, so it
> shouldn't be a problem with the Samba PDC or the config file else none
> should be joining. The 98's aren't a problem of course. In fact, for
> reasons I can't figure out, 2 of the SP2's joined too.
>
> What is stopping the SP2's from joining? I've tried creating the
> machine accounts by hand, but that had no effect. I cranked up the
> logging and it looks to me like root authenticates correctly, but I
> still get the error.
>
> Background: The original Samba PDC machine was getting old so
> management decided to trash it. I was tasked with putting together a
> replacement machine. I am using Kubuntu 7.10 (Gutsy) with Samba
> 3.0.26a. I disconnected the client machines from the domain (switched
> them to workgroup), then tried to reconnect with the new server
> online. The old server is physically gone. As I stated, only the XP
> SP2's are not joining.
>
> I'm including my smb.conf, but considering the XP SP1's and the one
> Win2K (which is actually running as a virtual machine with XP SP2 as a
> host OS; this XP SP2 won't join) all join, the config file should be
> correct, and I have a root user in my smbpassword file, and I'm typing
> the password correctly. Therefore it has to be something to do with
> the SP2's. Possibly some registry setting???
>
> Right now the XP SP2's are running as workgroup computers. Yes, the
> old domain and new domain name are the same, but I've already tried
> changing the new name to something different then joining but with no
> luck.
>
> #=== Global Settings =
> [global]
>   debug level = 2
>   workgroup = hap
>   netbios name = linuxII
>   hosts allow = 192.168.1. 127.
>   printcap name = cups
>   load printers = yes
>   printing = cups
>   guest account = pcguest
>   log file = /var/log/samba/log.%m
>   max log size = 50
>   security = user
>   encrypt passwords = true
>   passdb backend = tdbsam
>   unix password sync = yes
>   passwd program = /usr/bin/passwd %u
>   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
>   username map = /etc/samba/smbusers
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   interfaces = 192.168.1.8/32 127.0.0.1/32
>   bind interfaces only = true
>   local master = yes
>   os level = 34
>   domain master = yes
>   preferred master = yes
>   domain logons = yes
>   logon script = home.bat
>   logon path = \\%L\profiles\%U
>   logon home = \\%L\%U
>   logon drive = H:
>   name resolve order = wins lmhosts bcast
>   wins support = yes
>   wins proxy = yes
>   hide dot files = yes
>   deadtime = 15
>   disable spoolss = yes
>   show add printer wizard = no
>   add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
>   time server = yes
>
> # Share Definitions =
> [homes]
>   comment = Home Directory
>   browseable = no
>   writable = yes
>
> # Un-comment the following and create the netlogon directory for Domain Logons
> [netlogon]
>   comment = Network Logon Service
>   path = /home/netlogon
>   guest ok = yes
>   writable = no
>
> #...Lots more shares...snip
> #=end config file=

Since it's just XP SP2, you might want to look at the XP firewall
settings that were added by default during the SP2 update. Get there
Control Panel/Windows Firewall. In there is file and printer sharing
blocking on by default for notebooks and computers directly on the
internet. Maybe you already looked at this.

Nothing else stands out.

Regards, Doug
Re: [Samba] Somebody HELP (wrong uid in lock database)
Marcel Mulder wrote:
> Hi,
>
> Two weeks (18-01-2008) ago I posted a message with uid problems in the
> lock database, but none seems to care or understand
> I truly can't understand that I am the only one in the whole world
> with this problem
> I have a standard setup of my server running Ubuntu gutsy 7.10 on the
> amd64 platform using winbind (ADS) for authentication
> My feeling is that it has to do with the amd64 version of samba but I
> am not sure.

Nope. I'm running Suse 10.3-64 on an amd. By the way, I love this
system. 45watt BE-2350, low power 1 Terabyte drive, running 2 Vmware
machines and all the energy consumed is 49watts using powernow-k8 and
ondemand frequency control with 80+ power supply and it yields 40MB/s
samba file transfers on Gigabyte eth.

> Can someone tell me what is needed or what I have to do to get some
> answers or hints.

This may not be it. But I found nagging little inconsistencies until I
got the new idmap syntax down perfect for my environment. This started
in 3.0.25 according to the docs. Your smb.conf relies on the defaults
which would translate out this way, again according to the docs - I use
a different idmap backend.

[global]
  idmap domains = MICROKEY
  idmap config MICROKEY:default = yes
  idmap config MICROKEY:backend = tdb
  idmap config MICROKEY:range = 1 - 2
  idmap alloc backend = tdb
  idmap alloc config:range = 1 - 2

I also didn't see any add user script. So if all your users are added
ahead of time, maybe you should consider using a different backend,
like idmap_rid or idmap_nss. I use the idmap_ad backend myself.

Learn something every day. I didn't know one could use
  valid users = realm\\user
syntax, but it works.

Regards, Doug
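The per-domain `idmap config` syntax discussed here, and the `idmap domains` / `idmap alloc config:range` values quoted in the ldapsearch/getent thread above, are easy to get subtly wrong; the following Python, added here as an example rather than code from either thread, parses the `[global]` section of an smb.conf and reports declared-but-unranged domains, a mix of legacy and new syntax, inverted ranges, and ranges that overlap (overlap lets two SIDs map to the same uid or gid). The smb.conf text is constructed for the example; the parameter names are the Samba 3.0.25+ ones from the threads.

```python
"""Sanity-check the idmap ranges declared in an smb.conf [global] section.

Added example, not from the threads. The sample config is constructed so
that every check fires once: FOREST and PARTNER overlap, 'idmap gid' is
inverted, CONTOSO is declared without a range, and legacy 'idmap uid/gid'
sit next to the per-domain syntax.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_SMB_CONF = """\
[global]
   workgroup = FOREST
   security = ads
   # new-style per-domain mapping (3.0.25 and later)
   idmap domains = FOREST, PARTNER, CONTOSO
   idmap config FOREST:backend = ad
   idmap config FOREST:readonly = yes
   idmap config FOREST:range = 10000 - 19999
   idmap config PARTNER:backend = rid
   idmap config PARTNER:range = 15000 - 24999
   idmap alloc backend = tdb
   idmap alloc config:range = 25000 - 29999
   ; legacy parameters left over from an older config
   idmap uid = 30000-35000
   idmap gid = 35001-30000
   template shell = /bin/bash

[homes]
   browseable = no
"""

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_global(conf: str) -> Dict[str, str]:
    """Return the key/value pairs of [global]; keys are lower-cased and
    whitespace-normalised, the way smb.conf itself treats them."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # smb.conf comment markers
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_range(text: str) -> Tuple[int, int]:
    m = RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed idmap range {text!r}")
    return int(m.group(1)), int(m.group(2))


def collect_ranges(params: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Map every range-bearing parameter to (low, high), keyed by domain
    name, 'alloc', or the legacy parameter name."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, value in params.items():
        if key == "idmap alloc config:range":
            ranges["alloc"] = parse_range(value)
        elif key.startswith("idmap config ") and key.endswith(":range"):
            domain = key[len("idmap config "):-len(":range")].upper()
            ranges[domain] = parse_range(value)
        elif key in ("idmap uid", "idmap gid"):
            ranges[key] = parse_range(value)
    return ranges


def check_idmap(conf: str) -> List[str]:
    """Return human-readable problems; an empty list means the ranges are consistent."""
    params = parse_global(conf)
    ranges = collect_ranges(params)
    problems: List[str] = []

    declared = [d.strip().upper()
                for d in params.get("idmap domains", "").split(",") if d.strip()]
    for dom in declared:
        if dom not in ranges:
            problems.append(f"{dom}: listed in 'idmap domains' but has no range")

    if any(k.startswith("idmap config ") for k in params) and \
            ("idmap uid" in params or "idmap gid" in params):
        problems.append("both legacy 'idmap uid/gid' and 'idmap config' syntax present; use one")

    for name, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{name}: inverted range {lo}-{hi}")

    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # uids and gids are separate namespaces, so the legacy pair may share numbers
            if {a, b} == {"idmap uid", "idmap gid"}:
                continue
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return problems


if __name__ == "__main__":
    for p in check_idmap(SAMPLE_SMB_CONF):
        print("idmap:", p)
```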
Re: [Samba] Home directory problem
Anne Wilson wrote:
> On Thursday 17 January 2008 10:29:26 [EMAIL PROTECTED] wrote:
>> What happens when you browse to \\server\homes ?
>
> An error occurred while loading smb://david.lydgate.net/homes:
> The file or folder smb://david.lydgate.net/homes does not exist.
>
> Anne

You should be seeing a share called \\server\username

The [homes] section:
  Some modifications are then made to the newly created share: The
  share name is changed from homes to the located username. If no path
  was given, the path is set to the user's home directory.

Maybe the software you were using before did it different.

Regards, Doug
Re: [Samba] INTERNAL ERROR: Signal 11 in pid xxxx (3.0.26a)
Marcin Kucharczyk wrote:
> DV> You should be able to delete /var/db/samba (plus maybe the pid file) and
> DV> restart samba. Samba will create any tdb files it needs like the
> DV> initial startup.
>
> Tried ... reinstall was required
>
> Some more information:
> It looks like the same or similar problem:
> http://lists.samba.org/archive/samba/2007-August/134620.html
>
> My system works with athlon 64 x2, but I had similar problem on single
> processor configuration: pentium 4 and duron too.
> The problem appears not only after power failure, but also after samba
> upgrade from ports - make deinstall reinstall. /var/db/samba need to
> be deleted before reinstall because samba 3.0.26a has the problem with
> start with tdb files from 3.0.23c.

Better file a bug report then.
https://bugzilla.samba.org/enter_bug.cgi

Regards, Doug
Re: [Samba] Share root directory appears in subdirectories. (Well, can't actually see it but can cd into it, even if its not there.) (Serious bug?)
Wiesner Thomas wrote:
> Additionally to the problems I reported earlier, I've discovered
> another problem with my server/client setup.
> find reports
>   find: WARNING: Hard link count is wrong for ./foo: this may be a bug
>   in your filesystem driver. Automatically turning on find's -noleaf
>   option. Earlier results may have failed to include directories that
>   should have been searched.

I'm running samba Version 3.0.25c-SVN-build-23735 on FC5. Ext3 with
journaling in ordered mode. No problems with duplicate name subdirs
linking back to share point contents.

I think you might want to interpret this error message exactly the way
it reads. If I saw this on my system, I would lose confidence in the
integrity of the filesystem.

Regards, Doug
Re: [Samba] INTERNAL ERROR: Signal 11 in pid xxxx (3.0.26a)
[EMAIL PROTECTED] wrote:
> Hello,
>
> I have a problem with samba 3.0.26a (from ports) on FreeBSD (amd64,
> SMP, 6.2 RELEASE). My log.smbd looks like below:
>
> --- samba starts normally:
> [2007/11/24 16:55:22, 0] smbd/server.c:main(944)
>   smbd version 3.0.26a started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2007
>
> --- but an error is reported:
> [2007/11/24 16:55:22, 0] /usr/ports/net/samba3/work/samba-3.0.26a/source/lib/pidfile.c:pidfile_create(112)
>   ERROR: smbd is already running. File /var/run/smbd.pid exists and
>   process id 1961 is running.
>
> --- /var/run/smbd.pid exists, because the error is created after
> unexpected system shutdown...

What is the unexpected system shutdown? Power failure? Reset button
after system freeze?

> --- next I can see in log.smbd:
> [2007/11/24 16:59:53, 0] lib/util_tdb.c:tdb_log(662)
>   tdb(/var/db/samba/gencache.tdb): tdb_reopen: open failed (No such
>   file or directory)
> [2007/11/24 16:59:53, 0] smbd/server.c:open_sockets_smbd(572)
>   tdb_reopen_all failed.
> [2007/11/24 16:59:53, 0] lib/util.c:smb_panic(1632)
>   PANIC (pid 2621): tdb_reopen_all failed.
> [2007/11/24 16:59:53, 0] lib/fault.c:fault_report(41)

The filesystem didn't flush its buffers on shutdown. Unexpectedly,
files are missing and/or corrupted that should be there on startup.

>   ===
> [2007/11/24 16:59:53, 0] lib/fault.c:fault_report(42)
>   INTERNAL ERROR: Signal 11 in pid 2621 (3.0.26a)
>   Please read the Trouble-Shooting section of the Samba3-HOWTO
> [2007/11/24 16:59:53, 0] lib/fault.c:fault_report(44)
>   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> [2007/11/24 16:59:53, 0] lib/fault.c:fault_report(45)
>   ===
> [2007/11/24 16:59:53, 0] lib/util.c:smb_panic(1632)
>   PANIC (pid 2621): internal error
> [2007/11/24 16:59:53, 0] lib/util_tdb.c:tdb_log(662)
>   tdb(/var/db/samba/gencache.tdb): tdb_reopen: open failed (No such
>   file or directory)
> [2007/11/24 16:59:53, 0] smbd/server.c:open_sockets_smbd(572)
>   tdb_reopen_all failed.
> [2007/11/24 16:59:53, 0] lib/util.c:smb_panic(1632)
>   PANIC (pid 2622): tdb_reopen_all failed.
> [2007/11/24 16:59:53, 0] lib/fault.c:fault_report(41)
>   ===
> [2007/11/24 16:59:53, 0] lib/fault.c:fault_report(42)
>   INTERNAL ERROR: Signal 11 in pid 2622 (3.0.26a)
>   Please read the Trouble-Shooting section of the Samba3-HOWTO
> [2007/11/24 16:59:53, 0] lib/fault.c:fault_report(44)
>   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> [2007/11/24 16:59:53, 0] lib/fault.c:fault_report(45)
>
> --- the error is repeated about 100 times ... and it is still
> repeated. Next I can see in the top a lot of run smbd processes.
> System load grows and smbd makes it unresponsive. Connection with ssh
> is impossible, I can only use (with problems) console.
> Command killall -9 smbd helps, system goes back to normal work.
>
> I can run samba again but I must use the following procedure:
> - cd /usr/ports/net/samba3
> - make deinstall
> Samba is now deinstalled. Next I must delete the directory
> /var/db/samba and I can do:
> - make reinstall
> And after start samba works properly until next unexpected system
> restart :(

You need to fix this and ensure you're using a journaled file system
with whatever option is available for the safest, most conservative
journaling mode.

> If I do only:
> - make deinstall reinstall
> Without deleting /var/db/samba, then the samba will start and
> procedure described on the start of this message will be repeated :(

You should be able to delete /var/db/samba (plus maybe the pid file)
and restart samba. Samba will create any tdb files it needs like the
initial startup.

> It is problem with FreeBSD on amd64? Or the problem with samba
> 3.0.26a? I reverted to samba 3.0.24 to check if the problem back...

Regards, Doug
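As an added example (not code from the thread), the following Python pairs each Samba 3.x log header line with its message and flags the three signatures visible in the excerpt above: the pid file left behind by the unclean shutdown, the tdb that could not be reopened, and the signal 11 panics per process; the log text is constructed from the quoted lines.

```python
"""Triage an smbd log for the stale-pidfile / tdb_reopen panic storm.

Added example, not from the thread. Samba 3.x writes a header line
'[date time, level] file:function(line)' and the message on the
following line(s); the parser pairs each header with the first line of
its message before matching the signatures.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed from the log lines quoted in the message above.
SAMPLE_LOG = """\
[2007/11/24 16:55:22, 0] smbd/server.c:main(944)
  smbd version 3.0.26a started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2007/11/24 16:55:22, 0] lib/pidfile.c:pidfile_create(112)
  ERROR: smbd is already running. File /var/run/smbd.pid exists and process id 1961 is running.
[2007/11/24 16:59:53, 0] lib/util_tdb.c:tdb_log(662)
  tdb(/var/db/samba/gencache.tdb): tdb_reopen: open failed (No such file or directory)
[2007/11/24 16:59:53, 0] smbd/server.c:open_sockets_smbd(572)
  tdb_reopen_all failed.
[2007/11/24 16:59:53, 0] lib/util.c:smb_panic(1632)
  PANIC (pid 2621): tdb_reopen_all failed.
[2007/11/24 16:59:53, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 2621 (3.0.26a)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/11/24 16:59:53, 0] lib/util_tdb.c:tdb_log(662)
  tdb(/var/db/samba/gencache.tdb): tdb_reopen: open failed (No such file or directory)
[2007/11/24 16:59:53, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 2622 (3.0.26a)
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\]\s+(\S+)$")
PIDFILE_RE = re.compile(r"File (\S+) exists and process id (\d+) is running")
TDB_RE = re.compile(r"tdb\(([^)]+)\): tdb_reopen: open failed \((.*)\)")
PANIC_RE = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+)")


def parse_entries(log: str) -> List[Tuple[str, str, str]]:
    """Pair each header with the first line of its message:
    (timestamp, source location, message)."""
    entries: List[Tuple[str, str, str]] = []
    header: Optional[Tuple[str, str]] = None
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (m.group(1), m.group(3))
        elif header is not None and line.strip():
            entries.append((header[0], header[1], line.strip()))
            header = None  # further continuation lines of this message are skipped
    return entries


def triage(log: str) -> Dict[str, object]:
    """Summarise the failure signatures found in the log."""
    stale_pidfiles: List[Tuple[str, int]] = []
    missing_tdbs = set()
    panics: Counter = Counter()
    for _ts, _where, msg in parse_entries(log):
        if (m := PIDFILE_RE.search(msg)):
            stale_pidfiles.append((m.group(1), int(m.group(2))))
        elif (m := TDB_RE.search(msg)):
            missing_tdbs.add(m.group(1))
        elif (m := PANIC_RE.search(msg)):
            panics[int(m.group(2))] += 1
    if missing_tdbs and panics:
        verdict = ("tdb files missing after unclean shutdown: stop smbd, "
                   "clear the tdb directory and pid file, restart")
    elif stale_pidfiles:
        verdict = "stale pid file only: remove it and restart"
    else:
        verdict = "no known signature found"
    return {
        "stale_pidfiles": stale_pidfiles,
        "missing_tdbs": sorted(missing_tdbs),
        "panicking_pids": sorted(panics),
        "panic_count": sum(panics.values()),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```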
Re: [Samba] what is the recommended samba version on solaris?
Bai, Junmin wrote:
> Guys
>
> I was so frustrated about installing samba with ADS and winbind
> support on solaris 8.

Just a guess, what version Kerberos are you running on solaris 8?
Latest version of Kerberos for solaris is 5 something.
http://www.sun.com/software/solaris/encryption/download.xml

Regards, Doug
Re: [Samba] Fileserver integrated into w indows domain, plus linux clients needed
Ben Ladd wrote:
> Update:
>
> Each time we set up a new user on the system, passwords need changing
> on the AD and the samba server. Is there a way to set permissions for
> the samba from the AD so that we do not need to go through this
> rigmarole? (most problematic at the start of a new school year).

rig·ma·role (rĭg'mə-rōl') pronunciation also rig·a·ma·role (-ə-mə-rōl')
n.
  1. Confused, rambling, or incoherent discourse; nonsense.
  2. A complicated, petty set of procedures.

Most of us here on this list don't consider this an accurate
perspective of the documentation.
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/
or the following ubuntu link are pretty well thought out and
elucidated.

> I completed this part of my task -
> http://ubuntuforums.org/showthread.php?t=280702. It works perfectly
> for me. I am amazed that I did not find it earlier.
>
> My aim is to also have some linux (probably k/ubuntu) boxes that
> authenticate on the network using standard AD credentials. I have
> tried in vain to find a way to introduce a single point of
> authentication, I have looked at kerberos, winbind and LDAP.
>
> I consider myself a good network technician, but the introduction of
> linux into a domain has thrown me. Is there an easy way to integrate
> a linux fileserver with a windows controlled domain with both linux
> and windows clients?

Depends on what you mean by easy. A lot of intelligent, committed
individuals have done all the hard work of overcoming the barriers
erected by Microsoft to true interoperability. All you have to do is
fill in a few details nowadays. I think a word that describes this
process might be tedious. Do you define tedious as hard?

> I am probably going to go with a kerberos and winbind mechanism to get
> this working.
>
> Hold out guys - Anything is possible!

Follow one of the procedures, get to a point you can say this works,
this doesn't, here is the configuration, any suggestions.

There was a change in the implementation for winbind backends
relatively recently and the documentation (and swat) is behind on this.
Idmap_ad, idmap_ldap, idmap_nss, idmap_rid, and idmap_tdb. See:
http://us3.samba.org/samba/docs/man/manpages-3/

You'll need to investigate how you want to map windows users and groups
to unix users and groups and pick one technique. Look to password sync
options to resolve your other issue.

Regards, Doug
Re: [Samba] Fileserver integrated into windows domain, plus linux clients needed?
Mike Cleghorn wrote:
> Doug, Is the sarcasm and condescension really necessary?

I thought the original author was trolling and I bit. Rereading I see he was referring to password changing as rigmarole, not configuring samba. So OK, it would seem sarcastic. For the public record, I owe you an apology Ben, my bad. But I won't cop to the condescension. I was being straightforward.

Regards, Doug

> I mean, point him in the direction of the docs by all means (which you did, great) with perhaps an RTFM for good measure but I'm not sure that I'd describe fully integrating Linux logins with AD (which is what I think Ben is trying to do) as fill in a few details. As someone who comes from a Windows background, the first foray into Linux is intimidating at best. This kind of how dare you ask such an elementary question response doesn't help anyone.
>
> Ben, Your questions are kind of general. The doco for the most part is a pretty good guide, the samba.org web-site has links to pretty much everything you need. If you have more specific questions, you will (hopefully) get more useful answers.
Re: [Samba] Samba clients disconnect periodically
BIS wrote:
> Any help Please
>
> On Tue, 2007-11-13 at 16:35 -0600, BIS wrote:
>> I am using Samba 3.0.10 with Red hat (4.5) as samba fileserver. It is very basic setup with Ldap setup. All of our desktop (Windows and MAC) clients (250) simultaneously started dropping their connections to our Samba fileserver. Since then, I have tested with RHEL5 and SuSE with Samba 3.0.23c, 24 and 25. None of the latest fixed this problem. So I downgraded to samba 3.0.10 and it works better but still have problems with clients disconnecting. The problem has also appeared on clients running disparate operating systems: Mac OS 10.3.9 and 10.4.x, Windows 2000 and Windows XP. (None of our Linux desktops use the CIFS mounts we provide.) I was never able to replicate on Windows Desktop.

I've never seen this be anything but a network issue. Switch, hub, network card in the server, etc. Once I had a UPS go bad where it dropped one AC cycle and the network switch wouldn't reboot or register a problem but would lose packets in transit. Just the machines in one building were disconnecting so it pointed to a common network issue. You would want to check the hardware associated with the server if all client machines started showing symptoms.

Regards, Doug
Re: [Samba] Can't get samba to start.
Samuel Melrose wrote:
> Hey, I'm having problems with samba. It has never worked properly on my server since I've had it installed. It's for a home server, running xbox-Linux Fedora Core 6. I've just uninstalled every trace of the old samba, and started afresh with the latest samba sources I found on the website. The nmbd starts fine, but smbd never starts, and in the kernel log, I get the following message:
>
> <5>audit(1194957676.859:270): avc: denied { write } for pid=14000 comm=smbd name=secrets.tdb dev=hda2 ino=2490462 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file

Looks like you're running selinux in enforcing mode. You'll need to develop your own targeted file overrides to allow samba to write to the necessary files. In the meantime, you can change selinux to permissive mode which only logs the violation.

Regards, Doug
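Before writing a policy override it helps to read the denial precisely: which domain, which object type, which class and permission. The script below is an added example (not code from the list post) that parses AVC lines like the one above and gives a first triage verdict; the log lines are constructed (the first is the post's denial with its line wrap repaired), and the Samba type names are an assumption to verify against your own policy.

```python
"""Parse SELinux AVC denial lines and summarise them for triage.
Added example, not code from the Samba list post."""
import re
from dataclasses import dataclass, field

# Constructed sample log: the denial quoted in the post plus two invented lines.
SAMPLE_LOG = """\
<5>audit(1194957676.859:270): avc: denied { write } for pid=14000 comm=smbd name=secrets.tdb dev=hda2 ino=2490462 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
<5>audit(1194957700.123:271): avc: denied { read write } for pid=14000 comm=smbd name=smbd.pid dev=hda2 ino=99 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
<6>smbd[14000]: unrelated message that is not a denial
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: tuple
    comm: str
    name: str
    source_type: str
    target_type: str
    tclass: str
    raw: dict = field(default_factory=dict)


def _type_of(context):
    # A context is user:role:type[:level]; policy rules are keyed on the type.
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def parse_avc(line):
    """Return an AvcDenial for an 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        comm=kv.get("comm", "?"),
        name=kv.get("name", "?"),
        source_type=_type_of(kv["scontext"]),
        target_type=_type_of(kv["tcontext"]),
        tclass=kv.get("tclass", "?"),
        raw=kv,
    )


def parse_log(text):
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


# Assumption: object types the targeted policy reserves for Samba's own files
# (check the names on your system, e.g. with `seinfo -t` or `ls -Z /etc/samba`).
SAMBA_OWNED_TYPES = {"samba_etc_t", "samba_secrets_t", "samba_var_t", "samba_log_t"}


def triage(denial, owned=SAMBA_OWNED_TYPES):
    """Heuristic first verdict. A target carrying a generic type such as etc_t or
    var_run_t usually means the file was created outside the expected paths and
    was never labelled for Samba, so relabelling (restorecon / semanage fcontext)
    is the first thing to try; a denial on a Samba-owned type is a real policy gap."""
    if denial.target_type in owned:
        return "policy-gap"
    return "check-labels"


def report(text):
    """One human-readable line per denial found in the log text."""
    return [
        f"{d.comm} ({d.source_type}) denied {'+'.join(d.perms)} on {d.tclass} "
        f"{d.name} ({d.target_type}): {triage(d)}"
        for d in parse_log(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```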
Re: [Samba] Can't see or change ACLs on Windows
Eric Diven wrote:
> -----Original Message-----
> From: Eric Diven
> Sent: Tuesday, October 30, 2007 11:29 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [Samba] Can't see or change ACLs on Windows
>
>> On Tue, Oct 30, 2007 at 10:59:41AM -0400, Eric Diven wrote:
>>> Okay, here's what I've figured out from trying to do what you suggested:
>>
>> Well, so far we haven't seen any debug logs.
>>
>> Volker
>
> So far, neither have I. I'm getting nothing in the logs on either CentOS or Solaris when I do anything from the windows client. Neither the mtimes nor the file sizes on the logs that get generated at startup are changing, and I'm not getting any new logfiles for client machines that log on:
>
> Annoyingly, I'm not getting any logging for clients. Why, I don't know. I see start-up messages correctly in the log.smbd file, including those at log level 10, but not ones from clients. Here are the logging-related lines from smbd.conf
>
> # this tells Samba to use a separate log file for each machine
> # that connects
> log file = /var/log/samba/log.%m
> # Put a capping on the size of the log files (in Kb).
> max log size = 50
>
> ^ From yesterday ^
>
> If I could trouble you with a really stupid question: Do I need to jack the logging up on nmbd to 10 as well? I'm working under the assumption that this is an smbd problem, so that's where I've turned up the logging. We all know of course what happens when you assume ;-)

Neither of these lines set the log level.

Getting windows acl's is a multi step process. You need a file system capable of supporting extended acl's. I believe you previously said you were using UFS file system. I haven't used UFS since 1987. man mount on linux doesn't suggest extended acl's are supported. Are they? Once the file system is capable of supporting extended acl's, you need to mount the filesystem with the appropriate options. By default, considering the age of UFS, I would assume extended acl's aren't supported by default, if they are at all.

Once the filesystem is mounted with the right options, then samba has to have been compiled with the correct options, which you've verified. After all that, samba has to be configured correctly to support acl's in windows. Samba can be configured to serve files in ms-dos mode, so it's not a given.

Usually, if someone is asked to show the configuration, put out the entire conf file. There's been a lot of dribs and drabs, but much has been missing. First thing I do is run a copy thru testparm. Most of this thread has been like blind man's bluff. Just so you know - a lot of people are using acl's in samba.

Regards, Doug
Re: [Samba] Re: Unusable performance over WAN (part 2)
James Lamanna wrote:
> On 10/7/07, James Lamanna [EMAIL PROTECTED] wrote:
>> On 10/7/07, Volker Lendecke [EMAIL PROTECTED] wrote:
>>> On Sun, Oct 07, 2007 at 09:31:23AM -0700, James Lamanna wrote:
>>>> Server sends 1500 byte packet
>>>> Client sends 52 byte ACK
>>>> Server sends 1500 byte packet
>>>> Client sends 52 byte ACK
>>>> etc..
>>>> Can anyone think of a reason for this?
>>>
>>> I did not find a link spontaneously, but Windows sometimes falls back to something that we call rabbit pellet mode. Maybe google shows up something for you.
>>>
>>> Volker
>>
>> I actually see that behavior using smbclient from a linux machine, so it's not necessarily Windows related.
>>
>> -- James
>
> I've put some tcpdump logs from my macbook up at: http://emagiccards.com/james/tcpdump-vpn-logs.tar.bz2. It contains 2 files:
> vpn-wan.log - Transferring a file from my macbook over the WAN (logged in through VPN)
> vpn-nowan2.log - Transferring a file from my macbook not over the WAN (logging through VPN)
> (I have separate VPN servers on each side of the WAN).
>
> Here are the smbclient outputs:
>
> No WAN:
> getting file \Jun07.xls of size 2321920 as Jun07.xls (23.8 kb/s) (average 23.8 kb/s)
>
> Using WAN:
> getting file \Jun07.xls of size 2321920 as Jun07.xls
> Short read when getting file \Jun07.xls. Only got 1032192 bytes.
> Error Call timed out: server did not respond after 2 milliseconds closing remote file
> (3.9 kb/s) (average 3.9 kb/s)

I notice the WAN client is negotiating an MSS of 1316 for an MTU of 1356. That used to be an issue with FreeSwan, but I haven't used the IPSEC replacements recently. I've switched to OpenVPN which in their FAQ document several issues surrounding MTU size and MSS. Most VPN providers provide similar FAQ's with their products. One of the previous posts recommended changing the MTU. That might work, but without knowing what kind of VPN you're using and the topology, it's difficult to comment intelligently.

Regards, Doug
Re: [Samba] Unusable performance over WAN (part 2)
James Lamanna wrote:
> Hi all,
> Disregard my previous posts, I've consolidated everything here.
> I'm having terrible performance issues with samba over a WAN (point-to-point T1 link). Doing a copy of a 2MB file from a samba server to a linux client running smbclient takes over 5 minutes. SCPing the same file takes seconds. The server is running samba version 3.0.25c with kernel 2.6.16.18.
> I've put up a set of debugging logs at: http://emagiccards.com/james/sambalogs.tar.bz2
> Inside are 3 files:
> smb.conf - the configuration of the samba server
> log.agard - the level 10 debug log of the copy from samba
> samba-tcpdump.log - a tcpdump log from the client side of the copy
> Any help to fix this issue would be greatly appreciated since the file server is pretty unusable over the WAN. If you need any more information, please let me know. It is imperative that I find out what's happening here.

Well, there's always paid support. See the samba web site.

testparm yields 1 error and 1 warning.

Unknown parameter encountered: show preserve case
Ignoring unknown parameter show preserve case

should probably be short preserve case

Server's Role (logon server) NOT ADVISED with domain-level security
Loaded services file OK.
Server role: ROLE_DOMAIN_BDC

When I specifically want samba to use an IP address, I use the IP address in the interfaces clause. eth1 can change when replacing network cards.

I've used cifs over WAN a lot over the years. It is slower than ftp and scp but there shouldn't be breaks waiting for ACK. You'll not want to hear it, but this is almost always a network issue; card, router, switch, WAN link box, etc.

I like larger packets for most of the uses of a server. So I add to socket options

SO_SNDBUF=65536 SO_RCVBUF=65536

Regards, Doug
Re: [Samba] Linux in a Windows 2k3 domain - odd lockout issue
Christopher Dick wrote:
> I am currently running an openSuSE 10.2 machine in a Windows 2k3 domain. I have upgraded to Samba 3.0.26a, hoping it would solve my issue, but so far no luck. I was successful in adding my machine to the domain, and the DC logs show repeated successful authentications, and those few typo'd attempts, but nothing that is a sequence of failed logins. I get tickets and can access shares from machines all over the network without needing to re-authenticate. The problem is, at approx. 3:30 every afternoon, the domain controller locks my user ID as if I had failed repeatedly to type in the correct password. Though the DC does not show this in the logs.

I only know of logon hours under the user account on the AD. Maybe your systems require a more frequent machine password change than one week. It would be helpful to know what steps you take to re-enable the account or how long you have to wait. Does samba manage the keytab or did you manually add the kerberos keytab principals?

Regards, Doug
Re: [Samba] kinit works, net join ads fails
eric roseme wrote:
> I know this sounds a little strange, but I was having the same problem on 3.0.25c, but adding the password to the command line solved it. I have no idea why:
>
> net ads join -U administrator%password
>
> Eric Roseme
>
> Peter Baumgartner wrote:
>> I'm running 3.0.25c on OpenSolaris. I can successfully do a kinit and see the ticket via klist, but am unable to join the domain.
>>
>> /usr/sfw/sbin/net -d 5 ads join -U [EMAIL PROTECTED]

Also, I just noticed - [EMAIL PROTECTED] isn't a valid format for a samba username. It's the format of the UPN created in AD using the option arg. Then user+DOMAIN (where + is separator) is valid only after joining.

Regards, Doug
Re: [Samba] Problem with two subnets
[EMAIL PROTECTED] wrote:
> Hello
> A really annoying question. I'm managing a high school network with two WinXP subnets (192.168.1.X and 192.168.3.X). These subnets are linked by a SUSE 9.3 server with two network cards and a Samba server (version 3.0.12-5 SUSE) acting as PDC. The /etc/smb/smb.conf has next lines:
>
> wins support = yes
> hosts allow = 192.168.3. 192.168.1. 127.0.0.1
> interfaces = 192.168.3.2/24 192.168.1.2/24
>
> Now, for the problem: In the morning first hour, the first user must log on at a 192.168.3.X host. If I try first with a 192.168.1.X host, next message appears:
>
> --System cannot log you on because Domain x is not available---
>
> Next, I log on at a 192.168.3.X host without any problem, and everything works OK in the two subnets for the rest of the day. Problem repeats next day, and so on. I can't understand what's the matter. It seems that 192.168.3. subnet acts as a starter for the Samba server, but I don't know why. Please can anyone help me?? Thanks in advance.

In netbios, there can only be one interface IP address for any netbios name. Old MS problem, although I don't have any links. I like to assign samba to only one of the interfaces and I assign the same interface to the DNS name. Other interfaces get different DNS names. This is useful in the kerberos world as well as paranoid ssh.

smb.conf
interfaces = 192.168.3.x, 127.0.0.1

The 127.0.0.1 address doesn't register in wins or broadcasts and solves some broadcast issues, or at least it did a long time ago and I haven't experimented lately.

Regards, Doug
Re: [Samba] Re: Error Joining a Domain
Ian wrote:
> Hi,
> Anyone have any idea to the problem below? Sorry if it's already been answered.
> Cheers
> Ian
>
> On 9/11/07, Ian [EMAIL PROTECTED] wrote:
>> Hi,
>> I am trying to join my FreeBSD machine to an AD domain and keep getting the following error when joining the domain using samba 3.0.24:
>>
>> Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials.
>> Disabled account for 'S058002' in realm 'DS1.AD.DOMAIN.COM'
>>
>> According to the AD guys the account is not disabled. Here is my smb.conf
>>
>> [global]
>> winbind separator=+
>> winbind cache time=10
>> workgroup=DOMAIN
>> realm=DS1.AD.DOMAIN.COM
>> security=ads
>> winbind uid=1-2
>> winbind gid=1-2
>> winbind use default domain=yes
>> client ntlmv2 auth=yes
>>
>> I am joining the domain with the following command:
>>
>> /usr/local/bin/net ads join -S hostname.domain.com -w DOMAIN -U username%password
>>
>> and that's what produces the error above. A couple of things regarding this that may or may not help.
>> 1.) I am using this exact same setup on another machine that is running Samba (except that one's version is 3.0.21b) and it works there.
>> 2.) The full hostname is not resolvable if you do an nslookup on both machines, even though the older version connects fine.
>> 3.) I am using kerberos if that makes a difference - although it issues me the ticket just fine!
>> Anyone have any ideas as to what could be wrong?

Correctly resolving DNS records are becoming ever more critical to proper operation of windows and cifs in general. Been my experience if DNS doesn't work all one has left is netbios name resolution from broadcasts and wins, both of which are being phased out in preference to DNS.

Make sure nslookup works.
/etc/resolv.conf - pointed at the right servers
A and PTR records for the machines in question.

Regards, Doug
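The checks Doug lists (resolver works, A record exists, PTR maps back) plus the one the error message itself names (DNS domain of the server equals the AD domain) can be scripted before running `net ads join`. This is an added example, not code from the thread; the resolver functions are injectable so the check runs offline against a constructed zone (TEST-NET addresses, hypothetical host names), and without arguments it uses the system resolver.

```python
"""Pre-join DNS sanity checks for an AD member server.
Added example, not code from the Samba list thread."""
import socket


def system_a(fqdn):
    """A lookup via the system resolver (raises socket.gaierror on failure)."""
    return socket.gethostbyname(fqdn)


def system_ptr(ip):
    """PTR lookup via the system resolver (raises socket.herror on failure)."""
    return socket.gethostbyaddr(ip)[0]


def _norm(name):
    return name.rstrip(".").lower()


def dns_domain_of(fqdn):
    """Strip the first label: fs1.ds1.ad.domain.com -> ds1.ad.domain.com."""
    return _norm(fqdn).partition(".")[2]


def check_join_prereqs(fqdn, realm, resolve_a=system_a, resolve_ptr=system_ptr):
    """Return a list of findings; an empty list means every check passed.
    Checks: DNS domain matches the realm, the FQDN has an A record, and the
    PTR for that address names the same host."""
    findings = []
    if dns_domain_of(fqdn) != _norm(realm):
        findings.append(f"DNS domain of {fqdn} does not match realm {realm}")
    try:
        ip = resolve_a(fqdn)
    except OSError as exc:          # gaierror/herror are OSError subclasses
        findings.append(f"A: {fqdn} does not resolve ({exc})")
        return findings
    try:
        name = resolve_ptr(ip)
    except OSError as exc:
        findings.append(f"PTR: no reverse record for {ip} ({exc})")
        return findings
    if _norm(name) != _norm(fqdn):
        findings.append(f"PTR: {ip} resolves back to {name}, not {fqdn}")
    return findings


# Constructed zone for offline use (hypothetical names, TEST-NET-1 addresses).
FAKE_A = {
    "fs1.ds1.ad.domain.com": "192.0.2.10",
    "old.ds1.ad.domain.com": "192.0.2.11",
}
FAKE_PTR = {
    "192.0.2.10": "fs1.ds1.ad.domain.com",
    "192.0.2.11": "somethingelse.ds1.ad.domain.com",   # stale reverse record
}


def fake_a(fqdn):
    try:
        return FAKE_A[_norm(fqdn)]
    except KeyError:
        raise socket.gaierror(f"no A record for {fqdn}")


def fake_ptr(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(f"no PTR record for {ip}")


if __name__ == "__main__":
    for host in ("fs1.ds1.ad.domain.com", "old.ds1.ad.domain.com",
                 "missing.ds1.ad.domain.com", "fs2.lab.domain.com"):
        result = check_join_prereqs(host, "DS1.AD.DOMAIN.COM", fake_a, fake_ptr)
        print(host, "->", result or ["ok"])
```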
Re: [Samba] Problem with Defaulting Groups and AD
Thompson, Jimi wrote:
> Jerry, I'm really frustrated with SAMBA. All I want to do is have my users

I'd like to point out here that you're really frustrated with the default group assigned by Windows Active Directory

> authenticate using the domain controller, keep them restricted to their own individual folder and disk quota, and have them back up their workstations. The weird group membership that SAMBA is defaulting is pretty much screwing the pooch for me. Trying to override the SAMBA default group

domain users is not a weird group. It is the default group assigned by every Windows Active Directory everywhere.

> membership to set it to what I know it needs to be in order for the Unix file permissions to work isn't pointless. It's hard to back up to a

Gerry didn't say your goal was pointless, he said your configuration parameter as stated was pointless.

> server that doesn't think you have write permissions. If you can tell me what I need to do to make it work, I'd be quite happy.

Consult the documentation and add a mapping for domain users to an actual group that would have write permission. Try

force group = an actual group the users belong to

> Thanks,
> Ms. Jimi Thompson, CISSP
> Manager of Web Operations
> SMU Cox School of Business
> CISSP - Certified Information Systems Security Professional

I'll control myself.

Regards, Doug
Re: [Samba] Winbind partial data
Simon Chappell wrote:
> Hello All
> got a nasty problem that has reared its head this morning.
> Windows 2003 ADS controller. Samba 3.022 Ubuntu 6.06LTS
> getent passwd returns users but not all of them. I am missing a couple of hundred. Also if I add a new user they do not appear in getent. However they all show in wbinfo -u.

Just a quick reply.

Check in smb.conf
winbind enum groups = yes
winbind enum users = yes

The default changed from yes to no at some point.

and check if nscd is running. I don't use it and people have reported problems with caching with it running.

Have to go.

Regards, Doug
Re: [Samba] Re: Samba 18GB file Transfer
Brad C wrote:
> Hmm.. this is windows to linux, the file however does copy across to a windows system just fine. does anyone have experience with copying large files using samba?

You are using mount -t cifs ? If you're using -t smbfs that could explain your issues.

Regards, Doug
Re: [Samba] AD + winbindd(8): group permissions being ignored ? WTF ?
Wilkinson, Alex wrote:
> On Mon, Aug 13, 2007 at 01:44:19AM -0700, Doug VanLeuven wrote:
>> Have a look and see if this report is relevant in your case (it's fairly long):
>> https://bugzilla.samba.org/show_bug.cgi?id=3990
>
> This is my *exact* problem. I am using version 3.0.25a,1.1. And looking at work/samba-3.0.25a/source/smbd/sec_ctx.c it looks like Björn Jacke's patch has not been included. So I proceed to apply the patch myself and run into:
>
> # patch -p0 < group_fix_patch.txt
> Hmm... Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |Index: source/smbd/sec_ctx.c
> |===================================================================
> |--- source/smbd/sec_ctx.c (Revision 23033)
> |+++ source/smbd/sec_ctx.c (Arbeitskopie)
> --------------------------
> Patching file source/smbd/sec_ctx.c using Plan A...
> Hunk #1 succeeded at 248 (offset 2 lines).
> done
> #
> #cd /usr/ports/net/samba3/
> #make install
> ===> Patching for samba-3.0.25a_1,1
> ===> Applying FreeBSD patches for samba-3.0.25a_1,1
> 1 out of 5 hunks failed--saving rejects to smbd/sec_ctx.c.rej
> => Patch patch-smbd_sec_ctx.c failed to apply cleanly.
> => Patch(es) patch-Makefile.in patch-client_client.c patch-configure.in patch-include_includes.h patch-lib_iconv.c patch-lib_replace_libreplace_cc.m4 patch-nsswitch_pam_winbind.c patch-nsswitch_winbindd.c patch-pam_smbpass_pam_smb_auth.c patch-pam_smbpass_pam_smb_passwd.c patch-pam_smbpass_support.c patch-script_installbin.sh.in patch-script_installswat.sh patch-smbd_aio.c applied cleanly.
> *** Error code 1
>
> I *really* need this patch so that I can manage shared data via AD groups. Can anyone lend a helping hand in making samba compile in FreeBSD ports with the following patch [http://marc.info/?l=samba-technicalm=117976475614078w=2]

Hi,
I don't use FreeBSD, but it looks like the make first applies FreeBSD patches against the main samba release. What's failing is the patch against the very same file that you patched with group_fix_patch.txt. You need to look at smbd/sec_ctx.c.rej and see if what is failing is an attempt to apply the very same patch a second time.

You mentioned you were using 3.0.25a. I believed this fix was applied to 3.0.25b and later. But then again. I've been having some issues with secondary groups in opensuse 10.2, samba 3.0.25b-1.1.72-1411-SUSE-SL10.2, but haven't isolated what exactly is my issue. On FC-5 samba 3.0.25c-SVN-build-23735 everything seems to be OK.

I use:
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = sfu
idmap domains = FOREST, SAMBA
idmap config FOREST:readonly = yes
idmap config FOREST:schema_mode = sfu
idmap config FOREST:backend = ad
idmap config SAMBA:readonly = yes
idmap config SAMBA:backend = nss

The NIS plugin ought to work as well.

Regards, Doug
Re: [Samba] AD + winbindd(8): group permissions being ignored ? WTF ?
Wilkinson, Alex wrote:
> Hi all,
> I am successfully authenticating FreeBSD 7.0-CURRENT #1: Wed Jul 25 17:31:15 WST 2007 against AD. Users can log in successfully with home directories being served via amd(8) and NFS. However, I have discovered a potential show-stopper that will force me to abort this mission :(
>
> The problem
> -~-~-~-~-~-
>
> In a nutshell: Simple group permissions set with chown(1) are not being honoured. e.g.
>
> #touch testing.txt
> #ls -l !$
> -rw-r--r-- 1 root wheel 0 Aug 12 17:49 testing
> #chmod 770 !$
> #ls -l testing.txt
> -rwxrwx--- 1 root wheel 0 Aug 12 17:49 testing.txt
> #chown root:scis stl admins testing.txt
> #ls -l !$
> ls -l testing.txt
> -rwxrwx--- 1 root scis stl admins 0 Aug 12 17:49 testing.txt
> #su - my_username
> my_shell> echo this sux > /var/tmp/testing.txt
> testing.txt: Permission denied.
>
> And I KNOW 150% I am in the group scis stl admins. The odd thing is, is that chown(1) allows me to give the file testing.txt group membership, but users in the actual group are not given these permissions. I'm getting kinda desperate now. Have I missed something conceptually? Any insights into this problem whatsoever will be greatly appreciated.

Have a look and see if this report is relevant in your case (it's fairly long):
https://bugzilla.samba.org/show_bug.cgi?id=3990

Regards, Doug
Re: [Samba] Tar with smbclient
Bo Lynch wrote:
> This is what I get when using the -d 3 switch
>
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
> Processing section [global]
> added interface ip=192.168.1.19 bcast=192.168.255.255 nmask=255.255.0.0
> Client started (version 3.0.23c-2.el5.2.0.2).
> resolve_lmhosts: Attempting lmhosts lookup for name servccc<0x20>
> resolve_wins: Attempting wins lookup for name servccc<0x20>
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name servccc<0x20>
> Connecting to 192.168.1.30 at port 445
> error connecting to 192.168.1.30:445 (Connection refused)
> Connecting to 192.168.1.30 at port 139
> cli_session_setup: NT1 session setup failed!
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> Any ideas?

It's failing to lookup via wins when wins configured. If you've meant to configure wins, it's not happening. I've always used a wins server. Try upping the debug level to get a clue about why the session request is failing.

I noticed in your first post you used -A=authfile
I thought it was -A authfile or --authentication-file=authfile
Maybe it makes a difference for your version. It doesn't on mine.

Sorry I can't be more help.

What should be happening:

resolve_lmhosts: Attempting lmhosts lookup for name gate<0x20>
resolve_wins: Attempting wins lookup for name gate<0x20>
resolve_wins: using WINS server 192.168.202.35 and tag 'eth0'
Got a positive name query response from 192.168.202.35 ( 192.168.201.25 )
Connecting to 192.168.201.25 at port 445
Doing spnego session setup (blob length=110)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/[EMAIL PROTECTED]

Regards, Doug
Re: [Samba] Tar with smbclient
Bo Lynch wrote:
> Just created a new backup server using CentOS 5.0. I am using an auth file to access windows shares for backups. When connecting like this
>
> smbclient //server/share -A=/auth/file
>
> it works. When I try to tar with smbclient like this
>
> smbclient //server/share -A=/auth/file -Tc /backup/tarfile.tar
>
> I get the following message.
>
> session_setup_failed : NT_STATUS_LOGON_FAILURE
>
> Am I doing something wrong? This worked just fine with the older versions of Fedora and CentOS.

Works fine with Version 3.0.25b-1.1.72-1411-SUSE-SL10.2

Try -d 3 and redirect error output to a file. Should be able to see what's failing then.

Regards, Doug
Re: [Samba] Error while contacting ADS from Samba server
Rahul wrote:
> Hi Doug,
> Thanks for your timely reply. We have verified the things which you have mentioned in your mail in the security settings but with any combination the result does not change. We have also resolved the invalid parameters and module load warnings that were getting reported in the log file. When we give net rpc join -U Username%password, it's joining to the domain. But when we give net ads join -U username%password, it's giving problem and reporting the following error
>
> Failed to get ldap server info
> ads_connect: No results returned

At this point, verify /etc/krb5.conf

I always use this option in smb.conf
use kerberos keytab = Yes
because it's easier than generating the key on the DC and importing it on the samba server. Samba takes care of the entire process.

As I understand it, if you don't use this option, you need to join the linux server to the DC realm to the extent kinit [EMAIL PROTECTED] works before attempting to join samba to the domain.

To list the keys currently installed, as root
klist -ke

With use kerberos keytab = yes your keylist will look something like this:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
   2 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
   2 host/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
   2 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
   2 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
   2 host/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
   2 [EMAIL PROTECTED] (DES cbc mode with CRC-32)
   2 [EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
   2 [EMAIL PROTECTED] (ArcFour with HMAC/md5)

Regards, Doug
Re: [Samba] Winbind cache problem after upgrade to 3.0.25b.
Simon Ashford wrote:
> Have just upgraded from 3.0.14a to 3.0.25b. On starting winbindd it puts the following in /var/log/messages:
>
>     initialize_winbindd_cache: clearing cache and re-creating with version number 1
>
> All the winbind UID/GID mappings are lost and it starts again from scratch. Hence all file ownership / ACLs on this samba server become invalid. Anyone else seen this? Why does it see fit to destroy this important file in such a casual manner?! It didn't even bother to make a backup copy.

It's just a cache. Temporary high speed storage of lookups. By default, the data in the cache only lives for 300 seconds before winbind queries the server (again) for current mappings. If you're losing mappings or generating different mappings on a restart, something else is wrong. Not enough info here to make even an educated guess.

Regards,
Doug
Re: [Samba] Linux Active Directory Integration Problem
Brijesh Shukla wrote:
> Hi,
>
> I am getting the problem to access a shared folder when I am using a dual boot operating system. Let's say I have two operating systems on the same machine.
>
> 1) XP, and the name of the machine in the XP environment is XYZ
> 2) Cent OS (Linux), and the name of the machine in the Linux environment is ABC
>
> Both operating systems share the same static IP address.

Try (if possible) using a different IP address for each machine to eliminate caching issues.

Doug
Re: [Samba] XP/W2K on Samba 3
Aaron Kincer wrote:
> I am having trouble envisioning a network where people are constantly signing onto different computers (outside of schools and libraries). If users move around that much, perhaps a VNC/Citrix/Terminal Services approach would be better. Roaming profiles are a solution to a problem that existed before email boxes measured in hundreds of megabytes or even gigabytes. They will work (for Windows clients), but can bring your network to its knees. And as mentioned, the mixing of client OS has an amusing effect sometimes.

Think certificates. Certificates encrypt files, establish VPNs, sign and encrypt email, things like that. There are long standing alternatives to local store for email. The main and easiest way to keep one's certificates in windows is to use roaming profiles, else manually export and import and manually renew. Actually kind of cutting edge, not a throwback to earlier times.

Users don't typically move around, but what if the hard drive fails? Does one roll out windows with something like ghost and consider workstations disposable? If yes, the certificates and any private user data are lost.

System admins move around. Want to use the machine in the conference room for a presentation. Frequently easier with roaming profiles.

Regards,
Doug
Re: [Samba] wbinfo -u not working against Windows 2003 DC
Alexander van der Leun wrote:
> Hello all,
>
> This is my first post on this list, so please bear with me. :-)
>
> I'm managing a couple of Samba servers located at our customers. Since a couple of weeks we have a problem with winbind on one of our samba servers. It runs in a mixed Windows/Samba environment where a W2k3 server is the PDC. As far as I know it runs in mixed mode. Is there any way I can check this (WINS is running btw)?
>
> Until today we used samba 3.0.3 on a Fedora Core 2 server, but I have upgraded this to 3.0.23c using a SRPM. The problem as of two weeks is that it no longer looks up domain users from the PDC. Users are no longer of the form DOMAIN\User, but looked like a local account: user, when running smbstatus. The gid is now nobody instead of DOMAIN\Domain Users.
>
> I have now upgraded to version 3.0.23c and now it won't let domain users logon to the samba server. Samba had joined the domain and net rpc testjoin returns ok.
>
> I've added winbind to /etc/nsswitch.conf:
>
>     passwd: files winbind
>     shadow: files winbind
>     group:  files winbind
>
> And libnss_winbind.so exists in /lib:
>
>     -rwxr-xr-x 1 root root 17972 Sep 29 18:23 /lib/libnss_winbind.so
>     lrwxrwxrwx 1 root root    17 Sep 30 15:42 /lib/libnss_winbind.so.2 -> libnss_winbind.so
>
> When running winbindd -d 2 -i I get:
>
>     winbindd version 3.0.23c started.
>     Copyright The Samba Team 2000-2004
>     Processing section [sas]
>     Processing section [printers]
>     added interface ip=172.17.0.247 bcast=172.17.0.255 nmask=255.255.255.0
>     added interface ip=172.17.0.247 bcast=172.17.0.255 nmask=255.255.255.0
>     Registered MSG_REQ_POOL_USAGE
>     Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>     Added domain SOLINES S-1-5-21-2535601797-1986373083-18572363
>     Added domain SOLSAMBA S-1-5-21-1760014737-3532484745-1612504851
>     Added domain BUILTIN S-1-5-32
>     ads_dns_lookup_srv: Failed to resolve _ldap._tcp.dc._msdcs.solines (Success)
>     ads_connect for domain SOLINES failed: Operations error
>
> My question is: when W2K3 is running in mixed mode can I run samba with security=domain, or must I use security=ads? The above situation has always worked. Can anyone give me some advice or is there something I've overlooked??

As far as the users go, I'm seeing the same situation in security=ads mode and idmap backend=ad, and have previously posted but gotten no resolution. As a workaround, I can get users logged on with file access by individually mapping the domain members to the local accounts using usermap.

But for your situation, you need to post at least the security, realm, winbind, and idmap backend options you are using to make sense of this.

If your Realm is MY.REALM.COM, the DNS record should be

    _ldap._tcp.dc._msdcs.my.realm.com

It's an SRV record that contains the address of the DC. Samba thinks your realm is the domain name right now, maybe because you don't have a realm option in smb.conf.

Regards,
Doug
[Samba] idmap ad and sfu anyone?
samba SVN 17972, Linux 2.6.16-1.2096. That should be about the same as 2.0.23c.

    getent passwd works to list domain accounts
    getent group works to list domain groups
    kinit works for domain accounts
    wbinfo -u lists domain user accounts
    wbinfo -g lists domain group accounts

In order to access roaming profiles and any shares from 2000 XP clients, I have to map DOMAIN\username to username in username map.

Anyone else running idmap backend=ad and winbind nss info=sfu want to give me a tip?

winbind trusted domains and winbind use default domain have no impact on this. All the unix attributes are configured in AD, sfu group membership matches unix matches windows membership.

Regards,
Doug
Re: [Samba] idmap ad and sfu anyone?
Thorsten Hamester wrote:
> Hello
>
>> samba SVN 17972, Linux 2.6.16-1.2096. That should be about the same as 2.0.23c.
>>
>>     getent passwd works to list domain accounts
>>     getent group works to list domain groups
>>     kinit works for domain accounts
>>     wbinfo -u lists domain user accounts
>>     wbinfo -g lists domain group accounts
>>
>> In order to access roaming profiles and any shares from 2000 XP clients, I have to map DOMAIN\username to username in username map.
>>
>> Anyone else running idmap backend=ad and winbind nss info=sfu want to give me a tip?
>>
>> winbind trusted domains and winbind use default domain have no impact on this. All the unix attributes are configured in AD, sfu group membership matches unix matches windows membership.
>>
>> Regards,
>> Doug
>
> they changed the default value for default domain and enum users to no so you have to define them in the config file
>
>     winbind use default domain = Yes
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind nss info = RFC2307

winbind use default domain = yes or no makes no difference. I didn't think it was relevant, but winbind enum users and groups are already specified = yes.

This problem specifically involves

    winbind nss info = sfu
    security = ads
    idmap backend = ad

This worked for about 2 years while I was using the xad padl 3rd party plugin. I'm only having issues since samba rewrote it and bundled it into the main tree and tokenized users groups.

Thanks anyway,
Doug
Re: [Samba] Transfer rates faster than 23MBps?
Mark Smith wrote:
> I also tried your values, with the tcp_window_scaling, with no luck.

It's enabled by default, but I explicitly set options other options depend on.

I set up my test rig again.

    Host server 2.6.12-1.1376_FC3, samba 3.0.23
        Broadcom Nextreme BCM5702X Gigabit, tg3 driver default config
    Client 2.6.12-1.1381_FC3, samba 3.0.21pre3-SVN-build-11739
        Intel Pro/1000, 82546GB Gigabit, e1000 driver default config
    HD Drives on both are 45-50MBps

    smbclient 26.7-27.2MBps
    ftp 25.4 MBps (small window size)

Interestingly enough, downloading in the opposite direction, where the Intel card was doing the serving, was slightly faster, so hardware does make a difference.

    smbclient 28.8MBps

    client win2000 sp4, Intel Pro/1000
    ftp 31.2-34.4MBps
    explorer 26.2-27.0MBps (wall clock on 2Gig transfers)

FWIW - I'm used to seeing CIFS performance numbers 5-10% slower than ftp.

Using ethereal to capture the start of the transfers, I'm seeing windows ftp negotiate a 256960 window size, which is what I have specified in HKLM/system/currcontrolset/services/tcpip/parameters/TcpWindowSize, but linux samba establishes a window size of whatever is specified for SO_SNDBUF in socket options or by default 8K. So I set SO_SNDBUF=256960 and it gave me the extra large window and raised the speed up to 27.3MBps (1048576 Megs) - not enough to really address your concerns. Maybe it would be different on your system.

That's an issue for samba because it should allow for autonegotiation of the window size and I don't know how to set that other than ipv4.tcp_window_scaling=1 (the default). SO_SNDBUF and SO_RCVBUF are only limited by the /proc/sys values net.core.rmem_max and net.core.wmem_max, which you altered after the earlier post.

Comparing the linux ftp to linux samba transfer speeds, I don't think the answer lies in samba per se other than how the socket gets set up. And it's not a linux issue either if you're getting those http numbers (I never see anything like that here). Your Redhat is obviously tuned for those types of packets. Maybe you're using the in-kernel optimized apache they offer. If so, try a user space apache for comparison.

I smacked up against these numbers 2 years ago. Nothing much seems to have changed. The numbers end up in the low to mid 200Mbps on copper Gigabit for user space applications. If you ever fix it, pop me an email please. I figured the answer would be pci-x and 64 bit pci. Higher front side bus speeds.

Best of luck,
Doug
Re: [Samba] Transfer rates faster than 23MBps?
OK, I'll top post. I can't let this stand unanswered.

I ran a LOT of tests with gigabit copper and windows machines. I never did better than 40 seconds per gig. That was with the Intel cards configured for maximum cpu utilization. 80-90% cpu for 40 sec per gig. On windows. Uploads went half as fast. Asymmetric. Of course I only had 32 bit PCI, 2.5Gig processor motherboards with 45MBps drives.

Which leads me to my point. One can't rationally compare performance of gigabit ethernet without talking about hardware on the platforms. I wouldn't think you'd have overlooked this, but one can bump up against the speed of the disk drive. Raid has overhead. Have you tried something like iostat? Serial ATA? I seem to recall the folks at Enterasys indicating 300Gbps as a practical upper limit on copper gig. Are you using fiber? 64 bit PCI? Who made which model of the network card? Is it a network card that's well supported in Linux? Can you change the interrupt utilization of the card? What's the CPU utilization on the Redhat machine during transfers?

I don't have specific answers for your questions, but one can't just say this software product is slower on gigabit than the other one without talking hardware at the same time.

I have lots of memory. I use these configurations in sysctl.conf to up the performance of send/receive windows on my systems. There's articles out there. I don't have historical references handy. YMMV.

    net.core.wmem_max = 1048576
    net.core.rmem_max = 1048576
    net.ipv4.tcp_wmem = 4096 65536 1048575
    net.ipv4.tcp_rmem = 4096 524288 1048575
    net.ipv4.tcp_window_scaling = 1

Regards,
Doug

> I wanted to follow up to my email to provide at least a partial answer to my problem. The stock RedHat AS4-U3 Samba config has SO_SNDBUF and SO_RCVBUF set to 8k. With this value, I can transfer a 1GB file in about 70-75 seconds, about 14MBps. If I increase those buffers to their max value of 64k, that same 1GB file transfers in 45-50 seconds, about 23MBps.
>
> That is the _ONLY_ configuration value I've found that made any difference in my setup. All the other tweaks I'd done, when removed, seemed to make no difference at all. I was playing with oplocks, buffers, max xmit sizes, you name it. But the socket option buffers was the only thing that made a difference.
>
> I'm still looking for more speed. I'll report if I find anything else that helps.
>
> In response to Jeremy's suggestion of using smbclient, I ran a test from a Linux client using smbclient and it reported a transfer rate of 21MBps, about the same as a normal smbfs mount. I haven't tried porting smbclient to Windows yet, and probably won't until we get more info on what the server is doing.
>
> Thanks everyone.
>
> -Mark
>
> Mark Smith wrote:
>> We use SMB to transfer large files (between 1GB and 5GB) from RedHat AS4 Content Storage servers to Windows clients with 6 DVD burners and robotic arms and other cool gadgets. The servers used to be Windows based, but we're migrating to RedHat for a host of reasons. Unfortunately, the RedHat Samba servers are about 2.5 times slower than the Windows servers. Windows will copy a 1GB file in about 30 seconds, whereas it takes about 70 to 75 seconds to copy the same file from a RedHat Samba server.
>>
>> I've asked Dr. Google and gotten all kinds of suggestions, most of which have already been applied by RedHat to the stock Samba config. I've opened a ticket with RedHat. They pointed out a couple errors in my config, but fixing those didn't have any effect. Some tweaking, however, has gotten the transfer speed to about 50 seconds for that 1GB file. But I seem to have hit a brick wall; my fastest time ever was 44 seconds, but typically it's around 50.
>>
>> I know it's not a problem with network or disk; if I use Apache and HTTP to transfer the same file from the same server, it transfers in about 15 to 20 seconds. Unfortunately, HTTP doesn't meet our other requirements for random access to the file.
>>
>> Do you folks use Samba for large file transfers at all? Have you had any luck speeding it up past about 23MBps (the 44 second transfer speed)? Any help you may have would be fantastic.
>>
>> Thanks.
>>
>> -Mark
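An added example, not code from this thread or from the Samba project, that checks the two knobs the thread turns: it reads SO_SNDBUF/SO_RCVBUF from an smb.conf socket options line and net.core.wmem_max/rmem_max from sysctl, reports the buffer Linux will actually grant (the request is clamped to the sysctl limit, then doubled), and turns that window into the throughput ceiling one round trip implies. The smb.conf fragment and sysctl values are constructed from numbers quoted in the posts; the 1 ms LAN round trip is an assumption.

```python
"""Check Samba socket buffer settings against the kernel limits.

Added example, not code from the thread or from the Samba project.
Assumptions (constructed for this example): the smb.conf fragment, the
sysctl lines (values as quoted in the thread) and the 1 ms LAN round trip.
"""
import re
from typing import Dict, List

# Which sysctl caps which socket option (Linux sock_setsockopt behaviour).
LIMITS = {"SO_SNDBUF": "net.core.wmem_max", "SO_RCVBUF": "net.core.rmem_max"}


def _join_continuations(text: str) -> str:
    """smb.conf lets a trailing backslash continue a value on the next line."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_socket_options(smb_conf: str) -> Dict[str, int]:
    """Return the numeric SO_* settings from `socket options`; bare flags are ignored."""
    m = re.search(r"^\s*socket options\s*=\s*(.+)$", _join_continuations(smb_conf), re.M)
    opts: Dict[str, int] = {}
    if m:
        for tok in m.group(1).split():
            if "=" in tok:
                name, val = tok.split("=", 1)
                opts[name] = int(val)
    return opts


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse `key = value` lines as found in /etc/sysctl.conf or `sysctl -a` output."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def granted_buffer(requested: int, sysctl_max: int) -> int:
    """What setsockopt(SO_SNDBUF/SO_RCVBUF) leaves in the socket on Linux: the
    request is clamped to the *_max sysctl and then doubled, the kernel's
    allowance for per-packet bookkeeping overhead."""
    return min(requested, sysctl_max) * 2


def throughput_ceiling_mb_s(window_bytes: int, rtt_seconds: float) -> float:
    """TCP moves at most one window per round trip, so window/RTT bounds throughput."""
    return window_bytes / rtt_seconds / 1e6


def assess(smb_conf: str, sysctl_text: str, rtt_seconds: float = 0.001) -> Dict[str, Dict]:
    """Per option: requested, limit, granted bytes, whether the limit clamped the
    request, and the MB/s ceiling the granted window implies at `rtt_seconds`.
    An option that is not set is reported as autotuned (tcp_wmem/tcp_rmem apply)."""
    opts = parse_socket_options(smb_conf)
    sysctl = parse_sysctl(sysctl_text)
    result: Dict[str, Dict] = {}
    for opt, key in LIMITS.items():
        if opt not in opts:
            result[opt] = {"autotuned": True}
            continue
        requested = opts[opt]
        limit = int(sysctl[key])  # KeyError is deliberate: no limit known, no verdict
        granted = granted_buffer(requested, limit)
        result[opt] = {
            "autotuned": False,   # a fixed SO_SNDBUF/SO_RCVBUF switches autotuning off
            "requested": requested,
            "limit": limit,
            "granted": granted,
            "clamped": requested > limit,
            "ceiling_mb_s": throughput_ceiling_mb_s(granted, rtt_seconds),
        }
    return result


def report(smb_conf: str, sysctl_text: str, rtt_seconds: float = 0.001) -> List[str]:
    """Human-readable lines built from assess()."""
    lines = []
    for opt, r in assess(smb_conf, sysctl_text, rtt_seconds).items():
        if r["autotuned"]:
            lines.append(f"{opt}: not set, kernel autotuning applies")
            continue
        note = f" (clamped by {LIMITS[opt]}={r['limit']})" if r["clamped"] else ""
        lines.append(f"{opt}={r['requested']} -> kernel grants {r['granted']} bytes{note}; "
                     f"ceiling about {r['ceiling_mb_s']:.1f} MB/s at {rtt_seconds * 1000:.1f} ms RTT")
    return lines


# Constructed inputs: the secondary-server smb.conf fragment and the sysctl values quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = VFX
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=16384 \\
        SO_RCVBUF=16384
   oplocks = no
"""

SAMPLE_SYSCTL = """\
net.core.wmem_max = 1048576
net.core.rmem_max = 1048576
net.ipv4.tcp_wmem = 4096 65536 1048575
net.ipv4.tcp_rmem = 4096 524288 1048575
net.ipv4.tcp_window_scaling = 1
"""

if __name__ == "__main__":
    for line in report(SAMPLE_SMB_CONF, SAMPLE_SYSCTL):
        print(line)
```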
Re: [Samba] accessing windows shared folders from vmware guest linux
pagod wrote:
> if i try something like this:
>
>     smbmount //fili/xlibs /mnt/temp -o username=dvergnaud
>
> i get the following error:
>
>     3600: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
>     SMB connection failed
>
> the weird thing is, it all works fine when doing it from another linux computer (where linux runs natively). that means, as i see it, that either there's a problem with VMware and samba working together, or my samba client is not properly configured -- although i'm not aware that it's much configurable... has anyone already had such a problem? or does anyone have an idea what i'm doing wrong?

Vmware itself is not a problem. I use it without problem and I believe some of the samba development is done on vmware machines. Things to check are firewalling on the Linux box, and which of the available vmware network options you used. Bridged, private or NAT.

Regards,
Doug
[Samba] ad module, unix/user domain/group oddity, can't use winbind trusted domains only
I've tried everything I can think of. I kept thinking it must be something I needed to configure when I changed over from padl xad to the samba ad builtin module. Everything had been working for the last 2 years. AD, samba, and unix passwords are synchronized.

Samba version 3.0.24pre1-SVN-build-18449

smb.conf

    winbind nss info = sfu
    idmap backend = ad

Without any users defined in passdb.tdb, domain users authenticate, but explorer detail security listings list

    unix/username
    DOMAIN/domaingroup

If I have users defined in passdb.tdb, then explorer security listings list

    machinename/username
    DOMAIN/domaingroup

Using winbind trusted domains only = yes causes most, maybe all, domain authentication to fail, but I'm still connecting from an XP workgroup notebook.

Regards,
Doug
Re: [Samba] Can't net ads join
Brian D. McGrew wrote:
> Trying to do a net ads join, which has always worked fine in the past, is now throwing the below errors when I try and rejoin the domain after a Windows server reboot. What am I doing wrong?
>
> :b!
>
>     [2006/08/23 19:45:00, 0] libads/ldap.c:ads_add_machine_acct(1405)
>       ads_add_machine_acct: Host account for mustang already exists - modifying old account
>     [2006/08/23 19:45:00, 0] libads/kerberos.c:get_service_ticket(337)
>       get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@MACHINEVISIONPRODUCTS.COM failed: Clock skew too great

You need to synchronize the clocks of the machines.

Regards,
Doug
Re: [Samba] Excel error
Dominic Iadicicco wrote:
> Hello all,
>
> My network users are receiving an error when they try to save changes to an excel file that is stored in a samba share. The error is
>
>     The file filename.xls may have been changed by another user since you last saved it. In that case, what do you want to do? save a copy or Overwrite changes.
>
> Now they can all read and write to this share and it only happens with excel files so far. Word docs and other saves do not generate this error. Now Microsoft claims this is a feature but I have not been able to generate it with a peer to peer share I have set up between two winxp machines. It only happens when they try to save to any share on the samba domain. This server is running RH9 with samba 2.2.7a. The clients are winXP Pro Srv2 with MS office/Excel 2002. Is this a known issue with this old version of samba? Is this a samba issue? If anyone could point me in the right direction I would greatly appreciate it. Also if you need any more info on the setup please let me know.

Try this KB article from MS, see if it fits. http://support.microsoft.com/kb/324491/

Worked for me a while back. Has to do with network and filesystem latency issues with excel timestamp checking.

Regards,
Doug
Re: [Samba] Re: Samba instead of SBS2k+3
Przemyslaw Smiejek wrote:
> In reply to the message of Sunday, 20 August 2006 14:52 (author Robert Schetterer, published on gmane.network.samba.general, your reference: [EMAIL PROTECTED]):
>
>> Hi, jep samba can act as a win nt (4) domain controller PDC.
>
> PDC it's only authorization, as I know.
>
>> but having Samba in a school environment is very typical, there are many special Linux distros for schools which have already included this, look http://www.skolelinux.org and the samba faqs, setting up samba as domain controller.
>
> But I need not only user authorization but also a tool to set policy on workstations.
>
>> But you will make your life much easier, and save money for the children, if you switch totally to linux.
>
> That's impossible. :(
>
>> There is nothing on windows which is really needed to learn for pupils which can't be handled by modern linux distros.
>
> There is, unfortunately. It's Windows. There are many windows programs and many windows users so I have to have Windows on workstations so I need AD to set policy. :(
>
> I want to change my AD to Samba, because I have only 20 licenses to SBS2k+3 and I want to add more computers. I see that I have to buy next licenses :(

Actually, there is little being done with GPOs that can't be done by registry editing or the older policy editors. What GPOs offer is dynamic application of registry settings, so a student could log in at a computer and get one set of policies and then an auditor could sit at the same computer and get a more relaxed set of policies. If your security is more static with one security model per machine, the older policy editors work quite well along with ghosting a prototype machine. There are a lot of advantages to ghosting out an entire classroom at one time. Of course, you can't teach Working with AD.

Regards,
Doug
Re: [Samba] XP clients disconnected during transfer of larger files to the samba server
Derrick MacPherson wrote:
> What am I missing? Is there some more info I can add to get someone to respond? Is there a better place to be getting help?

No better place. Mostly people only respond when your problem is similar to a problem they themselves have had. I regularly transfer 2 Gig files around and have since forever it seems. But I'll try and give some pointers based on my experience.

First off, try and use the defaults unless there is a strong motivating reason to override it. I review the config and periodically experiment with going back to the defaults on the few items I override. The samba team are the experts and they make the defaults work the best overall.

You have these two items:

    wins support = true
    name resolve order = bcast hosts

which says run support for wins, but don't use it to resolve netbios names. Good to use it and point the secondary server at it plus all your windows machines. Right now, you only resolve netbios on the local subnet plus DNS the same as netbios.

You also have this

    use spnego = no

From the doco: Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled. Have you had an issue? If not, delete it.

Another override:

    oplocks = no

Use this to avoid specific issues with specific shares or filetypes.

Last, socket endpoint not connected is frequently a hardware issue. I don't know the protocol inside out, but it seems the smb protocol is less forgiving than ftp. Switch and interface card issues during saturation become an issue with smb.

Regards,
Doug

> -----Original Message-----
> From: Derrick MacPherson
> Sent: Friday, August 11, 2006 1:23 AM
> To: Derrick MacPherson; samba@lists.samba.org
> Subject: RE: [Samba] XP clients disconnected during transfer of larger files to the samba server
>
> Any suggestions to look into, or more debug info required?
>
> The box is running centos 4.3 final, up to date with the latest versions of CentOS updates, it's running something like 3.0.10 or .11 - can't recall. 1:22 am. Off to bed...
>
> Thanks.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derrick MacPherson
> Sent: Thursday, August 10, 2006 5:47 PM
> To: samba@lists.samba.org
> Subject: [Samba] XP clients disconnected during transfer of larger files to the samba server
>
> i'm having an issue when transferring large files to the samba servers from an xp client - files about 1GB or larger. about 70% into the transfer i get a network share no longer exists error and the transfer fails. I can pull down from the server fine with no issues. The XP machines are authenticating from a different Samba server though the problem is with that machine as well. Error and config posted below: (FYI - transferring same files and such work fine via FTP)
>
> My secondary server config:
>
>     netbios name = 3Dsrv
>     workgroup = VFX
>     security = user
>     server string = %h server (3D FileServer)
>     password server = 192.168.0.210
>     username map = /etc/samba/smbusers
>     idmap uid = 15000-2
>     idmap gid = 15000-2
>     name resolve order = bcast hosts
>     template primary group = Domain Users
>     template shell = /bin/bash
>     winbind separator = +
>     socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=16384 \
>         SO_RCVBUF=16384
>     oplocks = no
>
> smb log - i think this is relevant, though not sure:
>
>     [2006/08/10 11:53:56, 0] lib/util_sock.c:get_peer_addr(1000)
>       getpeername failed. Error was Transport endpoint is not connected
>     [2006/08/10 11:53:56, 0] lib/util_sock.c:get_peer_addr(1000)
>       getpeername failed. Error was Transport endpoint is not connected
>     [2006/08/10 11:53:56, 0] lib/util_sock.c:write_socket_data(430)
>       write_socket_data: write failure. Error = Connection reset by peer
>     [2006/08/10 11:53:56, 0] lib/util_sock.c:write_socket(455)
>       write_socket: Error writing 4 bytes to socket 24: ERRNO = Connection reset by peer
>
> Primary server config:
>
>     [global]
>     name resolve order = bcast hosts
>     passwd chat debug = yes
>     idmap gid = 15000-2
>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
>     passwd program = /usr/bin/passwd %u
>     netbios name = 2DSRV
>     printing = CUPS
>     idmap uid = 15000-2
>     logon script = logon.bat
>     workgroup = VFX
>     os level = 128
>     printcap name = CUPS
>     security = user
>     add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
>     delete user script = /usr/sbin/userdel -r %u
>     log level = 4
>     add group script = /usr/sbin/groupadd %g
>     socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>     delete group script = /usr/sbin/groupdel %g
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote:
> Yup. That's what I meant. I'll try to repro your results on Monday (if all goes well). Thanks.

I started up a machine that was on the shelf. This one had been joined as rc4. I edited krb5.conf and userAccountControl for des only.

My DHCP registers machines in dyn.ldxnet.com and in-addr.arpa which are dynamically updatable on linux. Then the workstations register an A record in nt.ldxnet.com which is DNS managed by windows 2003 server. I've been adding the dyn.ldxnet.com names to servicePrincipalName because it seems I get best results in mixed DNS domains. Like Mark Twain said, after a cat's been burnt on a hot stove, it won't sit on a cold one either.

Windows 2003 is capitalizing the first letter in kerbtray and klist, but the salt listed by ethereal is lowercase. Browsing from windows domain machines works and smbclient -k works after kinit. This combination runs des only. Not that old either. Maybe you could back trace the changes. Check out the keytab listing below. Let me know if there is a stress test for this you'd like me to run.

That's all for tonight - Doug

    Linux lex 2.6.12-1.1381_FC3
    Samba version 3.0.21pre3-SVN-build-11739
    krb5-workstation-1.3.6-7
    openldap-2.2.29-1.FC3

/etc/krb5.conf

    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = NT.LDXNET.COM
    default_keytab_name = FILE:/etc/krb5.keytab
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    permitted_enctypes = des-cbc-md5 des-cbc-crc

    [EMAIL PROTECTED] ~]# klist -ke
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- ----------
       3 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)

(Yes, I edited out all but one entry. At first glance it looks like you're right)

    [EMAIL PROTECTED] ~]# kinit
    Password for [EMAIL PROTECTED]:
    [EMAIL PROTECTED] ~]# smbclient -k -Llex
    OS=[Unix] Server=[Samba 3.0.21pre3-SVN-build-11739]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        test            Disk      Temporary file space
        temp            Disk      Temporary file space
        IPC$            IPC       IPC Service (lex)
        ADMIN$          IPC       IPC Service (lex)
        root            Disk      Home Directories
    OS=[Unix] Server=[Samba 3.0.21pre3-SVN-build-11739]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        FOREST               RANGER1

ldp.exe on domain controller, entry for des-only lex workstation

    Getting 1 entries:
    Dn: CN=lex,CN=Computers,DC=nt,DC=ldxnet,DC=com
    5 objectClass: top; person; organizationalPerson; user; computer;
    1 cn: lex;
    1 distinguishedName: CN=lex,CN=Computers,DC=nt,DC=ldxnet,DC=com;
    1 instanceType: 0x4 = ( IT_WRITE );
    1 whenCreated: 11/24/2005 00:27:22 Pacific Standard Time Pacific Daylight Time;
    1 whenChanged: 07/24/2006 12:08:07 Pacific Standard Time Pacific Daylight Time;
    1 uSNCreated: 931987;
    1 uSNChanged: 1128498;
    1 name: lex;
    1 objectGUID: fa853706-780c-46ac-aaf8-deffbdd4cc20;
    1 userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_USE_DES_KEY_ONLY );
    1 badPwdCount: 0;
    1 codePage: 0;
    1 countryCode: 0;
    1 badPasswordTime: 01/01/1601 00:00:00 UNC ;
    1 lastLogoff: 01/01/1601 00:00:00 UNC ;
    1 lastLogon: 07/25/2006 02:45:36 Pacific Standard Time Pacific Daylight Time;
    1 localPolicyFlags: 0;
    1 pwdLastSet: 11/24/2005 00:27:22 Pacific Standard Time Pacific Daylight Time;
    1 primaryGroupID: 515;
    1 objectSid: S-1-5-21-484763869-746137067-1343024091-1234;
    1 accountExpires: 09/14/30828 02:48:05 UNC ;
    1 logonCount: 30;
    1 sAMAccountName: lex$;
    1 sAMAccountType: 805306369;
    1 operatingSystem: Samba;
    1 operatingSystemVersion: 3.0.21pre3-SVN-build-11739;
    1 dNSHostName: lex.dyn.ldxnet.com;
    1 userPrincipalName: HOST/[EMAIL PROTECTED];
    6 servicePrincipalName: HOST/lex.dyn.ldxnet.com; CIFS/lex.dyn.ldxnet.com; CIFS/lex.nt.ldxnet.com; CIFS/lex; HOST/lex.nt.ldxnet.com; HOST/lex;
    1 objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=nt,DC=ldxnet,DC=com;
    1 isCriticalSystemObject: FALSE;
    1 lastLogonTimestamp: 07/24/2006 12:08:07 Pacific Standard Time Pacific Daylight Time;
    ---
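An added example, not code from this thread or from Samba, that turns the two checks above into a script: it parses the klist -ke listing format shown here (and in the earlier keytab post on this page), classifies each enctype by risk, and decodes the userAccountControl value from the ldp.exe dump so a DES-only pin like the one on lex is visible at a glance. The keytab text is constructed sample data with a placeholder realm; the enctype strings are the ones MIT klist prints and the flag bits are the documented AD userAccountControl values.

```python
"""Spot DES-only Kerberos exposure on a Samba member server.

Added example, not code from the thread or from the Samba project.
Assumptions: the klist text below is constructed with a placeholder realm;
enctype strings are the ones MIT klist prints; userAccountControl bits are
the documented AD values.
"""
import re
from typing import Dict, List, NamedTuple, Set


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: str


# One `klist -ke` entry line, e.g.
#    2 host/lex.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text: str) -> List[KeytabEntry]:
    """Extract KVNO/principal/enctype triples; the header and ruler lines do not match."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def classify_enctype(enctype: str) -> str:
    """Map the human-readable enctype to a risk class."""
    e = enctype.lower()
    if "aes" in e:
        return "ok"
    if "triple des" in e or e.startswith("des3"):
        return "legacy"
    if e.startswith("des"):
        return "weak"       # single DES: 56-bit key, the thread's des_only case
    if "arcfour" in e or "rc4" in e:
        return "legacy"     # RC4-HMAC, what the DC falls back to per the thread
    return "unknown"


class PrincipalReport(NamedTuple):
    classes: Set[str]
    kvnos: Set[int]


def audit_keytab(text: str) -> Dict[str, PrincipalReport]:
    """Group entries per principal so DES-only pins and mixed KVNOs stand out."""
    report: Dict[str, PrincipalReport] = {}
    for entry in parse_klist(text):
        r = report.setdefault(entry.principal, PrincipalReport(set(), set()))
        r.classes.add(classify_enctype(entry.enctype))
        r.kvnos.add(entry.kvno)
    return report


def des_only(r: PrincipalReport) -> bool:
    """True when single DES is the only enctype this principal can negotiate."""
    return r.classes == {"weak"}


# userAccountControl bits (documented AD values); the three set on lex are among them.
UAC_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
    0x200000: "UF_USE_DES_KEY_ONLY",
    0x400000: "UF_DONT_REQUIRE_PREAUTH",
}


def decode_uac(value: int) -> List[str]:
    """Names of the known flag bits set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


# Constructed sample modelled on the listings in the thread (placeholder realm).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lex.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 host/lex.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   2 host/lex.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
   3 lex$@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
"""

if __name__ == "__main__":
    for principal, r in audit_keytab(SAMPLE_KLIST).items():
        verdict = "DES ONLY" if des_only(r) else ", ".join(sorted(r.classes))
        print(f"{principal}: {verdict}; kvno {sorted(r.kvnos)}")
    print("userAccountControl 0x211000 ->", decode_uac(0x211000))
```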
Re: [Samba] samba ldap / password (smbpasswd)
oly wrote:
> hi
>
> i have set up samba as a pdc with ldap but i am having problems with passwords. they do not seem to be taken from ldap; instead i have to run smbpasswd username to allow a user to login. this directory will have around 800 users when complete and the ldap is also used for other authentication like to websites and other resources like jabber. they all work fine, it is only the windows login that needs smbpasswd. i have two accounts working, the root and nobody accounts, but none of the others do. they have the samba scheme on all accounts but this does not help. any ideas as to why, or how i can find where the problem is? the failed logins do not seem to be logged anywhere and the failure message for windows is invalid username or password.

Have you set passdb backend in smb.conf? Might help to let the list know what version samba you're running, what your smb.conf is, etc.

Regards,
Doug
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote: (a) deriving the DES salt (b) generating the keytab file (c) optionally creating the UPN as part of the join. Please give it a whirl and let me know how it goes. Our Krb5 code is over 3 years old spreading about multiple MIT and heimdal versions. It's time for some spring cleaning but I don't want to lose functionality if we can help it. Jerry, 2003 Enterprise server security = ADS idmap backend = ad winbind nss info = template sfu I joined an FC3 using rc4 all is smooth and browsable. I then removed support for rc4 in enctypes in /etc/krb5.conf. Edited the machine acct and added the flag for des_only. The domain controller can't browse the samba server. Get the password dialog box. This method used to work. I'll get an older version of samba and verify that with the current 2003 including current SP and security patches. I then commented out the defines in /usr/include/krb5.h for ENCTYPE_ARCFOUR. Then configure make to have a version of samba where the ifdefs would trigger for des-only code. This version won't join the domain. I can try net keytab add on permutations, but don't have the time until this weekend. Des only may be a dinosaur for most modern kerberos, but it might be important to eliminate dependency on rc4. I've been told longhorn will include encryption types that use salts and depending on the admin environment they may want to run non-rc4. There may also be legacy consideration where the kerberos server is unix based. Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Doug, Thanks for testing this. OK. I then removed support for rc4 in enctypes in /etc/krb5.conf. Edited the machine acct and added the flag for des_only. The domain controller can't browse the samba server. Get the password dialog box. This method used to work. I'll get an older version of samba and verify that with the current 2003 including current SP and security patches. Did you enable the DES trick in the Windows 2003 registry ? Otherwise Windows 2003 will always use RC4-HMAC regardless of the DES_ONLY flag. That's what I've found at least. Do you mean KdcUseRequestedEtypesForTickets = 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc ? If so, since 2004, plus the then hotfix. If not, then you'll have to let me know what the trick is :-) Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Doug VanLeuven wrote: Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Doug, File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22. Doug, You should probably review my comments to Scott. Keytab support is being rewritten, not dropped. I was saying dns domain not equal realm dropped and rewrite ads join code No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures. First, I'm not having failures. I was commenting information I believed I read. So what did you mean in this post: http://marc.theaimsgroup.com/?l=sambam=115193492903190w=2 quote: You were right. ( as usual.. ) I had the wrong FQDN on the samba server. After reconfiguring my network and I got the FQDN back from 'hostname' the join worked as planned. For the record, this is what WinXP does as well. You cannot join a WinXP box to a domain using a non-admin account if the client's FQDN is outside the AD domain. I agree this is a change from previous Samba version, but then previous Samba releases always required domain admin creds to join. endquote Did you mean if one joins with non-admin credentials it no longer works, but if one's credentials are administrative it still works? I understand previously joined machines still work. Not trying to be a wise guy, just trying to understand. Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Doug, File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22. Doug, You should probably review my comments to Scott. Keytab support is being rewritten, not dropped. I was saying dns domain not equal realm dropped and rewrite ads join code Just that windows doesn't guarantee case in names. For example, on my login, the current tickets show up as HOST/[EMAIL PROTECTED] host/[EMAIL PROTECTED] HOST/[EMAIL PROTECTED] HOST/[EMAIL PROTECTED] Your tickets where? From kerbtray.exe? Or on a Unix box? kerbtray klist I am just not seeing this case permutation you claim. NT40 sidhistory migration to 2000 AD then standard 2000 AD upgraded to 2003 standard AD then 2003 standard upgraded to 2003 enterprise. What is the list of SPNs for that Samba account in AD? samba 3.0.23, created account in AD SPN's CIFS/stor CIFS/stor.nt.ldxnet.com HOST/STOR HOST/stor.nt.ldxnet.com klist on 2003 server Server: cifs/[EMAIL PROTECTED] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 7/18/2006 18:53:02 Renew Time: 7/25/2006 8:53:02 Can you tell what applications are generating these requests so I can reproduce it? Domain controller browsing to stor's shares. PS: I asked our Apache guy (at Centeris) who is working with mod_auth_kerb and he claims that krb5 authentication to http://SerVer.ExaMple.COM still gets a ticket for HTTP/server.example.com which supports my theory about tickets based on SPN values. Yes, it works with rc4-hmac. But it's been coming back to me. It didn't work with des-cbc-md5 until the permutations were added. How soon we forget. It's really difficult to test des-only now. 
Have to join with rc4, then hand edit with adsi.exe in the AD, then remove the rc4 from krb5.conf and reboot the machine to purge the caches, because samba sets the des-only on a compile time flag. For information, here's the list of tickets on the domain controller after browsing an older, running samba server joined years ago, and a win2000 workstation: Cached Tickets: (6) Server: krbtgt/[EMAIL PROTECTED] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 7/18/2006 18:53:02 Renew Time: 7/25/2006 8:53:02 (win2000 workstation) Server: cifs/[EMAIL PROTECTED] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 7/18/2006 18:53:02 Renew Time: 7/25/2006 8:53:02 (FC3 - krb5 1.3.6) Server: cifs/[EMAIL PROTECTED] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 7/18/2006 18:53:02 Renew Time: 7/25/2006 8:53:02 (Domain controller) Server: ldap/ranger1.nt.ldxnet.com/[EMAIL PROTECTED] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 7/18/2006 18:53:02 Renew Time: 7/25/2006 8:53:02 (FC4 - long running samba currently at 3.0.23pre2-SVN-build-15985) Server: cifs/[EMAIL PROTECTED] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 7/18/2006 18:53:02 Renew Time: 7/25/2006 8:53:02 (Domain controller) Server: host/[EMAIL PROTECTED] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 7/18/2006 18:53:02 Renew Time: 7/25/2006 8:53:02 Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Scott Armstrong wrote: First thing - I'd like to say a big THANK YOU to the developers. I just upgraded to samba-3.0.23 and I've noticed an alarming issue with respect to my configuration. I've been using the built-in keytab management and it looks like the updated code no longer creates the userPrincipal in Active Directory. Whether this is an issue for others or not, it would be nice to have seen a reference to it in the release notes. Since having the user principal in the keytab and a cron job to renew the ticket are critical for me to use pam_krb5, I'm going to attempt to figure out what code needs to be added back from 3.0.22. In the defense of the authors, examining a Win2k3 server does not show the userPrincipal value being set, although I sort of considered this functionality to be the primary aim in using Samba for the keytab management. File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22. While I'm on my soap box, would it be possible to hear some clarification on the value of some of the principals created in the keytab (MIT Kerberos)? When I look at Active Directory using ADSI Edit, I see 4 servicePrincipal values created as a result of net ads join - host/host, host/fqdn, cifs/host, cifs/fqdn. When I use ktutil to view the keys in the table, I'm confronted with output that doesn't make any sense to me. 
Note that I've substituted generic host/domain/realm info and I've forcibly constrained the encryption types to rc4-hmac and des-cbc-md5 slot KVNO Principal - 12 host/[EMAIL PROTECTED] 22 host/[EMAIL PROTECTED] 32 cifs/[EMAIL PROTECTED] 42 cifs/[EMAIL PROTECTED] 52 [EMAIL PROTECTED] 62 [EMAIL PROTECTED] 72 [EMAIL PROTECTED] 82 [EMAIL PROTECTED] 92 host/[EMAIL PROTECTED] 102 host/[EMAIL PROTECTED] 112 host/[EMAIL PROTECTED] 122 host/[EMAIL PROTECTED] 132 host/[EMAIL PROTECTED] 142 host/[EMAIL PROTECTED] 152 HOST/[EMAIL PROTECTED] 162 HOST/[EMAIL PROTECTED] 172 HOST/[EMAIL PROTECTED] 182 HOST/[EMAIL PROTECTED] 192 HOST/[EMAIL PROTECTED] 202 HOST/[EMAIL PROTECTED] 212 HOST/[EMAIL PROTECTED] 222 HOST/[EMAIL PROTECTED] 232 cifs/[EMAIL PROTECTED] 242 cifs/[EMAIL PROTECTED] 252 cifs/[EMAIL PROTECTED] 262 cifs/[EMAIL PROTECTED] 272 cifs/[EMAIL PROTECTED] 282 cifs/[EMAIL PROTECTED] 292 CIFS/[EMAIL PROTECTED] 302 CIFS/[EMAIL PROTECTED] 312 CIFS/[EMAIL PROTECTED] 322 CIFS/[EMAIL PROTECTED] 332 CIFS/[EMAIL PROTECTED] 342 CIFS/[EMAIL PROTECTED] 352 CIFS/[EMAIL PROTECTED] 362 CIFS/[EMAIL PROTECTED] 372 cifs/[EMAIL PROTECTED] 382 cifs/[EMAIL PROTECTED] 392 CIFS/[EMAIL PROTECTED] 402 CIFS/[EMAIL PROTECTED] 412 host/[EMAIL PROTECTED] 422 host/[EMAIL PROTECTED] 432 HOST/[EMAIL PROTECTED] 442 HOST/[EMAIL PROTECTED] No offense intended, but what is the purpose of adding the variations of case especially with respect to the FQDN? When I look at the tickets that are the result of making connections from one Win2K3 server to another, the principals simply reflect the form of the requests - ie \\FOO yields principal cifs/[EMAIL PROTECTED], \\foo.bar.com yields principal cifs/[EMAIL PROTECTED] What am I missing? Just that windows doesn't guarantee case in names. For example, on my login, the current tickets show up as HOST/[EMAIL PROTECTED] host/[EMAIL PROTECTED] HOST/[EMAIL PROTECTED] HOST/[EMAIL PROTECTED] I rarely see any cifs tickets. 
Notice the uppercase machine name and lower case domain name combo. One ticket has the lowercase host and the rest are uppercase HOST. I'm also seeing Foo (first letter uppercase) generated by a 2003 enterprise server for a samba A/D member. I have a personally patched version of samba to help accommodate this machine. Consider yourself lucky to only have the two variations. When samba manages the keytab, it has to generate enough combinations to cover the majority of known variations for a worldwide installed base of windows machines. Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
No offense intended, but what is the purpose of adding the variations of case especially with respect to the FQDN? Too much guessing IMO. True. Very true. But I'll chime in with we got there after numerous authentication failures at different sites. It always seemed there had to be a different way, because the MS writeup of creating a user account, generating a keytab, and exporting to the target system prior to the join worked with only 1 entry. A UPN. I tried real hard, but was unable to ever generate a keytab UPN on a machine account. I argued it was overkill at the time, but Redhat's enterprise issues went away. It was one of their people did the basic patch with Jeremy heavily editing. When I look at the tickets that are the result of making connections from one Win2K3 server to another, the principals simply reflect the form of the requests - ie \\FOO yields principal cifs/[EMAIL PROTECTED], \\foo.bar.com yields principal cifs/[EMAIL PROTECTED] What am I missing? My experience has been that the principals in the service ticket match the SPN values in AD. I don't see all of this case permutation people are claiming. The patch is a work in progress so any feedback would be appreciated. Jerry, Give me a couple days to get samba current across multiple servers, then I'll remove and re-add one of the old problem servers and diagnose what I get. I may even go so far as to create a brand new server in vm and join it and access it from various unix and windows A/D platforms. Am I right in understanding the rewrite will require the in-addr.arpa to resolve to the same dns domain as the realm? Ticket case variations are what show up when clients access the samba servers using klist or kerbtray. It could be a case of because they exist, they get used. Except for the first letter upcase, all others downcase. I traced that using ethereal, patched samba to generate it in the keytab, and things started working. I remember distinctly. 
Unless Jeremy did something behind the scenes at the same time that I downloaded using svn. As in private/secrets.tdb. Magic there. FWIW - my experience with windows is that it was written with a certain amount of heuristics, in that a learned behavior will continue to be used until it fails at which time the code falls into a different procedure that, if successful, will be used until it fails, etc. This is why users document different behaviors in what appears on the surface the same environment. Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
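The keytab listing in Scott's message and the case-permutation discussion in the two replies above, worked through as an added example. This is editor-supplied Python, not Samba's code and not code from anyone in the thread: it writes and reads the MIT keytab file format (version 0x0502, the format ktutil displays), generates an approximation of the service-principal spellings Samba's keytab code was adding, and then performs the case-sensitive, enctype-sensitive lookup a Kerberos acceptor does against its keytab when a service ticket arrives. The hostname stor.example.com, the realm EXAMPLE.COM and the all-zero key bytes are constructed for the example; the variant list illustrates the idea and is not the exact set Samba 3.0.23 produces.

```python
import struct

# Enctype numbers from the Kerberos registry; the thread is about 3 vs 23.
ENCTYPES = {3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2


def _counted(b):
    """Keytab 'counted octet string': uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a v2 keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type, timestamp (0 here), 8-bit kvno, then the key block
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return (principal, kvno, enctype, key) for every live slot."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:          # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:    # 32-bit kvno present: it overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def spn_variants(fqdn, realm, services=("host", "cifs")):
    """Approximation of the spellings Samba writes so that whatever case a
    Windows client puts in its ticket request, some entry matches."""
    short = fqdn.split(".", 1)[0]
    names = set()
    for host in (short, fqdn):
        for h in (host.lower(), host.upper(), host.capitalize()):
            for svc in services:
                for s in (svc.lower(), svc.upper()):
                    names.add(f"{s}/{h}@{realm}")
    return sorted(names)


def find_key(entries, principal, enctype):
    """What the acceptor does: the ticket's server name must match an entry
    byte-for-byte (Kerberos principal comparison is case-sensitive) and the
    entry's enctype must be the one the KDC used for the ticket."""
    for ent in entries:
        if ent[0] == principal and ent[2] == enctype:
            return ent
    return None


if __name__ == "__main__":
    # Constructed sample: every spelling, keyed only for rc4-hmac (23).
    kt = build_keytab([(p, 2, 23, bytes(16)) for p in spn_variants("stor.example.com", "EXAMPLE.COM")])
    ents = parse_keytab(kt)
    print(len(ents), "entries, e.g.", ents[0][0], ENCTYPES[ents[0][2]])
    print("HOST/STOR rc4:", find_key(ents, "HOST/STOR@EXAMPLE.COM", 23) is not None)
    print("HOST/STOR des:", find_key(ents, "HOST/STOR@EXAMPLE.COM", 3) is not None)
```

Running it shows both failure modes the thread circles around: a request spelled in a case that is not in the keytab misses even though the "same" host is there, and a keytab that carries only rc4-hmac keys cannot serve a des-only client, because find_key returns None for enctype 3 no matter how many spellings are present.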
Re: [Samba] Re: Re: setting up Samba server as a PDC
Eric Evans wrote: I'm STILL having difficulty getting my PC client to connect to the domain. I've got the IP address of the Samba server entered into the list of WINS servers in the network control panel on the client machine. And I've got a machine account set up for the client machine (with a $ sign at the end of the machine name) in /etc/passwd and smbpasswd on the Samba server. I'm still getting network path not found when I try to connect to the domain on the PC. Hi Eric, why not start by posting your smb.conf? OK, here it is: [global] netbios name = pleiades workgroup = PLAB domain logons = yes socket address = 128.253.175.155 I'd take this out. This is a fine tuning option for complicated setups. If you have multiple interfaces and you want to listen on just one, try interfaces = socket options = TCP_NODELAY I'd take this out as well. It's the default. Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Sorry for all the messages, I'm just trying to get a few answers here
Eric Evans wrote: Hello Craig et al, I didn't think it was possible that you would refute everything that I said without checking a single bit of information but you definitely did that. Jeez, what did I say that was objectionable? I believe that everything I said was factual, and I certainly didn't think I was contesting anything that you said. I'm really really not trying to get into an argument here. I'm just trying to find out what's going on. It's obvious that you merely want to debate and that your request for help wasn't really a desire to learn anything or fix anything...just a soapbox. Not at all, that is absolutely not the case. I'm way, way too busy to waste time in needless debates. I'm in a bind here, I'm under a lot of pressure and I'm just trying to clarify some things so I can get things working ASAP. Please let me summarize the points that I'm confused about: 1. Why do I need to use wins support in my smb.conf? I don't see the point of this since it seems to me we are not using WINS. Windows can resolve netbios names by client broadcasts, but only on the local subnet. Since even small networks seem to grow beyond this, most people use WINS to resolve names. Besides, it's faster and generates less network traffic. In addition, as the smb.conf doco states, browsing over multiple subnets will not work without it. Your ipconfig indicates you have a multiple subnet network, so you need WINS for the windows machines to resolve netbios names. To get samba to be the WINS server, use this line: wins support = yes Someone correct me if I'm wrong, then point samba at itself (I've been using windows servers for WINS) wins server = 127.0.0.1 Default for how samba resolves netbios names: name resolve order = lmhosts host wins bcast At your stage, I wouldn't worry about changing it unless your netbios machine names are wildly different than the DNS names. 2. 
If I don't have access to the DHCP server to modify its configuration, how can I accomplish Craig's suggestion of putting the IP address of my Samba server in the WINS server list on the DHCP server, and how can I define the node type? Surely there must be other Samba users who don't have configuration access to their DHCP server. How do they deal with this? Then in each windows client, under network properties, Internet Protocol (TCP/IP), advanced properties, WINS tab (whew) add the IP address of the samba server. You can do this even if you are getting everything else from DHCP and have no control over what DHCP sources. Otherwise, run the WINS server on samba and have the DHCP server provide the WINS addresses during registration. Once the DHCP machine is configured, force a renewal on the client or reboot to load it into the client. Once you get the bugs worked out, your own people ought to do this for you. 3. Why is my windows client trying to send to a WINS server anyway? see above It won't try unless configured to. 4. The [homes] share, at least in Samba 2, always had a special meaning. It was always interpreted by Samba as mapping to the user's home directory. Does Samba 3 no longer give this special meaning to the [homes] share? It shows up as the users name. 5. PDC or BDC was not necessary in Samba 2 to connect to the [homes] directory. Why is it necessary in Samba 3? Are there any other special shares in Samba that one MUST have PDC or BDC access in order to use? Been so long since I ran a standalone samba workstation, I can't answer that. I'm truly sorry if I've caused anyone any aggravation. I'm just trying to figure out what's going on, and I hoping I won't have to tell my boss that we can no longer use Samba after we've been using it without any problems for the past 3 years, and that I have no idea why it's not working! From one crusty old guy to another. I spent a couple months planning for the migration from 2.x to 3.x more than 2 years ago. 
That included a test development system to experiment on before any users were subjected to my learning curve. Won't get much sympathy for self inflicted injuries here. Regards, Doug PS - You could have migrated your server with just about an identical configuration to the 2.2 one and had just about identical characteristics. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Updating to Samba 3
EHines wrote: John H Terpstra wrote: On Friday 07 July 2006 19:27, Craig White wrote: On Fri, 2006-07-07 at 16:54 -0700, Huck wrote: This link may be of some assistance to those updating from Samba 2. http://www.phptr.com/articles/article.asp?p=419048rl=1 Since the official Samba documentation is authoritative and actually covers this subject, pointing to another 3rd party for reference is likely to cause confusion...especially when a confused administrator hasn't consumed the official documentation to begin with. Craig Well, actually, the PHPTR link points to an older copy of the official documentation. Best advice for newbies is to point them at: http://www.samba.org/samba/docs/Samba3-ByExample.pdf The PDF is easier to read for many, but the HTML link is preferred by others. http://www.samba.org/samba/docs/Samba3-ByExample.html Craig, You've been fielding a lot of activity for a while now - you know the ropes. Advanced users should consult the HOWTO, and a newbie would easily get lost in the wild woods there. Despite that, most newbies apparently want to master brain surgery before they ever attempt the basics. Cheers, John T. But, but, if we master the brain surgery right off the bat, doesn't this have the basics subsumed in it, and wouldn't this, then, be a more efficient use of everyone's time? The journey of a thousand steps would be immeasurably shortened if we could only skip all that middle part and go right to the last step :^) Yes, you would volunteer for brain surgery if the physician skipped all that pre-med stuff. Right? Eric Hines Couldn't help myself - Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Sorry for all the messages, I'm just trying to get a few answers here
Craig White wrote: On Fri, 2006-07-07 at 19:10 -0700, Doug VanLeuven wrote: Someone correct me if I'm wrong, then point samba at itself (I've been using windows servers for WINS) wins server = 127.0.0.1 you're wrong - wins support = yes is sufficient Thanks for the correction. PS - You could have migrated your server with just about an identical configuration to the 2.2 one and had just about identical characteristics. One of the dangers of a mail list is getting wildly different answers based upon people's recollection of documentation that has continually evolved/improved and thus in many respects, answers that deter someone from checking the smb.conf man page or the official how-to or even the simplified by example is likely counter-productive. Craig, I'm not sure if you're dumping on me now or not. Even samba 2 required WINS to function across subnets. FWIW, if what was said is true and it worked in samba 2, then either: 1. samba 2 was working on one subnet, and it was migrated to samba3 at the same time the network was expanded. 2. samba 2 was working with enough addresses in lmhosts files to allow basic connectivity from windows clients. Either way, it was probably a stand-alone workstation. I think it's accurate to say samba 3 can be configured to be a stand-alone workstation and that the configuration files would be very similar. Then now. One of the things that became apparent to me as I switched from Samba 2.2.x to Samba 3.0.x was that even though many of the directives seemed to stay the same, their meaning changed enough to force you to rethink the configuration - which I guess is the main point of upgrading/reading the documentation. 
The fact that the documentation covers the situation of upgrading from Samba 2 to Samba 3 seems to reinforce the notion that the documentation is the place to start and if/when things aren't working as expected, then post up but it seems certain that if you follow the documentation, most things are going to work without much fuss. I agree completely. But if one didn't really want any of the newer functionality, one could emulate the older methods easier, perhaps, than assimilating the newer concepts. Ergo the PS. Maybe I should have said if one has an insufficient amount of time and willingness to study the documentation available for samba as a PDC, perhaps one should scale down one's goals to a more realistically achievable workgroup member. You know, given the time constraints and motivational factors :-) When you get someone that lacks a commitment to the configuration that they desire to achieve and then it appears that a combination of 1) not understanding Windows Networking technology, 2) not digesting the documentation, 3) sheer frustration evidenced by massive changes to smb.conf file, that all are working against the administrator and then it would seem the best course of action is to suggest to this administrator that he review the documentation. I'll second that. In this particular instance, the OP wants to stop logging errors about WINS server and when I tell the OP that he should put 'wins support = yes' in his smb.conf and that all goes away, he says I'm not using a WINS server and I don't need a WINS server. That's when I knew it was time to remove myself from help mode and suggest that OP rely upon documentation. If you gave a poll, I'm sure you'd find lots of goodwill from people you've helped in the past. I just thought I'd try from a different (dangerous) perspective ;-). Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Suse 10.1 with samba servers 3.0.22 3.0.23rc3 only seen by Suse 10.1 samba client as cifs
Thomas Garson wrote: Questions: Has there been some kind of hidden parameter relatively recently added to samba 3 that identifies shares as cifs or smbfs? Is the Linux client programmed to react to this? Are these protocols becoming mutually exclusive? If any of this is true, where is the documentation? Why me? smbfs has been replaced in the linux kernel by cifs, so smbfs is no longer being kept up to date. cifs is now a mount option in newer releases. cifs is Common Internet File System. It's based on the SMB protocol. Hasn't been a secret. Didn't make the front page of the NY Times though. http://us1.samba.org/samba/docs/man/manpages-3/mount.cifs.8.html Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Failed to set servicePrincipalNames 3.023rc3
Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Henrik, You were right. ( as usual.. ) I had the wrong FQDN on the samba server. After reconfiguring my network and I got the FQDN back from 'hostname' the join worked as planned. For the record, this is what WinXP does as well. You cannot join a WinXP box to a domain using a non-admin account if the client's FQDN is outside the AD domain. I agree this is a change from previous Samba version, but then previous Samba releases always required domain admin creds to join. Any predictions on how this will affect existing machines that are in a different FQDN? I have some systems in this state. Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba]Permission issue
TSZ wrote: Michael Gasch wrote: and you can solve this with the sticky bit http://docsrv.sco.com:507/en/OSAdminG/ssC.stickydirs.html you could also try to play with map read only (S) parameter. Thank you for your help and link. I know the sticky bit, but I don't know how to implement it for new files created in folder for everyone. I've tried with the sticky bit for this folder and create mask = 4555, but it doesn't work. Jeremy Allison wrote: On Sat, Jul 01, 2006 at 12:20:42AM +0200, TSZ wrote: Hello, I am a beginner with Samba, but today I have made an update of Samba to RC3. I have two users: root and tomek. tomek is in linux groups: smbadmins, smbusers and nothing more. There is a folder for everyone and file made by the root in it: total 4 -rw--- 1 root root 1195 Jul 1 00:11 group.txt User tomek is not able to read the file, but is able to delete it, why? I have no entries in group map. Because in UNIX, permission to delete a file is granted by the permissions on the directory containing it, not on the file itself. From man chmod: STICKY DIRECTORIES When the sticky bit is set on a directory, files in that directory may be unlinked or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable. What this means is the sticky bit has to be set on the parent directory, which in your case is the directory being shared. Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
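The directory-permission rule Jeremy states, modelled as an added Python example (editor-supplied, not code from anyone in the thread). can_unlink() reproduces the check a POSIX kernel makes when a name is removed from a directory, including the sticky-bit restriction; the uids, gids and modes are constructed to match the scenario above (a world-writable shared folder owned by root, a 0600 file created by root, user tomek with no privileged groups). ACLs, capabilities and Samba's own mask handling are outside the model, and the Linux detail that the directory's owner may also remove files from a sticky directory is included on top of what the chmod man page quotes.

```python
import stat

ROOT_UID = 0


def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids):
    """Model of the POSIX unlink check: removing a name is a write to the
    directory, so the file's own mode never enters into it. With S_ISVTX
    (the sticky bit) on the directory the caller must additionally own the
    file or the directory, unless it is root.

    dir_mode  -- directory permission bits, e.g. 0o777 or 0o1777
    dir_uid, dir_gid -- owner and group of the directory
    file_uid  -- owner of the file being deleted (its mode is irrelevant)
    uid, gids -- the calling user and the set of groups it belongs to
    """
    if uid == ROOT_UID:
        return True
    # pick the owner / group / other triplet that applies to the caller
    if uid == dir_uid:
        perm = (dir_mode >> 6) & 0o7
    elif dir_gid in gids:
        perm = (dir_mode >> 3) & 0o7
    else:
        perm = dir_mode & 0o7
    # unlink needs write (2) and search (1) permission on the directory
    if perm & 0o3 != 0o3:
        return False
    if dir_mode & stat.S_ISVTX:
        return uid == file_uid or uid == dir_uid
    return True


def thread_scenario(dir_mode):
    """The posted case: folder root:root with the given mode, a root-owned
    0600 file, user tomek (constructed uid 1000, gids 100) deleting it."""
    return can_unlink(dir_mode, 0, 0, 0, 1000, {100})


if __name__ == "__main__":
    print("world-writable folder, no sticky bit:", thread_scenario(0o777))   # True
    print("world-writable folder with sticky bit:", thread_scenario(0o1777))  # False
```

This is also why create mask = 4555 did nothing for the delete problem: create mask shapes the mode of files Samba creates, while the bit that matters has to be on the shared directory itself (chmod 1777 on the directory, as the quoted man page describes for /tmp).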
Re: [Samba] samba-3.0.22 with Heimdal Kerberos - compilation problem
Logan Shaw wrote: On Sat, 24 Jun 2006, Doug VanLeuven wrote: Nir Barkan wrote: I'm trying to compile samba-3.0.22 with Heimdal Kerberos on Solaris 8 When I configure compile from non -standard libs, I explicitly set the paths required. Some people like to put it on the command line, but I created a shell script to invoke configure with my required options and compiler flags. These are commented on at the end of output from ./configure --help #!/bin/sh export LIBS="-L/usr/local/ldap/lib -L/usr/local/lib" export CFLAGS="-O2 -L/usr/local/ldap/include -I/usr/local/include" ^^ -I/usr/local/ldap/include export CPPFLAGS="-I/usr/local/ldap/include" ./configure \ (flag1=opt) \ (flag2=opt) On Solaris, you may want to do a -R for every -L you do (if using shared libraries); this will embed the path into the executable so that you don't have to LD_LIBRARY_PATH nonsense. To the original person with the problem: if you could post your compiler command line (the gcc or cc that actually generates that error message), that might help, since it would be nice to see what -I arguments and so on that the Makefile is passing it. Also, by the way, export FOO=bar isn't legal Bourne shell syntax. It works in ksh and bash, but in sh you need FOO=bar ; export FOO or similar. Of course, on a Linux system /bin/sh often is something other than straight Bourne shell, but if you're relying on non-Bourne shell features, you should put #!/bin/bash or something. Not that it matters a whole heck of a lot in a script that is designed to wrap configure, though... OK OK, I stand corrected. It's just that it's been years since I worked on a system that doesn't link sh to ksh or bash. I forgot the original vi would bring one out of insert mode if one tried to move past the ends of the line too. Thanks for the tip about the -R (-rpath) in LIBS. I've just been plugging away with the LD_LIBRARY_PATH or OS equivalent. Just never occurred to me. I'll try that someday. 
If one overrides for configure, in samba compiles, the Makefile gets setup correctly to just run make later. So it does matter. At least I can correct the typo in the CFLAGS. No matter how many times I look at cut paste, I usually miss something before posting. Regards, Doug -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba-3.0.22 with Heimdal Kerberos - compilation problem
Nir Barkan wrote:

Hi All, I'm trying to compile samba-3.0.22 with Heimdal Kerberos on Solaris 8. configure works fine but make fails. I am running configure with the option --with-krb5=/opt/local which is where I have heimdal installed. The problem is that after running make, it still tries to use the include files from SUN that are in /usr/ and this screws up the compile.

/opt/local/include/gssapi.h:623: conflicting types for `gss_inquire_context'
/usr/include/gssapi/gssapi.h:551: previous declaration of `gss_inquire_context'
snip
declaration of `gss_unseal'
make: *** [dynconfig.o] Error 1

Any Ideas how to solve this?

When I configure compile from non-standard libs, I explicitly set the paths required. Some people like to put it on the command line, but I created a shell script to invoke configure with my required options and compiler flags. These are commented on at the end of output from ./configure --help

#!/bin/sh
export LIBS=-L/usr/local/ldap/lib -L/usr/local/lib
export CFLAGS=-O2 -L/usr/local/ldap/include -I/usr/local/include
export CPPFLAGS=-I/usr/local/ldap/include
./configure \
(flag1=opt) \
(flag2=opt)

Regards,
Doug
Re: [Samba] Export Samba mount using nfs
Luis Rodrigues wrote:

Hello, I have a Lacie NAS disk attached to a Gigabit network. Since it only exports samba I mounted on one of my gigabit Linux boxes with

smbmount //lacie/terabyte /TERABYTE -o defaults,username=genuser,password=genuser

Hi Luis,

Although I don't use it, I've seen numerous posts about smbfs filesystems not being supported anymore, and there are no more code fixes for it. Have you tried the replacement filesystem cifs? My understanding is cifs accomplishes the same goals and is supported in the kernel. See the command mount.cifs in the doco.

Regards,
Doug
Re: [Samba] Windows XP and Samba 3.0.22 -- don't mix?
Ryan Steele wrote:

All, I desperately need a resolution to this issue. I've asked once (about a day or two ago), but I haven't heard anything back. The only reason I press the issue is because without a quick resolution, I may be forced to switch over to AD (cry!). I submitted a request via Bugzilla but I saw a slightly similar problem with 3.0.20a that still hasn't been resolved, so I thought this might be a quicker route? Here's a synopsis:

(snip) shows that there is still a connection open to this folder and smbstatus confirms. After a few minutes, the user for that pid changes to root, and the process just sits in there forever, sucking up 0.9% of memory. This happens with EVERY share Windows opens, and when it gets in this state, I can't open any new shares. I've tried using the deadtime option to kill these...no dice, they still hang around. In fact, the only thing that gets rid of them is a 'killall -9 smbd'. So, basically I'm stuck with restarting Samba every time too many files/folders get opened on the server...in a production environment! Is this a bug in 3.0.22? Is there some option that is needed to kill Windows connections to Samba servers? This is most troublesome!

I run XP SP2 clients connecting to FC4. I do my own compilations of samba from svn. Currently Version 3.0.23pre2-SVN-build-15985. I use this line in smb.conf:

socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536

Maybe the lack of the keepalive is working against you. Nothing else stands out to me.

Regards,
Doug
Re: [Samba] Removing Samba+LDAP, replacing W2k3+AD
Collins, Kevin wrote:

Four years ago, I migrated our network from Windows NT based servers to Linux, Samba+LDAP based setups. This setup has worked fine. Last year, we replaced our Exchange 5.5 server - the last real Windows server - with Scalix. This last decision has come back to bite me.

You may find it is more cost justified to replace Scalix with some other opensource exchange. I can't find my reference links right now, but there have lately been breakthroughs in compatibility from multiple organizations.

Regards,
Doug
Re: Fwd: [Samba] Re: Getting NTLM group info about user
Volker Lendecke wrote:

On Tue, Jun 06, 2006 at 12:02:42PM -0400, Jeremiah Martell wrote:

wbinfo -t
checking the trust secret via RPC calls succeeded
wbinfo -r test
Could not get groups for user test
wbinfo -a test%test
challenge/response password authentication succeeded
wbinfo -r test
Could not get groups for user test

Yes, that looks correct. The idea is that this does work. But please also try 3.0.23rc1 if you can.

Hi Volker,

I don't have 3.0.23rc1, but svn from just a few days ago.

[EMAIL PROTECTED] ~]# smbd -V
Version 3.0.23pre2-SVN-build-15985
[EMAIL PROTECTED] ~]# wbinfo -a doug%
plaintext password authentication succeeded
challenge/response password authentication succeeded
[EMAIL PROTECTED] ~]# wbinfo -r doug
Could not get groups for user doug

I also tried

wbinfo -K administrator%xx -r doug
plaintext kerberos password authentication for [administrator%xx] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
plaintext kerberos password authentication for [administrator%xx] succeeded (requesting cctype: KCM)
no credentials cached
plaintext kerberos password authentication for [administrator%xx] succeeded (requesting cctype: KCM:0)
no credentials cached
plaintext kerberos password authentication for [administrator%xx] succeeded (requesting cctype: Garbage)
no credentials cached
plaintext kerberos password authentication for [administrator%xx] succeeded (requesting cctype: (null))
no credentials cached
plaintext kerberos password authentication for [administrator%xx] succeeded (requesting cctype: 0)
no credentials cached
Could not get groups for user doug

Regards,
Doug
Re: [Samba] Can one set limits on new core dump?
Gerald (Jerry) Carter wrote:

James, This was your change right ?

Doug, I'm more interested in why winbindd is seg faulting in the SAMBA_3_0 tree. Can you give me more details?

Jerry,

I was wrong before. Please read. Sometime in the last 8 months, idmap_ad doesn't build by default anymore. My memory being what it is, I wouldn't swear it ever did, but I thought it used to.

samba Version 3.0.23pre2-SVN-build-15864
FC4 - Linux 2.6.16-1.2096_FC4smp
gcc-4.0.2-8.fc4

Configure.log
configure:48191: checking how to build idmap_ldap
configure:48219: result: static
configure:48228: checking how to build idmap_tdb
configure:48256: result: static
configure:48265: checking how to build idmap_rid
configure:48297: result: not
configure:48302: checking how to build idmap_ad
configure:48330: result: not

if I define it static, with --with-static-modules=idmap_ad I get a build error:

sam/idmap.o(.text+0x2d7): In function `idmap_init':
idmap.c: undefined reference to `idmap_ad_init'
collect2: ld returned 1 exit status
make: *** [bin/net] Error 1
make: *** Waiting for unfinished jobs
pam_smbpass/support.c: In function '_smb_verify_password':
pam_smbpass/support.c:401: warning: pointer targets in passing argument 2 of 'sid_to_uid' differ in signedness
Linking bin/testparm
sam/idmap.o(.text+0x2d7): In function `idmap_init':
idmap.c: undefined reference to `idmap_ad_init'
collect2: ld returned 1 exit status
make: *** [bin/winbindd] Error 1

if I define it shared, with --with-shared-modules=idmap_ad I get a clean build, but then I start core dumping again.
May 31 01:19:14 gate winbindd[5355]: [2006/05/31 01:19:14, 0] lib/fault.c:fault_report(41)
May 31 01:19:14 gate winbindd[5355]: ===
May 31 01:19:14 gate winbindd[5355]: [2006/05/31 01:19:14, 0] lib/fault.c:fault_report(42)
May 31 01:19:14 gate winbindd[5355]: INTERNAL ERROR: Signal 6 in pid 5355 (3.0.23pre2-SVN-build-15864)
May 31 01:19:14 gate winbindd[5355]: Please read the Trouble-Shooting section of the Samba3-HOWTO
May 31 01:19:14 gate winbindd[5355]: [2006/05/31 01:19:14, 0] lib/fault.c:fault_report(44)
May 31 01:19:14 gate winbindd[5355]:
May 31 01:19:14 gate winbindd[5355]: From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
May 31 01:19:14 gate winbindd[5355]: [2006/05/31 01:19:14, 0] lib/fault.c:fault_report(45)
May 31 01:19:14 gate winbindd[5355]: ===
May 31 01:19:14 gate winbindd[5355]: [2006/05/31 01:19:14, 0] lib/util.c:smb_panic(1592)
May 31 01:19:14 gate winbindd[5355]: PANIC (pid 5355): internal error
May 31 01:19:14 gate winbindd[5355]: [2006/05/31 01:19:14, 0] lib/util.c:log_stack_trace(1699)
May 31 01:19:14 gate winbindd[5355]: BACKTRACE: 27 stack frames:
May 31 01:19:14 gate winbindd[5355]:#0 /usr/local/samba3/sbin/winbindd(log_stack_trace+0x26) [0xdd5496]
May 31 01:19:14 gate winbindd[5355]:#1 /usr/local/samba3/sbin/winbindd(smb_panic+0x5e) [0xdd535e]
May 31 01:19:14 gate winbindd[5355]:#2 /usr/local/samba3/sbin/winbindd [0xdc3cac]
May 31 01:19:14 gate winbindd[5355]:#3 /usr/local/samba3/sbin/winbindd [0xdc3cba]
May 31 01:19:14 gate winbindd[5355]:#4 [0x2cf420]
May 31 01:19:14 gate winbindd[5355]:#5 /lib/libc.so.6(abort+0xf8) [0x3b2678]
May 31 01:19:14 gate winbindd[5355]:#6 /usr/local/samba3/sbin/winbindd [0xdda5cf]
May 31 01:19:14 gate winbindd[5355]:#7 /usr/local/samba3/sbin/winbindd(talloc_free+0x2a) [0xddacc0]
May 31 01:19:14 gate winbindd[5355]:#8 /usr/local/samba3/sbin/winbindd(ads_check_posix_schema_mapping+0x711) [0xea8726]
May 31 01:19:14 gate winbindd[5355]:#9 /usr/local/samba3/sbin/winbindd [0xd7fb76]
May 31 01:19:14 gate winbindd[5355]:#10 /usr/local/samba3/sbin/winbindd [0xd823ae]
May 31 01:19:14 gate winbindd[5355]:#11 /usr/local/samba3/sbin/winbindd [0xd6d43f]
May 31 01:19:14 gate winbindd[5355]:#12 /usr/local/samba3/sbin/winbindd [0xd6d8e6]
May 31 01:19:14 gate winbindd[5355]:#13 /usr/local/samba3/sbin/winbindd [0xd704ba]
May 31 01:19:14 gate winbindd[5355]:#14 /usr/local/samba3/sbin/winbindd(winbindd_dual_list_trusted_domains+0x98) [0xd78336]
May 31 01:19:14 gate winbindd[5355]:#15 /usr/local/samba3/sbin/winbindd [0xd841c9]
May 31 01:19:14 gate winbindd[5355]:#16 /usr/local/samba3/sbin/winbindd [0xd854c4]
May 31 01:19:14 gate winbindd[5355]:#17 /usr/local/samba3/sbin/winbindd [0xd83e2c]
May 31 01:19:14 gate winbindd[5355]:#18 /usr/local/samba3/sbin/winbindd(async_request+0x14e) [0xd83a96]
May 31 01:19:14 gate winbindd[5355]:#19 /usr/local/samba3/sbin/winbindd(init_child_connection+0x219) [0xd6a439]
May 31 01:19:14 gate winbindd[5355]:#20 /usr/local/samba3/sbin/winbindd(async_domain_request+0xf3) [0xd83f76]
May 31 01:19:14 gate winbindd[5355]:#21 /usr/local/samba3/sbin/winbindd [0xd69ec3]
May 31 01:19:14 gate
Re: [Samba] Can one set limits on new core dump?
Gautier, B (Bob) wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug VanLeuven
Sent: 31 May 2006 09:56

/usr/local/samba3/sbin/winbindd [0xdda5cf]
May 31 01:19:14 gate winbindd[5355]:#7 /usr/local/samba3/sbin/winbindd(talloc_free+0x2a) [0xddacc0]
May 31 01:19:14 gate winbindd[5355]:#8 /usr/local/samba3/sbin/winbindd(ads_check_posix_schema_mapping+0x711) [0xea8726]
May 31 01:19:14 gate winbindd[5355]:#9

This looks very much like a buglet in the new rfc2307 code that I mailed gd about the other day. The SysAdmins here have blocked my access to bugzilla at the moment so I can't file patches the right way. :-(

Jerry asked me to comment in the bug report. I could forward the patch. Can you give me the bug report number? I found 3751, but don't know if it's appropriate there.

Regards,
Doug
Re: [Samba] Can one set limits on new core dump?
Guenther Deschner wrote:

I just fixed this today in subversion (http://websvn.samba.org/cgi-bin/viewcvs.cgi?rev=15980&view=rev). Let me know if you still see problems with that.

Hi,

Updated to svn 15985, running 1/2 hour now, no more core dumps. Thanks Guenther!

Regards,
Doug
[Samba] Need help on winbind nss info = template sfu
According to the doco, winbind nss info = template sfu requires idmap backend = idmap_ad which has been deprecated to idmap backend = ad but,

[2006/05/30 13:43:23, 1] nsswitch/winbindd.c:main(953)
winbindd version 3.0.23pre2-SVN-build-15864 started.
Copyright The Samba Team 2000-2004
[2006/05/30 13:43:23, 0] sam/idmap.c:idmap_init(152)
idmap_init: could not load remote backend 'ad'

I can't find any ad.so module in source. What am I doing wrong? Is the doco out of sync?

wbinfo -g returns the sfu mapped groups.
wbinfo -r user fails.

FC4 2.6.16-1.2096_FC4smp
samba Version 3.0.23pre2-SVN-build-15864

Used to work. Don't know when it quit working because if the users own the directory, they can read and write files. The only issue is for group write permissions where others don't have write permission where the user is not the owner. Haven't been collaborating much lately.

Regards,
Doug
Re: [Samba] no route to host
Alessio Bandini wrote:

Hello, First of all sorry for my English. I am experimenting with Samba and I have a problem. I have an old server (OLD) with Red Hat 9 and Samba 2.2.7a that is working well. Now I try to start up a new server (NEW) with Red Hat Enterprise 4 and Samba 3.0.22. If I try to connect from NEW to itself by using smbclient I get the shared resources list correctly. If I try to connect to NEW from OLD, always using smbclient, I receive the message:

added interface ip=XXX.XXX.XXX.XXX bcast=XXX.XXX.X.255 nmask=255.255.255.0
error connecting to YYY.YYY.YYY.YYY:139 (No route to host)

If you have a firewall on the new server that rejects access to port 139, one would expect this behavior. There should be a firewall setup program. Make sure to allow access to smb ports 137-138 and 445. I've not used RH Enterprise 4, but on Fedora, an offshoot, the rpm is system-config-securitylevel and so is the command name to run the program.

Error connecting to YYY.YYY.YYY.YYY (No route to host)
Connection to YYY.YYY.YYY.YYY failed

Supposing that XXX.XXX.XXX.XXX is the OLD server address and YYY.YYY.YYY.YYY is the NEW server address. I tried to find in documentation and in other resources but I found nothing. Could you help me? Thank you.

Regards,
Doug
Re: [Samba] Can one set limits on new core dump?
James Peach wrote:

On Mon, 15 May 2006 09:40 pm, Doug VanLeuven wrote:

James Peach wrote:

On Sat, 13 May 2006 12:16 am, Gerald (Jerry) Carter wrote:

James, This was your change right ?

Yup. It's deliberately not configurable so that we can always get *something* that might help with fault diagnosis.

Is there a chance for some kind of compromise?

Of course.

winbindd cranked out hundreds of core dumps in less time than it took to get a cup of coffee.

Do you have some core-naming facility that renames the core files something other than core? I'm trying to understand why you ended up with more than one core file

I'm running FC4, I didn't invoke any core naming facility, but sometimes Fedora adds functionality I'm not aware of. The samba core dumps for winbindd ended up core.pid

Partial list

[EMAIL PROTECTED] var]# l cores/winbindd
total 18076
-rw--- 1 root root 1069056 May 12 03:22 core.19692
-rw--- 1 root root 1028096 May 12 03:22 core.19693
-rw--- 1 root root 1044480 May 12 03:22 core.19696
-rw--- 1 root root 1028096 May 12 03:22 core.19697
-rw--- 1 root root 1044480 May 12 03:23 core.19703
-rw--- 1 root root 1028096 May 12 03:23 core.19704
-rw--- 1 root root 1044480 May 12 03:23 core.19710
-rw--- 1 root root 1028096 May 12 03:23 core.19711
-rw--- 1 root root 1175552 May 12 03:24 core.19714
-rw--- 1 root root 1163264 May 12 03:24 core.19715
-rw--- 1 root root 1122304 May 12 02:03 core.6081
-rw--- 1 root root 1081344 May 12 02:03 core.6082
-rw--- 1 root root 1097728 May 12 02:04 core.6090
-rw--- 1 root root 1081344 May 12 02:04 core.6091
-rw--- 1 root root 1097728 May 12 02:04 core.6101
-rw--- 1 root root 1081344 May 12 02:04 core.6102
-rw--- 1 root root 1224704 May 12 02:04 core.6111

log.winbindd-idmap:
[2006/05/12 03:22:12, 0] lib/fault.c:fault_report(42)
INTERNAL ERROR: Signal 11 in pid 19692 (3.0.23pre2-SVN-build-15162)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/05/12 03:22:12, 0] lib/fault.c:fault_report(44)

From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/05/12 03:22:12, 0] lib/fault.c:fault_report(45)
===
[2006/05/12 03:22:12, 0] lib/util.c:smb_panic(1592)
PANIC (pid 19692): internal error
[2006/05/12 03:22:12, 0] lib/util.c:log_stack_trace(1699)
BACKTRACE: 24 stack frames:
#0 /usr/local/samba3/sbin/winbindd(log_stack_trace+0x26) [0x837b1a]
#1 /usr/local/samba3/sbin/winbindd(smb_panic+0x5e) [0x8379e2]
#2 /usr/local/samba3/sbin/winbindd [0x826420]
#3 /usr/local/samba3/sbin/winbindd [0x82642e]
#4 [0x110420]
#5 /usr/local/samba3/sbin/winbindd(sid_binstring+0x1d) [0x8325a5]
#6 /usr/local/samba3/lib/idmap/ad.so [0xb684f3]
#7 /usr/local/samba3/sbin/winbindd(idmap_set_mapping+0x26c) [0x9044c9]
#8 /usr/local/samba3/sbin/winbindd(winbindd_dual_idmapset+0xb0) [0x7e86c2]
#9 /usr/local/samba3/sbin/winbindd [0x7e7155]
#10 /usr/local/samba3/sbin/winbindd [0x7e8135]
#11 /usr/local/samba3/sbin/winbindd [0x7e6db8]
#12 /usr/local/samba3/sbin/winbindd(async_request+0x14e) [0x7e6a22]
#13 /usr/local/samba3/sbin/winbindd [0x7e8373]
#14 /usr/local/samba3/sbin/winbindd(idmap_sid2gid_async+0xd1) [0x7e8f0b]
#15 /usr/local/samba3/sbin/winbindd [0x7eb780]
#16 /usr/local/samba3/sbin/winbindd [0x7e96b4]
#17 /usr/local/samba3/sbin/winbindd [0x7e8277]
#18 /usr/local/samba3/sbin/winbindd [0x7e6d73]
#19 /usr/local/samba3/sbin/winbindd [0x7c6988]
#20 /usr/local/samba3/sbin/winbindd [0x7c7560]
#21 /usr/local/samba3/sbin/winbindd(main+0x641) [0x7c7eac]
#22 /lib/libc.so.6(__libc_start_main+0xdf) [0x1c1d7f]
#23 /usr/local/samba3/sbin/winbindd [0x7c6125]
[2006/05/12 03:22:12, 0] lib/fault.c:dump_core(164)
dumping core in /usr/local/samba3/var/cores/winbindd
[2006/05/12 03:22:13, 0] lib/fault.c:fault_report(41)

My vmware machines all died for lack of temporary file space. Ultimately, it required a reboot to get back to normal because a lot of daemons require var space. If it's repeatable, the common process is to re-enable core dumps and run a monitored test.

Unfortunately not all problems are easily repeatable, and not all

I was going to say "If a problem doesn't repeat, was it really a problem?" but I noticed you said easily. Look, I just bought a 1984 Corvette. Bright red. I love that car. Needs some TLC, but I'm going to love fixing it. I'm having a real hard time being serious here.

sites have people with the time and expertise to be able to do this sort of testing.

Barring a compromise, I'll have to investigate and probably recommend hard limits be inherited in the startup files. Otherwise, run the risk of having samba take down the entire machine for the benefit of the developers on a Murphey. The way I've done it for 30 years is limit core dumps for normal day to day, re-enable it during problem determination.

I could certainly add
Re: [Samba] Can one set limits on new core dump?
James Peach wrote:

On Sat, 13 May 2006 12:16 am, Gerald (Jerry) Carter wrote:

James, This was your change right ?

Yup. It's deliberately not configurable so that we can always get *something* that might help with fault diagnosis.

Is there a chance for some kind of compromise? winbindd cranked out hundreds of core dumps in less time than it took to get a cup of coffee. My vmware machines all died for lack of temporary file space. Ultimately, it required a reboot to get back to normal because a lot of daemons require var space. If it's repeatable, the common process is to re-enable core dumps and run a monitored test. Barring a compromise, I'll have to investigate and probably recommend hard limits be inherited in the startup files. Otherwise, run the risk of having samba take down the entire machine for the benefit of the developers on a Murphey. The way I've done it for 30 years is limit core dumps for normal day to day, re-enable it during problem determination. I long for the days long, long ago and far, far away where there was a presumption of intelligence. Maybe it's better this way and I need to just fade away. I don't know.

Doug, I'm more interested in why winbindd is seg faulting in the SAMBA_3_0 tree. Can you give me more details?

Agreed. Please let's get a backtrace at least:

gdb `which winbindd` /path/to/core/file
(gdb) where
(quit)

It was an old xos idmap_ad ad.so in samba/lib which I deleted. Still, why did samba load it instead of the internal ad module? Still interested? If so, I have to find a copy on an old DVD backup disc.

Doug VanLeuven wrote:

Sorry Jeff, been there, done that, if you'd read the whole post.

Jeff Saxton wrote:

man ulimit hint: ulimit -c

This probably won't work because in fault.c we explicitly set the core size to 16MiM (IIRC).

Doug VanLeuven wrote:

Hi all, Is there any way to limit the new core dumping panics? Can't find anything on it. (If I'd only looked in that ...) Was my mistake, but winbindd filled up an entire volume and froze out every process writing to that drive.

You should only get 1 core file per daemon unless you have some system-specific core file naming facility enabled. If winbind is dumping core often it should always be in LOGBASE/cores/winbindd/core.

I started it from a shell and my soft limit is already zero. (ulimit -S -c 0)
^^
FC4 2.6.16-1.2069 smp, gcc 4.0.2-8
samba 3.0.23pre2-SVN-build-15162

Regards,
Doug
[Samba] Can one set limits on new core dump?
Hi all,

Is there any way to limit the new core dumping panics? Can't find anything on it. (If I'd only looked in that ...) Was my mistake, but winbindd filled up an entire volume and froze out every process writing to that drive. I started it from a shell and my soft limit is already zero. (ulimit -S -c 0)

FC4 2.6.16-1.2069 smp, gcc 4.0.2-8
samba 3.0.23pre2-SVN-build-15162

Regards,
Doug
Re: [Samba] Can one set limits on new core dump?
Sorry Jeff, been there, done that, if you'd read the whole post.

Jeff Saxton wrote:

man ulimit hint: ulimit -c

Doug VanLeuven wrote:

Hi all, Is there any way to limit the new core dumping panics? Can't find anything on it. (If I'd only looked in that ...) Was my mistake, but winbindd filled up an entire volume and froze out every process writing to that drive. I started it from a shell and my soft limit is already zero. (ulimit -S -c 0)
^^
FC4 2.6.16-1.2069 smp, gcc 4.0.2-8
samba 3.0.23pre2-SVN-build-15162

Regards,
Doug
Re: [Samba] Re: newbie question reguarding kerberos tickets
Simo, I'm Doug 2. Do you know how to initiate speedy renewal of the tickets for the instance of a hibernated client that sleeps thru and well past the lifetime of the ticket? I agree that the ticket renewal happens automagically. But for a while after waking up, the client can't access the shares and it's enough of an issue with users to force turning off hibernation and run them 24 hrs a day. Sorry for being off-topic to the original post. Trigger word was ticket lifetime.

Doug2

simo wrote:

Doug, you don't need any login to make samba work in an AD environment. At the join samba creates a machine account in a domain, and stores the machine password in the secrets.tdb file. When samba needs to do some operation with the domain it just needs to use that account to request tickets from the KDC. It is just like any other windows host out there. Simo.

On Fri, 2006-05-12 at 08:23 -0500, Doug Tucker wrote:

I'm not sure I follow. By client, you mean my samba server that is joined to AD? I've been running without a ticket at all for 2 weeks now, and have yet to see a single problem. What type of bad behaviour should I be looking for? We're using win2k3 AD, samba 3.0.22, and all winXP desktop clients. Sorry if I'm being a pain, I'm just a bit confused here, as I can't find any documentation on this subject. All I see is in the installation instructions that you have to do the kinit [EMAIL PROTECTED] and log in which gives you a ticket. My issue is my windows guys aren't very bright and didn't even know that their AD ran anything called kerberos, and don't know how to change the ticket lifetime. That concerned me because I don't want to have to set up a cron to auto login every 24 hours, so I put it on the backburner, the ticket expired, I come back and everything is still working fine. Which got me thinking about its validity, which started me down this path I have digressed to, just deleting the ticket, rebooting the machine to remove anything from memory, resume testing, and the whole thing still works like a charm. And so far, all I'm getting here from this user group is everyone seems to feel like this ticket is necessary, yet no one is taking a shot at why I'm working just fine. I'm just concerned about going production if this is really necessary, but so far from what I've seen, the ticket is not needed at all. Anyone else try running in this type of environment without one?

On Thu, 2006-05-11 at 21:17 -0700, Doug VanLeuven wrote:

When using domain logons, after resuming from a hibernate that exceeded the lifetime of the Kerberos ticket, the client doesn't immediately renew the ticket. It will auto renew, but I've not determined the amount of time it takes. Is there a way to force the client to renew the ticket? Short of rebooting, that is. Things don't work very well until it's renewed. Trying to go green. Samba client and/or XP/2000 client?

Regards,
Doug

simo wrote:

Samba stores the machine password and obtains tickets from the KDC when needed. Simo.

On Thu, 2006-05-11 at 16:53 -0500, Doug Tucker wrote:

Thanks. But again, is the ticket even needed? I deleted the darn thing, rebooted to make sure it wasn't cached in memory somewhere, and everything seems to be working perfectly. If it is indeed needed, and I need to extend the period, are there any directions on how to do that on the windows side?

On Thu, 2006-05-11 at 23:07 +0200, Blaž Primc wrote:

Hi, the period for which the ticket is valid can be set in Windows Server. Best regards, Blaž.

Doug Tucker wrote:

I recently joined a samba 3.0.22 server to AD. When I did the kinit, the AD gave me a 24 hour ticket with a 1 week renewal. Setting -r and -l to 365d did not change anything, the ticket still came back the same. However, my question is in regard to whether this is really even needed? First, I deleted the ticket, and everything seemed to continue to work perfectly. Now, I let the ticket expire for a couple of weeks now, and yet, the samba server is working fine and users still authenticate against AD just fine. Am I missing something, or is the creation of that ticket not even needed? Thank you for your assistance.

doug...
Re: [Samba] Can one set limits on new core dump?
Jerry,

Mostly my fault. I switched over from idmap_ad from xos to the relatively new option idmap backend = ad several months ago around svn 12802 or maybe even earlier. Didn't delete the old ad.so in lib/idmap so I could go back if I wanted. Then forgot about it. I've been running svn 12802 without any issue, but last night I went to svn 15162 and filled up the volume with core dumps while I was getting some coffee. Everything is OK now that I deleted it. Of course, you might be curious why it loaded? I still have some cores and panic output.

And of course I'm curious why you're overriding my ulimit, and what I might do to override your override during normal operations.

Regards,
Doug

Gerald (Jerry) Carter wrote:

Doug, I'm more interested in why winbindd is seg faulting in the SAMBA_3_0 tree. Can you give me more details?

Doug VanLeuven wrote:

Sorry Jeff, been there, done that, if you'd read the whole post.

Jeff Saxton wrote:

man ulimit hint: ulimit -c

Doug VanLeuven wrote:

Hi all, Is there any way to limit the new core dumping panics? Can't find anything on it. (If I'd only looked in that ...) Was my mistake, but winbindd filled up an entire volume and froze out every process writing to that drive. I started it from a shell and my soft limit is already zero. (ulimit -S -c 0)
^^
FC4 2.6.16-1.2069 smp, gcc 4.0.2-8
samba 3.0.23pre2-SVN-build-15162

Regards,
Doug

-- 
Samba    --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Re: newbie question reguarding kerberos tickets
When using domain logons, after resuming from a hibernate that exceeded the lifetime of the Kerberos ticket, the client doesn't immediately renew the ticket. It will auto renew, but I've not determined the amount of time it takes. Is there a way to force the client to renew the ticket? Short of rebooting, that is. Things don't work very well until it's renewed. Trying to go green. Samba client and/or XP/2000 client?

Regards,
Doug

simo wrote:

Samba stores the machine password and obtains tickets from the KDC when needed. Simo.

On Thu, 2006-05-11 at 16:53 -0500, Doug Tucker wrote:

Thanks. But again, is the ticket even needed? I deleted the darn thing, rebooted to make sure it wasn't cached in memory somewhere, and everything seems to be working perfectly. If it is indeed needed, and I need to extend the period, are there any directions on how to do that on the windows side?

On Thu, 2006-05-11 at 23:07 +0200, Blaž Primc wrote:

Hi, the period for which the ticket is valid can be set in Windows Server. Best regards, Blaž.

Doug Tucker wrote:

I recently joined a samba 3.0.22 server to AD. When I did the kinit, the AD gave me a 24 hour ticket with a 1 week renewal. Setting -r and -l to 365d did not change anything, the ticket still came back the same. However, my question is in regard to whether this is really even needed? First, I deleted the ticket, and everything seemed to continue to work perfectly. Now, I let the ticket expire for a couple of weeks now, and yet, the samba server is working fine and users still authenticate against AD just fine. Am I missing something, or is the creation of that ticket not even needed? Thank you for your assistance.

doug...
Re: [Samba] ACL Support in Samba 3.0.20b
[EMAIL PROTECTED] wrote:

My agency is migrating from Solaris PCnetlink to Samba 3.0.20b for file and print sharing. Samba is installed on Solaris 9 (which I just recently inherited). Is there any way to tell if Samba was compiled with ACL support? I am having some trouble matching permissions from windows to Unix.

Hi,

smbd -b will print the build environment. I was curious myself, so I compiled an otherwise identical non-acl version and diffed the smbd -b outputs.

3c3
< Built on:    Mon Jan 9 23:00:58 PST 2006
---
> Built on:    Sat Apr 15 11:04:25 PDT 2006
258a259
> HAVE_NO_ACLS
264d264
< HAVE_POSIX_ACLS

Good luck,
Doug
Re: [Samba] Where can I find explanation for smbstatus locking table values?
Zoran Ljubisic wrote:
> Hi all,
> In table:
> Locked files:
> Pid DenyMode Access R/W Oplock Name
> --
> 28938 DENY_NONE 0x2019f RDWR EXCLUSIVE+BATCH /posao/backup/evident/2006//PODUZECA/PODATCI/P013/Kalkulac/Zaglav.dbf Fri Mar 24 14:09:37 2006
> Where can I find what the different values of Access (0x2019f), R/W (RDWR) or Oplock (EXCLUSIVE+BATCH) mean?
> Zoran

Hi Zoran,

It's a Microsoft thing. Here's a link to a general overview of CIFS that explains oplocks, exclusive oplocks, batch oplocks, and other related stuff.
http://www.microsoft.com/mind/1196/cifs.asp

Regards, Doug
Re: [Samba] 3.0.21c and big wmv or mpg files
Tom Peters wrote:
> At 10:40 PM 3/29/2006 +0200, you wrote:
> > Hi @all, are there any problems known with 3.0.21c and bigger video files (mpg and wmv greater than 700 MB)? Received the information that these files cannot be copied from XP to Samba (W2K is okay). Error message is the well known:
> > [2006/03/28 18:03:36, 0] lib/util_sock.c:get_peer_addr(1225)
> > getpeername failed. Error was Transport endpoint is not connected
>
> I chased this elusive problem for a year. I'm still running 3.09-2.3 but I see it on other versions. Tell me, do you get this problem when you drag/n/drop a file into a folder on the samba share? And can you prevent this problem from occurring by the following procedure? Click in the target window on the samba machine (this is on the XP desktop). Press F5 to refresh the view. Wait about a second. Immediately start your copy. When I do this, the errors, previously reported to the desktop and to my server log, don't occur. I've been told that it's a WinXP only issue, that it attempts to connect on ports 445 and 139 nearly simultaneously, and then proceeds to talk over whichever one answers first. I'm told that Win2k clients won't have this problem, and Win98 clients don't use port 445 so it doesn't arise there. Anyone have evidence to the contrary (so far)?

Hi Tom,

If you can take my word for it, I just drag dropped a 2 Gig file from XP SP2 to Samba version 3.0.22pre1-SVN-build-12802 on FC3 2.6.12-1.1381_FC3smp without issue. I do this pretty frequently moving vmware machines around and organizing ghost images. I run a 2003 AD domain, but the XP machine is just a workgroup member of the domain, although samba is a domain member. But I recall doing this on an XP full domain member last year.

During the transfer:

PID Username Group Machine
---
9040 doug doug pine (192.168.200.14)

Service pid machine Connected at
---
public 9040 pine Fri Mar 31 19:55:00 2006

Locked files:
Pid DenyMode Access R/W Oplock SharePath Name
--
9040 DENY_ALL 0x30196 WRONLY EXCLUSIVE+BATCH /home/public doug/sda-s003.vmdk Fri Mar 31 20:09:26 2006
9040 DENY_NONE 0x20089 RDONLY NONE /home/public doug Fri Mar 31 19:55:05 2006
9040 DENY_NONE 0x11 RDONLY NONE /home/public doug Fri Mar 31 19:55:05 2006

And when done:
-rw-rw-rw- 1 doug doug 2125135872 Mar 15 11:56 /home/public/doug/sda-s003.vmdk

I did it once, deleted it, waited about 20 min and did it again. Ports in use with the XP machine:
tcp 0 0 192.168.200.25:445 192.168.200.14:1736 ESTABLISHED
where samba is running on 192.168.200.25.

Perhaps relevant config option:
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536

I did notice that when I first migrated from samba 2 to samba 3 back around 3.0.9 at first the client machines continued to connect on port 139, but gradually over a period of time that changed until the connections are now nearly all port 445 and all the domain members list as IP numbers instead of netbios names. I've seen this behavior in windows clients where they remember connection details and continue to use them until some event or loss of connectivity causes the client to start over in the list. Usually it learns the new connection details at that time.

Regards, Doug
Re: [Samba] Access shares over IPSEC
Barry, Christopher wrote:
> You could be SOL then.
>
> -----Original Message-----
> From: Michael Voss [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 28, 2006 10:30 AM
> To: Barry, Christopher
> Subject: AW: [Samba] Access shares over IPSEC
>
> Hm, but I don't know where I can make this. We connect over an IPSec-Client and here it is impossible to make a WINS-entry. I get a local IP (i.e. 192.168.10.50) and that's all. I can't see my details of the IPSec connection. I have an internet connection via UMTS and with ipconfig /all I see only the details of the UMTS-internet connection.

Well it's not the preferred method, but lmhosts can do the job.
%windir%/system32/drivers/etc/lmhosts
Add any machine names that are needed.

Regards, Doug
Re: [Samba] Samba PDC/Windows BDC domain sync
James F. Hranicky wrote:
> I have everything in place to move to a Samba/Heimdal/OpenLDAP auth database and have just discovered that some of the Windows products we use are required to run on a domain controller. Since domain sync doesn't work between Samba and NT4 it looks like I'm stuck: either ditch all the software we run on domain controllers, stay with our current 2-auth-db system, or move at least our Windows machines to AD, none of which I want to do. It appears that XAD 2.0 may be able to do what I want, and I'm checking on its availability, but I was wondering if anyone has any bright ideas for getting the Samba PDC to do what I want. Right now it looks like the best thing to do is to hack up a sync tool for WinNT - OpenLDAP to keep the passwords in sync.

Hi James,

Would you mind letting us know what product requires to be installed on a domain controller? I, for one, would like to shy away from ever evaluating their product.

Regards, Doug
Re: [Samba] Samba PDC/Windows BDC domain sync
James F. Hranicky wrote:
> On Thursday 23 March 2006 13:09, Doug VanLeuven wrote:
> > Hi James,
> > Would you mind letting us know what product requires to be installed on a domain controller? I, for one, would like to shy away from ever evaluating their product.
>
> Desktop Authority:
> http://downloads.cybis.co.uk/scriptlogic/Desktop_Authority_7_Release_Notes.pdf
> E-Policy Orchestrator
> https://delta.ist.utl.pt/bin_software/ePO_36_InstallationGuide_EN.pdf
> Unless I'm mistaken, these both require running on a domain controller of some kind.

Hi Jim,

Actually, both strongly recommend -not- installing on a domain controller. I can see where it used to be a requirement, but they advise member servers now. Desktop Authority page 2 and ePolicy page 6. Scriptlogic supports NT40 domains and should work on a 2000SP2 or greater member server. ePolicy just states it needs to be installed on windows 2000SP3 or later including 2003 Web server (which would never be a PDC). They just want a trust relationship with the PDC although I don't see whether or not NT style PDC is supported. I'd check with the vendors, but you may be able to accommodate samba3 as a NT40 style PDC with both those products. If ePolicy is tightly integrated to AD, I don't think that will be supported till samba4.

Regards, Doug
Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)
David Shapiro wrote:
> What is the KRB5A option going to provide?

The daemon winbindd resolves uid/gid to sids and vice versa.
The AIX WINBIND provides authentication services by calling a PDC.
The AIX KRB5A provides authentication services by Kerberos and can use a windows AD server. IBM has a writeup. Only thing I would add to it - it is possible to make it work with samba managing the system keytab.

I looked back on your posts, and I'm unclear on what your environment is.

Regards, Doug
Re: [Samba] libldap not found
David Shapiro wrote:
> Why does it need a shared library? Can't it use static?
> David
>
> I see in /usr/local/openldap/lib:
> drwxr-sr-x 10 root system 512 Feb 7 15:22 ..
> -rw-r--r-- 1 root system 293847 Feb 8 14:58 liblber-2.3.a
> lrwxrwxrwx 1 root system 13 Feb 12 23:01 liblber.a -> liblber-2.3.a
> -rw-r--r-- 1 root system 868 Feb 8 14:58 liblber.la
> -rw-r--r-- 1 root system 3909639 Feb 8 14:58 libldap-2.3.a
> lrwxrwxrwx 1 root system 13 Feb 12 23:01 libldap.a -> libldap-2.3.a
> -rw-r--r-- 1 root system 952 Feb 8 14:58 libldap.la
> -rw-r--r-- 1 root system 4247339 Feb 8 14:58 libldap_r-2.3.a
> lrwxrwxrwx 1 root system 15 Feb 12 23:01 libldap_r.a -> libldap_r-2.3.a
> -rw-r--r-- 1 root system 962 Feb 8 14:58 libldap_r.la
>
> openldap was built with:
> env CC="gcc -D_LINUX_SOURCE_COMPAT -D_THREAD_SAFE" \
> CPPFLAGS="-I/usr/local/bdb/include -I/usr/local/cyrus-sasl/include -I/usr/local/ssl/include" \
> LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/bdb/lib -L/usr/local/cyrus-sasl/lib -lpthread" \

try adding -L/usr/local/openldap/lib

Doug
Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)
David Shapiro wrote:
> I only see winbind_nss_aix.po, but I do not see the .c file. NIS ALL works, but LDAP and WINBIND both do not.

Hi Dave,

I'm having to work from memory as the work I did on AIX ended last June. In addition, when I formulated the phase transitions from samba 2.x nt40 style member to samba 3.x AD member, it was 2003 and at that time, winbindd on AIX wouldn't support returning sufficient information to allow managing user and group accounts using the -R option to chuser, chgroup, mkuser, mkgroup, rmuser, rmgroup. That's why the writeups say /usr/lib/security/methods.cfg
WINBIND:
options=authonly
and
KRB5A:
options=authonly

So NIS and LDAP can be used to maintain the user and group attributes but winbind and kerberos were only used to authenticate an existing user defined locally or in NIS/LDAP, where LDAP is the AIX native LDAP security model.

If NIS works and LDAP and WINBIND don't, it looks like you've implemented NIS but not LDAP and WINBIND is configured to authonly. If winbind's capable of returning sufficient information to satisfy lsuser, remove the authonly option. I figured you'd look thru winbind_nss_aix.c and make a determination whether or not that was possible with your version of samba.

Regards, Doug

> David Shapiro
> Unix Team Lead
> 919-765-2011
>
> Doug VanLeuven [EMAIL PROTECTED] 2/9/2006 11:03:38 PM
> > David Shapiro wrote:
> > > What can I look at to understand why chown keeps saying user does not exist.
> > > wbinfo -u/-g returns the user information
> > > klist -v shows kerberos is working
> > > net ads join works fine
> > > wbinfo -t shows secret is fine
> > > aix does not have getent so I can't run getent passwd -- is there something equivalent on aix?
> >
> > Closest you're going to get is
> > lsuser -R load_module
> > lsuser -R NIS ALL
> > lsuser -R LDAP ALL
> > lsuser -R WINBIND ALL
> > and of course lsgroup -R load_module
> >
> > /usr/lib/security/methods.cfg has:
> > WINBIND:
> > program = /usr/lib/security/WINBIND (set with chmod 444)
> > options = authonly
> >
> > Authonly means it's not capable of supplying any user information. I don't know that's true anymore. Look in source/nsswitch/winbind_nss_aix.c Available methods are at the end of the file. Not all methods are implemented, and not all methods implemented return a valid answer.
> >
> > Regards, Doug
Re: [Samba] Fwd: WINBIND security methods does not load
David Shapiro wrote:
> Hmm, I am not sure why this worked, but I moved my WINBIND stanza in /usr/lib/security/methods.cfg up in the file prior to the PAM stanza, and saved it. After this, I was able to load the module. Any ideas on why this worked?

Because aix will scan methods.cfg sequentially starting with the first entry and use the first one that satisfies the options defined in /etc/security. You don't really need pam and it makes a lot of sense to get pam working on aix without samba first if you want to go that way.

Doug
Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)
David Shapiro wrote:
> What can I look at to understand why chown keeps saying user does not exist.
> wbinfo -u/-g returns the user information
> klist -v shows kerberos is working
> net ads join works fine
> wbinfo -t shows secret is fine
> aix does not have getent so I can't run getent passwd -- is there something equivalent on aix?

Closest you're going to get is
lsuser -R load_module
lsuser -R NIS ALL
lsuser -R LDAP ALL
lsuser -R WINBIND ALL
and of course lsgroup -R load_module

/usr/lib/security/methods.cfg has:
WINBIND:
program = /usr/lib/security/WINBIND (set with chmod 444)
options = authonly

Authonly means it's not capable of supplying any user information. I don't know that's true anymore. Look in source/nsswitch/winbind_nss_aix.c Available methods are at the end of the file. Not all methods are implemented, and not all methods implemented return a valid answer.

Regards, Doug
Re: [Samba] ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requ
David Shapiro wrote:
> /etc/host, resolv.conf are fine. nsswitch.conf does not exist on aix systems, but I did add the winbindd entry where aix expects it. I guess we will see if people respond, but I noticed nobody answered this type of question in the past...

Not that many people using AIX.

> Dimitri Yioulos [EMAIL PROTECTED] 2/2/2006 10:18 AM
> > On Thursday February 02 2006 8:49 am, David Shapiro wrote:
> > > Is there no fix for this? Nobody answers this for me or other people asking this question. I really need help with this. Is there anything I can be looking at? I am not getting past doing a simple kinit [EMAIL PROTECTED] It gives me the Cannot resolve network address for KDC as well. Does ads not like krb5? Does it need krb4? Why doesn't kerberos provide any messages in the logs? Any suggestions on ways to figure out what is going on? I tried truss, but that does not show much other than I do see it looking in /etc/krb5.conf and /usr/local/etc/krb5.conf. I can use tcpdump, but I am not sure what to be looking for?

AIX wants krb5.conf in /etc/krb5/krb5.conf. Doesn't hurt to use a symbolic link (the link goes in /etc/krb5 and points at the existing /etc/krb5.conf):
cd /etc
mkdir krb5
cd /etc/krb5
ln -s ../krb5.conf krb5.conf

> > Dimitri Yioulos [EMAIL PROTECTED] 2/1/2006 10:15:49 AM
> > > On Wednesday February 01 2006 9:41 am, David Shapiro wrote:
> > > > Hello, I am having a problem getting my server to join our realm as a domain member server. I have read through google, yahoo, and this list, but I cannot find the answer yet. When I run: net join ads -Uadministrator and try to login it gives the following error:
> > > > kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
> > > > [2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
> > > > ads_connect: Cannot resolve network address for KDC in requested realm
> > > > The details of my setup are:
> > > > aix 5.2.0.7 libiconv-1.9.1 autoconf-2.59 libiodbc-3.52.4 bison-2.0 m4-1.4.3 db-4.4.20 mysql-connector-odbc-3.51.12 krb

Not good enough. You need to specify what version Kerberos. Also it looks like you may be using the linux affinity toolkit. Did you compile your own Kerberos?

> > > > samba-3.0.21a ../configure --prefix=/usr/local/samba --with-ads --with-ldap --with-winbind --with-acl-support --with-utmp --with-quotas --with-sendfile-support
> > > > openldap-2.3.19 ./configure --enable-crypt --without-cyrus-sasl
> > > > unixODBC-2.2.11 gcc 3.3.2
> > > > /etc/krb5.conf:
> > > > [libdefaults]
> > > > default_realm = MYREALM.COM
> > > > default_etypes = des-cbc-crc des-cbc-md5
> > > > default_etypes_des = des-cbc-crc des-cbc-md5

The way it works is this. If you override the defaults:
if your version of Kerberos doesn't support rc4-hmac (<1.3.4), you must not specify it (doh).
else if your version of Kerberos supports rc4-hmac (>=1.3.4), you must specify rc4-hmac as one of the allowable enctypes
else userAccountControl in ldap doesn't get set up in agreement with your manual krb5 spec on net join.
My current 1.3.6 and previous versions of Kerberos use these parameters
default_tgs_enctypes
default_tkt_enctypes
permitted_enctypes
enctypes not etypes

> > > > ticket_lifetime = 24000
> > > > clockskew = 300
> > > > dns_lookup_realm = false
> > > > dns_lookup_kdc = false
> > > > [realms]
> > > > MYREALM.COM = {
> > > > kdc = myadsserver.mydomain.com
> > > > default_domain = mydomain.com
> > > > }
> > > > [domain_realm]
> > > > .mydomain.com = MYREALM.COM

While it's not impossible to have a different REALM than domain name, MS doesn't do it and you're asking for extra problems. MS sometimes makes assumptions that have to be worked around. For a first time test, try
[libdefaults]
default_realm = MYDOMAIN.COM
...
[realms]
MYDOMAIN.COM = {
...
Probably already too late.

> > > In krb5.conf, try this:
> > > [realms]
> > > YOURDOMAIN.COM = {
> > > default_domain = yourdomain.com
> > > kdc = xxx.xxx.xxx.xxx (my note - use ip address of AD server)
> > > admin_server = xxx.xxx.xxx.xxx (my note - use ip address of AD server)
> > > }
> > > HTH.
> > > Dimitri
>
> David,
> Firstly, be mindful that the list is made up of volunteers who do their best to provide answers as quickly as possible. Sometimes you may have to wait a bit longer, but I've always found these folks to be most kind and helpful. Give 'em a chance.

I've come up on deadlines, come to the end of my rope, and not had the budget for paid assistance, and asked the same question out of desperation. Always punish myself afterwards. Bad Doug Bad Dog.

> Now, after that mild rebuke: I have little experience with AIX; my responses are based on my work with Samba on Linux. That said, I believe that you should have nsswitch.conf and resolv.conf files on the system. Are these configured correctly? Is pam.d/login configured correctly?
> Dimitri

Regards, Doug
Re: [Samba] windows env variable for USERDOMAIN is wrong
Greg Fischer wrote:
> Hi all, I just setup my Samba PDC. Mostly everything works, but I am wondering why on some clients, they have the wrong USERDOMAIN environment variable. (when you run 'set' in win xp cmd) The domain name is MEIDLING, and the user and computer are joined ok. But in set, it shows USERDOMAIN as the Server name. Which is MAIN. How do I change that?

As far as I know, when the environment variable USERDOMAIN is set to the machine name, it means you have logged in locally to the machine instead of on the domain. Not a samba problem.

Regards, Doug
Re: [Samba] Performance Problem / failed to verify PAC server signature
Christoph Kaegi wrote:
> On 23.11-02:22, Doug VanLeuven wrote:
> > Well, no. Maybe. Yes. Been a while since I confronted moving between des arc4. in source/libads/ldap.c
> > #ifndef ENCTYPE_ARCFOUR_HMAC
> > acct_control |= UF_USE_DES_KEY_ONLY;
> > #endif
>
> I have in source/include/config.h:
> /* Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available */
> /* #undef HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */

Heimdal kerberos defines rc4-hmac this way. From MIT site:
Supported Encryption Types
arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
These are all synonyms.

> And my MIT 1.4 says in krb5.h:
> [...]
> #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f
> #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010
> #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
> [...]
> That last define of CKSUMTYPE_HMAC_MD5_ARCFOUR doesn't look promising.

About 20 lines before that you should see
#define ENCTYPE_ARCFOUR_HMAC 0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
So your compiled samba will have rc4-hmac support.

> Does that mean, that my Kerberos library doesn't support the encryption type that I need? (I checked also krb5-1.4.3, which has the same definition)
>
> > So my experience is if it is defined in the include file at compile time, all accounts are created arc4 capable. I don't see any flags in the smbd -b build options that confirm this either way
>
> What is an arc4 capable Unix account?

Not arc4 capable Unix, arc4-hmac capable Windows computer account. This is the default state of windows accounts and a flag is necessary to force des-only usage.

In Active Directory
In domain wherever computer accounts get setup
cn=computer name
userAccountControl: 0x11000
The two set bits mean:
UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD
This account is arc4 capable.

An account that is des only has this value:
userAccountControl: 0x211000
UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_USE_DES_KEY_ONLY

userAccountControl exists in user accounts too.

ktpass.exe: +des (des only - default for command) -des (not des only)

> > Also, I use this samba option:
> > use kerberos keytab = yes
> > Which means samba creates /etc/krb5.keytab entries for you when you join the domain. If you use that option, your keytab file will probably only have des entries in it from when you joined and only des-cbc-crc and des-cbc-md5 were allowed.
>
> I rejoined, deleted the AD computer account, recreated it several times. All funny things are happening, including:
> -- 8< --
> [2005/11/23 14:32:47, 0] lib/fault.c:fault_report(36)
> ===
> [2005/11/23 14:32:47, 0] lib/fault.c:fault_report(37)
> INTERNAL ERROR: Signal 11 in pid 20569 (3.0.21rc1)
> Please read the Trouble-Shooting section of the Samba3-HOWTO
> [2005/11/23 14:32:47, 0] lib/fault.c:fault_report(39)
> From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> [2005/11/23 14:32:47, 0] lib/fault.c:fault_report(40)
> ===
> [2005/11/23 14:32:47, 0] lib/util.c:smb_panic2(1554)
> PANIC: internal error
> -- 8< --
> after a successful join...

Bummer, shouldn't happen. But it could be the kerberos.

I was curious, so I dragged out an old des only machine used in testing last year. RH9 with a custom 1.3.5 MIT kerberos. Ethereal traces on port 88 show machine using only des. Compiled and installed samba 3.0.21pre3 SVN 11739. Ran it in des-only mode without issue, but had no easy way to check redirected folders.

Then I converted it to your system of using a ktpass.exe generated keytab using rc4-hmac.
Stopped samba
edit smb.conf and remove use kerberos keytab = yes
Deleted the existing computer account in AD
Deleted the existing mapped user account in AD
Deleted /etc/krb5.keytab
Edit krb5.conf and add rc4-hmac as -first- enctype in list for default_tgs_enctypes, default_tkt_enctypes, permitted_enctypes
Deleted samba's private.tdb
Deleted samba's winbindd_cache.tdb (just in case)
Created a new windows user account to be used for mapping in ktpass.exe
Ran ktpass.exe on domain controller with -DesOnly
Read the new keytab and write /etc/krb5.conf with it
Run net ads join
Ethereal trace on port 88 show rc4-hmac negotiated tickets

Using a ktpass.exe generated keytab, the AD computer account and the AD mapped user account attribute userAccountControl must agree on the flag UF_USE_DES_KEY_ONLY. They either both indicate it or they both don't indicate it, but they can't be mixed.

We'll be enjoying Thanksgiving holiday here.

Regards, Doug
Re: [Samba] Performance Problem / failed to verify PAC server signature
Doug VanLeuven wrote:
> Then I converted it to your system of using a ktpass.exe generated keytab using rc4-hmac.
> Stopped samba
> edit smb.conf and remove use kerberos keytab = yes
> Deleted the existing computer account in AD
> Deleted the existing mapped user account in AD
> Deleted /etc/krb5.keytab
> Edit krb5.conf and add rc4-hmac as -first- enctype in list for default_tgs_enctypes, default_tkt_enctypes, permitted_enctypes
> Deleted samba's private.tdb
> Deleted samba's winbindd_cache.tdb (just in case)
> Created a new windows user account to be used for mapping in ktpass.exe
> Ran ktpass.exe on domain controller with -DesOnly
> Read the new keytab and write /etc/krb5.conf with it

Typo: should be /etc/krb5.keytab

> Run net ads join
> Ethereal trace on port 88 show rc4-hmac negotiated tickets
>
> Using a ktpass.exe generated keytab, the AD computer account and the AD mapped user account attribute userAccountControl must agree on the flag UF_USE_DES_KEY_ONLY. They either both indicate it or they both don't indicate it, but they can't be mixed.
>
> We'll be enjoying Thanksgiving holiday here.
>
> Regards, Doug
Re: [Samba] Performance Problem / failed to verify PAC server signature
Christoph Kaegi wrote:
> On 22.11-09:35, Doug VanLeuven wrote:
> > > Hm, how can I determine, if I use DES keys? I have the following in krb5.conf (if that is what you mean):
> > > -- 8< --
> > > default_tkt_enctypes = des-cbc-crc, des-cbc-md5
> > > default_tgs_enctypes = des-cbc-crc, des-cbc-md5
> > > -- 8< --
> > > I derived this from google knowledge, but I'll change this gladly if you tell me it is wrong. Kerberos is MIT Kerberos5 1.4
> >
> > With Kerberos 1.4 you should include rc4-hmac in the list of enctypes. It is the native mode of windows.
>
> Thanks! I added this to my /etc/krb5.conf. It didn't help my problem though. Any more hints?

Well, no. Maybe. Yes. Been a while since I confronted moving between des arc4. in source/libads/ldap.c
#ifndef ENCTYPE_ARCFOUR_HMAC
acct_control |= UF_USE_DES_KEY_ONLY;
#endif

So my experience is if it is defined in the include file at compile time, all accounts are created arc4 capable. I don't see any flags in the smbd -b build options that confirm this either way.

You could check (if your computer joined a long time ago) using ldp.exe which translates the flags into english.
cn=your computer,cn=Computers,cn=your domain
userAccountControl 0x0020 ADS_UF_USE_DES_KEY_ONLY
Subtract that out to clear the bit, if set, which it might be, depending on how long ago you joined. I use adsiedit.msc which presents the flag in decimal.

Also, I use this samba option:
use kerberos keytab = yes
Which means samba creates /etc/krb5.keytab entries for you when you join the domain. If you use that option, your keytab file will probably only have des entries in it from when you joined and only des-cbc-crc and des-cbc-md5 were allowed. You can generate a new set of keys with this command
net ads changetrustpw
Or you can delete the computer account on the domain controller, delete the existing keytab entries (or the keytab file if no other keys are present), and rejoin the domain.

I got leery of changetrustpw because sometimes it would hang in the kerberos libraries in version krb5 1.3.4 if one ran the command several times in a short period of time. Once was always OK. FWIW I believe it hangs trying to delete older key versions that are still current and in use.

If you don't use that option and you manually created the keytab entry with ktpass.exe, then you'd know if you used /DesOnly and if you did, you'd need to cut a new keytab that wasn't des only.

Any way you edit or update, there is caching of tickets going on. I remember after one long night of updating kerberos and rejoining the domain, nothing worked. The machine beat me. Next day I thought let's try it one more time. Worked like a charm without modification. Kerberos hammered home the lesson that patience is a virtue. Never did come up with a deterministic method to compute the time to outlive the cache. Don't know if it's cached in samba secrets or the windows domain controller.

Luck, Doug
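The userAccountControl arithmetic in this thread (read the value in ldp.exe or adsiedit.msc, "subtract out" UF_USE_DES_KEY_ONLY, keep the computer account and the ktpass.exe-mapped user account in agreement) as an added example; this is not Samba code or any poster's code. The flag values are the documented userAccountControl bits; the two values quoted in the thread plus constructed ones serve as sample input.

```python
"""Decode Active Directory userAccountControl and check DES-only agreement.

Added example, not code from Samba or from the thread.  Flag values are
the documented userAccountControl bit assignments; sample inputs below
are the values quoted in the thread plus constructed ones.
"""

UF_NORMAL_ACCOUNT = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_USE_DES_KEY_ONLY = 0x00200000

FLAG_NAMES = {
    UF_NORMAL_ACCOUNT: "UF_NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_USE_DES_KEY_ONLY: "UF_USE_DES_KEY_ONLY",
}


def parse_uac(value):
    """Accept the hex form ldp.exe shows ("0x11000") or the decimal form
    adsiedit.msc shows ("69632"); return the integer bit mask."""
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def decode_uac(value):
    """Names of the set flags, lowest bit first; bits this table does
    not know are reported as hex so nothing is silently dropped."""
    uac = parse_uac(value)
    names, bit = [], 1
    while bit <= uac:
        if uac & bit:
            names.append(FLAG_NAMES.get(bit, hex(bit)))
        bit <<= 1
    return names


def is_des_only(value):
    return bool(parse_uac(value) & UF_USE_DES_KEY_ONLY)


def clear_des_only(value):
    """The value to write back when an old join left the bit set and the
    keytab now carries rc4-hmac keys (the thread's 'subtract that out')."""
    return parse_uac(value) & ~UF_USE_DES_KEY_ONLY


def check_keytab_pair(computer_uac, mapped_user_uac):
    """With a ktpass.exe keytab both accounts must agree on
    UF_USE_DES_KEY_ONLY.  Returns (ok, message)."""
    comp, user = is_des_only(computer_uac), is_des_only(mapped_user_uac)
    if comp == user:
        return True, "consistent: both accounts are " + (
            "des-only" if comp else "rc4-hmac capable")
    return False, "mismatch: computer account is %s, mapped user is %s" % (
        "des-only" if comp else "not des-only",
        "des-only" if user else "not des-only")


if __name__ == "__main__":
    # Sample values: the two quoted in the thread, then a constructed
    # mapped user account (UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD).
    for v in ("0x11000", "0x211000"):
        print(v, "->", " | ".join(decode_uac(v)))
    print(check_keytab_pair("0x211000", "0x10200"))
    print(hex(clear_des_only("0x211000")))
```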
Re: [Samba] Performance Problem / failed to verify PAC server signature
Christoph Kaegi wrote:
> On 22.11-10:58, Guenther Deschner wrote:
> > -- 8< --
> > [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
> > smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
> > [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
> > check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
> > [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
> > decode_pac_data: failed to verify PAC server signature
> > [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
> > ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
> > -- 8< --
> >
> > First of all: are you sure you are running Samba 3.0.20? The PAC verification code is not in any of the 3.0.20/a/b tarball releases (just accidentally in the 3.0.20a subversion tags directory) but only in the 3.0.21 series of pre-releases/rcs.
>
> The production Server runs 3.0.20, but the test Server, where I analyzed this and where the logs are coming from is 3.0.21rc1 indeed. Sorry for the confusion. But in both cases, the behaviour on the network is the same (STATUS_LOGON_FAILUREs with a certain delay, depending on load)
>
> > Then you most probably are forced to use DES keys when authenticating with Kerberos on your OS, right? PAC verification must then fail due to a bug in Windows (which fails to put DES-based checksum into the PAC signatures), so we can't verify the signature. What exact Kerberos library are you using (version) ?
>
> Hm, how can I determine, if I use DES keys? I have the following in krb5.conf (if that is what you mean):
> -- 8< --
> default_tkt_enctypes = des-cbc-crc, des-cbc-md5
> default_tgs_enctypes = des-cbc-crc, des-cbc-md5
> -- 8< --
> I derived this from google knowledge, but I'll change this gladly if you tell me it is wrong. Kerberos is MIT Kerberos5 1.4

With Kerberos 1.4 you should include rc4-hmac in the list of enctypes. It is the native mode of windows.

Regards, Doug
Re: [Samba] Windows AD w/ Windows Services for Unix?
Jason Gerfen wrote:
> I can authenticate users on a default setup of Windows 2000 using 'Security = ADS'. However if I install Windows Services for Unix (http://www.microsoft.com/windowsserversystem/sfu/productinfo/features/default.mspx) I am not able to authenticate or view users from different Organizational Units in the default domain.

??? With a 2000 or 2003 Windows AD controller, I've run SFU 3.0 and 3.5 on both client and server without side effects. I use:
winbind nss info = template sfu
security = ADS
winbind trusted domains only = yes
idmap backend = ad
on the samba member servers.

Perhaps you mean you're running samba PDC and using SFU on a client workstation? In that case, I would assume, for it to work, you would need to run an ldap backend and extend the schema for SFU. Then fill out the unix values. Anyone ever done that?

Regards, Doug
Re: [Samba] Windows AD w/ Windows Services for Unix?
Jason Gerfen wrote:
> Doug VanLeuven wrote:
> > Jason Gerfen wrote:
> > > I can authenticate users on a default setup of Windows 2000 using 'Security = ADS'. However if I install Windows Services for Unix (http://www.microsoft.com/windowsserversystem/sfu/productinfo/features/default.mspx) I am not able to authenticate or view users from different Organizational Units in the default domain.
> >
> > ??? With a 2000 or 2003 Windows AD controller, I've run SFU 3.0 and 3.5 on both client and server without side effects. I use:
> > winbind nss info = template sfu
> > security = ADS
> > winbind trusted domains only = yes
> > idmap backend = ad
> > on the samba member servers.
> >
> > Perhaps you mean you're running samba PDC and using SFU on a client workstation? In that case, I would assume, for it to work, you would need to run an ldap backend and extend the schema for SFU. Then fill out the unix values. Anyone ever done that?
> >
> > Regards, Doug
>
> Odd, I attempted your suggestions:
> % testparm
> Load smb config files from /etc/samba/smb.conf
> Unknown parameter encountered: winbind nss info
> Ignoring unknown parameter winbind nss info

You must be using an older version of samba. I don't recall exactly when that was introduced. Somewhere around 3.0.14 maybe. Probably wouldn't find the ad loadable module either. They came in at the same time.

> The first scenario is correct, a ROLE_DOMAIN_MEMBER that authenticates file shares using nsswitch and winbind against the Windows 2000 domain.

Prior to the XAD idmap_ad being pushed into samba, I compiled it and included it myself on older versions (and had to patch it too). Prior to samba 3.0 I was using SFU to export NFS shares on windows servers using user and group mapping. Unix had NIS then LDAP for auth. Only way I made the SFU/NIS/LDAP work with samba.

You'll need to get current.

Regards, Doug
Re: [Samba] AD Question
Jason Gerfen wrote:
> I have a question regarding joining a Samba 3 machine to a Windows 2000 Domain using ADS authentication. I have been able to join the machine to the domain, enumerate users with getent and wbinfo -u. The problem I am having is that with a Windows 2000 default domain setup an AD object is created:
>
> CN=Users,DC=Domain,DC=Com
>
> Generally all users created belong in this container. I am able to enumerate every user account in the domain EXCEPT this one? Can someone help me with this?
>
> [smb.conf]
> [global]
> workgroup = SCL
> realm = SCL.UTAH.EDU
> server string = new-odin.domain.com

My experience is the realm is the DC parts of the ldap container. So your realm should be DOMAIN.COM, the same as in krb5.conf. I'm thinking your samba box has an older DNS domain name that's not the same as your win2000 DNS domain name.

You may be past the planning/testing stage, but I found the easiest way to introduce the win2000 domain was as a subdomain of any existing domain I already was authoritative for. So if you're authoritative for UTAH.EDU then your win2000 domain and realm would be something like scl.utah.edu or nt.utah.edu with a legacy domain name of SCL. Then you can allow windows server to run its own DNS and delegate the subdomain with glue from your existing servers. There are a -lot- of realm subdomains and SRV records generated by windows that make the system easier to integrate. Like if you ever get into mail routing with the windows machines, you'll find MS believes the domain name should be an official ICANN domain and it's kind of difficult to alias. Not impossible, but if the windows realm could be a real delegated domain, since you appear to have one, the future would be much easier.

Regards, Doug

> security = ADS
> update encrypted = Yes
> password server = *
> password level = 20
> preferred master = No
> domain master = No
> idmap uid = 500-50
> idmap gid = 500-50
> winbind separator = /
> winbind cache time = 5
> winbind use default domain = Yes
> winbind nested groups = Yes
>
> [odin]
> comment = ODIN
> path = /odin
> read only = No
> inherit acls = Yes
>
> [krb5.conf]
> [libdefaults]
> default_realm = DOMAIN.COM
> clockskew = 300
>
> [realms]
> DOMAIN.COM = {
>   kdc = 10.10.1.95
>   default_domain = domain.com
>   admin_server = 10.10.1.95
> }
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> [domain_realm]
> .domain.com = DOMAIN.COM
> domain.com = DOMAIN.COM
>
> [appdefaults]
> pam = {
>   ticket_lifetime = 1d
>   renew_lifetime = 1d
>   forwardable = true
>   proxiable = false
>   retain_after_close = false
>   minimum_uid = 0
> }
>
> Any help is appreciated.
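A small consistency check for the point Doug makes above (the Samba `realm` should be the DC= parts of the AD container, and should match `default_realm` in krb5.conf), as an added example that is not part of the original thread. The smb.conf and krb5.conf text inside it is constructed from the fragments quoted in the message; the helper names are the example's own.

```python
import re

# Constructed from the config fragments quoted in the thread; not a real deployment.
SMB_CONF = """[global]
workgroup = SCL
realm = SCL.UTAH.EDU
server string = new-odin.domain.com
security = ADS
"""
KRB5_CONF = """[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300
[realms]
DOMAIN.COM = {
  kdc = 10.10.1.95
}
"""
USERS_CONTAINER = "CN=Users,DC=Domain,DC=Com"


def _first_value(text, key):
    """Return the first 'key = value' found in INI-style text, or None."""
    m = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), text, re.M | re.I)
    return m.group(1) if m else None


def realm_from_dn(dn):
    """Kerberos realm implied by a DN: its DC= components joined with dots, upper-cased."""
    dcs = [p.strip().split("=", 1)[1] for p in dn.split(",")
           if p.strip().upper().startswith("DC=")]
    return ".".join(dcs).upper()


def check_realms(smb_conf, krb5_conf, container_dn):
    """List every place where the configured realm disagrees with the AD naming context."""
    expected = realm_from_dn(container_dn)
    smb_realm = _first_value(smb_conf, "realm")
    krb_realm = _first_value(krb5_conf, "default_realm")
    problems = []
    if smb_realm is None or smb_realm.upper() != expected:
        problems.append("smb.conf realm %r should be %s" % (smb_realm, expected))
    if krb_realm is None or krb_realm.upper() != expected:
        problems.append("krb5.conf default_realm %r should be %s" % (krb_realm, expected))
    return problems


if __name__ == "__main__":
    for problem in check_realms(SMB_CONF, KRB5_CONF, USERS_CONTAINER):
        print("MISMATCH:", problem)
```

On the quoted configuration this reports only the smb.conf realm (SCL.UTAH.EDU) as inconsistent with DOMAIN.COM; the krb5.conf side already agrees with the container's DC components.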
