Re: [Samba] Compile 3.5.4 on Opensolaris snv_134
Hi!

Here's a comparison of "net ads join" output between my first build of samba 3.5.4, which gave "pkcs 11 error", and the second build, which is failing with "rpc: Logon failure". Can anyone comment on the differences? I'm starting to think that the "diff -u" output says that the 2nd build is failing sooner than the first build did. As you can see, there are a lot of missing lines with "sasl", "ldap" and "krb5".

MMM

On 07/16/10 04:34 PM, Gaiseric Vandal wrote:

Which version of Samba? I had more trouble with Samba 3.5.x. And I have never managed to get Samba to compile with sun cc. I figured Samba was written with gcc in mind.

The "failed to lookup DC info for domain 'mydomain.COM' over rpc: Logon failure' " message is interesting - not sure if you are getting login errors before lookup errors.

Is your samba server configured to use your AD server as the DNS server? What version of windows is the AD server? What domain/forest mode is your AD server in?

In the "windows" world clients can locate the login server via specific resource records in DNS. I don't know if Samba does this too or is still relying on netbios. I had one AD domain that was in NT4-compatibility mode and one AD domain that was in Windows 2003 native mode. Changing the client DNS settings on the samba machine seemed to help with locating the "2003 native" mode DC.

On 07/16/2010 05:29 AM, Marcis Lielturks wrote:

Hi! First of all, thanks for replies to all ;)! Using GCC was a fail for me - too many errors and 2 additional things must be compiled (tdb & talloc). I only managed to compile using Sun's cc and gmake and will stick to them.

I'm a bit further now. Now I don't get PKCS 11 errors when trying to do "net ads join". I recompiled openldap with slapd (but with null backend) and "-lpkcs11" in LDFLAGS (I think this is what helped).
However, now I'm getting the following when doing "net ads join":

[2010/07/16 12:16:54, 3] param/loadparm.c:9158(lp_load_ex)
  lp_load_ex: refreshing parameters
[2010/07/16 12:16:54, 3] param/loadparm.c:4929(init_globals)
  Initialising global parameters
[2010/07/16 12:16:54, 2] param/loadparm.c:4785(max_open_files)
  rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
[2010/07/16 12:16:54.047848, 3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/opt/samba/lib/smb.conf"
[2010/07/16 12:16:54.047875, 3] param/loadparm.c:7842(do_section)
  Processing section "[global]"
[2010/07/16 12:16:54.048365, 2] lib/interface.c:338(add_interface)
  added interface e1000g0:3 ip=192.168.0.84 bcast=192.168.0.255 netmask=255.255.255.0
[2010/07/16 12:16:54.048517, 1] libnet/libnet_join.c:1947(libnet_Join)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          in: struct libnet_JoinCtx
              dc_name : NULL
              machine_name : 'SAMBA-DEV'
              domain_name : *
                  domain_name : 'mydomain.COM'
              account_ou : NULL
              admin_account: 'Administrator'
              admin_password : *
              machine_password : NULL
              join_flags : 0x0023 (35)
                  0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                  0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                  0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                  0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                  0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                  0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                  1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                  0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                  0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                  1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                  1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
              os_version : NULL
              os_name : NULL
              create_upn : 0x00 (0)
              upn : NULL
              modify_config: 0x00 (0)
              ads : NULL
              debug: 0x01 (1)
              use_kerberos : 0x00 (0)
              secure_channel_type : SEC_CHAN_WKSTA (2)
[2010/07/16 12:17:00.052208, 2] libads/cldap.c:97(ads_cldap_netlogon)
  cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
[2010/07/16 12:17:00.141661, 3] libsmb/cliconnect.c:2201(cli_start_connection)
  Connecting to host=BORED.mydomain.com
[2010/07/16 12:17:00.141828, 3] lib/util_sock.c:974(open_socket_out_send)
  Connecting to 192.168.0.94 at port 445
[2010/07/16 12:17:00.143207, 3] libsmb/cliconnect.c:991(cli_session_setup_spnego)
  Doing spnego session setup (blob length=107)
[2010/07/16 12:17:00.143274, 3] libsmb/cliconnect.c:1019(cli_session_setup_spnego)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113
Re: [Samba] How to regenerate passdb.tdb
Hi all again,

It seems like there are some strange complications going on. Now I get tens of strange warnings from logcheck every day:

localhost smbd[32215]: pam_unix(samba:session): session opened for user someuser by anotheruser(uid=0)
localhost smbd[32215]: pam_unix(samba:session): session opened for user user10 by someuser(uid=0)
localhost smbd[32215]: pam_unix(samba:session): session opened for user user3 by user21(uid=0)
etc. etc...

I could confirm that the user did open a connection at that particular time, but I am expecting the connection would be opened "by root (uid=0)" instead of by some restricted user. However, from my observation, there wasn't any security breach nor any real problem functionally. Each user is still bound by his/her granted permissions.

Can I safely ignore those strange logs, or is something really going very wrong?

Thanks for all input,
Abe

On Mon, Jul 12, 2010 at 11:11 PM, Abe Lau wrote:

> On Fri, Jul 9, 2010 at 10:43 AM, Abe Lau wrote:
>
>> On Fri, Jul 9, 2010 at 8:26 AM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
>>
>>> On 07/08/2010 05:43 PM, Jeremy Allison wrote:
>>> On Thu, Jul 08, 2010 at 11:32:32AM +1000, Abe Lau wrote:
> Hi,
> I was having problem with the tdbsam backend in which a particular user got
> listed twice with pdbedit.
> (http://www.mail-archive.com/samba@lists.samba.org/msg109110.html)
>
> Without much hope in fixing it, I am planning to re-generating passdb.tdb on
> my PDC by:
> (1)exporting tdbsam to smbpasswd backend
> (2)delete passdb.tdb
> (3)re-import smbpasswd to tdbsam backend
>
If you do this you lose a lot of the extra data that tdbsam stores that smbpasswd does not.

Jeremy.

>>> Does "tdbdump passdb.tdb" show the user listed twice?
>>>
>>> Maybe you can use tdbtool to edit a copy of the file. The man page for
>>> tdbbackup indicates it can check for corruption (but not fix it.)
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>> Yes, it seems to have appeared twice
>>
>> `tdbdump passdb.tdb` gives
>> {
>> key(13) = "RID_03e9\00"
>> data(5) = "usera\00"
>> }
>>
>> {
>> key(10) = "USER_usera\00"
>> data(180) =
>> "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00\B2c6L\00\00\00\00\FF\FF\FF\7F\05\00\00\00nick\00\04\00\00\00ORL\00\01\00\00\00\00\01\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\00\00\00\00\01\00\00\00\00T\04\00\00\01\02\00\00\00\00\00\00\10\00\00\00<\03\0C\8C\98\89\87\DC+\CE\0Ax)JP\01\00\00\00\00\10\00\00\00\A8\00\15\00\00\00
>> \00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00"
>> }
>> ..
>> {
>> key(13) = "RID_0454\00"
>> data(5) = "usera\00"
>> }
>>
>> I have tried using tdbbackup -v, but it didn't indicate any corruption. I
>> may try tdbtool on a copy of passdb.db and see how it goes. Thanks for the
>> suggestion.
>>
>
> Just tried using tdbtool and removed one of the duplicated RID key of
> usera. I randomly picked one, because I am really not sure which one is
> correct (or if it even matters). Now, pdbedit does not display 2 duplicated
> entries. I hope that is the solution, and the problem won't come back
> again. will report back in case this leads to other complications.
>
> Just a side note, according to the old man page of tdbtool
> (http://www.samba.org/samba/docs/man/manpages-3/tdbtool.8.html), there is
> an option "check" to verify the integrity of tdb file, but my copy from
> Debian Lenny doesn't have it!
>
> I wonder if there is any other better integrity checking tool for the tdb,
> apart from tdbbackup, which didn't ever report any problem in my case all
> the way anyway!
>
> Thanks all for the help,
> Abe
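Added example (not part of the thread and not Samba or PAM code): a small triage script for the pam_unix lines quoted in the message above. It splits each "session opened" line into its fields and reports the entries where the logged "by" name disagrees with the logged uid; the expectation that uid 0 reads "root" and the extra sample lines are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the first three lines are the ones quoted in the post,
# the remaining lines are made up to exercise the other branches.
SAMPLE_LOG = """\
localhost smbd[32215]: pam_unix(samba:session): session opened for user someuser by anotheruser(uid=0)
localhost smbd[32215]: pam_unix(samba:session): session opened for user user10 by someuser(uid=0)
localhost smbd[32215]: pam_unix(samba:session): session opened for user user3 by user21(uid=0)
localhost smbd[32301]: pam_unix(samba:session): session opened for user user7 by root(uid=0)
localhost smbd[32302]: pam_unix(samba:session): session opened for user user8 by (uid=0)
localhost sshd[4100]: pam_unix(sshd:session): session opened for user user3 by (uid=0)
localhost smbd[32215]: pam_unix(samba:session): session closed for user user3
"""

# host proc[pid]: pam_unix(service:session): session opened for user U by N(uid=K)
SESSION_OPEN = re.compile(
    r"(?P<host>\S+) (?P<proc>[\w./-]+)\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<service>[^:)]+):session\): "
    r"session opened for user (?P<user>\S+) by (?P<by>[^(]*)\(uid=(?P<uid>\d+)\)"
)


def parse_session_opens(text):
    """Return one dict per pam_unix 'session opened' line found in text."""
    events = []
    for line in text.splitlines():
        m = SESSION_OPEN.search(line)
        if not m:
            continue  # 'session closed' and unrelated lines are skipped
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["uid"] = int(ev["uid"])
        ev["by"] = ev["by"].strip()  # the name may be empty: "by (uid=0)"
        events.append(ev)
    return events


def name_uid_mismatches(events, uid_names=None):
    """Events whose 'by' name differs from the name expected for that uid.

    uid_names maps uid -> expected account name. The default only assumes
    that uid 0 is 'root' on this host. An empty name is not a mismatch.
    """
    uid_names = {0: "root"} if uid_names is None else uid_names
    return [
        ev for ev in events
        if ev["by"] and ev["uid"] in uid_names and ev["by"] != uid_names[ev["uid"]]
    ]


def summarize(mismatches):
    """Count mismatching lines per (service, logged name)."""
    return Counter((ev["service"], ev["by"]) for ev in mismatches)


if __name__ == "__main__":
    events = parse_session_opens(SAMPLE_LOG)
    odd = name_uid_mismatches(events)
    print(f"{len(events)} session-open lines, {len(odd)} with name/uid mismatch")
    for (service, by), n in sorted(summarize(odd).items()):
        print(f"  service={service} by={by!r} uid=0 count={n}")
```

Grouping by service shows at a glance whether the mismatching names come only from the samba PAM service, as in the post, or from other services as well.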
Re: [Samba] Samba + Winbind + Windows 2003 AD
I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like:

krb5.conf
smb.conf

There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know.

> Date: Mon, 19 Jul 2010 01:12:41 +0200
> From: h...@semark.dk
> To: esiot...@gmail.com
> CC: samba@lists.samba.org
> Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD
>
> Hi Michael
>
> Sorry for not sending that information in the first place, but I thought
> that it was so basic that it wasn't necessary.
>
> My nsswitch.conf:
> # cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> services: db files
> ethers: db files
> protocols: db files
> rpc:db files
>
> netgroup: nis
>
> I will mean that it is the way to do this (and it works just fine on the
> UNIX servers that run their own Domain Controller)
>
> Med Venlig Hilsen / Best Regards
> Henrik Dige Semark
>
> On 18-07-2010 17:03, Michael Wood wrote:
> > On 18 July 2010 01:34, Henrik Dige Semark wrote:
> >
> >> Hey out there.
> >>
> >> I have to join my UNIX server with an existing Win2k3 AD network.
> >>
> >> My system info:
> >> Debian Lenny
> >> Samba - 3.4.8
> >> Winbind - 3.4.8
> >>
> >> Windows Server 2003 with 2000-style-AD
> >>
> >> My problem is that I have a UNIX server that has to run auth up against
> >> our existing windows 2003 AD.
> >>
> >> I have successfully joined my UNIX server to the AD, without problems.
> >> # net ads join -U Administrator
> >> Enter Administrator's password:
> >> Using short domain name -- TEST
> >> Joined 'MAIL' to realm 'TEST.LOCAL'
> >>
> >> My Samba config: http://pastebin.com/ZqaA0Ypn
> >>
> >> After the join I'm able to look up people with
> >> # wbinfo -u
> >>
> > [...]
> >
> >> # wbinfo -g
> >>
> > [...]
> >
> >> Now the problem, getent only returns the local users and not the users from
> >> the AD
> >> The funny thing is that if a user is local on the UNIX and in the AD, I can
> >> login with the password from both local and AD, so I know that it can
> >> look up people and passwords
> >>
> >> # getent passwd hs ; echo $?
> >> 2
> >>
> >> When I debug on getent it returns 2, which means that it can't find the
> >> user.
> >>
> > Do you have winbind specified in your nsswitch.conf file as mentioned here:
> >
> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732
> >
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Michael

Sorry for not sending that information in the first place, but I thought that it was so basic that it wasn't necessary.

My nsswitch.conf:
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat winbind

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

services: db files
ethers: db files
protocols: db files
rpc:db files

netgroup: nis

I will mean that it is the way to do this (and it works just fine on the UNIX servers that run their own Domain Controller)

Med Venlig Hilsen / Best Regards
Henrik Dige Semark

On 18-07-2010 17:03, Michael Wood wrote:

On 18 July 2010 01:34, Henrik Dige Semark wrote:

Hey out there.

I have to join my UNIX server with an existing Win2k3 AD network.

My system info:
Debian Lenny
Samba - 3.4.8
Winbind - 3.4.8

Windows Server 2003 with 2000-style-AD

My problem is that I have a UNIX server that has to run auth up against our existing windows 2003 AD.

I have successfully joined my UNIX server to the AD, without problems.
# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'MAIL' to realm 'TEST.LOCAL'

My Samba config: http://pastebin.com/ZqaA0Ypn

After the join I'm able to look up people with
# wbinfo -u
[...]
# wbinfo -g
[...]

Now the problem, getent only returns the local users and not the users from the AD
The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can look up people and passwords

# getent passwd hs ; echo $?
2

When I debug on getent it returns 2, which means that it can't find the user.

Do you have winbind specified in your nsswitch.conf file as mentioned here:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732
Re: [Samba] User security and public shares
2010/7/18 Lord Devi:
> have tried to create a configuration in which two shares exist ( [data], and
> [apps] ) that require user authentication to access. While at the same time
> there exists a share, [public] which I want to be browseable and connectable
> by everyone with NO password.

read "map to guest" in man smb.conf
Re: [Samba] Samba + Winbind + Windows 2003 AD
On 18 July 2010 01:34, Henrik Dige Semark wrote:
> Hey out there.
>
> I have to join my UNIX server with an existing Win2k3 AD network.
>
> My system info:
> Debian Lenny
> Samba - 3.4.8
> Winbind - 3.4.8
>
> Windows Server 2003 with 2000-style-AD
>
> My problem is that I have a UNIX server that has to run auth up against
> our existing windows 2003 AD.
>
> I have successfully joined my UNIX server to the AD, without problems.
> # net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- TEST
> Joined 'MAIL' to realm 'TEST.LOCAL'
>
> My Samba config: http://pastebin.com/ZqaA0Ypn
>
> After the join I'm able to look up people with
> # wbinfo -u
[...]
> # wbinfo -g
[...]
>
> Now the problem, getent only returns the local users and not the users from
> the AD
> The funny thing is that if a user is local on the UNIX and in the AD, I can
> login with the password from both local and AD, so I know that it can look up
> people and passwords
>
> # getent passwd hs ; echo $?
> 2
>
> When I debug on getent it returns 2, which means that it can't find the
> user.

Do you have winbind specified in your nsswitch.conf file as mentioned here:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732

--
Michael Wood
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Tobias

To be honest I don't really know that much about the Windows AD, I'm not a Windows guy, when I talked with the Windows AD Administrator he told me that it was an RFC2307 schema and not an old SFU, but I have just now logged on to the AD server and it doesn't seem like any schemas are loaded at all.

My winbind debugging: http://pastebin.com/WjDRvp8q
Winbind debugging while getent passwd USER: http://pastebin.com/0B24yePY

I don't know why there is a lot of UVROOT.LOCAL, my server is only joined to UNDERVISNING.LOCAL, but the windows AD server does know UVROOT also.

--
Med Venlig Hilsen / Best Regards
Henrik Dige Semark

On 18-07-2010 08:58, Mucke, Tobias, FCI4 wrote:

Hi Henrik,

I am also fighting with Winbind for a few days now experiencing some weird behaviour. Regarding your explanation I assume you have SFU running in your AD Domain. Do you really have a RFC2307 compliant schema in AD or do you still stick to SFU schema?

For debugging the winbind it was helpful to me to start it in a shell as a foreground process with debugging on, e. g.

/usr/sbin/winbindd -SFi -d3

Now you should be able to see the different Winbind behaviour regarding the login and getent.

Good luck.

Tobias Mucke
LFK-Lenkflugkörpersysteme GmbH
Serverpool, FCI4
Landshuter Straße 26, 85716 Unterschleißheim, GERMANY
Phone: +49 89 3179 8438
Fax: +49 89 3179 8927
Mobile: +49 170 635 3830
E-Mail: tobias.mu...@mbda-systems.de
http://www.mbda.net
Chairman of the Supervisory Board: Antoine Bouvier
Managing Director: Werner Kaltenegger
Registered Office: Schrobenhausen
Commercial Register: Amtsgericht Ingolstadt, HRB 4365

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Henrik Dige Semark
Sent: Sunday, July 18, 2010 1:35 AM
To: samba@lists.samba.org
Subject: [Samba] Samba + Winbind + Windows 2003 AD

Hey out there.

I have to join my UNIX server with an existing Win2k3 AD network.

My system info:
Debian Lenny
Samba - 3.4.8
Winbind - 3.4.8

Windows Server 2003 with 2000-style-AD

My problem is that I have a UNIX server that has to run auth up against our existing windows 2003 AD.

I have successfully joined my UNIX server to the AD, without problems.
# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'MAIL' to realm 'TEST.LOCAL'

My Samba config: http://pastebin.com/ZqaA0Ypn

After the join I'm able to look up people with
# wbinfo -u
[...] XX hds XXX [...]
# wbinfo -g
[...] bg XX bg hds bg XXX [...]

Now the problem, getent only returns the local users and not the users from the AD
The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can look up people and passwords

# getent passwd hs ; echo $?
2

When I debug on getent it returns 2, which means that it can't find the user.

I know there can be a problem with this if the resolv-names is not working
# ping addc.UNDERVISNING.LOCAL
PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data.
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms

# ping mail.UNDERVISNING.LOCAL
PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data.
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms

Is there anyone that can see where I have done something wrong in my samba-config.?

--
Med Venlig Hilsen / Best Regards
Henrik Dige Semark
[Samba] Access from an AD group
Hi,

I am using samba 3.0.24.

Is it possible to grant access to a samba share to an Active Directory group? I have a samba share, and I want an AD group to be able to access it (read) without a password. Is it possible?

Thanks for your help
[Samba] Compiling and installing Samba 4
I have Samba 3.4.7 configured and running, though I am interested in trying Samba 4. How can I find dependency information for compiling the code? Also, can I install Samba 4 and leave v3.4.7 intact while I evaluate it?

Derek
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Henrik,

I am also fighting with Winbind for a few days now experiencing some weird behaviour. Regarding your explanation I assume you have SFU running in your AD Domain. Do you really have a RFC2307 compliant schema in AD or do you still stick to SFU schema?

For debugging the winbind it was helpful to me to start it in a shell as a foreground process with debugging on, e. g.

/usr/sbin/winbindd -SFi -d3

Now you should be able to see the different Winbind behaviour regarding the login and getent.

Good luck.

Tobias Mucke
LFK-Lenkflugkörpersysteme GmbH
Serverpool, FCI4
Landshuter Straße 26, 85716 Unterschleißheim, GERMANY
Phone: +49 89 3179 8438
Fax: +49 89 3179 8927
Mobile: +49 170 635 3830
E-Mail: tobias.mu...@mbda-systems.de
http://www.mbda.net
Chairman of the Supervisory Board: Antoine Bouvier
Managing Director: Werner Kaltenegger
Registered Office: Schrobenhausen
Commercial Register: Amtsgericht Ingolstadt, HRB 4365

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Henrik Dige Semark
Sent: Sunday, July 18, 2010 1:35 AM
To: samba@lists.samba.org
Subject: [Samba] Samba + Winbind + Windows 2003 AD

Hey out there.

I have to join my UNIX server with an existing Win2k3 AD network.

My system info:
Debian Lenny
Samba - 3.4.8
Winbind - 3.4.8

Windows Server 2003 with 2000-style-AD

My problem is that I have a UNIX server that has to run auth up against our existing windows 2003 AD.

I have successfully joined my UNIX server to the AD, without problems.
# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'MAIL' to realm 'TEST.LOCAL'

My Samba config: http://pastebin.com/ZqaA0Ypn

After the join I'm able to look up people with
# wbinfo -u
[...] XX hds XXX [...]
# wbinfo -g
[...] bg XX bg hds bg XXX [...]

Now the problem, getent only returns the local users and not the users from the AD
The funny thing is that if a user is local on the UNIX and in the AD, I can login with the password from both local and AD, so I know that it can look up people and passwords

# getent passwd hs ; echo $?
2

When I debug on getent it returns 2, which means that it can't find the user.

I know there can be a problem with this if the resolv-names is not working
# ping addc.UNDERVISNING.LOCAL
PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data.
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms

# ping mail.UNDERVISNING.LOCAL
PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data.
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms

Is there anyone that can see where I have done something wrong in my samba-config.?

--
Med Venlig Hilsen / Best Regards
Henrik Dige Semark