Re: [Samba] NTLMv2 issues

2012-04-14 Thread Chu, Ronald
yes I did

Which one to use 

Thanks

----- Original Message -----
From: Andrew Bartlett [mailto:abart...@samba.org]
Sent: Friday, April 13, 2012 03:55 PM
To: Chu, Ronald
Cc: samba@lists.samba.org. samba@lists.samba.org
Subject: Re: NTLMv2 issues

On Fri, 2012-04-13 at 19:41 +, Chu, Ronald wrote:
> Hey all. We are running Samba 3.5.4 on AIX, but when clients upgraded to
> Win 7, none of the clients on Windows can see the share drive on AIX.
>
> The error said Windows cannot access servername. I know it is
> group policy causing the problem, and
>
> once I took out Computer Configuration - Windows Settings -
> Security Settings - Local Policies - Security Options - Network
> security: Minimum security for NTLMSSP based client to not defined,
> it started working.
>
> Unfortunately, it is group policy that we can't disable or change
> for everyone.
>
> Do you guys have any idea where I can fix the problem?

Are you using 'security=server'?  security=server is incompatible with
ntlmv2.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
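
A check for the setting Andrew Bartlett asks about, as an added example that is not part of the original thread or Samba's own code: it parses smb.conf text (comments, `\` continuations, case- and whitespace-insensitive names) and reports an effective `[global]` `security = server`. The sample configuration and its host names are constructed, and treating an unset `security` as `user` assumes the Samba 3.x default.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_SMB_CONF = """\
# constructed example, not taken from the thread
[global]
   workgroup = EXAMPLE
   Security = SERVER
   password server = fs1.example.test, \\
                     fs2.example.test
   ; security = user

[share]
   path = /srv/share
"""


def _norm(name):
    # smb.conf ignores case and all whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {param: (value, line_no)}}; a later setting overrides an earlier one."""
    sections, current = {}, None
    pending, start = "", 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not pending:
            # Blank lines and lines starting with '#' or ';' are ignored.
            if not stripped or stripped[0] in "#;":
                continue
            start = line_no
        line = pending + stripped
        if line.endswith("\\"):
            # A trailing backslash continues the setting on the next line.
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = _norm(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            # Only the first '=' separates the name from the value.
            name, value = line.split("=", 1)
            sections[current][_norm(name)] = (value.strip(), start)
    return sections


def ntlmv2_findings(text):
    """Report an effective [global] 'security = server', which the reply
    in this thread describes as incompatible with NTLMv2."""
    conf = parse_smb_conf(text).get("global", {})
    # Assumption: an unset 'security' falls back to 'user' (Samba 3.x default).
    value, line_no = conf.get("security", ("user", None))
    findings = []
    if value.lower() == "server":
        findings.append({
            "line": line_no,
            "setting": "security = " + value,
            "reason": "security=server is incompatible with NTLMv2",
        })
    return findings


if __name__ == "__main__":
    for f in ntlmv2_findings(SAMPLE_SMB_CONF):
        print("line %s: %s (%s)" % (f["line"], f["setting"], f["reason"]))
```
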


Re: [Samba] NTLMv2 issues

2012-04-14 Thread Chu, Ronald
Do you have any document for setting up in smb.conf

Thanks

----- Original Message -----
From: Chu, Ronald
Sent: Saturday, April 14, 2012 12:27 PM
To: 'abart...@samba.org' abart...@samba.org
Cc: 'samba@lists.samba.org' samba@lists.samba.org
Subject: Re: NTLMv2 issues

yes I did

Which one to use 

Thanks

----- Original Message -----
From: Andrew Bartlett [mailto:abart...@samba.org]
Sent: Friday, April 13, 2012 03:55 PM
To: Chu, Ronald
Cc: samba@lists.samba.org. samba@lists.samba.org
Subject: Re: NTLMv2 issues

On Fri, 2012-04-13 at 19:41 +, Chu, Ronald wrote:
> Hey all. We are running Samba 3.5.4 on AIX, but when clients upgraded to
> Win 7, none of the clients on Windows can see the share drive on AIX.
>
> The error said Windows cannot access servername. I know it is
> group policy causing the problem, and
>
> once I took out Computer Configuration - Windows Settings -
> Security Settings - Local Policies - Security Options - Network
> security: Minimum security for NTLMSSP based client to not defined,
> it started working.
>
> Unfortunately, it is group policy that we can't disable or change
> for everyone.
>
> Do you guys have any idea where I can fix the problem?

Are you using 'security=server'?  security=server is incompatible with
ntlmv2.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] issue with samba on NTLMv2

2012-04-13 Thread Chu, Ronald
Hey all. We are running Samba 3.5.4 on AIX, but when clients upgraded to Win 7,
none of the clients on Windows can see the share drive on AIX.

The error said Windows cannot access servername. I know it is group policy
causing the problem, and

once I took out Computer Configuration - Windows Settings - Security
Settings - Local Policies - Security Options - Network security: Minimum
security for NTLMSSP based client to not defined, it started working.


Unfortunately, it is group policy that we can't disable or change for
everyone.

Do you guys have any idea where I can fix the problem?


thanks

ronald chu
Charles Schwab


[Samba] issue with win7 access samba server running on AIX

2012-04-13 Thread Chu, Ronald
Hey all. We are running Samba 3.5.4 on AIX, but when clients upgraded to Win 7,
none of the clients on Windows can see the share drive on AIX.

The error said Windows cannot access servername. I know it is group policy
causing the problem, and

once I took out Computer Configuration - Windows Settings - Security
Settings - Local Policies - Security Options - Network security: Minimum
security for NTLMSSP based client to not defined, it started working.


Unfortunately, it is group policy that we can't disable or change for
everyone.

Do you guys have any idea where I can fix the problem?


thanks

ronald chu
Charles Schwab


[Samba] Winbind errors result in no logins!

2009-04-24 Thread Trimble, Ronald D
Everyone,
We are currently seeing a very strange problem on our server.  
Everything will be running along smoothly and then all of a sudden, nobody will 
be able to login.  Looking through the logs reveals the following messages...

Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): 
pam_winbind_request: read from socket failed!
Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): internal module 
error (retval = 3, user = 'NA\nda')
Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0xa0c91c0] 
LEAVE: pam_sm_authenticate returning 3
Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): 
pam_winbind_request: read from socket failed!
Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): internal module 
error (retval = 3, user = 'na\sja')
Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0x9c58c68] 
LEAVE: pam_sm_authenticate returning 3
Apr 24 10:55:31 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0x9c58630] 
ENTER: pam_sm_authenticate (flags: 0x0001)

Also, once the problem begins, the CPU goes to 95%+ for winbind!  The 
apache2_error log shows errors like this...

[Fri Apr 24 16:08:08 2009] [error] [client 192.xxx.xxx.xxx] PAM: user 'na\\naj' 
- not authenticated: Error in service module
[Fri Apr 24 16:08:15 2009] [error] [client 172.xxx.xxx.xxx] PAM: user 'na\\sja' 
- not authenticated: Error in service module
[Fri Apr 24 16:08:29 2009] [error] [client 192.xxx.xxx.xxx] PAM: user 'na\\nda' 
- not authenticated: Error in service module
[Fri Apr 24 16:09:48 2009] [error] [client 192.xxx.xxx.xxx] PAM: user 'na\\nda' 
- not authenticated: Error in service module

Restarting the winbind and smb services clears up the problem immediately, but 
we can't seem to figure out what is going on.  Does anyone have any suggestions 
of things to try?  Have any of you seen this before?

Thanks,
Ron



[Samba] Problem with alternate domains and winbind

2009-01-16 Thread Trimble, Ronald D
My apologies for sending this again, but I sent it late last night and was 
hoping someone from the morning crowd may be able to help.


I am seeing a strange problem with my domain controllers as they relate to 
winbind.  From time to time, I lose my connection to the alternate domains.  I 
really need some help figuring this out as I have gone as far as I can.  I 
would be very appreciative of any ideas anyone may have.

Our primary domain is NA.  I need to also be able to authenticate users in 
other domains such as EU, LAC, and AP.  They are all trusted domains and this 
has worked in the past.  No changes, that I am aware of, have been made to the 
domains.

For background, I am running samba-3.2.7-0.1.135.

When I issue the wbinfo --online-status command, I get the following:

(truncated to show the relevant portions)

USTR-LINUX-1:~ # wbinfo --online-status
BUILTIN : online
USTR-LINUX-1 : online
NA : online
AP : online
EU : online
LAC : online

To further investigate those domains, I run the --domain-info switch against the 
domain and get the following:

USTR-LINUX-1:~ # wbinfo --domain-info=NA
Name              : NA
Alt_Name          : na.uis.unisys.com
SID               : S-1-5-21-725345543-2052111302-527237240
Active Directory  : Yes
Native            : Yes
Primary           : Yes
USTR-LINUX-1:~ # wbinfo --domain-info=EU
Name              : EU
Alt_Name          : eu.uis.unisys.com
SID               : S-1-5-21-606747145-879983540-1177238915
Active Directory  : Yes
Native            : No
Primary           : No
USTR-LINUX-1:~ # wbinfo --domain-info=AP
Name              : AP
Alt_Name          : ap.uis.unisys.com
SID               : S-1-5-21-57989841-507921405-527237240
Active Directory  : Yes
Native            : No
Primary           : No
USTR-LINUX-1:~ # wbinfo --domain-info=LAC
Name              : LAC
Alt_Name          : lac.uis.unisys.com
SID               : S-1-5-21-1085031214-1454471165-1644491937
Active Directory  : Yes
Native            : No
Primary           : No

However, when I try to retrieve the DC names, only the NA domain returns 
anything:

USTR-LINUX-1:~ # wbinfo --getdcname=NA
USEA-NADC3
USTR-LINUX-1:~ # wbinfo --getdcname=EU
Could not get dc name for EU

The log.wb-EU shows the following:

[2009/01/15 22:11:11,  5] winbindd/winbindd_cache.c:get_cache(178)
  get_cache: Setting ADS methods for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:fetch_cache_seqnum(405)
  fetch_cache_seqnum: invalid data size key [SEQNUM/EU]
[2009/01/15 22:11:11, 10] 
winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863)
  wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] 
winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878)
  wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11,  3] winbindd/winbindd_ads.c:sequence_number(1215)
  ads: fetch sequence_number for EU
[2009/01/15 22:11:11, 10] 
winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863)
  wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] 
winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878)
  wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_ads.c:ads_cached_connection(45)
  ads_cached_connection
[2009/01/15 22:11:11,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for 
usea-eud...@eu.uis.unisys.com (Cannot contact any KDC for requested realm)
[2009/01/15 22:11:11,  0] libads/sasl.c:ads_sasl_spnego_bind(819)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC 
for requested realm
[2009/01/15 22:11:11,  1] winbindd/winbindd_ads.c:ads_cached_connection(127)
  ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(526)
  refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:store_cache_seqnum(456)
  store_cache_seqnum: success [EU][4294967295 @ 1232075471]
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538)
  refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:11:11,  1] winbindd/winbindd_user.c:winbindd_dual_userinfo(150)
  error getting user info for sid S-1-5-21-606747145-879983540-1177238915-173280
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:cache_store_response(2423)
  Storing response for pid 30838, len 3496
[2009/01/15 22:14:45,  4] winbindd/winbindd_dual.c:fork_domain_child(1238)
  child daemon request 46
[2009/01/15 22:14:45, 10] winbindd/winbindd_dual.c:child_process_request(453)
  child_process_request: request fn GETUSERDOMGROUPS
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(490)
  refresh_sequence_number: EU time ok
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538)
  refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:cache_store_response(2423)
  

[Samba] Problem with alternate domains and winbind

2009-01-15 Thread Trimble, Ronald D
I am seeing a strange problem with my domain controllers as they relate to 
winbind.  From time to time, I lose my connection to the alternate domains.  I 
really need some help figuring this out as I have gone as far as I can.  I 
would be very appreciative of any ideas anyone may have.

Our primary domain is NA.  I need to also be able to authenticate users in 
other domains such as EU, LAC, and AP.  They are all trusted domains and this 
has worked in the past.  No changes, that I am aware of, have been made to the 
domains.

For background, I am running samba-3.2.7-0.1.135.

When I issue the wbinfo --online-status command, I get the following:

(truncated to show the relevant portions)

USTR-LINUX-1:~ # wbinfo --online-status
BUILTIN : online
USTR-LINUX-1 : online
NA : online
AP : online
EU : online
LAC : online

To further investigate those domains, I run the --domain-info switch against the 
domain and get the following:

USTR-LINUX-1:~ # wbinfo --domain-info=NA
Name              : NA
Alt_Name          : na.uis.unisys.com
SID               : S-1-5-21-725345543-2052111302-527237240
Active Directory  : Yes
Native            : Yes
Primary           : Yes
USTR-LINUX-1:~ # wbinfo --domain-info=EU
Name              : EU
Alt_Name          : eu.uis.unisys.com
SID               : S-1-5-21-606747145-879983540-1177238915
Active Directory  : Yes
Native            : No
Primary           : No
USTR-LINUX-1:~ # wbinfo --domain-info=AP
Name              : AP
Alt_Name          : ap.uis.unisys.com
SID               : S-1-5-21-57989841-507921405-527237240
Active Directory  : Yes
Native            : No
Primary           : No
USTR-LINUX-1:~ # wbinfo --domain-info=LAC
Name              : LAC
Alt_Name          : lac.uis.unisys.com
SID               : S-1-5-21-1085031214-1454471165-1644491937
Active Directory  : Yes
Native            : No
Primary           : No

However, when I try to retrieve the DC names, only the NA domain returns 
anything:

USTR-LINUX-1:~ # wbinfo --getdcname=NA
USEA-NADC3
USTR-LINUX-1:~ # wbinfo --getdcname=EU
Could not get dc name for EU

The log.wb-EU shows the following:

[2009/01/15 22:11:11,  5] winbindd/winbindd_cache.c:get_cache(178)
  get_cache: Setting ADS methods for domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:fetch_cache_seqnum(405)
  fetch_cache_seqnum: invalid data size key [SEQNUM/EU]
[2009/01/15 22:11:11, 10] 
winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863)
  wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] 
winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878)
  wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11,  3] winbindd/winbindd_ads.c:sequence_number(1215)
  ads: fetch sequence_number for EU
[2009/01/15 22:11:11, 10] 
winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3863)
  wcache_tdc_fetch_domain: Searching for domain EU
[2009/01/15 22:11:11, 10] 
winbindd/winbindd_cache.c:wcache_tdc_fetch_domain(3878)
  wcache_tdc_fetch_domain: Found domain EU
[2009/01/15 22:11:11, 10] winbindd/winbindd_ads.c:ads_cached_connection(45)
  ads_cached_connection
[2009/01/15 22:11:11,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for 
usea-eud...@eu.uis.unisys.com (Cannot contact any KDC for requested realm)
[2009/01/15 22:11:11,  0] libads/sasl.c:ads_sasl_spnego_bind(819)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC 
for requested realm
[2009/01/15 22:11:11,  1] winbindd/winbindd_ads.c:ads_cached_connection(127)
  ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(526)
  refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:store_cache_seqnum(456)
  store_cache_seqnum: success [EU][4294967295 @ 1232075471]
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538)
  refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:11:11,  1] winbindd/winbindd_user.c:winbindd_dual_userinfo(150)
  error getting user info for sid S-1-5-21-606747145-879983540-1177238915-173280
[2009/01/15 22:11:11, 10] winbindd/winbindd_cache.c:cache_store_response(2423)
  Storing response for pid 30838, len 3496
[2009/01/15 22:14:45,  4] winbindd/winbindd_dual.c:fork_domain_child(1238)
  child daemon request 46
[2009/01/15 22:14:45, 10] winbindd/winbindd_dual.c:child_process_request(453)
  child_process_request: request fn GETUSERDOMGROUPS
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(490)
  refresh_sequence_number: EU time ok
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:refresh_sequence_number(538)
  refresh_sequence_number: EU seq number is now -1
[2009/01/15 22:14:45, 10] winbindd/winbindd_cache.c:cache_store_response(2423)
  Storing response for pid 30838, len 3496

The logs are similar for the other domains.  What can I do to get this working? 
 The linux server 

Re: [Samba] SMBD panic with INTERNAL ERROR: Signal 6 for ARM 922T

2008-10-17 Thread James Ronald
On Wed, Oct 15, 2008 at 3:41 PM, Jeremy Allison [EMAIL PROTECTED] wrote:
> On Wed, Oct 15, 2008 at 03:36:06PM -0400, James Ronald wrote:
> > I am trying to get SAMBA to run on a custom ARM 922T compatible micro
> > controller.   It does not matter how I try to start smbd (smbd -D -d10
> > or smbd -i -d10) smbd keeps panicking at the same point with an
> > INTERNAL ERROR: Signal 6.  I have spent over a day trying to figure
> > out what could be wrong but I am having no success.  If someone could
> > at least give me a clue as to what smbd is trying to do at this point
> > it would be greatly appreciated.
>
> Can you get a gdb backtrace with symbols on this platform ?
>
> Jeremy.

Jeremy,

Here are the results from the backtrace.

# ./gdb-arm
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as arm-linux-uclibcgnueabi.
(gdb) file /tmp/sda1/smbd
Reading symbols from /tmp/sda1/smbd...done.
Using host libthread_db library /lib/libthread_db.so.1.
(gdb)
(gdb)
(gdb) attach 374
Attaching to program: /tmp/sda1/smbd, process 374
Reading symbols from /lib/libcrypt.so.0...done.
Loaded symbols for /lib/libcrypt.so.0
Reading symbols from /lib/libresolv.so.0...done.
Loaded symbols for /lib/libresolv.so.0
Reading symbols from /lib/libdl.so.0...done.
Loaded symbols for /lib/libdl.so.0
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/libc.so.0...done.
Loaded symbols for /lib/libc.so.0
Reading symbols from /lib/ld-uClibc.so.0...done.
Loaded symbols for /lib/ld-uClibc.so.0
0x4005ddd4 in wait4 () from /lib/libc.so.0
(gdb) tb
Breakpoint 1 at 0x4005ddd4
(gdb) bt
#0  0x4005ddd4 in wait4 () from /lib/libc.so.0
#1  0x40084964 in system () from /lib/libc.so.0
#2  0x001e5d20 in smb_panic (why=0x2d7930 internal error) at lib/util.c:1639
Backtrace stopped: frame did not save the PC
(gdb)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] SMBD panic with INTERNAL ERROR: Signal 6 for ARM 922T

2008-10-15 Thread James Ronald
I am trying to get SAMBA to run on a custom ARM 922T compatible micro
controller.   It does not matter how I try to start smbd (smbd -D -d10
or smbd -i -d10) smbd keeps panicking at the same point with an
INTERNAL ERROR: Signal 6.  I have spent over a day trying to figure
out what could be wrong but I am having no success.  If someone could
at least give me a clue as to what smbd is trying to do at this point
it would be greatly appreciated.

Thanks,
Jim Ronald


=
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section [Share]
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
netbios name = Server
netbios aliases = Server0
server string = Server
interfaces = 192.168.0.200/255.255.255.0
security = SHARE
null passwords = Yes
smb passwd file = /etc/smbpasswd
guest account = root
log level = 10
log file = /var/log/samba.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 0
preferred master = No
fake oplocks = Yes
magic script = automagic.run

[Share]
comment = File Share
path = /tmp
username = root
read only = No
create mask = 0776
directory mask = 0770
===
# smbd -i -d10
Maximum core file size limits now 16777216(soft) -1(hard)
get_current_groups: user is in 2 groups: 0, 10
smbd version 3.0.28a started.
Copyright Andrew Tridgell and the Samba Team 1992-2008
uid=0 gid=0 euid=0 egid=0
Build environment:
   Built by:[EMAIL PROTECTED]
   Built on:Wed Oct 15 13:37:49 EDT 2008
   Built using:
/home/jronald/phoenix/trunk/buildroot-21758/build_arm/staging_dir/usr/bin/arm-linux-uclibcgnueabi-gcc
   Build host:  Linux jronald-desktop 2.6.24-21-generic #1 SMP Mon Aug
25 17:32:09 UTC 2008 i686 GNU/Linux
   SRCDIR:
/home/jronald/phoenix/trunk/buildroot-21758/build_arm/samba-3.0.28a/source
   BUILDDIR:
/home/jronald/phoenix/trunk/buildroot-21758/build_arm/samba-3.0.28a/source

Paths:
   SBINDIR: /usr/local/samba/sbin
   BINDIR: /usr/local/samba/bin
   SWATDIR: /usr/local/samba/swat
   CONFIGFILE: /etc/samba/smb.conf
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   LIBDIR: /usr/local/samba/lib
   SHLIBEXT: so
   LOCKDIR: /var/cache/samba
   PIDDIR: /var/run
   SMB_PASSWD_FILE: /etc/samba/smbpasswd
   PRIVATE_DIR: /etc/samba


[Samba] Server crash - Is it a Kernel or Samba problem?

2008-10-10 Thread Trimble, Ronald D
Yesterday I had an unexpected server crash.  Here is what appeared in the logs:

Oct  9 20:16:21 USTR-LINUX-1 [powersaved][11654]: resmgr: server response code 
200
Oct  9 20:16:53 USTR-LINUX-1 last message repeated 19 times
Oct  9 20:17:26 USTR-LINUX-1 last message repeated 13 times
Oct  9 20:17:26 USTR-LINUX-1 kernel: Unable to handle kernel paging request at 
virtual address 00100104
Oct  9 20:17:26 USTR-LINUX-1 kernel:  printing eip:
Oct  9 20:17:26 USTR-LINUX-1 kernel: c0134d50
Oct  9 20:17:26 USTR-LINUX-1 kernel: *pde = 09044001
Oct  9 20:17:26 USTR-LINUX-1 kernel: Oops: 0002 [#1]
Oct  9 20:17:26 USTR-LINUX-1 kernel: SMP
Oct  9 20:17:26 USTR-LINUX-1 kernel: CPU:2
Oct  9 20:17:26 USTR-LINUX-1 kernel: EIP:0060:[c0134d50]Tainted: G   U
Oct  9 20:17:26 USTR-LINUX-1 kernel: EFLAGS: 00010002   (2.6.5-7.286-bigsmp 
SLES9_SP3_BRANCH-20070531101258)
Oct  9 20:17:26 USTR-LINUX-1 kernel: EIP is at free_uid+0x20/0x50
Oct  9 20:17:26 USTR-LINUX-1 kernel: eax: 00100100   ebx: ecd84500   ecx: 
ecd84514   edx: 00200200
Oct  9 20:17:26 USTR-LINUX-1 kernel: esi: c9460af8   edi: 0009   ebp: 
000a   esp: cf66beb0
Oct  9 20:17:26 USTR-LINUX-1 kernel: ds: 007b   es: 007b   ss: 0068
Oct  9 20:17:26 USTR-LINUX-1 kernel: Process smbd (pid: 29272, 
threadinfo=cf66a000 task=ec3c4010)
Oct  9 20:17:26 USTR-LINUX-1 kernel: Stack: c677d708 c0135f64  cf66bf28 
 cf66bf28 ec3c4010 ec3c4554
Oct  9 20:17:26 USTR-LINUX-1 kernel:c0137c22 cf66a000 083d7520 cf66bfc4 
e000 c0137ffa 2411f3bd cf66a000
Oct  9 20:17:26 USTR-LINUX-1 kernel:ec3c4554 cf66bfc4 cf66bf28 cf66a000 
083d7520 cf66bfc4 ec3c4554 c010847a
Oct  9 20:17:26 USTR-LINUX-1 kernel: Call Trace:
Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0135f64] __dequeue_signal+0x184/0x1a0
Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0137c22] dequeue_signal+0x62/0xa0
Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0137ffa] 
get_signal_to_deliver+0x7a/0x3d0
Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c010847a] do_signal+0x8a/0x640
Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0140874] 
ckrm_invoke_event_cb_chain+0x24/0x30
Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c013ab2c] sys_setresuid+0x1dc/0x240
Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0108a67] do_notify_resume+0x37/0x40
Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0109256] work_notifysig+0x13/0x15
Oct  9 20:17:26 USTR-LINUX-1 kernel:
Oct  9 20:17:26 USTR-LINUX-1 kernel: Code: 89 50 04 89 02 89 da c7 43 14 00 01 
10 00 c7 41 04 00 02 20
Oct 10 00:24:53 USTR-LINUX-1 syslogd 1.4.1: restart.


My question is: is this a kernel or a Samba problem?  Has anyone experienced this 
before?  I do know that the server was under considerable SMB load (a build was 
being generated on another computer and written to this server) when the oops 
occurred.  I am running SUSE SLES 9 SP4.  Kernel is 2.6.5-7.286-bigsmp.

Any help would be appreciated.  Thanks!


RE: [Samba] Server crash - Is it a Kernel or Samba problem?

2008-10-10 Thread Trimble, Ronald D
Do you have any suggestions on how I may track this down?  Obviously, the logs 
are sparse.  Has anyone else reported a similar problem?

-Original Message-
From: Volker Lendecke [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2008 3:19 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Server crash - Is it a Kernel or Samba problem?

On Fri, Oct 10, 2008 at 11:22:58AM -0500, Trimble, Ronald D wrote:

> Oct  9 20:17:26 USTR-LINUX-1 kernel: Call Trace:
> Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0135f64] __dequeue_signal+0x184/0x1a0
> Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0137c22] dequeue_signal+0x62/0xa0
> Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0137ffa] get_signal_to_deliver+0x7a/0x3d0
> Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c010847a] do_signal+0x8a/0x640
> Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0140874] ckrm_invoke_event_cb_chain+0x24/0x30
> Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c013ab2c] sys_setresuid+0x1dc/0x240
> Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0108a67] do_notify_resume+0x37/0x40
> Oct  9 20:17:26 USTR-LINUX-1 kernel:  [c0109256] work_notifysig+0x13/0x15
> Oct  9 20:17:26 USTR-LINUX-1 kernel:
> Oct  9 20:17:26 USTR-LINUX-1 kernel: Code: 89 50 04 89 02 89 da c7 43 14 00 01 10 00 c7 41 04 00 02 20
> Oct 10 00:24:53 USTR-LINUX-1 syslogd 1.4.1: restart.
>
>
> My question is: is this a kernel or a Samba problem?  Has anyone
> experienced this before?  I do know that the server was under
> considerable SMB load (a build was being generated on another computer
> and written to this server) when the oops occurred.  I am running SUSE
> SLES 9 SP4.
> Kernel is 2.6.5-7.286-bigsmp.

Kernel crashes are a kernel problem, or maybe flaky hardware. Samba might put a 
load on the kernel that only few other applications do, but it is a kernel 
problem.

Volker


RE: [Samba] Winbind problem with more details.

2008-02-18 Thread Trimble, Ronald D
Thanks for all of the helpful advice Ross.  I will certainly make some of these 
changes in the future in a controlled manner.  As it turns out, one of our 
in-house developers has found the problem and submitted a bug against winbind 
for it.  https://bugzilla.samba.org/show_bug.cgi?id=5264

His current patch is against the mod_auth_pam module, which is fine for us.

It took the better part of an entire week and many different debugging builds 
to figure out exactly what was going on.

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 2:26 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

> Ross, do you have any links to document what you are saying
> about the password server being set to a domain?  I have
> found several examples of it listing multiple DCs, but not a
> domain name.

Well you could read this mind numbing white paper,

http://technet2.microsoft.com/windowsserver/en/library/19a63021-cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true

or just look at your DNS zone,

You will notice for each forward zone for each domain that the DCs in those 
domains acting as DNS servers register their IP addresses under the zone name, 
like such:

IN A X.X.X.X
IN A X.X.X.X
IN A X.X.X.X

This by nature will force a round-robin lookup for all A queries of the domain 
name.

Windows 2000/2003 goes a step further by ordering the results based on the 
originating IP and the site networks you configured in sites and services, 
making sure it delivers IP addresses in your subnet first, filtering out any DC 
that is reported as down.


Try it out with nslookup.

Now if you have Unix DNS servers this will of course not happen, you will get 
round-robin without the filtering or ordering.

-Ross

 -Original Message-
 From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
 Sent: Friday, February 15, 2008 12:06 PM
 To: Trimble, Ronald D; Herb Lewis
 Cc: samba@lists.samba.org
 Subject: RE: [Samba] Winbind problem with more details.

 Trimble, Ronald D wrote:
 
  Here you go...

 I forgot to ask which version of samba your now running, but
 assuming it is something around '3.0.25', then here is my
 suggestion config. If it is an earlier version let me know.

  [global]
  workgroup = NA
  realm = NA.UIS.UNISYS.COM
  netbios name = ustr-linux-1
  server string = USTR-LINUX-1 Samba Server
  encrypt passwords = yes
  security = ADS
  password server = 192.xx.xxx.xxx

 I believe for an AD domain, if you set the password server
 equal to the local domain name it will round-robin query
 the closest domain controller. Test it out, it will eliminate
 the single point of failure if it works in your environment.

  passdb backend = smbpasswd

 I tend to use tdb for my passwd backend, especially if the number
 of users is large, tdb can speed lookups tremendously.

  log level = 2 winbind:10 ads:10 auth:10
  syslog = 0
  log file = /var/log/samba/%m.log
  #   debug level = 10
  max log size = 5000
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

 I see no idmap entries here, and don't understand how winbind
 is working at all without them, maybe some old compatibility
 feature...

 I suggest, and of course I don't know your full topology, so it
 will most definitely need adjusting:

   idmap domains = default NA
   idmap config default:default = yes
   idmap config NA:backend = rid
   idmap config NA:range = 16777216 - 33554431

 Is that id range valid? I have never used anything over 99, it
 seems very oddly arbitrary, but I suppose you have a reason...

 Normally I allocate a 10 id range per domain, so NA would have
 range 10 - 19, domain NA2 would have 20 - 29 and
 so on, makes it easier to determine the RID if the base of the
 range is on a power of ten and if you have multiple domains.

   idmap alloc backend = tdb
   idmap uid = 9 - 9
   idmap gid = 9 - 9

 This section here is for local mappings, BUILTINs and such, I
 set it as the default, but I'm sure other people will have
 their preferences or recommendations.

  winbind use default domain = no
  winbind enum users = no
  winbind enum groups = no
  template homedir = /home/%D/%U
  template shell = /bin/bash
  admin users = root, NA\TRIMBLRD, +NA\EPS Admin
  nt acl support = yes
  map acl inherit = yes

 Notice I removed these lines:
  winbind uid = 16777216-33554431
  winbind gid = 16777216-33554431

 This is old deprecated syntax, the syntax is now 'idmap uid',
 and it applies to id domains not explicitly configured with
 the 'id config' directive.

 snip

 Let me know if that helps

RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D


-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 4:37 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:
 Trimble, Ronald D wrote:
 
  Just an FYI... this is not a local group but an AD Domain
  Local group.  We are using Domain Local groups since they can
  contain users from other domains.


 Are all these users members of the same domain?

 If not, do you have the 'allow trusted domains = yes' option set?

 What does your idmap setup look like?

After reading more carefully I have more questions below...

  -Original Message-
  From: Herb Lewis [mailto:[EMAIL PROTECTED]
  Sent: Thursday, February 14, 2008 3:08 PM
  To: Trimble, Ronald D
  Cc: samba@lists.samba.org
  Subject: Re: [Samba] Winbind problem with more details.
 
  you will notice that the SID type for the requested group is
  4 which we
  see from smb.h is SID_NAME_ALIAS  /* local group */
 
 
  Trimble, Ronald D wrote:
   Everyone,
   One of our developers was kind enough to
  insert some bug checking into the mod_auth_pam and
  mod_auth_sys_group so that we could see a little more of what
  was going on with our authentication failures.  Here is what
  we just saw.  Two of our users NA\connelmp and NA\guminssa
  both started getting messages that they were not part of the
  required group.   Here is the log for you all to see...

These users started getting messages, this means it was working
correctly for a while?


Yes, it was working for quite some time.  And throughout any given day it will 
work and then stop and then begin working again... all without intervention.



When did it stop working?


We had a system crash several weeks ago.  At that point we upgraded to the 
latest levels of samba as recommended by Novell.  It has not been consistent in 
performance since.



Did anything change around that time that could impact this?

Yes, we upgraded samba.

  From /var/log/apache2/error_log

Maybe /var/log/messages, or /var/log/samba/... may have more
detail as to why things aren't working.

snip lots of sid stuff

   Can anyone shed some light on what is going on here?  This
  problem has been driving me crazy for several weeks now and I
  could use all the help I could get.  I have a full complement
  of logs to go along with all the above information if anyone
  would be so kind as to take a look.  I can make it worth your
  while... I have a code for two free movie tickets on
  fandango.com if you can help me solve this.  Not much, but
  better than an email saying thanks.  :)

Try running your SID output with nscd shut down and see if that
is affecting it, otherwise I would start looking at what changed
in your environment that might have caused this.

I will look into disabling NSCD as you suggested.

Maybe permissions on the AD object?

Permissions have not changed.

The computer object representing this box has adequate rights
to query all group objects in AD?

The server is a member of the domain and thus has all the rights it needs to 
query the domain.

Just throwing out some ideas here.

-Ross

__
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
The users who are failing are all in the same domain.  What are you referring 
to in terms of the idmap?

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 4:26 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

 Just an FYI... this is not a local group but an AD Domain
 Local group.  We are using Domain Local groups since they can
 contain users from other domains.


Are all these users members of the same domain?

If not, do you have the 'allow trusted domains = yes' option set?

What does your idmap setup look like?


-Ross

 -Original Message-
 From: Herb Lewis [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 14, 2008 3:08 PM
 To: Trimble, Ronald D
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Winbind problem with more details.

 you will notice that the SID type for the requested group is
 4 which we
 see from smb.h is SID_NAME_ALIAS  /* local group */


 Trimble, Ronald D wrote:
  Everyone,
  One of our developers was kind enough to
 insert some bug checking into the mod_auth_pam and
 mod_auth_sys_group so that we could see a little more of what
 was going on with our authentication failures.  Here is what
 we just saw.  Two of our users NA\connelmp and NA\guminssa
 both started getting messages that they were not part of the
 required group.   Here is the log for you all to see...
 
 From /var/log/apache2/error_log
 
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: YES, na\\huynhsv is listed amongst the
 NA\\USTR-LINUX-1-SPAR group members
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: YES, na\\huynhsv is listed amongst the
 NA\\USTR-LINUX-1-SPAR group members
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40]
 CHKAUTH: YES, na\\huynhsv is listed amongst the
 NA\\USTR-LINUX-1-SPAR group members
  [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63]
 CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, NA\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members)
  [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: NA\\connelmp not in required group(s).
  [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63]
 CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
  [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, NA\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members)
  [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: NA\\connelmp not in required group(s).
  [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63]
 CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, na\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members), referer:
 https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: na\\connelmp not in required group(s).,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63]
 CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, na\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members), referer:
 https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: na\\connelmp not in required group(s).,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63]
 CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63]
 CHKAUTH: NO, na\\connelmp is NOT a member of
 NA\\USTR-LINUX-1-SPAR group (with 58 members), referer:
 https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63]
 CHKAUTH: GROUP: na\\connelmp not in required group(s).,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63]
 CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?,
 referer: https://ustr-linux-1/scm/spar/trac/ticket/130
  [Thu Feb 14 13:24:59 2008
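Added example (not part of the original post): a Python sketch that reads CHKAUTH verdict lines in the format logged above, folds `NA\\user` and `na\\user` into one account, and reports each point where an account's membership verdict flips. The sample lines are constructed in that format; the user names and client address are made up, only the group name comes from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches only the YES/NO verdict lines; query and "GROUP:" lines are skipped.
VERDICT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] CHKAUTH: "
    r"(?P<verdict>YES|NO), (?P<user>\S+) is "
    r"(?:listed amongst the|NOT a member of) (?P<group>.+?) group"
    r"(?: members| \(with (?P<count>\d+) members\))"
)

# Constructed sample, one log entry per line (the archive above wraps them).
SAMPLE_LOG = r"""
[Thu Feb 14 11:02:10 2008] [error] [client 192.0.2.10] CHKAUTH: is NA\\alice a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 11:02:10 2008] [error] [client 192.0.2.10] CHKAUTH: YES, NA\\alice is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:22:24 2008] [error] [client 192.0.2.10] CHKAUTH: YES, na\\bob is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:23:33 2008] [error] [client 192.0.2.10] CHKAUTH: NO, NA\\alice is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:33 2008] [error] [client 192.0.2.10] CHKAUTH: GROUP: NA\\alice not in required group(s).
[Thu Feb 14 13:24:42 2008] [error] [client 192.0.2.10] CHKAUTH: NO, na\\alice is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 15:40:05 2008] [error] [client 192.0.2.10] CHKAUTH: YES, na\\alice is listed amongst the NA\\USTR-LINUX-1-SPAR group members
""".strip().splitlines()


def norm(name):
    """Account names compare case-insensitively; the log doubles backslashes."""
    return name.replace("\\\\", "\\").casefold()


def parse(lines):
    """Return verdict events sorted by time."""
    events = []
    for line in lines:
        m = VERDICT.match(line)
        if not m:
            continue
        events.append({
            "when": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "user": norm(m["user"]),
            "group": norm(m["group"]),
            "member": m["verdict"] == "YES",
            "count": int(m["count"]) if m["count"] else None,
        })
    return sorted(events, key=lambda e: e["when"])


def flips(events):
    """Return {(user, group): [(when_before, when_after, now_member), ...]}."""
    last = {}
    out = defaultdict(list)
    for e in events:
        key = (e["user"], e["group"])
        prev = last.get(key)
        if prev is not None and prev["member"] != e["member"]:
            out[key].append((prev["when"], e["when"], e["member"]))
        last[key] = e
    return dict(out)


def denial_sizes(events):
    """Group sizes reported on denials; more than one value per group
    means the member list itself changed between checks."""
    sizes = defaultdict(set)
    for e in events:
        if not e["member"] and e["count"] is not None:
            sizes[e["group"]].add(e["count"])
    return dict(sizes)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for (user, group), changes in flips(evs).items():
        for before, after, now_member in changes:
            state = "member" if now_member else "NOT member"
            print(f"{user} in {group}: {before:%H:%M:%S} -> {after:%H:%M:%S} now {state}")
    print("group sizes seen on denial:", denial_sizes(evs))
```

An account that flips between verdicts within hours, with no change made in AD, points at the lookup path (winbind, nscd, the cache) rather than at real group membership.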

RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
Here you go...


[global]
workgroup = NA
realm = NA.UIS.UNISYS.COM
netbios name = ustr-linux-1
server string = USTR-LINUX-1 Samba Server
encrypt passwords = yes
security = ADS
password server = 192.xx.xxx.xxx
passdb backend = smbpasswd
log level = 2 winbind:10 ads:10 auth:10
syslog = 0
log file = /var/log/samba/%m.log
#   debug level = 10
max log size = 5000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = no
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
winbind enum users = no
winbind enum groups = no
template homedir = /home/%D/%U
template shell = /bin/bash
admin users = root, NA\TRIMBLRD, +NA\EPS Admin
nt acl support = yes
map acl inherit = yes

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 11:09 AM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

 The users who are failing are all in the same domain.  What
 are you referring to in terms of the idmap?

Are you using the old 'idmap backend = rid...' or the newer
'idmap domains = ...' and the 'idmap config DOM: backend = ...'
setup?

Maybe if you can post the [global] section of your smb.conf
substituting any proprietary information first of course.


-Ross



RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
That is a lot of good information... let me give it a shot on a test system to 
see what happens.



RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
Just an FYI, we are currently on 3.0.28.  This server was built when 3.0 was 
just coming around.

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:30 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:

 Trimble, Ronald D wrote:
 
  Here you go...

 I forgot to ask which version of samba you're now running, but
 assuming it is something around '3.0.25', then here is my
 suggestion config. If it is an earlier version let me know.

I just realized that your config is pre-RID mapping so your
uid/gid base is in a single tdb file that if lost or broken
will seriously mess up your user base!

If that is the case then I suggest this:
   idmap domains = default
   idmap config default:default = yes
   idmap alloc backend = tdb
   idmap uid = 16777216 - 33554431
   idmap gid = 16777216 - 33554431

Forget this:
   idmap config NA:backend = rid
   idmap config NA:range = 16777216 - 33554431

But remove these:
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431

Back up your tdb cache directory and smb.conf first though to
be on the safe side.

-Ross


RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
Ross, do you have any links to document what you are saying about the password 
server being set to a domain?  I have found several examples of it listing 
multiple DCs, but not a domain name.



RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
You are 100% correct.  I did have a situation several weeks ago where I was 
forced to delete the cache and as a result I had to go through the entire file 
structure to reset all the ACLs.  It was a mess, but thankfully I have a very 
simple security model.

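Added example (not part of the original messages, and not Samba code): a simplified Python model of why deleting the allocating tdb forced the ACL reset described in the message above, set against the arithmetic the rid backend uses (Unix ID = RID - base RID + low end of the range). The account names, domain SID, RIDs and lookup orders are constructed; `TdbAllocator` is a hypothetical stand-in for the tdb-backed allocator, not its actual implementation.

```python
RANGE_LOW, RANGE_HIGH = 16777216, 33554431  # range quoted in the thread

# Constructed data: account names, domain SID and RIDs are invented.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SIDS = {
    "NA\\alice": DOMAIN_SID + "-1105",
    "NA\\bob": DOMAIN_SID + "-1342",
    "NA\\carol": DOMAIN_SID + "-2210",
}


def rid_map(sid, low=RANGE_LOW, high=RANGE_HIGH, base_rid=0):
    """rid-backend arithmetic: Unix ID = RID - base_rid + low end of range."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != DOMAIN_SID:
        raise ValueError("SID outside the configured domain: " + sid)
    unix_id = int(rid) - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError("RID %s does not fit in %d-%d" % (rid, low, high))
    return unix_id


class TdbAllocator:
    """Simplified first-come allocator standing in for the tdb-backed map."""

    def __init__(self, low=RANGE_LOW, high=RANGE_HIGH):
        self.high = high
        self.next_id = low   # high-water mark: next unused ID
        self.table = {}      # SID -> Unix ID; the state the tdb file holds

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("ID range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def allocate(order):
    """Resolve accounts in the given order on a fresh (empty) allocator."""
    alloc = TdbAllocator()
    return {name: alloc.lookup(SIDS[name]) for name in order}


def drift(before, after):
    """For each account whose ID changed: (old ID, new ID, new holder of old ID).

    Files on disk keep the old numeric owner, so the new holder inherits them.
    """
    holder = {uid: name for name, uid in after.items()}
    return {
        name: (old, after[name], holder.get(old))
        for name, old in before.items()
        if after[name] != old
    }


def demo():
    first = allocate(["NA\\alice", "NA\\bob", "NA\\carol"])
    # Cache deleted; the same accounts are now first seen in another order.
    rebuilt = allocate(["NA\\carol", "NA\\alice", "NA\\bob"])
    rid_first = {n: rid_map(s) for n, s in SIDS.items()}
    rid_rebuilt = {n: rid_map(s) for n, s in reversed(list(SIDS.items()))}
    return drift(first, rebuilt), drift(rid_first, rid_rebuilt)


if __name__ == "__main__":
    tdb_drift, rid_drift = demo()
    for name, (old, new, heir) in sorted(tdb_drift.items()):
        print("%s: %d -> %d; files owned by %d now resolve to %s"
              % (name, old, new, old, heir))
    print("rid backend drift after rebuild:", rid_drift)
```

In the allocator model every account changes ID after the rebuild and each old ID lands on a different account, so existing ownership and ACL entries silently grant access to the wrong user until they are reset; the rid arithmetic yields the same ID regardless of lookup order or host.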

RE: [Samba] Winbind problem with more details.

2008-02-15 Thread Trimble, Ronald D
Yes, I will probably give this a try, but I will have to wait until the weekend 
to do so.  Having to rebuild permissions during production hours would be far 
too stressful.

-Original Message-
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 2:29 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba@lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:

 You are 100% correct.  I did have a situation several weeks
 ago where I was forced to delete the cache and as a result I
 had to go through the entire file structure to reset all the
 ACLs.  It was a mess, but thankfully I have a very simple
 security model.

I would seriously think about using idmap_rid as it will make
sure if you need to re-create your maps your UIDs and GIDs
will be identical each time and on each server.

Of course doing so will force you to have to reset ACLs in your
file structure again... :-(

-Ross

 -Original Message-
 From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
 Sent: Friday, February 15, 2008 12:30 PM
 To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
 Cc: samba@lists.samba.org
 Subject: RE: [Samba] Winbind problem with more details.

 Ross S. W. Walker wrote:
 
  Trimble, Ronald D wrote:
  
   Here you go...
 
  I forgot to ask which version of samba you're now running, but
  assuming it is something around '3.0.25', then here is my
  suggested config. If it is an earlier version let me know.

 I just realized that your config is pre-RID mapping so your
 uid/gid base is in a single tdb file that if lost or broken
 will seriously mess up your user base!

 If that is the case then I suggest this:
idmap domains = default
idmap config default:default = yes
idmap alloc backend = tdb
idmap uid = 16777216 - 33554431
idmap gid = 16777216 - 33554431

 Forget this:
idmap config NA:backend = rid
idmap config NA:range = 16777216 - 33554431

 But remove these:
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431

 Backup your tdb cache directory and smb.conf first though to
 be on the safe side.

 -Ross

   [global]
   workgroup = NA
   realm = NA.UIS.UNISYS.COM
   netbios name = ustr-linux-1
   server string = USTR-LINUX-1 Samba Server
   encrypt passwords = yes
   security = ADS
   password server = 192.xx.xxx.xxx
 
  I believe for an AD domain, if you set the password server
  equal to the local domain name it will round-robin query
  the closest domain controller. Test it out, it will eliminate
  the single point of failure if it works in your environment.
 
   passdb backend = smbpasswd
 
  I tend to use tdb for my passwd backend, especially if the number
  of users is large, tdb can speed lookups tremendously.
 
   log level = 2 winbind:10 ads:10 auth:10
   syslog = 0
   log file = /var/log/samba/%m.log
   #   debug level = 10
   max log size = 5000
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 
  I see no idmap entries here, and don't understand how winbind
  is working at all without them, maybe some old compatibility
  feature...
 
  I suggest, and of course I don't know your full topology, so it
  will most definitely need adjusting:
 
idmap domains = default NA
idmap config default:default = yes
idmap config NA:backend = rid
idmap config NA:range = 16777216 - 33554431
 
  Is that id range valid? I have never used anything over 99, it
  seems very oddly arbitrary, but I suppose you have a reason...
 
  Normally I allocate a 10 id range per domain, so NA would have
  range 10 - 19, domain NA2 would have 20 - 29 and
  so on, makes it easier to determine the RID if the base of the
  range is on a power of ten and if you have multiple domains.
 
idmap alloc backend = tdb
idmap uid = 9 - 9
idmap gid = 9 - 9
 
  This section here is for local mappings, BUILTINs and such, I
  set it as the default, but I'm sure other people will have
  their preferences or recommendations.
 
   winbind use default domain = no
   winbind enum users = no
   winbind enum groups = no
   template homedir = /home/%D/%U
   template shell = /bin/bash
   admin users = root, NA\TRIMBLRD, +NA\EPS Admin
   nt acl support = yes
   map acl inherit = yes
 
  Notice I removed these lines:
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431
 
  This is old deprecated syntax, the syntax is now 'idmap uid',
  and it applies to id domains not explicitly configured with
  the 'id config' directive.
 
  snip
 
  Let me know if that helps.
 
  -Ross
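
The point made in this message about idmap_rid producing identical UIDs and GIDs after the maps are re-created, as an added example that is not part of the original thread or of Samba's code. It uses the documented idmap_rid arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID) with the range quoted above; `AllocatingMap` is a simplified, hypothetical model of a first-come allocating backend, and the RIDs 1105 and 1106 are constructed.

```python
LOW_ID, HIGH_ID = 16777216, 33554431  # "idmap config NA:range" quoted in the thread
BASE_RID = 0                          # idmap_rid default when base_rid is not set

# Domain SID prefix and RID 26405 come from the winbind log in this thread;
# RIDs 1105 and 1106 are constructed sample accounts.
DOMAIN_SID = "S-1-5-21-725345543-2052111302-527237240"
SIDS = [f"{DOMAIN_SID}-{rid}" for rid in (26405, 1105, 1106)]


def rid_of(sid):
    """Return the last sub-authority (the RID) of a textual SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def rid_to_unix_id(sid, low=LOW_ID, high=HIGH_ID, base_rid=BASE_RID):
    """idmap_rid arithmetic; returns None when the result leaves the range."""
    unix_id = rid_of(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


class AllocatingMap:
    """Hypothetical model of an allocating backend: each new SID gets the next
    free ID, so the result depends on the order in which SIDs are first seen."""

    def __init__(self, low=LOW_ID, high=HIGH_ID):
        self.next_id = low
        self.high = high
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("ID range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def rebuild(lookup_order):
    """Build both mappings from scratch, as after a deleted cache."""
    alloc = AllocatingMap()
    return (
        {sid: alloc.lookup(sid) for sid in lookup_order},
        {sid: rid_to_unix_id(sid) for sid in lookup_order},
    )


def changed_after_cache_loss(order_before, order_after):
    """Return (SIDs whose allocated ID moved, SIDs whose RID-derived ID moved)."""
    alloc_a, rid_a = rebuild(order_before)
    alloc_b, rid_b = rebuild(order_after)
    return (
        {s for s in alloc_a if alloc_a[s] != alloc_b.get(s)},
        {s for s in rid_a if rid_a[s] != rid_b.get(s)},
    )


if __name__ == "__main__":
    moved_alloc, moved_rid = changed_after_cache_loss(SIDS, SIDS[::-1])
    print("allocating backend, IDs that moved:", len(moved_alloc))
    print("rid backend, IDs that moved:", len(moved_rid))
    print("RID 26405 ->", rid_to_unix_id(SIDS[0]))
```

Every ID that moves under the allocating model is a file ACL entry that now names a different account, which is why the cache loss described above forced a full ACL reset.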

[Samba] Winbind problem with more details.

2008-02-14 Thread Trimble, Ronald D
Everyone,
One of our developers was kind enough to insert some bug 
checking into the mod_auth_pam and mod_auth_sys_group so that we could see a 
little more of what was going on with our authentication failures.  Here is 
what we just saw.  Two of our users NA\connelmp and NA\guminssa both started 
getting messages that they were not part of the required group.   Here is the 
log for you all to see...

From /var/log/apache2/error_log

[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is 
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
NA\\connelmp not in required group(s).
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is 
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
NA\\connelmp not in required group(s).
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), 
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
na\\connelmp not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is 
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
NA\\connelmp not in required group(s).
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: is 
na\\guminssa a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: NO, 
na\\guminssa is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: GROUP: 
na\\guminssa not in required group(s).
[Thu Feb 
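
One way to triage a log like the one in this post, as an added example that is not part of the original thread: it re-joins the wrapped CHKAUTH entries, folds the different spellings of an account (`NA\\connelmp`, `na\\connelmp`) into one key, and reports accounts whose group verdict flips between YES and NO. The sample lines, user names and client addresses are constructed; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the CHKAUTH format shown in the post. Long entries are
# wrapped across lines the way the mail archive wraps them.
SAMPLE_LOG = r"""
[Thu Feb 14 13:22:24 2008] [error] [client 192.0.2.40] CHKAUTH: is
na\\alice a member of NA\\USTR-LINUX-1-SPAR?
[Thu Feb 14 13:22:24 2008] [error] [client 192.0.2.40] CHKAUTH: YES,
na\\alice is listed amongst the NA\\USTR-LINUX-1-SPAR group members
[Thu Feb 14 13:23:33 2008] [error] [client 192.0.2.63] CHKAUTH: NO,
NA\\bob is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
[Thu Feb 14 13:23:33 2008] [error] [client 192.0.2.63] CHKAUTH: GROUP:
NA\\bob not in required group(s).
[Thu Feb 14 13:24:42 2008] [error] [client 192.0.2.63] CHKAUTH: NO,
na\\bob is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members),
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
[Thu Feb 14 13:24:50 2008] [error] [client 192.0.2.63] CHKAUTH: YES,
na\\bob is listed amongst the NA\\USTR-LINUX-1-SPAR group members
"""

ENTRY_START = re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} ")
DECISION = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] CHKAUTH: "
    r"(?P<verdict>YES|NO), (?P<user>.+?) is "
    r"(?:listed amongst the|NOT a member of) (?P<group>.+?) group\b"
)


def unwrap(text):
    """Re-join physical lines into one string per log entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def undouble(name):
    """error_log writes each backslash twice; restore DOMAIN\\user."""
    return name.replace("\\\\", "\\")


def parse_decisions(text):
    """Return one record per YES/NO verdict; question and GROUP lines are skipped."""
    decisions = []
    for entry in unwrap(text):
        m = DECISION.match(entry)
        if not m:
            continue
        raw_user = undouble(m["user"])
        decisions.append({
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "client": m["client"],
            "raw_user": raw_user,
            "user": raw_user.lower(),            # AD names are case-insensitive
            "group": undouble(m["group"]).lower(),
            "allowed": m["verdict"] == "YES",
        })
    return decisions


def summarize(decisions):
    """Per (user, group): verdict counts, spellings seen, and verdict flips."""
    by_key = defaultdict(list)
    for d in sorted(decisions, key=lambda d: d["time"]):
        by_key[(d["user"], d["group"])].append(d)
    report = {}
    for key, items in by_key.items():
        allowed = sum(d["allowed"] for d in items)
        flips = [
            (b["time"] - a["time"]).total_seconds()
            for a, b in zip(items, items[1:])
            if a["allowed"] != b["allowed"]
        ]
        report[key] = {
            "allowed": allowed,
            "denied": len(items) - allowed,
            "spellings": sorted({d["raw_user"] for d in items}),
            "flapping": bool(flips),
            "shortest_flip_seconds": min(flips) if flips else None,
        }
    return report


if __name__ == "__main__":
    for (user, group), row in summarize(parse_decisions(SAMPLE_LOG)).items():
        print(user, group, row)
```

An account reported as flapping with a short flip interval points at the lookup path rather than at a real membership change in the directory.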

RE: [Samba] Winbind problem with more details.

2008-02-14 Thread Trimble, Ronald D
Just an FYI... this is not a local group but an AD Domain Local group.  We are 
using Domain Local groups since they can contain users from other domains.

-Original Message-
From: Herb Lewis [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 3:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind problem with more details.

you will notice that the SID type for the requested group is 4 which we
see from smb.h is SID_NAME_ALIAS  /* local group */


Trimble, Ronald D wrote:
 Everyone,
 One of our developers was kind enough to insert some bug 
 checking into the mod_auth_pam and mod_auth_sys_group so that we could see a 
 little more of what was going on with our authentication failures.  Here is 
 what we just saw.  Two of our users NA\connelmp and NA\guminssa both started 
 getting messages that they were not part of the required group.   Here is the 
 log for you all to see...

From /var/log/apache2/error_log

 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
 na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
 na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
 na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
 na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
 na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
 na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
 [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
 [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 NA\\connelmp not in required group(s).
 [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
 [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 NA\\connelmp not in required group(s).
 [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 na\\connelmp not in required group(s)., referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 na\\connelmp not in required group(s)., referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 na\\connelmp not in required group(s)., referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 na\\connelmp not in required group(s)., referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63

RE: [Samba] Winbind problem with more details.

2008-02-14 Thread Trimble, Ronald D
So what does that tell me?

-Original Message-
From: Herb Lewis [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 3:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind problem with more details.

you will notice that the SID type for the requested group is 4 which we
see from smb.h is SID_NAME_ALIAS  /* local group */


Trimble, Ronald D wrote:
 Everyone,
 One of our developers was kind enough to insert some bug 
 checking into the mod_auth_pam and mod_auth_sys_group so that we could see a 
 little more of what was going on with our authentication failures.  Here is 
 what we just saw.  Two of our users NA\connelmp and NA\guminssa both started 
 getting messages that they were not part of the required group.   Here is the 
 log for you all to see...

From /var/log/apache2/error_log

 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
 na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
 na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
 na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
 na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
 na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
 na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
 [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
 [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 NA\\connelmp not in required group(s).
 [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
 [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 NA\\connelmp not in required group(s).
 [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 na\\connelmp not in required group(s)., referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 na\\connelmp not in required group(s)., referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 na\\connelmp not in required group(s)., referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
 na\\connelmp not in required group(s)., referer: 
 https://ustr-linux-1/scm/spar/trac/ticket/130
 [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is 
 NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
 [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
 NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
 [Thu Feb 14 13:25:25 2008] [error

[Samba] Problem with winbind not seeing a user as part of a group

2008-02-12 Thread Trimble, Ronald D
Everyone,
Here is a challenge for all of you samba experts!  Lately I 
have been seeing a problem where winbind is not correctly identifying a user as 
a member of a group he most certainly belongs to.  This is with a Domain Local 
group so I know samba should support it.
Users access an HTTPS (SSL) webpage that is secured by a Domain 
Local group.  Sometimes they get in, others they don't.  Here are some examples 
from the logs.

/var/log/apache2/error_log

[Tue Feb 12 18:54:52 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc 
not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
[Tue Feb 12 18:55:00 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc 
not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
[Tue Feb 12 18:56:12 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc 
not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels

However a little later it is mysteriously working again...

/var/log/apache2/access_log

172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET 
/scm/spar/trac/chrome/common/css/trac.css HTTP/1.1 304 -
172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET 
/scm/spar/trac/chrome/common/css/browser.css HTTP/1.1 304 -
172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET 
/scm/spar/trac/chrome/common/css/diff.css HTTP/1.1 304 -

Now obviously my example doesn't have the user accessing the same link, but it 
doesn't matter.  Winbind went from identifying the user as not in the group to 
then identifying him as in the group and nothing changed!  This is happening 
several times a day and is driving us insane.  What can I do to figure this 
out?  Has anyone else seen this?

Here is what is going on in the /var/log/samba/log.wb-NA (our domain) log at 
that time for that user.

[2008/02/12 18:54:52, 10] nsswitch/winbindd_dual.c:child_process_request(479)
  process_request: request fn PAM_AUTH
[2008/02/12 18:54:52, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
  [10824]: dual pam auth NA\selltc
[2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1364)
  winbindd_dual_pam_auth: domain: NA last was online
[2008/02/12 18:54:52, 10] 
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_samlogon(1127)
  winbindd_dual_pam_auth_samlogon
[2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1416)
  winbindd_dual_pam_auth_samlogon succeeded
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(472)
  refresh_sequence_number: NA time ok
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: NA seq number is now 271835101
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(823)
  wcache_save_name_to_sid: NA\SELLTC - 
S-1-5-21-725345543-2052111302-527237240-26405 (NT_STATUS_OK)
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(472)
  refresh_sequence_number: NA time ok
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: NA seq number is now 271835101
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:centry_expired(546)
  centry_expired: Key PWD_POL/NA for domain NA is good.
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:wcache_fetch(630)
  wcache_fetch: returning entry PWD_POL/NA for domain NA
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:password_policy(2108)
  lockout_policy: [Cached] - cached info for domain NA status: NT_STATUS_OK
[2008/02/12 18:54:52, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1546)
  Setting unix username to [NA\selltc]
[2008/02/12 18:54:52, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1578)
  Plain-text authentication for user NA\selltc returned NT_STATUS_OK (PAM: 0)

Please let me know if you can help me figure this out.

Thanks,
Ron



RE: [Samba] Problem with winbind not seeing a user as part of a group

2008-02-12 Thread Trimble, Ronald D
That may be possible, but like I said, sometimes it works and sometimes it 
doesn't.  Sometimes the span between the two is only a few seconds.

From: Scott Lovenberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 12, 2008 10:05 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group

Trimble, Ronald D wrote:
I have never explored those options.  We have auth fall through turned off.  If 
the authentication fails, they get a 401 message indicating they don't have 
permissions.

Here is an example from our vhosts.conf...

<Location /scm/spar/svn>
DAV svn
SVNPATH /scm/spar/svn
SVNPathAuthz off
AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthType Basic
AuthName "SPAR Subversion"
require group NA\USTR-LINUX-1-SPAR
<LimitExcept GET PROPFIND OPTIONS REPORT>
require group NA\USTR-LINUX-1-SPAR
</LimitExcept>
</Location>

<Location /scm/spar/trac>
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /scm/spar/trac
PythonOption TracUriRoot /scm/spar/trac
AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthType Basic
AuthName "SPAR Trac"
require group NA\USTR-LINUX-1-SPAR
</Location>


From: Scott Lovenberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 12, 2008 9:27 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group

Trimble, Ronald D wrote:

It looks like it is only happening when apache2 is involved.  Although, other 
login methods are far less common.  I have a suspicion it may be related to the 
mod_auth_pam module but what I don't understand is why it is happening.  
Mod_auth_pam makes dozens of requests to winbind for each session.  Why do some 
work and others don't?  Could it be that winbind is overwhelmed and thus 
doesn't return anything?



-Original Message-
From: Scott Lovenberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 12, 2008 9:09 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group

Trimble, Ronald D wrote:

Everyone,
Here is a challenge for all of you samba experts!  Lately I 
have been seeing a problem where winbind is not correctly identifying a user as 
a member of a group he most certainly belongs to.  This is with a Domain Local 
group so I know samba should support it.
Users access an HTTPS (SSL) webpage that is secured by a Domain 
Local group.  Sometimes they get in, others they don't.  Here are some examples 
from the logs.

/var/log/apache2/error_log

[Tue Feb 12 18:54:52 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc 
not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
[Tue Feb 12 18:55:00 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc 
not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
[Tue Feb 12 18:56:12 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc 
not in required group(s)., referer: 
https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels

However a little later it is mysteriously working again...

/var/log/apache2/access_log

172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET 
/scm/spar/trac/chrome/common/css/trac.css HTTP/1.1 304 -
172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET 
/scm/spar/trac/chrome/common/css/browser.css HTTP/1.1 304 -
172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET 
/scm/spar/trac/chrome/common/css/diff.css HTTP/1.1 304 -

Now obviously my example doesn't have the user accessing the same link, but it 
doesn't matter.  Winbind went from identifying the user as not in the group to 
then identifying him as in the group and nothing changed!  This is happening 
several times a day and is driving us insane.  What can I do to figure this 
out?  Has anyone else seen this?

Here is what is going on in the /var/log/samba/log.wb-NA (our domain) log at 
that time for that user.

[2008/02/12 18:54:52, 10] nsswitch/winbindd_dual.c:child_process_request(479)
  process_request: request fn PAM_AUTH
[2008/02/12 18:54:52, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
  [10824]: dual pam auth NA\selltc
[2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1364)
  winbindd_dual_pam_auth: domain: NA last was online
[2008/02/12 18:54:52, 10] 
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_samlogon(1127

RE: [Samba] Problem with winbind not seeing a user as part of a group

2008-02-12 Thread Trimble, Ronald D
I have never explored those options.  We have auth fall through turned off.  If 
the authentication fails, they get a 401 message indicating they don't have 
permissions.

Here is an example from our vhosts.conf...

<Location /scm/spar/svn>
DAV svn
SVNPATH /scm/spar/svn
SVNPathAuthz off
AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthType Basic
AuthName "SPAR Subversion"
require group NA\USTR-LINUX-1-SPAR
<LimitExcept GET PROPFIND OPTIONS REPORT>
require group NA\USTR-LINUX-1-SPAR
</LimitExcept>
</Location>

<Location /scm/spar/trac>
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /scm/spar/trac
PythonOption TracUriRoot /scm/spar/trac
AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthType Basic
AuthName "SPAR Trac"
require group NA\USTR-LINUX-1-SPAR
</Location>


From: Scott Lovenberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 12, 2008 9:27 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group

Trimble, Ronald D wrote:

It looks like it is only happening when apache2 is involved.  Although, other 
login methods are far less common.  I have a suspicion it may be related to the 
mod_auth_pam module but what I don't understand is why it is happening.  
Mod_auth_pam makes dozens of requests to winbind for each session.  Why do some 
work and others don't?  Could it be that winbind is overwhelmed and thus 
doesn't return anything?



-Original Message-

From: Scott Lovenberg [mailto:[EMAIL PROTECTED]

Sent: Tuesday, February 12, 2008 9:09 PM

To: Trimble, Ronald D

Cc: samba@lists.samba.orgmailto:samba@lists.samba.org

Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group



Trimble, Ronald D wrote:



Everyone,

Here is a challenge for all of you samba experts!  Lately I 
have been seeing a problem where winbind is not correctly identifying a user as 
a member of a group he most certainly belong to.  This is with a Domain Local 
group so I know samba should support it.

Users access a HTTPS (SSL) webpage that is secured by a Domain 
Local group.  Sometimes they get in, others they don't.  Here are some examples 
from the logs.



/var/log/apache2/error_log



[Tue Feb 12 18:54:52 2008] [error] [client 172.xx.xxx.xxx] GROUP:

NA\\selltc not in required group(s)., referer:

https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe

ls [Tue Feb 12 18:55:00 2008] [error] [client 172.xx.xxx.xxx] GROUP:

NA\\selltc not in required group(s)., referer:

https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe

ls [Tue Feb 12 18:56:12 2008] [error] [client 172.xx.xxx.xxx] GROUP:

NA\\selltc not in required group(s)., referer:

https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channe

ls



However a little later it is mysteriously working again...



/var/log/apache2/access_log



172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET

/scm/spar/trac/chrome/common/css/trac.css HTTP/1.1 304 -

172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET

/scm/spar/trac/chrome/common/css/browser.css HTTP/1.1 304 -

172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET

/scm/spar/trac/chrome/common/css/diff.css HTTP/1.1 304 -



Now obviously my example doesn't have the user accessing the same link, but it 
doesn't matter.  Winbind went from identifying the user as not in the group to 
then identifying him as in the group and nothing changed!  This is happening 
several times a day and is driving us insane.  What can I do to figure this 
out?  Has anyone else seen this?



Here is what is going on in the /var/log/samba/log.wb-NA (our domain) log at 
that time for that user.



[2008/02/12 18:54:52, 10] nsswitch/winbindd_dual.c:child_process_request(479)
  process_request: request fn PAM_AUTH
[2008/02/12 18:54:52, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
  [10824]: dual pam auth NA\selltc
[2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1364)
  winbindd_dual_pam_auth: domain: NA last was online
[2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_samlogon(1127)
  winbindd_dual_pam_auth_samlogon
[2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1416)
  winbindd_dual_pam_auth_samlogon succeeded
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(472)
  refresh_sequence_number: NA time ok
[2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: NA seq number is now 271835101

[2008/02/12

RE: [Samba] Problem with winbind not seeing a user as part of a group

2008-02-12 Thread Trimble, Ronald D
It looks like it is only happening when apache2 is involved.  Although, other 
login methods are far less common.  I have a suspicion it may be related to the 
mod_auth_pam module but what I don't understand is why it is happening.  
Mod_auth_pam makes dozens of requests to winbind for each session.  Why do some 
work and others don't?  Could it be that winbind is overwhelmed and thus 
doesn't return anything?

-Original Message-
From: Scott Lovenberg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 12, 2008 9:09 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem with winbind not seeing a user as part of a group

Trimble, Ronald D wrote:
 Everyone,
 Here is a challenge for all of you samba experts!  Lately I 
 have been seeing a problem where winbind is not correctly identifying a user 
 as a member of a group he most certainly belongs to.  This is with a Domain 
 Local group so I know samba should support it.
 Users access a HTTPS (SSL) webpage that is secured by a 
 Domain Local group.  Sometimes they get in, others they don't.  Here are some 
 examples from the logs.

 /var/log/apache2/error_log

 [Tue Feb 12 18:54:52 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
 [Tue Feb 12 18:55:00 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels
 [Tue Feb 12 18:56:12 2008] [error] [client 172.xx.xxx.xxx] GROUP: NA\\selltc not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/browser/trunk/common/include/channels

 However a little later it is mysteriously working again...

 /var/log/apache2/access_log

 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET /scm/spar/trac/chrome/common/css/trac.css HTTP/1.1 304 -
 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET /scm/spar/trac/chrome/common/css/browser.css HTTP/1.1 304 -
 172.xx.xxx.xxx - NA\\selltc [12/Feb/2008:20:02:37 -0500] GET /scm/spar/trac/chrome/common/css/diff.css HTTP/1.1 304 -

 Now obviously my example doesn't have the user accessing the same link, but 
 it doesn't matter.  Winbind went from identifying the user as not in the 
 group to then identifying him as in the group and nothing changed!  This is 
 happening several times a day and is driving us insane.  What can I do to 
 figure this out?  Has anyone else seen this?

 Here is what is going on in the /var/log/samba/log.wb-NA (our domain) log at 
 that time for that user.

 [2008/02/12 18:54:52, 10] nsswitch/winbindd_dual.c:child_process_request(479)
   process_request: request fn PAM_AUTH
 [2008/02/12 18:54:52, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1341)
   [10824]: dual pam auth NA\selltc
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1364)
   winbindd_dual_pam_auth: domain: NA last was online
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_samlogon(1127)
   winbindd_dual_pam_auth_samlogon
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1416)
   winbindd_dual_pam_auth_samlogon succeeded
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(472)
   refresh_sequence_number: NA time ok
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
   refresh_sequence_number: NA seq number is now 271835101
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(823)
   wcache_save_name_to_sid: NA\SELLTC - S-1-5-21-725345543-2052111302-527237240-26405 (NT_STATUS_OK)
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(472)
   refresh_sequence_number: NA time ok
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
   refresh_sequence_number: NA seq number is now 271835101
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:centry_expired(546)
   centry_expired: Key PWD_POL/NA for domain NA is good.
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:wcache_fetch(630)
   wcache_fetch: returning entry PWD_POL/NA for domain NA
 [2008/02/12 18:54:52, 10] nsswitch/winbindd_cache.c:password_policy(2108)
   lockout_policy: [Cached] - cached info for domain NA status: NT_STATUS_OK
 [2008/02/12 18:54:52, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1546)
   Setting unix username to [NA\selltc]
 [2008/02/12 18:54:52, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1578)
   Plain-text authentication for user NA\selltc returned NT_STATUS_OK (PAM: 0)

 Please let me know if you can help me figure this out.

 Thanks,
 Ron


Does authentication ever fail like this from another login point (from a 
desktop login, or other PAM settings)?  Or only when apache is involved?

[Samba] KRB KDC problem

2008-02-06 Thread Trimble, Ronald D
Can someone help me figure out what is going on here?  For quite some time now, 
our implementation of Samba has been humming along without problems.  Now all 
of a sudden I am unable to get valid sequence numbers for one of our domains.  
Here are the details...

From /var/log/samba/log.wb-EU

[2008/02/06 10:41:41, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm)
[2008/02/06 10:41:41, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm)
[2008/02/06 10:41:41, 1] nsswitch/winbindd_ads.c:ads_cached_connection(128)
  ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(494)
  refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(438)
  store_cache_seqnum: success [EU][4294967295 @ 1202312501]
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: EU seq number is now -1
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:cache_store_response(2268)
  Storing response for pid 29455, len 3240


From /etc/hosts

192.61.58.35    USEA-EUDC2  USEA-EUDC2.eu.uis.unisys.com


From /etc/krb5.conf

[libdefaults]
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_realm = NA.UIS.UNISYS.COM
dns_lookup_kdc = true

[realms]
NA.UIS.UNISYS.COM = {
kdc = 192.63.225.68:88
admin_server = 192.63.225.68:749
}

EU.UIS.UNISYS.COM = {
kdc = 192.61.58.35:88
admin_server =192.61.58.35:749
}

AP.UIS.UNISYS.COM = {
kdc = 192.61.58.61:88
admin_server = 192.61.58.61:749
}

LAC.UIS.UNISYS.COM = {
kdc = 192.61.146.131:88
admin_server = 192.61.146.131:749
}

[domain_realm]
.na.uis.unisys.com = NA.UIS.UNISYS.COM
na.uis.unisys.com = NA.UIS.UNISYS.COM
.eu.uis.unisys.com = EU.UIS.UNISYS.COM
eu.uis.unisys.com = EU.UIS.UNISYS.COM
.ap.uis.unisys.com = AP.UIS.UNISYS.COM
ap.uis.unisys.com = AP.UIS.UNISYS.COM
.lac.uis.unisys.com = LAC.UIS.UNISYS.COM
lac.uis.unisys.com = LAC.UIS.UNISYS.COM


Here is a sample of running the sequence wbinfo command...

LINUX-1:/etc/samba # wbinfo --sequence
LAC : 2115985
EU : DISCONNECTED
AP : DISCONNECTED
UIS : 74810628
BUILTIN : 1202313222
USTR-LINUX-1 : 1202313222
NA : 271239463


Any help would be much appreciated.  Thanks!


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
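
A triage helper for the symptoms in this post, added here as an example (it is not from the post or from Samba): it lists the domains that wbinfo --sequence reports as DISCONNECTED, or whose last logged sequence number is -1, and pulls the last failure reason winbindd logged for each. The function names and both sample inputs are constructed from the excerpts on this page; the "Could not open a connection to" pattern is taken from another log excerpt on this page.

```shell
#!/bin/sh
# Added example: triage winbindd domain connectivity from wbinfo output and logs.

# Constructed sample in the "wbinfo --sequence" output format shown above.
sample_wbinfo() {
cat <<'EOF'
LAC : 2115985
EU : DISCONNECTED
AP : DISCONNECTED
UIS : 74810628
NA : 271239463
EOF
}

# Constructed sample in the winbindd debug-log format shown above:
# a "[date time, level] file:function(line)" header, then an indented message.
sample_log() {
cat <<'EOF'
[2008/02/06 10:41:41, 1] nsswitch/winbindd_ads.c:ads_cached_connection(128)
  ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(438)
  store_cache_seqnum: success [EU][4294967295 @ 1202312501]
[2008/02/06 10:41:41, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: EU seq number is now -1
[2008/02/06 10:41:43, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(870)
  set_dc_type_and_flags: Could not open a connection to AP: (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2008/02/06 10:41:43, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: AP seq number is now -1
[2008/02/06 10:41:44, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(506)
  refresh_sequence_number: NA seq number is now 271239463
EOF
}

# Domains that "wbinfo --sequence" reports as DISCONNECTED (reads stdin).
disconnected_domains() {
    awk -F' *: *' '$2 == "DISCONNECTED" { print $1 }'
}

# Domains whose most recent logged sequence number is -1 (reads stdin).
# Useful when wbinfo itself times out. The 4294967295 in store_cache_seqnum
# is the same value printed as an unsigned 32-bit integer.
bad_seq_domains() {
    awk '
    $1 == "refresh_sequence_number:" && $3 == "seq" { last[$2] = $NF }
    END { for (d in last) if (last[d] == "-1") print d }' | sort
}

# Last failure reason logged for domain $1 (reads stdin, prints nothing if none).
# index() is used instead of a regex so the domain name needs no escaping.
last_failure_reason() {
    awk -v dom="$1" '
    {
        # ADS path: "ads_connect for domain EU failed: <reason>"
        pre = "ads_connect for domain " dom " failed: "
        i = index($0, pre)
        if (i) { why = substr($0, i + length(pre)); next }
        # Connection manager: "Could not open a connection to EU: (<NT_STATUS>)"
        pre = "Could not open a connection to " dom ": "
        i = index($0, pre)
        if (i) { why = substr($0, i + length(pre)); gsub(/[()]/, "", why) }
    }
    END { if (why != "") print why }'
}

# One line per disconnected domain: "DOMAIN: reason".
triage() {
    sample_wbinfo | disconnected_domains | while read -r dom; do
        why=$(sample_log | last_failure_reason "$dom")
        printf '%s: %s\n' "$dom" "${why:-no failure reason logged}"
    done
}

triage
```

On a live host, replace the two sample functions with `wbinfo --sequence` and `cat /var/log/samba/log.wb-*`.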


[Samba] Problem with SMBFS vs CIFS

2008-02-01 Thread Trimble, Ronald D
Hello,
I have the following Samba RPMs installed...
samba-client-3.0.26a-0.5
samba-3.0.26a-0.5
samba-pdb-3.0.26a-0.5
yast2-samba-server-2.9.33-0.3
kdebase3-samba-3.2.1-68.62
samba-winbind-3.0.26a-0.5
yast2-samba-client-2.9.18-0.3
samba-python-3.0.26a-0.5

I used to be able to do a mount with -t smbfs, but now I get 
this message whenever I try it.

Version 3.0.26a-0.5-1590-SUSE-SLES9

Please be aware that smbfs is deprecated in favor of cifs

How do I get this back to using SMBFS?

Thanks,
Ron




[Samba] How do I force other domains to work?

2006-09-28 Thread Trimble, Ronald D
I am trying to get the other domains in my tree to work with my samba
implementation.  I have copied all the necessary config files from
another samba server that does work.  On this server however, I get
strange results from the wbinfo --sequence command.

linux:/ # wbinfo --sequence
LAC : DISCONNECTED
EU : DISCONNECTED
AP : DISCONNECTED
UIS : DISCONNECTED
M1016 : 1
BUILTIN : 1
NA : 51137274

All the other domains are Disconnected (-1) if you look in the logs.  I
desperately need these to get connected so I can authenticate their
users.  What could be wrong?

 

Thanks,

Ron

 



[Samba] Cannot connect to other domains...

2006-09-27 Thread Trimble, Ronald D
Everyone,  

I am trying to connect my server to another AD domain, but
it will not make the connection.  I have successfully joined it to one
domain in AD and I want it to authenticate users from another domain in
the same tree.  When I run the command wbinfo --sequence, I get
disconnected messages for all the domains except my home domain.  I have
my krb5.conf file configured exactly as I do on another server that
works perfectly.  Can anyone point me to my problem?

Here is a small piece of the log.wb-EU file...

 

[2006/09/27 08:47:37, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(870)
  set_dc_type_and_flags: Could not open a connection to EU: (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2006/09/27 08:47:37, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 7561, len 1300
[2006/09/27 08:47:37, 10] nsswitch/winbindd_dual.c:dual_client_read(53)
  client_read: read 1828 bytes. Need 0 more for a full request.
[2006/09/27 08:47:37, 4] nsswitch/winbindd_dual.c:fork_domain_child(479)
  child daemon request 32
[2006/09/27 08:47:37, 10] nsswitch/winbindd_dual.c:child_process_request(352)
  process_request: request fn SHOW_SEQUENCE
[2006/09/27 08:47:37, 3] nsswitch/winbindd_misc.c:winbindd_dual_show_sequence(331)
  [ 7556]: show sequence
[2006/09/27 08:47:37, 5] nsswitch/winbindd_cache.c:get_cache(137)
  get_cache: Setting MS-RPC methods for domain EU
[2006/09/27 08:47:37, 10] nsswitch/winbindd_cache.c:fetch_cache_seqnum(276)
  fetch_cache_seqnum: invalid data size key [SEQNUM/EU]
[2006/09/27 08:47:37, 10] nsswitch/winbindd_rpc.c:sequence_number(749)
  rpc: fetch sequence_number for EU
[2006/09/27 08:47:37, 8] nsswitch/winbindd_cm.c:connection_ok(806)
  Connection to  for domain EU has NULL cli!
[2006/09/27 08:47:39, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(329)
  store_cache_seqnum: success [EU][4294967295 @ 1159372059]
[2006/09/27 08:47:39, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: EU seq number is now -1
[2006/09/27 08:47:39, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 7561, len 1300
[2006/09/27 08:49:52, 10] nsswitch/winbindd_dual.c:dual_client_read(53)
  client_read: read 1828 bytes. Need 0 more for a full request.
[2006/09/27 08:49:52, 4] nsswitch/winbindd_dual.c:fork_domain_child(479)
  child daemon request 32
[2006/09/27 08:49:52, 10] nsswitch/winbindd_dual.c:child_process_request(352)
  process_request: request fn SHOW_SEQUENCE
[2006/09/27 08:49:52, 3] nsswitch/winbindd_misc.c:winbindd_dual_show_sequence(331)
  [ 7556]: show sequence
[2006/09/27 08:49:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: EU time ok
[2006/09/27 08:49:52, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: EU seq number is now -1
[2006/09/27 08:49:52, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 7561, len 1300

 

Thanks,

Ron

 



[Samba] Other domain sequence numbers are -1

2006-09-22 Thread Trimble, Ronald D
I posted this yesterday, but didn't get any responses.  Can anyone help
me out?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Trimble, Ronald D
Sent: Thursday, September 21, 2006 9:39 AM
To: samba@lists.samba.org
Subject: [Samba] Other domain sequence numbers are -1

Everyone,

I have configured a new SLES 10 server exactly the same as I
had previously configured a SLES 9 server.  The only difference is the
version of samba.  On the SLES 10 server, I am running the 3.0.23c
level, the SLES 9 server is behind a little.  My problem is with
connecting to other AD domains.  Only my default domain has a valid
sequence number.  All the other domains are showing up as a -1.  This
information was retrieved from the logs since the wbinfo --sequence
command times out.

Here are the relevant pieces of information.  Can someone
suggest what I may be doing wrong?  This is very confusing to me since
it works perfectly on my SLES 9 server and I copied the configuration
from there.

 

Thanks,
Ron

 

From krb5.conf:

[libdefaults]
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_realm = NA.UIS.UNISYS.COM
dns_lookup_kdc = true

[realms]
NA.UIS.UNISYS.COM = {
kdc = 192.63.225.67:88
admin_server = 192.63.225.67:749
}

EU.UIS.UNISYS.COM = {
kdc = 192.61.146.133:88
admin_server = 192.61.146.133:749
}

AP.UIS.UNISYS.COM = {
kdc = 192.61.146.132:88
admin_server = 192.61.146.132:749
}

LAC.UIS.UNISYS.COM = {
kdc = 192.61.146.131:88
admin_server = 192.61.146.131:749
}

[domain_realm]
.na.uis.unisys.com = NA.UIS.UNISYS.COM
na.uis.unisys.com = NA.UIS.UNISYS.COM
.eu.uis.unisys.com = EU.UIS.UNISYS.COM
eu.uis.unisys.com = EU.UIS.UNISYS.COM
.ap.uis.unisys.com = AP.UIS.UNISYS.COM
ap.uis.unisys.com = AP.UIS.UNISYS.COM
.lac.uis.unisys.com = LAC.UIS.UNISYS.COM
lac.uis.unisys.com = LAC.UIS.UNISYS.COM

From smb.conf:

[global]
   workgroup = NA
   realm = NA.UIS.UNISYS.COM
   netbios name = M1016
   encrypt passwords = yes
   security = ADS
   password server = 192.63.225.67 192.63.225.68
   passdb backend = smbpasswd
   log level = 2 winbind:10 ads:10 auth:10
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 5000
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   winbind use default domain = no
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431
   winbind enum users = no
   winbind enum groups = no



[Samba] Other domain sequence numbers are -1

2006-09-21 Thread Trimble, Ronald D
Everyone,

I have configured a new SLES 10 server exactly the same as I
had previously configured a SLES 9 server.  The only difference is the
version of samba.  On the SLES 10 server, I am running the 3.0.23c
level, the SLES 9 server is behind a little.  My problem is with
connecting to other AD domains.  Only my default domain has a valid
sequence number.  All the other domains are showing up as a -1.  This
information was retrieved from the logs since the wbinfo --sequence
command times out.

Here are the relevant pieces of information.  Can someone
suggest what I may be doing wrong?  This is very confusing to me since
it works perfectly on my SLES 9 server and I copied the configuration
from there.

 

Thanks,
Ron

 

From krb5.conf:

[libdefaults]
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_realm = NA.UIS.UNISYS.COM
dns_lookup_kdc = true

[realms]
NA.UIS.UNISYS.COM = {
kdc = 192.63.225.67:88
admin_server = 192.63.225.67:749
}

EU.UIS.UNISYS.COM = {
kdc = 192.61.146.133:88
admin_server = 192.61.146.133:749
}

AP.UIS.UNISYS.COM = {
kdc = 192.61.146.132:88
admin_server = 192.61.146.132:749
}

LAC.UIS.UNISYS.COM = {
kdc = 192.61.146.131:88
admin_server = 192.61.146.131:749
}

[domain_realm]
.na.uis.unisys.com = NA.UIS.UNISYS.COM
na.uis.unisys.com = NA.UIS.UNISYS.COM
.eu.uis.unisys.com = EU.UIS.UNISYS.COM
eu.uis.unisys.com = EU.UIS.UNISYS.COM
.ap.uis.unisys.com = AP.UIS.UNISYS.COM
ap.uis.unisys.com = AP.UIS.UNISYS.COM
.lac.uis.unisys.com = LAC.UIS.UNISYS.COM
lac.uis.unisys.com = LAC.UIS.UNISYS.COM

From smb.conf:

[global]
   workgroup = NA
   realm = NA.UIS.UNISYS.COM
   netbios name = M1016
   encrypt passwords = yes
   security = ADS
   password server = 192.63.225.67 192.63.225.68
   passdb backend = smbpasswd
   log level = 2 winbind:10 ads:10 auth:10
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 5000
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   winbind use default domain = no
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431
   winbind enum users = no
   winbind enum groups = no



[Samba] NET ADS JOIN error

2006-07-14 Thread Trimble, Ronald D
Can anyone shed some light on this error?  I can't seem to find any
information as to why it is failing.  Thanks.

 

USTR-MINT-A-1:~ # net ads join United States\Tredyffrin\Resources\Servers -U trimblrd
trimblrd's password:
Failed to pre-create the machine object in OU United States\Tredyffrin\Resources\Servers.

I have tried two different domain admin accounts and I get the same
error each time.  It's strange since the object already exists in AD.



RE: [Samba] NET ADS JOIN error

2006-07-14 Thread Trimble, Ronald D
I get the same error either way.

-Original Message-
From: Howard Wilkinson [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 14, 2006 11:16 AM
To: Trimble, Ronald D; samba@lists.samba.org
Subject: RE: [Samba] NET ADS JOIN error

Check that the backslashes are not being interpolated by the shell; you
may want to try:

net ads join United States\\Tredyffrin\\Resource\\Servers -U trimblrd
 
Howard.
 
Coherent Technology Limited, 23 Northampton Square, Finsbury, London
EC1V 0HL, United Kingdom
Telephone: +44 20 76907075  Fax: +44 20 79230110 Mobile: +44 7980 639379
Company Email: [EMAIL PROTECTED] Website: http://www.cohtech.com
http://www.cohtech.com/  



From: [EMAIL PROTECTED] on behalf of
Trimble, Ronald D
Sent: Fri 2006-07-14 16:06
To: samba@lists.samba.org
Subject: [Samba] NET ADS JOIN error



Can anyone shed some light on this error?  I can't seem to find any
information as to why it is failing.  Thanks.



USTR-MINT-A-1:~ # net ads join United States\Tredyffrin\Resources\Servers -U trimblrd
trimblrd's password:
Failed to pre-create the machine object in OU United States\Tredyffrin\Resources\Servers.

I have tried two different domain admin accounts and I get the same
error each time.  It's strange since the object already exists in AD.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
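
What a POSIX shell hands to a program for the OU path discussed in this thread, as an added example (not code from the posts or from Samba). It assumes the command reached the shell exactly as it appears in the post; show_argv is a hypothetical stand-in for net ads join, and the four wrapper names are illustrative.

```shell
#!/bin/sh
# Added illustration: how the shell tokenizes the OU path from the thread.
# show_argv stands in for "net ads join": it prints the argument count,
# then each argument in brackets, exactly as the program would receive it.
show_argv() {
    printf '%d' "$#"
    for arg in "$@"; do
        printf ' [%s]' "$arg"
    done
    printf '\n'
}

# 1. As typed in the original post: unquoted, single backslashes.
#    The space splits the path in two and every backslash is consumed.
as_typed() { show_argv United States\Tredyffrin\Resources\Servers; }

# 2. Doubled backslashes, still unquoted (the form suggested in the reply).
#    The backslashes survive, but the space still splits the path.
doubled() { show_argv United States\\Tredyffrin\\Resources\\Servers; }

# 3. Single quotes: one argument, every character literal.
single_quoted() { show_argv 'United States\Tredyffrin\Resources\Servers'; }

# 4. Double quotes: one argument; a backslash before an ordinary letter is
#    kept (inside double quotes it is only special before $ ` " \ newline).
double_quoted() { show_argv "United States\Tredyffrin\Resources\Servers"; }

for form in as_typed doubled single_quoted double_quoted; do
    printf '%-14s ' "$form"
    "$form"
done
```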


RE: [Samba] How do I troubleshoot this panic?

2006-07-13 Thread Trimble, Ronald D
It looks like the latest release does work.  Thanks for the help guys!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Trimble, Ronald D
Sent: Tuesday, July 11, 2006 3:49 PM
To: Gerald (Jerry) Carter
Cc: samba@lists.samba.org; [EMAIL PROTECTED]
Subject: RE: [Samba] How do I troubleshoot this panic?

We most certainly have users with more than 20 to 25 AD groups.  I will
give the latest release a try.

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 11, 2006 3:49 PM
To: Trimble, Ronald D
Cc: [EMAIL PROTECTED]; samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Trimble, Ronald D wrote:
 I tried ext3 on another server... a fresh install of 
 SUSE Linux 10.1. Another panic.  Here are the details...

This has got to be the static group list bug.  Do you
have users in more than, say, 20 - 25 groups in AD?
Could you try the 3.0.23 SuSE rpms on samba.org?
Thanks.





cheers, jerry

=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


RE: [Samba] How do I troubleshoot this panic?

2006-07-11 Thread Trimble, Ronald D
I tried ext3 on another server... a fresh install of SUSE Linux 10.1.
Another panic.  Here are the details...

  ===
[2006/07/11 15:33:03, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 6 in pid 3586 (3.0.22-11-SUSE-CODE10)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/07/11 15:33:03, 0] lib/fault.c:fault_report(39)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/07/11 15:33:03, 0] lib/fault.c:fault_report(40)
  ===
[2006/07/11 15:33:03, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
[2006/07/11 15:33:03, 0] lib/util.c:smb_panic2(1562)
  BACKTRACE: 26 stack frames:
   #0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b699a]
   #1 /usr/sbin/winbindd(smb_panic+0x19) [0x800b6bf9]
   #2 /usr/sbin/winbindd [0x800a0f52]
   #3 [0xe420]
   #4 /lib/libc.so.6(abort+0x103) [0xb7ca2ea3]
   #5 /lib/libc.so.6 [0xb7cd6f8b]
   #6 /lib/libc.so.6(__chk_fail+0x41) [0xb7d48b31]
   #7 /lib/libc.so.6 [0xb7d48533]
   #8 /lib/libc.so.6(__snprintf_chk+0x37) [0xb7d48417]
   #9 /usr/sbin/winbindd [0x8004163a]
   #10 /usr/sbin/winbindd(tdb_traverse+0xf0) [0x800cdc90]
   #11 /usr/sbin/winbindd(wcache_flush_cache+0xc0) [0x8003e220]
   #12 /usr/sbin/winbindd [0x8003e43b]
   #13 /usr/sbin/winbindd [0x80042eff]
   #14 /usr/sbin/winbindd [0x80058dc5]
   #15 /usr/sbin/winbindd(run_events+0x6d) [0x800d15fd]
   #16 /usr/sbin/winbindd [0x80057f90]
   #17 /usr/sbin/winbindd(async_domain_request+0x58) [0x80059788]
   #18 /usr/sbin/winbindd(do_async_domain+0xb0) [0x8005cfe0]
   #19 /usr/sbin/winbindd(winbindd_lookupname_async+0xe6) [0x8005de76]
   #20 /usr/sbin/winbindd(winbindd_getpwnam+0x2ad) [0x80035d7d]
   #21 /usr/sbin/winbindd [0x80032327]
   #22 /usr/sbin/winbindd [0x80033ab8]
   #23 /usr/sbin/winbindd(main+0x830) [0x80032dc0]
   #24 /lib/libc.so.6(__libc_start_main+0xdc) [0xb7c8e87c]
   #25 /usr/sbin/winbindd [0x80031541]

-Original Message-
From: Volker Lendecke [mailto:[EMAIL PROTECTED] On Behalf Of Volker
Lendecke
Sent: Friday, July 07, 2006 10:22 AM
To: Trimble, Ronald D
Cc: Gerald (Jerry) Carter; samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

On Fri, Jul 07, 2006 at 10:17:13AM -0400, Trimble, Ronald D wrote:
 ReiserFS is a problem?  It's the default.  I would imagine you would be
 seeing tons of complaints if it was due to the fs, don't you agree?

Just try ext3.

Volker


RE: [Samba] How do I troubleshoot this panic?

2006-07-11 Thread Trimble, Ronald D
We most certainly have users with more than 20 to 25 AD groups.  I will
give the latest release a try.

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 11, 2006 3:49 PM
To: Trimble, Ronald D
Cc: [EMAIL PROTECTED]; samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Trimble, Ronald D wrote:
 I tried ext3 on another server... a fresh install of 
 SUSE Linux 10.1. Another panic.  Here are the details...

This has got to be the static group list bug.  Do you
have users in more than, say, 20 - 25 groups in AD?
Could you try the 3.0.23 SuSE rpms on samba.org?
Thanks.





cheers, jerry

=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


RE: [Samba] How do I troubleshoot this panic?

2006-07-07 Thread Trimble, Ronald D
Deleting that file seemed to have done the trick.  What does that file
do?  What made you suspect this?

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 07, 2006 7:47 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Trimble, Ronald D wrote:

 I have a server that has a smb_panic every time 
 I start/restart the winbind service.  How do I go about
 fixing this?  Here is the output from the winbind log file.
 
   ===
   INTERNAL ERROR: Signal 6 in pid 3835 (3.0.22-11-SUSE-CODE10)
   Please read the Trouble-Shooting section of the Samba3-HOWTO
   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
   ===
 
   PANIC: internal error
   BACKTRACE: 23 stack frames:
#0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b699a]
#1 /usr/sbin/winbindd(smb_panic+0x19) [0x800b6bf9]
#2 /usr/sbin/winbindd [0x800a0f52]
#3 [0xe420]
#4 /lib/libc.so.6(abort+0x103) [0xb7d7dea3]
#5 /lib/libc.so.6 [0xb7db1f8b]
#6 /lib/libc.so.6(__chk_fail+0x41) [0xb7e23b31]
#7 /lib/libc.so.6 [0xb7e23533]
#8 /lib/libc.so.6(__snprintf_chk+0x37) [0xb7e23417]
#9 /usr/sbin/winbindd [0x8004163a]
#10 /usr/sbin/winbindd(tdb_traverse+0xf0) [0x800cdc90]
#11 /usr/sbin/winbindd(wcache_flush_cache+0xc0) [0x8003e220]

You can recompile with --enable-debug and run winbindd -d 10 -i
under gdb.  Looking at the backtrace, I think if you delete
winbindd_cache.tdb, you might be ok.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


RE: [Samba] How do I troubleshoot this panic?

2006-07-07 Thread Trimble, Ronald D
Maybe I jumped the gun a little too soon Jerry.  After successfully
logging into the server a few times, it has stopped working again.  That
file has been recreated.  

I am using the default SUSE Linux 10.1 install.  Any other ideas?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Trimble, Ronald D
Sent: Friday, July 07, 2006 9:58 AM
To: Gerald (Jerry) Carter
Cc: samba@lists.samba.org
Subject: RE: [Samba] How do I troubleshoot this panic?

Deleting that file seemed to have done the trick.  What does that file
do?  What made you suspect this?

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 07, 2006 7:47 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Trimble, Ronald D wrote:

 I have a server that has a smb_panic every time 
 I start/restart the winbind service.  How do I go about
 fixing this?  Here is the output from the winbind log file.
 
   ===
   INTERNAL ERROR: Signal 6 in pid 3835 (3.0.22-11-SUSE-CODE10)
   Please read the Trouble-Shooting section of the Samba3-HOWTO
   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
   ===
 
   PANIC: internal error
   BACKTRACE: 23 stack frames:
#0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b699a]
#1 /usr/sbin/winbindd(smb_panic+0x19) [0x800b6bf9]
#2 /usr/sbin/winbindd [0x800a0f52]
#3 [0xe420]
#4 /lib/libc.so.6(abort+0x103) [0xb7d7dea3]
#5 /lib/libc.so.6 [0xb7db1f8b]
#6 /lib/libc.so.6(__chk_fail+0x41) [0xb7e23b31]
#7 /lib/libc.so.6 [0xb7e23533]
#8 /lib/libc.so.6(__snprintf_chk+0x37) [0xb7e23417]
#9 /usr/sbin/winbindd [0x8004163a]
#10 /usr/sbin/winbindd(tdb_traverse+0xf0) [0x800cdc90]
#11 /usr/sbin/winbindd(wcache_flush_cache+0xc0) [0x8003e220]

You can recompile with --enable-debug and run winbindd -d 10 -i
under gdb.  Looking at the backtrace, I think if you delete
winbindd_cache.tdb, you might be ok.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


RE: [Samba] How do I troubleshoot this panic?

2006-07-07 Thread Trimble, Ronald D
Sure.  I will download it and give it a try.  I will let you know what I
find out.

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 07, 2006 10:27 AM
To: Trimble, Ronald D
Cc: [EMAIL PROTECTED]; samba@lists.samba.org
Subject: Re: [Samba] How do I troubleshoot this panic?

Volker Lendecke wrote:
 On Fri, Jul 07, 2006 at 10:17:13AM -0400, Trimble, Ronald D wrote:

 ReiserFS is a problem?  It's the default.  I 
 would imagine you would be seeing tons of complaints
 if it was due to the fs, don't you agree?
 
 Just try ext3.

Although I am not a fan of reiserfs either, this may
be a problem related to the number of groups.  It depends
on what patches SuSE included in their 10.1 samba rpms.
Would you mind trying the 3.0.23rc3 release first?





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] How do I troubleshoot this panic?

2006-07-06 Thread Trimble, Ronald D
I have a server that has a smb_panic every time I start/restart the
winbind service.  How do I go about fixing this?  Here is the output
from the winbind log file.

 

  ===
[2006/07/06 14:04:26, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 6 in pid 3835 (3.0.22-11-SUSE-CODE10)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/07/06 14:04:26, 0] lib/fault.c:fault_report(39)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/07/06 14:04:26, 0] lib/fault.c:fault_report(40)
  ===
[2006/07/06 14:04:26, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
[2006/07/06 14:04:26, 0] lib/util.c:smb_panic2(1562)
  BACKTRACE: 23 stack frames:
   #0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b699a]
   #1 /usr/sbin/winbindd(smb_panic+0x19) [0x800b6bf9]
   #2 /usr/sbin/winbindd [0x800a0f52]
   #3 [0xe420]
   #4 /lib/libc.so.6(abort+0x103) [0xb7d7dea3]
   #5 /lib/libc.so.6 [0xb7db1f8b]
   #6 /lib/libc.so.6(__chk_fail+0x41) [0xb7e23b31]
   #7 /lib/libc.so.6 [0xb7e23533]
   #8 /lib/libc.so.6(__snprintf_chk+0x37) [0xb7e23417]
   #9 /usr/sbin/winbindd [0x8004163a]
   #10 /usr/sbin/winbindd(tdb_traverse+0xf0) [0x800cdc90]
   #11 /usr/sbin/winbindd(wcache_flush_cache+0xc0) [0x8003e220]
   #12 /usr/sbin/winbindd [0x8003e43b]
   #13 /usr/sbin/winbindd [0x80042eff]
   #14 /usr/sbin/winbindd [0x80058dc5]
   #15 /usr/sbin/winbindd(run_events+0x6d) [0x800d15fd]
   #16 /usr/sbin/winbindd [0x80057f90]
   #17 /usr/sbin/winbindd(init_child_connection+0x2a3) [0x8003c463]
   #18 /usr/sbin/winbindd(async_domain_request+0xb6) [0x800597e6]
   #19 /usr/sbin/winbindd(rescan_trusted_domains+0x110) [0x8003cc60]
   #20 /usr/sbin/winbindd(main+0x66d) [0x80032bfd]
   #21 /lib/libc.so.6(__libc_start_main+0xdc) [0xb7d6987c]
   #22 /usr/sbin/winbindd [0x80031541]

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
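
The backtrace in the post above can be read mechanically, as in this added example (not code from the thread or from the Samba project). In glibc, `__chk_fail` is the routine the fortified `__*_chk` wrappers call to abort when the size given to the call exceeds the known size of the destination buffer, so the script looks for that pair and reports what was on the stack beneath it; `parse_frames` and `fortify_abort` are names made up for this example.

```python
import re

# Frames #4-#11 copied from the backtrace in the post above.
BACKTRACE = """\
   #4 /lib/libc.so.6(abort+0x103) [0xb7d7dea3]
   #5 /lib/libc.so.6 [0xb7db1f8b]
   #6 /lib/libc.so.6(__chk_fail+0x41) [0xb7e23b31]
   #7 /lib/libc.so.6 [0xb7e23533]
   #8 /lib/libc.so.6(__snprintf_chk+0x37) [0xb7e23417]
   #9 /usr/sbin/winbindd [0x8004163a]
   #10 /usr/sbin/winbindd(tdb_traverse+0xf0) [0x800cdc90]
   #11 /usr/sbin/winbindd(wcache_flush_cache+0xc0) [0x8003e220]
"""

# "#N module(symbol+0xoff) [0xaddr]"; module and symbol may both be absent.
FRAME_RE = re.compile(
    r"#(?P<idx>\d+)\s+"
    r"(?:(?P<module>/[^\s(]+)(?:\((?P<symbol>\w+)\+0x[0-9a-f]+\))?\s+)?"
    r"\[(?P<addr>0x[0-9a-f]+)\]"
)

# glibc's fortified wrappers are named __<function>_chk.
CHECKED_CALL_RE = re.compile(r"^__\w+_chk$")


def parse_frames(text):
    """Return the frames of a Samba smb_panic backtrace, innermost first."""
    return [
        {
            "idx": int(m.group("idx")),
            "module": m.group("module"),
            "symbol": m.group("symbol"),
            "addr": m.group("addr"),
        }
        for m in FRAME_RE.finditer(text)
    ]


def fortify_abort(frames):
    """Describe the abort if it came from a _FORTIFY_SOURCE length check.

    Returns None when no __chk_fail frame is followed by a __*_chk frame.
    """
    fail_at = next(
        (i for i, f in enumerate(frames) if f["symbol"] == "__chk_fail"), None
    )
    if fail_at is None:
        return None
    # Innermost frame comes first, so the checked call is listed after
    # __chk_fail and its callers after that.
    for i in range(fail_at + 1, len(frames)):
        symbol = frames[i]["symbol"]
        if symbol and CHECKED_CALL_RE.match(symbol):
            callers = frames[i + 1:]
            return {
                "checked_call": symbol,
                # Address of the (possibly unnamed) function that made the call.
                "call_site": callers[0]["addr"] if callers else None,
                "named_callers": [f["symbol"] for f in callers if f["symbol"]],
            }
    return None


if __name__ == "__main__":
    print(fortify_abort(parse_frames(BACKTRACE)))
```

For the frames above it reports `__snprintf_chk` called from the unnamed winbindd function at `0x8004163a`, reached through `tdb_traverse` from `wcache_flush_cache`, which is the cache traversal the reply's advice about `winbindd_cache.tdb` points at.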


RE: [Samba] AD users from different AD domains - update

2006-05-10 Thread Trimble, Ronald D
I am also waiting for this to be fixed.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lionel Déruaz
Sent: Wednesday, May 10, 2006 9:16 AM
To: samba@lists.samba.org
Subject: [Samba] AD users from different AD domains - update

hello

in a previous post, i was describing the behaviour with samba 3.0.21rc1
(winbind in particular) :

- We have a single AD forest, with different domains, A & B.
- The group, in domain A, we use for our authentication process
contains
user from the 2 domains A & B.

While using wbinfo, i cannot succeed to get a positive answer when i
ask if a user from domain B belongs or not to the group. (but the user
belongs to this group)

In other words, i would like to know if it is possible to check the
membership of a
user in a group of another AD domain ?

This was supposed to be linked to the bug#3530.

Does anyone know if this issue is solved on new version , or if a patch
exists ?

Thanks in advance

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] AD users from different AD domains - update

2006-05-10 Thread Trimble, Ronald D
Volker, 
I know you and I have been over this in the past, but I have a
few questions based on this thread.  If winbind does correctly list the
groups, why does it not correctly tell you that the user is indeed a
member of that group?  Are you saying that if you were an admin in all
domains it would work?  What if the server was not merely a member
server?  Would it work then?
I am not trying to be a pain, I am just looking for solutions to
a problem that lots of other Windows admins like myself see as a huge
issue.  

Sincerely,
Ron


-Original Message-
From: Volker Lendecke [mailto:[EMAIL PROTECTED] On Behalf Of Volker
Lendecke
Sent: Wednesday, May 10, 2006 11:17 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] AD users from different AD domains - update

On Wed, May 10, 2006 at 11:00:44AM -0400, Trimble, Ronald D wrote:
 In other words, i would like to know if it is possible to
 check the membership of a user in a group of another AD
 domain ?

No, it is not. The only operation regarding group membership
that is doable reliably is getting the list of groups a user
is member of directly while this user is logging in.

Anything beyond that like asking the same question without
having logged in, getting a list of members of a group,
getting lists of users and groups and so on will sooner or
later fail if you are not administrator of all domains in
question. Winbind is not made for being admin in all
domains, and this is nothing that you _want_ winbind on a
member server to be.

Please look at the explanations in bug #3530. Don't wait for
this to be fixed.

Volker
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Excessive traffic causing slow logons

2006-05-05 Thread Trimble, Ronald D
Your crystal ball must be pretty good because changing the winbind enum
user and group entries to no did the trick.  The man page isn't very
specific about this change.  Are there any downsides to this setting?

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 04, 2006 2:05 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:

 I am seeing some extremely slow logons to my SUSE servers.  All are
 configured exactly the same.  When I attempt to log on, I can enter my
 domain (AD) account without any problems.  I then enter my password
and
 sit and wait for several minutes until it eventually takes me to my
 desktop.  In attempting to debug the problem, we have been able to see
 millions of calls to the domain controller.  They all look similar to
 this...
 As you can imagine, we see millions of these over the 4 to 5 minutes
it
 takes to log on.  On the Windows side, the domain controller does not
 report any errors in the logs.  
 

You mention LDAP traffic but you say nothing about what the
traffic is actually doing nor do you give any details of how your
server is configured.  You could be using nss_ldap for all I know.

Just gazing into my crystal ball, I would ask whether or not
you have set 'winbind enum users = no' and 'winbind enum groups = no'?
If not, then do this first.

Then it would be helpful to know more about your server.

 ...  Can anyone help me with this issue?  This
 issue is very quickly making us think twice about continuing 
 to use Samba.

That's your call.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Excessive traffic causing slow logons

2006-05-05 Thread Trimble, Ronald D
In any event thanks for your help!

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 05, 2006 10:54 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:
 Your crystal ball must be pretty good because changing 
 the winbind enum user and group entries to no did
 the trick.

I thought that might help.  Which is why we are changing
the default in 3.0.23 :-)

 The man page isn't very specific about this change.
 Are there any downsides to this setting?

It disables support for setpwent()/getpwent()/endpwent()
functionality.  So apps that try to enumerate all users
or groups will break.  Running 'id user' will fail.  But
running 'id' as the user will work.  Most apps just use
getpwnam() or getgrnam() anyways.  The NSS interface
is a little too narrow for real searching.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
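
The difference between enumeration and direct lookup described in the reply above, as an added example (not code from the thread or from Samba). Python's `pwd.getpwall()` and `grp.getgrall()` are the enumeration calls and `pwd.getpwnam()` and `grp.getgrnam()` the direct lookups; `enumeration_blind_spots` is a name made up here for a check that lists accounts which resolve by name but are invisible to anything that walks the whole user or group list.

```python
import grp
import pwd


def lookup_user(name):
    """Direct lookup: one getpwnam() call, which NSS hands to winbind for
    that single account. Not affected by 'winbind enum users = no'."""
    try:
        return pwd.getpwnam(name)
    except KeyError:
        return None


def lookup_user_by_enumeration(name):
    """Enumeration: pwd.getpwall() walks setpwent()/getpwent()/endpwent().
    With enumeration switched off winbind contributes no entries to this
    walk, so a domain account is never found here."""
    for entry in pwd.getpwall():
        if entry.pw_name == name:
            return entry
    return None


def enumeration_blind_spots(user_names=(), group_names=()):
    """Report names that resolve directly but are absent from enumeration.

    Comparison is by uid/gid because the name NSS returns may be spelled
    differently (for example in another case) from the name queried.
    """
    listed_uids = {entry.pw_uid for entry in pwd.getpwall()}
    listed_gids = {entry.gr_gid for entry in grp.getgrall()}
    hidden = {"users": [], "groups": []}
    for name in user_names:
        entry = lookup_user(name)
        if entry is not None and entry.pw_uid not in listed_uids:
            hidden["users"].append(name)
    for name in group_names:
        try:
            entry = grp.getgrnam(name)
        except KeyError:
            continue  # unknown to every NSS source, not a blind spot
        if entry.gr_gid not in listed_gids:
            hidden["groups"].append(name)
    return hidden


if __name__ == "__main__":
    import sys

    # Pass the account names to check as arguments, e.g. 'DOMAIN\user'.
    print(enumeration_blind_spots(user_names=sys.argv[1:]))
```

Any script or report that builds its user list from enumeration (backup selection, account audits, quota tools) will silently skip the names this returns.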


[Samba] Excessive traffic causing slow logons

2006-05-04 Thread Trimble, Ronald D
I am seeing some extremely slow logons to my SUSE servers.  All are
configured exactly the same.  When I attempt to log on, I can enter my
domain (AD) account without any problems.  I then enter my password and
sit and wait for several minutes until it eventually takes me to my
desktop.  In attempting to debug the problem, we have been able to see
millions of calls to the domain controller.  They all look similar to
this...

 

16:19:31.943556 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6096:6369(273) ack 7014 win 16080 <nop,nop,timestamp 89505560 7529129>
16:19:31.944886 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7014:7391(377) ack 6369 win 64170 <nop,nop,timestamp 7529129 89505560>
16:19:31.945122 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6369:6647(278) ack 7391 win 16080 <nop,nop,timestamp 89505561 7529129>
16:19:31.946500 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7391:7778(387) ack 6647 win 65535 <nop,nop,timestamp 7529129 89505561>
16:19:31.946733 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6647:6919(272) ack 7778 win 16080 <nop,nop,timestamp 89505563 7529129>
16:19:31.948064 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 7778:8152(374) ack 6919 win 65263 <nop,nop,timestamp 7529129 89505563>
16:19:31.948298 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 6919:7194(275) ack 8152 win 16080 <nop,nop,timestamp 89505565 7529129>
16:19:31.949678 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8152:8532(380) ack 7194 win 64988 <nop,nop,timestamp 7529129 89505565>
16:19:31.949913 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 7194:7466(272) ack 8532 win 16080 <nop,nop,timestamp 89505566 7529129>
16:19:31.951244 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8532:8905(373) ack 7466 win 64716 <nop,nop,timestamp 7529129 89505566>
16:19:31.951478 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 7466:7729(263) ack 8905 win 16080 <nop,nop,timestamp 89505568 7529129>
16:19:31.953003 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: P 8905:9186(281) ack 7729 win 64453 <nop,nop,timestamp 7529129 89505568>
16:19:31.953098 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: P 7729:7736(7) ack 9186 win 16080 <nop,nop,timestamp 89505569 7529129>
16:19:31.953117 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: F 7736:7736(0) ack 9186 win 16080 <nop,nop,timestamp 89505569 7529129>
16:19:31.953252 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 > ustr-nadc1.na.uis.unisys.com.ldap: S 1051543388:1051543388(0) win 5840 <mss 1460,sackOK,timestamp 89505570 0,nop,wscale 0>
16:19:31.953592 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: . ack 7737 win 64446 <nop,nop,timestamp 7529129 89505569>
16:19:31.954376 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695: F 9186:9186(0) ack 7737 win 64446 <nop,nop,timestamp 7529129 89505569>
16:19:31.954391 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40695 > ustr-nadc1.na.uis.unisys.com.ldap: . ack 9187 win 16080 <nop,nop,timestamp 89505571 7529129>
16:19:31.954817 IP ustr-nadc1.na.uis.unisys.com.ldap > USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696: S 702706062:702706062(0) ack 1051543389 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
16:19:31.954830 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 > ustr-nadc1.na.uis.unisys.com.ldap: . ack 1 win 5840 <nop,nop,timestamp 89505571 0>
16:19:31.954959 IP USTR-MINT-A-2.NA.UIS.UNISYS.COM.40696 > ustr-nadc1.na.uis.unisys.com.ldap: P 1:91(90) ack 1 win 5840 <nop,nop,timestamp 89505571 0>

 

As you can imagine, we see millions of these over the 4 to 5 minutes it
takes to log on.  On the Windows side, the domain controller does not
report any errors in the logs.  

 

I have turned the debug level of winbind up to 10 and have some very
extensive logs showing what is going on.  Unfortunately, I cannot
interpret all of this myself.  Can anyone help me with this issue?  This
issue is very quickly making us think twice about continuing to use
Samba.

 

Thanks,

Ron

 

 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
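
One way to turn a capture like the one in the post above into numbers (request rate, bytes sent, how often the client reconnects), as an added example that is not from the thread. The sample lines are constructed in the same tcpdump text format with placeholder host names, and `parse_packet` and `summarize_ldap` are names made up for this example.

```python
import re

# Constructed sample in tcpdump's text format (TCP options omitted);
# the host names are placeholders.
SAMPLE = """\
16:19:31.953098 IP client.example.com.40695 > dc.example.com.ldap: P 7729:7736(7) ack 9186 win 16080
16:19:31.953117 IP client.example.com.40695 > dc.example.com.ldap: F 7736:7736(0) ack 9186 win 16080
16:19:31.953252 IP client.example.com.40696 > dc.example.com.ldap: S 1051543388:1051543388(0) win 5840
16:19:31.954817 IP dc.example.com.ldap > client.example.com.40696: S 702706062:702706062(0) ack 1051543389 win 16384
16:19:31.954830 IP client.example.com.40696 > dc.example.com.ldap: . ack 1 win 5840
16:19:31.954959 IP client.example.com.40696 > dc.example.com.ldap: P 1:91(90) ack 1 win 5840
"""

# time, "IP", src.port > dst.port:, TCP flags, optional first:last(length)
PACKET_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) IP "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFPRWE.]+)(?: \d+:\d+\((?P<len>\d+)\))?"
)

# tcpdump prints the service name unless it was run with -n.
LDAP_PORTS = {"ldap", "389"}


def parse_packet(line):
    """Parse one tcpdump text line; return None for anything else."""
    m = PACKET_RE.match(line.strip())
    if m is None:
        return None
    seconds = (int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])
    return {
        "t_us": seconds * 1_000_000 + int(m["us"]),  # microseconds since midnight
        "sport": m["sport"],
        "dport": m["dport"],
        "flags": m["flags"],
        "length": int(m["len"] or 0),
    }


def summarize_ldap(lines):
    """Summarize LDAP traffic in a capture that does not cross midnight."""
    packets = [
        p for p in map(parse_packet, lines)
        if p and (p["sport"] in LDAP_PORTS or p["dport"] in LDAP_PORTS)
    ]
    to_server = [p for p in packets if p["dport"] in LDAP_PORTS]
    requests = [p for p in to_server if p["length"] > 0]
    times = [p["t_us"] for p in packets]
    span_us = max(times) - min(times) if times else 0
    return {
        "packets": len(packets),
        "requests": len(requests),
        "request_bytes": sum(p["length"] for p in requests),
        # A SYN towards the LDAP port is a new connection from the client.
        "connections_opened": sum(1 for p in to_server if "S" in p["flags"]),
        "client_ports": len({p["sport"] for p in to_server}),
        "span_us": span_us,
        "requests_per_second": len(requests) * 1_000_000 / span_us if span_us else 0.0,
    }


if __name__ == "__main__":
    print(summarize_ldap(SAMPLE.splitlines()))
```

Run over a full capture file, a high `requests_per_second` that lasts for the whole logon is the pattern the thread traces to winbind enumerating every user and group.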


RE: [Samba] Excessive traffic causing slow logons

2006-05-04 Thread Trimble, Ronald D
USTR-MINT-A-2:~ # rpm -qa |grep samba
samba-client-3.0.20b-3.4
yast2-samba-server-2.9.33-0.3
samba-3.0.20b-3.4
samba-pdb-3.0.20b-3.4
yast2-samba-client-2.9.17-1.3
samba-winbind-3.0.20b-3.4
kdebase3-samba-3.2.1-68.46

We do have some SuSE support, but I am not sure how far that will get me
since they will just point me back to samba.  How would you suggest I
proceed?

-Original Message-
From: Jeremy Allison [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 04, 2006 10:28 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

On Thu, May 04, 2006 at 10:21:18AM -0400, Trimble, Ronald D wrote:
 I am seeing some extremely slow logons to my SUSE servers.  All are
 configured exactly the same.  When I attempt to log on, I can enter my
 domain (AD) account without any problems.  I then enter my password
and
 sit and wait for several minutes until it eventually takes me to my
 desktop.  In attempting to debug the problem, we have been able to see
 millions of calls to the domain controller.  They all look similar to
 this...

What version of Samba ? Do you have SuSE support ? This is the
sort of thing we track down for customers

Jeremy.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Excessive traffic causing slow logons

2006-05-04 Thread Trimble, Ronald D
I have already gone this route.  Our DC is also a DNS server and the
entries are all there.  What's really interesting is that through all of
the requests, the DC acks every single one.

-Original Message-
From: Gerald Drouillard [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 04, 2006 12:53 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Excessive traffic causing slow logons

Trimble, Ronald D wrote:
 I am seeing some extremely slow logons to my SUSE servers.  All are
 configured exactly the same.  When I attempt to log on, I can enter my
 domain (AD) account without any problems.  I then enter my password
and
 sit and wait for several minutes until it eventually takes me to my
 desktop.  In attempting to debug the problem, we have been able to see
 millions of calls to the domain controller.  They all look similar to
 this...
 
You may want to look at the DNS/DHCP server.  If there is a 2003 DC and 
it is not the DNS/DHCP server then things can slow down.  I believe it 
is a reverse DNS issue.

-- 
Regards
--
Gerald Drouillard
Technology Architect
Drouillard  Associates, Inc.
http://www.Drouillard.ca
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Slow logon

2006-05-01 Thread Trimble, Ronald D
I have several servers that take an exceptionally long time to sign onto
our Windows domain.  It is not unheard of for it to take upwards of 3 or
4 minutes.  The server is a member of the domain and the users are using
an AD account to sign onto the server locally.  Where could I begin to
look to resolve this issue?

 

Thanks,

Ron

 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Bad Password

2006-04-27 Thread Trimble, Ronald D
Everyone,

I am going nuts trying to figure this problem out.  I have
successfully joined a SUSE 10 server to our domain and configured samba
for ADS authentication.  This exact setup works on all my other servers.
On this one, I keep getting access denied when entering my domain
password despite the fact that I have tried it literally dozens of
times.  I am 100% confident I am entering the password correctly.  It
appears winbind is not sending the password to the domain in the proper
manner.  Can anyone help me?

 

Thanks,

Ron

 

Here is what is in the log.wb-NA file after I enter my password...

 

[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:child_process_request(359)
  process_request: request fn LOOKUPNAME
[2006/04/26 11:09:15, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(695)
  [ 8465]: lookupname NA\trimblrd
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: NA time ok
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: NA seq number is now 24046271
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:centry_expired(416)
  centry_expired: Key NS/NA/TRIMBLRD for domain NA expired
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:wcache_fetch(473)
  wcache_fetch: entry NS/NA/TRIMBLRD expired for domain NA
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:name_to_sid(975)
  name_to_sid: [Cached] - doing backend query for name for domain NA
[2006/04/26 11:09:15, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(257)
  rpc: name_to_sid name=NA\trimblrd
[2006/04/26 11:09:15, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(265)
  name_to_sid [rpc] trimblrd for domain NA
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(614)
  wcache_save_name_to_sid: TRIMBLRD - S-1-5-21-725345543-2052111302-527237240-26634
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 8466, len 1304
[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:dual_client_read(53)
  client_read: read 1828 bytes. Need 0 more for a full request.
[2006/04/26 11:09:15, 4] nsswitch/winbindd_dual.c:fork_domain_child(486)
  child daemon request 48
[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:child_process_request(359)
  process_request: request fn DUAL_USERINFO
[2006/04/26 11:09:15, 3] nsswitch/winbindd_user.c:winbindd_dual_userinfo(146)
  [ 8465]: lookupsid S-1-5-21-725345543-2052111302-527237240-26634
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: NA time ok
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: NA seq number is now 24046271
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:centry_expired(416)
  centry_expired: Key U/S-1-5-21-725345543-2052111302-527237240-26634 for domain NA expired
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:wcache_fetch(473)
  wcache_fetch: entry U/S-1-5-21-725345543-2052111302-527237240-26634 expired for domain NA
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:query_user(1105)
  sid_to_name: [Cached] - doing backend query for info for domain NA
[2006/04/26 11:09:15, 3] nsswitch/winbindd_ads.c:query_user(396)
  ads: query_user
[2006/04/26 11:09:15, 7] nsswitch/winbindd_ads.c:ads_cached_connection(48)
  Current tickets expire at 1146099562, time is now 1146064155
[2006/04/26 11:09:15, 3] nsswitch/winbindd_ads.c:query_user(442)
  ads query_user gave TRIMBLRD
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: NA time ok
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: NA seq number is now 24046271
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:wcache_save_user(653)
  wcache_save_user: S-1-5-21-725345543-2052111302-527237240-26634 (acct_name TRIMBLRD)
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:cache_store_response(1493)
  Storing response for pid 8466, len 1304
[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:dual_client_read(53)
  client_read: read 1828 bytes. Need 0 more for a full request.
[2006/04/26 11:09:15, 4] nsswitch/winbindd_dual.c:fork_domain_child(486)
  child daemon request 18
[2006/04/26 11:09:15, 10] nsswitch/winbindd_dual.c:child_process_request(359)
  process_request: request fn LOOKUPSID
[2006/04/26 11:09:15, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupsid(589)
  [ 8465]: lookupsid S-1-5-21-725345543-2052111302-527237240-26634
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(359)
  refresh_sequence_number: NA time ok
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: NA seq number is now 24046271
[2006/04/26 11:09:15, 10] nsswitch/winbindd_cache.c:centry_expired(416)

  

[Samba] Bad Password

2006-04-26 Thread Trimble, Ronald D

[Samba] Bad password when attempting login to SSH with AD account

2006-04-12 Thread Trimble, Ronald D
Everyone,

I have several servers set up, all running the same levels
of samba and winbind.  I am able to see the domain and authenticate
users without any trouble.  I am attempting to get integrated logins to
work with SSH.  I have it working on one server, but two others (with
the exact same config) do not work.  

 

On the box that works, I get the following message in
/var/log/messages when I log in with my domain account.

Apr 12 15:28:21 ustr-MINT-A-5 sshd[8643]: Accepted keyboard-interactive/pam for root from 192.63.xxx.xxx port 4102 ssh2
Apr 12 15:28:49 ustr-MINT-A-5 pam_winbind[8668]: user 'NA\trimblrd' granted access
Apr 12 15:28:49 ustr-MINT-A-5 pam_winbind[8668]: user 'NA\trimblrd' granted access
Apr 12 15:28:49 ustr-MINT-A-5 sshd[8666]: Accepted keyboard-interactive/pam for NA\\trimblrd from 192.63.xxx.xxx port 4104 ssh2

Using the same ID, I get the following messages on the two
servers that don't work.

Apr 12 15:26:27 ustr-MINT-A-2 sshd[9329]: Invalid user NA\\trimblrd from 192.63.xxx.xxx
Apr 12 15:26:29 ustr-MINT-A-2 pam_winbind[9331]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Apr 12 15:26:29 ustr-MINT-A-2 pam_winbind[9331]: user `NA\trimblrd' denied access (incorrect password)
Apr 12 15:26:29 ustr-MINT-A-2 sshd[9329]: error: PAM: User not known to the underlying authentication module for illegal user NA\\trimblrd from ustr-trimblrd.na.uis.unisys.com
Apr 12 15:26:29 ustr-MINT-A-2 sshd[9329]: Failed keyboard-interactive/pam for invalid user NA\\trimblrd from 192.63.xxx.xxx port 4096 ssh2

 

Of course your first thought will be that I am entering the
wrong password, but I have ruled that out by repeating this process
dozens of times with multiple accounts.  The strange thing is that AD
thinks I really am sending an incorrect password, as my account shows
an invalid password attempt in AD.  Has anyone seen this problem?  Do
you know what I may be missing?

 

Thanks in advance,

Ron

 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Owner changes when modifying Excel & Word files

2006-03-30 Thread Trimble, Ronald D
Those settings would definitely work, but not unless you had a share defined 
for each group.  If that is the case, then it would work just fine.  Another 
potential option is to use default ACLs.  

My original comments were merely to point out that this is exactly the way 
Samba was supposed to work.

-Original Message-
From: marcos rocha [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 30, 2006 5:18 PM
To: Trimble, Ronald D; Ivan Tadic; samba@lists.samba.org
Subject: RE: [Samba] Owner changes when modifying Excel & Word files


what about the following settings:

- force user
- force group

[]s

Marcos

--- Trimble, Ronald D [EMAIL PROTECTED] wrote:

 There is no solution and it is by design.  You can
 read all about it on
 the samba.org page.  They have covered it
 extensively.
 
 -Original Message-
 From:

[EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED]
 On
 Behalf Of Ivan Tadic
 Sent: Tuesday, March 28, 2006 1:46 PM
 To: samba@lists.samba.org
 Subject: [Samba] Owner changes when modifying Excel
 & Word files
 
 Dear all,
 
 I am using Samba 3.0.20-4 SUSE.
 When a user (under Windows) modifies an Excel or
 Word file, he/she
 becomes the owner of that file !!!
 I have read that this is because Excel & Word delete
 the original file
 and recreate a new one with the modifications.
 But I didn't find a solution to prevent this.
 
 Thank you in advance for your reply.
 
 Ivan Tadic
 Brussels, Belgium
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Owner changes when modifying Excel & Word files

2006-03-29 Thread Trimble, Ronald D
There is no solution and it is by design.  You can read all about it on
the samba.org page.  They have covered it extensively.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ivan Tadic
Sent: Tuesday, March 28, 2006 1:46 PM
To: samba@lists.samba.org
Subject: [Samba] Owner changes when modifying Excel & Word files

Dear all,

I am using Samba 3.0.20-4 SUSE.
When a user (under Windows) modifies an Excel or Word file, he/she
becomes the owner of that file !!!
I have read that this is because Excel & Word delete the original file
and recreate a new one with the modifications.
But I didn't find a solution to prevent this.

Thank you in advance for your reply.

Ivan Tadic
Brussels, Belgium

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Trouble with Homes

2006-03-27 Thread Trimble, Ronald D
I am having trouble with getting my Homes section to work properly.
When I browse to the server from a Windows client, I can see my home
directory.  However, when I try to access it, it challenges me for a
userID and password.  No matter what I enter, it will not allow me
access.  Can someone point me in the right direction to solve this?

Here are the errors...

[2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
  192.63.212.176 (192.63.212.176) couldn't find service .
[2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)

And here is the relevant section of the smb.conf...

[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
create mask = 0660
directory mask = 0770

Thanks for the help!!!

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
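
A way to triage the denials quoted in the post above, as an added example that is not part of the original thread: it parses smbd log entries of this shape (a header line plus wrapped message lines, with or without blank lines between them) and counts the "not permitted to access this share" denials per user and share, noting when the session user differs from the share name only by a domain prefix. The function names are hypothetical and the embedded sample lines are constructed in the format of the quoted log.

```python
import re
from collections import Counter

# Constructed sample in the format of the smbd log quoted above, including the
# blank-line spacing and mail-wrapped message lines seen in the post.
SAMPLE_LOG = r"""[2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)

  192.63.212.176 (192.63.212.176) couldn't find service .

[2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)

  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
"""

# "[date time, level] source_file:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s+(?P<level>\d+)\]\s+(?P<src>\S+)$"
)
DENY_RE = re.compile(
    r"user '(?P<user>[^']+)' \(from session setup\) "
    r"not permitted to access this share \((?P<share>[^)]*)\)"
)


def parse_entries(text):
    """Group header lines with their (possibly wrapped) message lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank spacing added by the mail client
        m = HEADER_RE.match(line)
        if m:
            entries.append({"time": m["ts"], "level": int(m["level"]),
                            "source": m["src"], "message": ""})
        elif entries:
            # Continuation of the previous entry; re-join wrapped text.
            last = entries[-1]
            last["message"] = (last["message"] + " " + line).strip()
    return entries


def split_account(user, separators="\\+"):
    """Split DOMAIN<sep>name on '\\' (the default) or '+' (used in this thread)."""
    for sep in separators:
        if sep in user:
            domain, _, name = user.partition(sep)
            return domain, name
    return None, user


def summarize_denials(entries):
    """Count share-access denials per (session user, share)."""
    counts = Counter()
    for entry in entries:
        m = DENY_RE.search(entry["message"])
        if m:
            counts[(m["user"], m["share"])] += 1
    rows = []
    for (user, share), n in counts.most_common():
        domain, name = split_account(user)
        rows.append({
            "user": user,
            "share": share,
            "count": n,
            "domain": domain,
            # True when only the domain prefix separates the session user
            # from the share name, as in the quoted log.
            "prefix_only_mismatch": domain is not None
            and name.lower() == share.lower(),
        })
    return rows


if __name__ == "__main__":
    for row in summarize_denials(parse_entries(SAMPLE_LOG)):
        print(row)
```
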


RE: [Samba] Trouble with Homes

2006-03-27 Thread Trimble, Ronald D
I made the changes to my configuration so that it is now

[homes]
comment = Home Directories
valid users = %D\%S
browseable = No
read only = No
create mask = 0660
directory mask = 0770

However, after a forced reload of smb, I still get the same errors.

[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section [homes]
[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section [samba]
[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section [ISOs]
[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section [shared]
[2006/03/27 11:52:32, 2] param/loadparm.c:do_section(3681)
  Processing section [images]
[2006/03/27 11:52:32, 2] lib/interface.c:add_interface(81)
  added interface ip=192.63.225.216 bcast=192.63.225.223
nmask=255.255.255.224
[2006/03/27 11:53:07, 0] smbd/service.c:make_connection(798)
  192.63.212.176 (192.63.212.176) couldn't find service .
[2006/03/27 11:53:09, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:53:09, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:53:10, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)
[2006/03/27 11:53:14, 2] smbd/service.c:make_connection_snum(318)
  user 'NA\trimblrd' (from session setup) not permitted to access this
share (trimblrd)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Guillermo Gutierrez
Sent: Monday, March 27, 2006 11:45 AM
To: Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

If you are integrating the samba server into a windows domain, you might
want to try setting the valid users line like this: valid users =
%D\%S

that was my problem until I did that.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Craig White
Sent: Monday, March 27, 2006 8:34 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Trouble with Homes


On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote:
 I am having trouble with getting my Homes section to work properly.
 When I browse to the server from a Windows client, I can see my home
 directory.  However, when I try to access it, it challenges me for a
 userID and password.  No matter what I enter, it will not allow me
 access.  Can someone point me in the right direction to solve this?
 
 Here are the errors...
 
 [2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
   192.63.212.176 (192.63.212.176) couldn't find service .
 [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 
 And here is the relevant section of the smb.conf...
 
 [homes]
 comment = Home Directories
 valid users = %S
 browseable = No
 read only = No
 create mask = 0660
 directory mask = 0770

try putting a valid path

RE: [Samba] Trouble with Homes

2006-03-27 Thread Trimble, Ronald D
I am not using LDAP, so the SIDs shouldn't be an issue.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Daniel Northam
Sent: Monday, March 27, 2006 11:49 AM
To: Guillermo Gutierrez; Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

Check your SID's I had that same problem and samba was advising Auth
succeeded but it still wouldn't let me in. Checked my SID's and
somewhere down the line I had changed one of my SID's. I corrected that
in LDAP and then I was able to login.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Guillermo Gutierrez
Sent: Monday, March 27, 2006 8:45 AM
To: Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

If you are integrating the samba server into a windows domain, you might
want to try setting the valid users line like this: valid users =
%D\%S

that was my problem until I did that.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Craig White
Sent: Monday, March 27, 2006 8:34 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Trouble with Homes


On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote:
 I am having trouble with getting my Homes section to work properly.
 When I browse to the server from a Windows client, I can see my home
 directory.  However, when I try to access it, it challenges me for a
 userID and password.  No matter what I enter, it will not allow me
 access.  Can someone point me in the right direction to solve this?
 
 Here are the errors...
 
 [2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
   192.63.212.176 (192.63.212.176) couldn't find service .
 [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 
 And here is the relevant section of the smb.conf...
 
 [homes]
 comment = Home Directories
 valid users = %S
 browseable = No
 read only = No
 create mask = 0660
 directory mask = 0770

try putting a valid path that the users have write access to their
home...

[homes]
comment = Home Directories
path = /home/samba/homes
browseable = no
writable = yes
valid users = %S
create mask = 600
directory mask = 700

# ls -ld /home/samba/homes
drwxrwx---  2 root dom_users 4096 Jun 23  2003 /home/samba/homes

maybe even get crazy enough to create directories in /home/samba/homes
for each user...

Craig

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Trouble with Homes

2006-03-27 Thread Trimble, Ronald D
Domain member.

-Original Message-
From: Guillermo Gutierrez [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 27, 2006 12:44 PM
To: Trimble, Ronald D; Daniel Northam; Craig White;
samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

do you have this samba server as a domain member or is it a standalone?

-Original Message-
From: Trimble, Ronald D [mailto:[EMAIL PROTECTED]
Sent: Monday, March 27, 2006 9:39 AM
To: Daniel Northam; Guillermo Gutierrez; Craig White;
samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes


I am not using LDAP, so the SIDs shouldn't be an issue.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Daniel Northam
Sent: Monday, March 27, 2006 11:49 AM
To: Guillermo Gutierrez; Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

Check your SID's I had that same problem and samba was advising Auth
succeeded but it still wouldn't let me in. Checked my SID's and
somewhere down the line I had changed one of my SID's. I corrected that
in LDAP and then I was able to login.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Guillermo Gutierrez
Sent: Monday, March 27, 2006 8:45 AM
To: Craig White; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

If you are integrating the samba server into a windows domain, you might
want to try setting the valid users line like this: valid users =
%D\%S

that was my problem until I did that.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Craig White
Sent: Monday, March 27, 2006 8:34 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Trouble with Homes


On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote:
 I am having trouble with getting my Homes section to work properly.
 When I browse to the server from a Windows client, I can see my home
 directory.  However, when I try to access it, it challenges me for a
 userID and password.  No matter what I enter, it will not allow me
 access.  Can someone point me in the right direction to solve this?
 
 Here are the errors...
 
 [2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
   192.63.212.176 (192.63.212.176) couldn't find service .
 [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 [2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318)
   user 'NA\trimblrd' (from session setup) not permitted to access this
 share (trimblrd)
 
 And here is the relevant section of the smb.conf...
 
 [homes]
 comment = Home Directories
 valid users = %S
 browseable = No
 read only = No
 create mask = 0660
 directory mask = 0770

try putting a valid path that the users have write access to their
home...

[homes]
comment = Home Directories
path = /home/samba/homes
browseable = no
writable = yes
valid users = %S
create mask = 600
directory mask = 700

# ls -ld /home/samba/homes
drwxrwx---  2 root dom_users 4096 Jun 23  2003 /home/samba/homes

maybe even get crazy enough to create directories in /home/samba/homes
for each user...

Craig

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Trouble with Homes

2006-03-27 Thread Trimble, Ronald D
So that every person who uses the server can have a home directory
without me having to create it by hand.

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 27, 2006 12:54 PM
To: Trimble, Ronald D
Cc: Guillermo Gutierrez; Daniel Northam; samba@lists.samba.org
Subject: RE: [Samba] Trouble with Homes

get rid of the homes definition...why do you need it on a member server?

Craig

On Mon, 2006-03-27 at 12:44 -0500, Trimble, Ronald D wrote:
 Domain member.
 
 -Original Message-
 From: Guillermo Gutierrez [mailto:[EMAIL PROTECTED] 
 Sent: Monday, March 27, 2006 12:44 PM
 To: Trimble, Ronald D; Daniel Northam; Craig White;
 samba@lists.samba.org
 Subject: RE: [Samba] Trouble with Homes
 
 do you have this samba server as a domain member or is it a standalone?
 
 -Original Message-
 From: Trimble, Ronald D [mailto:[EMAIL PROTECTED]
 Sent: Monday, March 27, 2006 9:39 AM
 To: Daniel Northam; Guillermo Gutierrez; Craig White;
 samba@lists.samba.org
 Subject: RE: [Samba] Trouble with Homes
 
 
 I am not using LDAP, so the SIDs shouldn't be an issue.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Daniel Northam
 Sent: Monday, March 27, 2006 11:49 AM
 To: Guillermo Gutierrez; Craig White; samba@lists.samba.org
 Subject: RE: [Samba] Trouble with Homes
 
 Check your SID's I had that same problem and samba was advising Auth
 succeeded but it still wouldn't let me in. Checked my SID's and
 somewhere down the line I had changed one of my SID's. I corrected that
 in LDAP and then I was able to login.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf
 Of Guillermo Gutierrez
 Sent: Monday, March 27, 2006 8:45 AM
 To: Craig White; samba@lists.samba.org
 Subject: RE: [Samba] Trouble with Homes
 
 If you are integrating the samba server into a windows domain, you might
 want to try setting the valid users line like this: valid users =
 %D\%S
 
 that was my problem until I did that.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 Behalf Of Craig White
 Sent: Monday, March 27, 2006 8:34 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] Trouble with Homes
 
 
 On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote:
  I am having trouble with getting my Homes section to work properly.
  When I browse to the server from a Windows client, I can see my home
  directory.  However, when I try to access it, it challenges me for a
  userID and password.  No matter what I enter, it will not allow me
  access.  Can someone point me in the right direction to solve this?
  
  Here are the errors...
  
  [2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798)
    192.63.212.176 (192.63.212.176) couldn't find service .
  [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
    user 'NA\trimblrd' (from session setup) not permitted to access this
  share (trimblrd)
  [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318)
    user 'NA\trimblrd' (from session setup) not permitted to access this
  share (trimblrd)
  [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
    user 'NA\trimblrd' (from session setup) not permitted to access this
  share (trimblrd)
  [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
    user 'NA\trimblrd' (from session setup) not permitted to access this
  share (trimblrd)
  [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
    user 'NA\trimblrd' (from session setup) not permitted to access this
  share (trimblrd)
  [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
    user 'NA\trimblrd' (from session setup) not permitted to access this
  share (trimblrd)
  [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318)
    user 'NA\trimblrd' (from session setup) not permitted to access this
  share (trimblrd)
  [2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318)
    user 'NA\trimblrd' (from session setup) not permitted to access this
  share (trimblrd)
  
  And here is the relevant section of the smb.conf...
  
  [homes]
  comment = Home Directories
  valid users = %S
  browseable = No
  read only = No
  create mask = 0660
  directory mask = 0770
 
 try putting a valid path that the users have write access to their
 home...
 
 [homes]
 comment = Home Directories
 path = /home/samba/homes
 browseable = no
 writable = yes
 valid users = %S
 create mask = 600
 directory mask = 700
 
 # ls -ld /home/samba/homes
 drwxrwx---  2 root dom_users 4096 Jun 23  2003 /home/samba/homes
 
 maybe even get crazy enough to create directories in /home/samba/homes
 for each user...
 
 Craig
 
 -- 
 To unsubscribe from this list go to the following

RE: [Samba] getting samba to authenticate with kerberos/PAM

2006-03-08 Thread Trimble, Ronald D
No problem.  Glad I could point you in the right direction.

-Original Message-
From: Guillermo Gutierrez [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 08, 2006 10:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

well...
after some playing around with the example you provided to me, I finally
got it to work.
I did have to do things a little different, but I finally got it to
work.

thank you sooo much for your help, here is how my /etc/pam.d/sshd looks:

#%PAM-1.0

auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok
auth       required     /lib/security/pam_shells.so
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_env.so

account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_unix.so
account    required     /lib/security/pam_nologin.so

#password   required     /lib/security/pam_pwcheck.so
password   required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_unix.so use_first_pass use_authtok

session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077

I realize that some of these lines might not be needed, I just have to
figure out which ones and remove them for clean up.

thanks again,

Guillermo Gutierrez

-Original Message-
From: Trimble, Ronald D [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 08, 2006 4:25 PM
To: Guillermo Gutierrez
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM


Setting up SSH to use AD accounts

Follow the directions in the Samba section of this wiki before
continuing with these steps since SSH logins will require the use of
winbind. 

Make a backup of all files before editing anything since a mistake in a
PAM module could render your machine unusable. 

Edit the /etc/pam.d/sshd file. Ours looks like this: 

#%PAM-1.0
auth      required   pam_unix2.so      # set_secrpc
auth      required   pam_nologin.so
auth      required   pam_env.so
account   required   pam_unix2.so
account   required   pam_nologin.so
password  required   pam_pwcheck.so
password  required   pam_unix2.so      use_first_pass use_authtok
session   optional   pam_mkhomedir.so  skel=/etc/skel/ umask=0077
session   required   pam_unix2.so      none # trace or debug
session   required   pam_limits.so

Next, edit /etc/security/pam_unix2.conf. Ours looks like this: 

auth:       call_modules=winbind
account:    call_modules=winbind
password:   blowfish
session:    none

Finally, create the top level home directory and assign the proper
permissions. 

Your default home directories will be created in /home/domain/username. 

mkdir /home/domain
chmod 755 /home/domain

When you login via SSH, use your AD account. Remember in Samba we
configured the winbind separator to be a '+'. I, for example, would log
in as NA+trimblrd and then specify my NA password. Once I do this, a
home directory will be created for me. 

If everything works, your login will look like this. 

login as: NA+trimblrd
Using keyboard-interactive authentication.
Password:
Last login: Tue Dec 20 12:29:08 2005 from ustr-trimblrd.na.uis.unisys.com
[EMAIL PROTECTED]:~

Logging into the server with an AD account

If you want to take this example a step further, you can also configure
your server so that you can use your AD account to logon locally or
through VNC. To enable this requires modifying only one more file. 

Edit /etc/pam.d/login. (Remember to make a backup.) Ours looks like
this: 

#%PAM-1.0
auth      requisite  pam_unix2.so      nullok #set_secrpc
auth      required   pam_securetty.so
auth      required   pam_nologin.so
auth      required   pam_env.so
auth      required   pam_mail.so
account   required   pam_unix2.so
password  required   pam_pwcheck.so    nullok
password  required   pam_unix2.so      nullok use_first_pass use_authtok
session   optional   pam_mkhomedir.so  skel=/etc/skel/ umask=0077
session   required   pam_unix2.so      none # debug or trace
session   required   pam_limits.so
session   required   pam_resmgr.so

Now you will be able to log onto the server without the use of a local
account. 

Retrieved from "http://ustr-linux-1/wiki/index.php/SSH"

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 08, 2006 6:14 PM
To: samba@lists.samba.org
Subject: FW: [Samba] getting samba to authenticate with kerberos/PAM

ummm... is there certain info that I need to be including the first time
through?
I have been fighting with this problem for a week now and I have
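
The /etc/pam.d/sshd stack posted earlier in this message mixes `sufficient` and `required` rules; when a `sufficient` rule succeeds and no earlier `required` rule has failed, PAM returns success without running the rules that follow it. The added example below (not code from the thread or the quoted wiki; the function names are hypothetical, and the sample is the auth and account part of that posted stack with its mail-wrapped lines rejoined) lists which `required` rules are bypassed that way and where `nullok` appears on an auth rule.

```python
import os

# Auth and account rules of the /etc/pam.d/sshd stack posted in this thread,
# with the mail-wrapped lines rejoined.
SSHD_STACK = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok
auth       required     /lib/security/pam_shells.so
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_env.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_unix.so
account    required     /lib/security/pam_nologin.so
"""

TYPES = {"auth", "account", "password", "session"}


def parse_pam(text):
    """Parse pam.d rules into dicts; comments and blank lines are dropped."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0].strip()
        pending = ""
        if line.endswith("\\"):          # explicit line continuation
            pending = line[:-1] + " "
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].lstrip("-") not in TYPES:
            continue
        if fields[1].startswith("["):
            # Bracketed controls ([success=1 ...]) are recorded but not analysed.
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
            if end is None or end + 1 >= len(fields):
                continue
            control, rest = "complex", fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        rules.append({
            "type": fields[0].lstrip("-"),
            "control": control,
            "module": os.path.basename(rest[0]),
            "args": rest[1:],
        })
    return rules


def lint(rules):
    """Return (type, module, finding, earlier_sufficient_modules) tuples."""
    findings = []
    sufficient_seen = {}  # rule type -> sufficient modules seen so far
    for rule in rules:
        earlier = sufficient_seen.setdefault(rule["type"], [])
        # A required/requisite rule placed after a sufficient one is not run
        # when that sufficient rule succeeds. pam_deny.so is exempt: placing
        # it after the sufficient rules is the usual fall-through default.
        if (rule["control"] in ("required", "requisite") and earlier
                and rule["module"] != "pam_deny.so"):
            findings.append((rule["type"], rule["module"],
                             "skipped-after-sufficient", tuple(earlier)))
        if rule["control"] == "sufficient":
            earlier.append(rule["module"])
        # nullok on an auth rule (a pam_unix option) lets accounts with an
        # empty password authenticate.
        if rule["type"] == "auth" and "nullok" in rule["args"]:
            findings.append((rule["type"], rule["module"], "nullok", ()))
    return findings


if __name__ == "__main__":
    for finding in lint(parse_pam(SSHD_STACK)):
        print(finding)
```

For this stack the account-phase `pam_nologin.so` and `pam_unix.so` checks are the ones to look at first, since they are not run for any user that `pam_winbind.so` accepts.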

RE: [Samba] problem with winbind separator = \

2006-03-03 Thread Trimble, Ronald D
When I set it up, if you don't use the winbind separator line, it should
work with the \.  My smb.conf does not have a winbind separator
declaration and it works just fine.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Guillermo Gutierrez
Sent: Friday, March 03, 2006 9:25 AM
To: David Shapiro; samba@lists.samba.org; Thomas Limoncelli
Subject: RE: [Samba] problem with winbind separator = \

well, I am trying it without the line, I will let you all know how it
worked.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of David Shapiro
Sent: Friday, March 03, 2006 6:22 AM
To: samba@lists.samba.org; Thomas Limoncelli
Subject: Re: [Samba] problem with winbind separator = \


I had no luck with \ too.  I ended up going back to using +
 
David
 
David Shapiro
Unix Team Lead
919-765-2011

 Thomas Limoncelli [EMAIL PROTECTED] 3/3/2006 9:10 AM 

Guillermo Gutierrez wrote:
 I just rebuilt the samba server that I was working on and when I try
to add the line winbind separator = \, testparm tells me that its
value must be 1 character and then displays its value as the proceeding
line. 

This is the default value, so you may just omit the line altogether.


-TL

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Problem with Universal Groups

2006-03-03 Thread Trimble, Ronald D
This is exactly what I am seeing.  I think this should be reopened as a
bug.  I could easily provide all of the diagnostics since I have it set
up like this right now.

The strange thing is, I can get it to work with Domain Global groups,
but not Universal groups which shows the SID properly.  Domain Local
doesn't work at all unless the user is in the same domain as the group.

How do we get this escalated?

-Original Message-
From: Don Meyer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 02, 2006 6:06 PM
To: Trimble, Ronald D; samba@lists.samba.org
Subject: Re: [Samba] Problem with Universal Groups

Check your winbind group memberships -- I'm willing to bet that your 
winbind will only show group membership for users in the same domain 
as the group.   We are seeing the same mis-behavior here.   Group 
members from other domains are simply not being enumerated by winbind 
as a group member (getent group), even though the other-domain user 
itself is properly listed (getent passwd).

I tried to report this as a bug, but it was closed/reopened as a 
feature request.  Discussion was left that I had to prove that the 
other-domain user can successfully connect to a resource with 
permissions mapped directly to that other-domain user, but fails to 
connect to the same resource when permissions are mapped to a domain 
local group in the local server's domain that contains the 
other-domain user.(I have yet to create this test-case because of 
unrelated time-constraints...)

Cheers,
-D


At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
Everyone,
 With many thanks to Jerry, my cross domain authentication is now
working.  This leads to a new problem.  I cannot get samba to
authenticate a remote domain user in a Universal group to authenticate
properly.
 Here are the details:

USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)

USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
S-1-5-21-606747145-879983540-1177238915-173280 User (1)

USTR-LINUX-1:~ # wbinfo --user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
S-1-5-21-606747145-879983540-1177238915-513
.
.
.
S-1-5-21-606747145-879983540-1177238915-79634
S-1-5-21-606747145-879983540-1177238915-79966
S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
S-1-5-21-725345543-2052111302-527237240-177738
S-1-5-21-725345543-2052111302-527237240-349185
S-1-5-21-725345543-2052111302-527237240-307510
S-1-5-21-725345543-2052111302-527237240-177742
S-1-5-21-606747145-879983540-1177238915-90389
S-1-5-21-606747145-879983540-1177238915-72164
S-1-5-21-606747145-879983540-1177238915-91149
S-1-5-21-606747145-879983540-1177238915-70785
S-1-5-21-606747145-879983540-1177238915-91412

However, when I try to set up a test web page to
 require group NA\USTR-LINUX-1-REDHAT-READ

And then attempt to access the page, I get the following error:
[error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
group(s).

Does anyone else have something like this working?  What am I doing
wrong?

Thanks,
Ron

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Don Meyer   [EMAIL PROTECTED]
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   They that can give up essential liberty to obtain a little temporary safety,
 deserve neither liberty or safety. -- Benjamin Franklin, 1759



[Samba] Problem with Universal Groups

2006-03-02 Thread Trimble, Ronald D
Everyone,
With many thanks to Jerry, my cross domain authentication is now
working.  This leads to a new problem.  I cannot get samba to
authenticate a remote domain user in a Universal group to authenticate
properly.
Here are the details:

USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)

USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
S-1-5-21-606747145-879983540-1177238915-173280 User (1)

USTR-LINUX-1:~ # wbinfo --user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
S-1-5-21-606747145-879983540-1177238915-513
.
.
.
S-1-5-21-606747145-879983540-1177238915-79634
S-1-5-21-606747145-879983540-1177238915-79966
S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
S-1-5-21-725345543-2052111302-527237240-177738
S-1-5-21-725345543-2052111302-527237240-349185
S-1-5-21-725345543-2052111302-527237240-307510
S-1-5-21-725345543-2052111302-527237240-177742
S-1-5-21-606747145-879983540-1177238915-90389
S-1-5-21-606747145-879983540-1177238915-72164
S-1-5-21-606747145-879983540-1177238915-91149
S-1-5-21-606747145-879983540-1177238915-70785
S-1-5-21-606747145-879983540-1177238915-91412

However, when I try to set up a test web page to 
require group NA\USTR-LINUX-1-REDHAT-READ

And then attempt to access the page, I get the following error:
error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
group(s).

Does anyone else have something like this working?  What am I doing
wrong?

Thanks,
Ron



[Samba] Kerberos errors...

2006-02-27 Thread Trimble, Ronald D
I am having issues getting my other domains working on our samba server.
They always show up as disconnected when doing a wbinfo -sequence
command.  If I set up the default realm in krb5.conf to be NA (short for
North America), I can authenticate users in NA.  If I set it to be EU
(Europe) I can authenticate users from Europe.  The strange thing is
that in either case, I get the following error for the non-default
domain: (Cannot contact any KDC for requested realm).  This makes no
sense to me as I can get it to work as the default realm with the exact
same settings.  There are no firewalls or anything like that on our
domain controllers. Can anyone point me to what I may be doing wrong?
This error is absolutely driving me nuts and I would be forever grateful
for any assistance.

 

Thanks,
Ron

 

 



[Samba] Is anyone using Samba in a forest to authenticate multiple domains?

2006-02-23 Thread Trimble, Ronald D
I am struggling to get my samba server in ADS mode to authenticate users
from other domains in our forest.  Is anyone currently doing this and
willing to help me out or perhaps share your config so that I can figure
out what I am doing wrong?


Thanks,

Ron

 

 



[Samba] Problem authenticating another domain

2006-02-22 Thread Trimble, Ronald D
I am trying to authenticate a user in a domain (EU) other than my
default domain (NA).  I am at a loss as to what may be wrong at this
point.  When I run a wbinfo -sequence, I see the following:

 

linux:~ # wbinfo --sequence
LAC : DISCONNECTED
EU : DISCONNECTED
AP : DISCONNECTED
UIS : 19895750
TRIMBLRDLINUX : 1
BUILTIN : 1
NA : 15410431

If I try a kinit, here is the output:

linux:~ # kinit [EMAIL PROTECTED]
[EMAIL PROTECTED]'s Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm eu.uis.unisys.com

When I look at the logs for this domain, I see the following.  Notice
that it is correctly identifying a domain controller in that domain, but
starts failing after that.

[2006/02/22 15:12:51, 10] libsmb/namequery.c:internal_resolve_name(1145)
  internal_resolve_name: returning 26 addresses: 129.221.252.21:389
129.221.133.22:389 192.39.63.13:389 129.227.66.176:389
129.227.167.210:389 192.39.98.13:389 129.227.145.14:389
129.227.59.14:389 192.39.48.14:389 192.39.178.4:389 129.227.37.30:389
129.227.207.13:389 192.39.193.60:389 192.39.7.11:389 129.221.130.16:389
192.61.146.133:389 129.227.208.15:389 192.39.239.60:389
129.227.196.10:389 192.39.187.7:389 129.227.28.11:389 192.39.248.10:389
129.227.143.60:389 129.221.130.10:389 192.39.239.30:389
192.39.186.45:389
[2006/02/22 15:12:51, 5] libads/ldap.c:ads_try_connect(123)
  ads_try_connect: trying ldap server '192.61.146.133' port 389
[2006/02/22 15:12:51, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server 192.61.146.133
[2006/02/22 15:12:51, 3] libads/ldap.c:ads_server_info(2514)
  got ldap server name [EMAIL PROTECTED], using bind path: dc=EU,dc=UIS,dc=UNISYS,dc=COM
[2006/02/22 15:12:51, 4] libads/ldap.c:ads_server_info(2520)
  time offset is 70 seconds
[2006/02/22 15:12:52, 4] libads/sasl.c:ads_sasl_bind(451)
  Found SASL mechanism GSS-SPNEGO
[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(215)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2006/02/22 15:13:04, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm)
[2006/02/22 15:13:14, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm)
[2006/02/22 15:13:14, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain EU failed: Cannot contact any KDC for requested realm
[2006/02/22 15:13:14, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(329)
  store_cache_seqnum: success [EU][4294967295 @ 1140639194]
[2006/02/22 15:13:14, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(387)
  refresh_sequence_number: EU seq number is now -1

 

Does anyone see what may be wrong?  This problem is driving me nuts.

 

Thanks in advance,

Ron
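
An added example (not code from the post or from Samba): a triage script that parses `wbinfo --sequence` output and a per-domain winbindd log like the one in the message above, rejoins mail-wrapped lines, and reports for each DISCONNECTED domain whether the LDAP connect succeeded, the reported time offset, and the Kerberos error. The function names and the 300-second skew threshold are assumptions of this example; the sample input is abridged from the log lines quoted in the post.

```python
import re

# Samba 3.x debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
STAMP = r"\[(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]"
HEADER = re.compile(r"^" + STAMP + r"\s*(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
BARE_STAMP = re.compile(r"^" + STAMP + r"\s*$")

MAX_SKEW = 300            # assumption: default Kerberos clock-skew tolerance (seconds)
SEQ_UNKNOWN = 0xFFFFFFFF  # 4294967295, which the post's log then reports as "-1"


def parse_wbinfo_sequence(text):
    """Map domain -> sequence number, or None when shown as DISCONNECTED."""
    domains = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s*:\s*(DISCONNECTED|\d+)\s*$", line)
        if m:
            value = m.group(2)
            domains[m.group(1)] = None if value == "DISCONNECTED" else int(value)
    return domains


def parse_samba_log(text):
    """Split a Samba debug log into records, tolerating mail-wrapped lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        line = lines[i]
        # Header wrapped right after the timestamp: rejoin it with the next line.
        if BARE_STAMP.match(line) and i + 1 < len(lines):
            line = line.rstrip() + " " + lines[i + 1].strip()
            i += 1
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["message"] = ""
            records.append(rec)
        elif records:
            # Everything else is message text for the most recent header.
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + line.strip()).strip()
        i += 1
    return records


def diagnose(sequence_text, logs_by_domain):
    """Summarise the log evidence for every domain wbinfo shows as DISCONNECTED."""
    report = {}
    for domain, seq in parse_wbinfo_sequence(sequence_text).items():
        if seq is not None:
            continue
        entry = {"ldap_server": None, "time_offset": None, "skew_ok": None,
                 "kerberos_errors": [], "ads_connect_error": None,
                 "seq_sentinel": False}
        for rec in parse_samba_log(logs_by_domain.get(domain, "")):
            msg = rec["message"]
            if m := re.search(r"Connected to LDAP server (\S+)", msg):
                entry["ldap_server"] = m.group(1)
            elif m := re.search(r"time offset is (-?\d+) seconds", msg):
                entry["time_offset"] = int(m.group(1))
                entry["skew_ok"] = abs(entry["time_offset"]) <= MAX_SKEW
            elif m := re.search(r"krb5_get_credentials failed for .*\((.+)\)\s*$", msg):
                if m.group(1) not in entry["kerberos_errors"]:
                    entry["kerberos_errors"].append(m.group(1))
            elif m := re.search(r"ads_connect for domain \S+ failed: (.+)$", msg):
                entry["ads_connect_error"] = m.group(1)
            elif m := re.search(r"store_cache_seqnum: success \[[^\]]+\]\[(\d+) @", msg):
                entry["seq_sentinel"] = int(m.group(1)) == SEQ_UNKNOWN
        report[domain] = entry
    return report


# Sample input, abridged from the post (wrapped lines kept as the mail client left them).
SAMPLE_SEQUENCE = """\
linux:~ # wbinfo --sequence
LAC : DISCONNECTED
EU : DISCONNECTED
UIS : 19895750
BUILTIN : 1
NA : 15410431
"""

SAMPLE_EU_LOG = """\
[2006/02/22 15:12:51, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server 192.61.146.133
[2006/02/22 15:12:51, 4] libads/ldap.c:ads_server_info(2520)
  time offset is 70 seconds
[2006/02/22 15:13:04, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)
  ads_krb5_mk_req: krb5_get_credentials failed for
[EMAIL PROTECTED] (Cannot contact any KDC for requested
realm)
[2006/02/22 15:13:14, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain EU failed: Cannot contact any KDC for requested
realm
[2006/02/22 15:13:14, 10]
nsswitch/winbindd_cache.c:store_cache_seqnum(329)
  store_cache_seqnum: success [EU][4294967295 @ 1140639194]
"""

if __name__ == "__main__":
    for domain, entry in diagnose(SAMPLE_SEQUENCE, {"EU": SAMPLE_EU_LOG}).items():
        print(domain, entry)
```

On the sample, EU comes back with a successful LDAP connect, a 70-second offset inside the tolerance, and the KDC error, so the evidence separates "the DC was found and reachable over LDAP" from "the Kerberos step for that realm failed".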

 



RE: [Samba] authenticate a share access to win2k3 server

2006-02-16 Thread Trimble, Ronald D
I don't understand why you would want to have the user authenticate
again.  If they are already signed into your domain and they try to
access a resource they have permission to, it should just let them in.  

If they don't have access, it should prompt them for a valid username
and password.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Martijn Hazenberg
Sent: Thursday, February 16, 2006 6:41 AM
To: samba@lists.samba.org
Subject: [Samba] authenticate a share access to win2k3 server

Hi,
 
I have a samba server sharing some stuff. Now I want to enable access to
some share only to SOME users on the domain.
 
this is the smb.conf : 
 
 
[global]
netbios name = DATASVR
server string = DATASVR
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind gid = 1-2
workgroup = LOKAAL
os level = 20
winbind enum groups = yes
socket address = 10.0.0.200
password server = *
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = yes
realm = .LOKAAL
security = ADS
wins server = 10.0.0.201
wins proxy = no

[share]
comment = stuff
path = /raid/stuff
writable = yes
read only = no
valid users = user1 user2

 
I was hoping that when a user selects the above share, they would get a
passwd screen, where they would have to fill in the same passwd as they
use for logging in to their xp machines. What would I need to do to
accomplish this?
 
best regards,
Martijn
 
 


[Samba] Authenticating another domain

2006-02-16 Thread Trimble, Ronald D
When  I attempt to authenticate a user from another domain, I am seeing
some strange issues.  My winbindd.log shows that I am indeed already
trusting the other domain.  (I am a member of the na.uis.unisys.com
domain.)  However, when I try to gain access to a share where the
username EU\INBLR-AUTH1 has access, I get prompted for a username and
password over and over.  Obviously, it can't authenticate the user.  I
have included the errors from the appropriate log below.  Can anyone
point me towards a working solution?

 

From the winbindd.log

[2006/02/16 10:18:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain EU eu.uis.unisys.com S-1-5-21-606747145-879983540-1177238915

From the samba log for the machine I am trying to connect from...

[2006/02/16 10:26:38, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/02/16 10:26:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 10:26:38, 2] smbd/server.c:exit_server(612)
  Closing connections

My smb.conf

[global]
workgroup = NA
realm = NA.UIS.UNISYS.COM
netbios name = ustr-linux-1
encrypt passwords = yes
security = ADS
password server = 192.63.225.67
passdb backend = smbpasswd
log level = 2
syslog = 0
log file = /var/log/samba/%m.log
max log size = 5000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#   winbind separator = +
winbind use default domain = no
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
admin users = root, NA\username, +NA\groupname
nt acl support = yes
map acl inherit = yes

#   printer setup
load printers = yes
use client driver = no
printing = cups
printcap name = cups
printer admin = root, NA\TRIMBLRD, +NA\EPS Admin

server string = USTR-LINUX-1 Samba Server



RE: [Samba] Authenticating another domain

2006-02-16 Thread Trimble, Ronald D
Running  getent passwd EU\\inblr-auth1  doesn't return anything.
Although it does work successfully with my NA domain account.

The wbinfo --sequence command does reveal a little more information.
Here is the output.

wbinfo --sequence

LAC : DISCONNECTED
EU : DISCONNECTED
AP : DISCONNECTED
UIS : DISCONNECTED
USTR-LINUX-1 : 1
BUILTIN : 1
NA : 14462477

How can I get it to connect?

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 16, 2006 11:05 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Authenticating another domain

Trimble, Ronald D wrote:

   Username EU\inblr-auth1 is invalid on this system

figure this out.  That is the key.  Does
getent passwd 'EU\inblr-auth1' return anything?
What does wbinfo --sequence show?

cheers, jerry


RE: [Samba] Authenticating another domain

2006-02-16 Thread Trimble, Ronald D
 on this system
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
  Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 10] auth/auth_util.c:get_user_groups(681)
  get_user_groups: winbind_getgroups(NA\ustr-netiq$): result = SUCCESS
[2006/02/16 14:14:58, 5] auth/auth_util.c:debug_unix_user_token(473)
  UNIX token of user 16783538
  Primary group is 16777671 and contains 1 supplementary groups
  Group[  0]: 16777671
[2006/02/16 14:14:58, 10] auth/auth_util.c:debug_nt_user_token(457)
  NT user token of user
S-1-5-21-3294472140-2299987452-2298777348-33568076
  contains 6 SIDs
  SID[  0]: S-1-5-21-3294472140-2299987452-2298777348-33568076
  SID[  1]: S-1-5-21-3294472140-2299987452-2298777348-33556343
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-725345543-2052111302-527237240-515
  SE_PRIV  0x0 0x0 0x0 0x0
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 5] auth/auth_util.c:free_server_info(1387)
  attempting to free (and zero) a server_info structure
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
  Closing connections
[2006/02/16 14:14:58, 2] smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/02/16 14:14:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username EU\inblr-auth1 is invalid on this system
[2006/02/16 14:14:58, 2] smbd/server.c:exit_server(612)
  Closing connections
[2006/02/16 14:15:00, 2] smbd/server.c:exit_server(612)
  Closing connections

My wbinfo --sequence still shows the EU domain as being disconnected.

I just found this error in the log.wb-EU file:

[2006/02/16 14:51:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm)
[2006/02/16 14:51:29, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot contact any KDC for requested realm)
[2006/02/16 14:51:29, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain EU failed: Cannot contact any KDC for requested realm

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 16, 2006 11:05 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Authenticating another domain

Trimble, Ronald D wrote:

   Username EU\inblr-auth1 is invalid on this system

figure this out.  That is the key.  Does
getent passwd 'EU\inblr-auth1' return anything?
What does wbinfo --sequence show?

cheers, jerry


RE: [Samba] ADS and RPC

2006-02-15 Thread Trimble, Ronald D
I have the same exact problem as Mike, so if anyone has a solution, I
too could use the help.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Collins, Mike
Sent: Wednesday, February 15, 2006 12:31 PM
To: samba@lists.samba.org
Subject: [Samba] ADS and RPC

I have a problem that recently appeared with ADS authentication.
I have a samba server that is an AD member on our domain, ourdomain.edu.
We are under a domain that is an empty root, call it 'theirdomain.net'.
Also under this root is another domain, call it 'theirdomain.edu'.  I
have found that RPC access has been disabled on the DC's in
theirdomain.edu and my samba server can no longer authenticate users on
theirdomain.edu.  Is there some workaround for this?

Samba version 3.0.14a

-- 
Mike Collins
Sr. Programmer/Analyst
TTUHSC Information Technology
806-743-2870 ext. 271



RE: [Samba] How to Make SMB server authenticate against multiple ADserver

2006-02-15 Thread Trimble, Ronald D
This is from Using Samba...
http://www.oreilly.com/catalog/samba/chapter/book/ch06_03.html


You can configure Samba to use a separate password server under
server-level security with the use of the password server global
configuration option, as follows:


[global]
security = server
password server = PHOENIX120 HYDRA134

Note that you can specify more than one machine as the target of the
password server; Samba will move down the list of servers in the event
that its first choice is unreachable. The servers identified by the
password server option are given as NetBIOS names, not their DNS names
or equivalent IP addresses. Also, if any of the servers reject the given
password, the connection will automatically fail - Samba will not
attempt another server.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Parker, Michael
Sent: Wednesday, February 15, 2006 9:35 AM
To: samba@lists.samba.org
Subject: [Samba] How to Make SMB server authenticate against multiple
ADserver

I'm new to samba and I'm still trying to figure out the workings.  I
currently have a few servers setup to authenticate with AD (2003 domain)
with winbind.  Right now, I have a line in my smb.conf file that states
password server = alg-conyers-ad1.  I assume this tells it to
authenticate against this server only.  How do I make it choose a server
from DNS or at the least tell it to use other AD servers if this one is
offline?  My fear is that we'll rely on these servers more, AD1 will
fail, and then I'll have to scramble to point my smb servers to use
other AD servers.

 

Thanks in advance for your help.

 

Michael



[Samba] Autocreate user home directories.

2006-02-10 Thread Trimble, Ronald D
I am trying to set up our samba server to automatically create a user's
home directory when they browse to it from a Windows computer.  Is there
a way to do this?  I was looking at the root preexec option to try and
do this, but I am not sure how to go about it.  Has anybody done this?
Can someone please help me out?

 

Thanks,

Ron

 



RE: [Samba] SAMBA netbois lookup issues

2006-02-06 Thread Trimble, Ronald D
Not if they are all in the DNS server and the new samba server is not.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of James Taylor
Sent: Monday, February 06, 2006 2:06 PM
To: samba@lists.samba.org
Subject: RE: [Samba] SAMBA netbois lookup issues

My VPN Address is in a Virtual Pool on the Firewall I am using.  I am able
to connect to any other server other than a Samba server.  If it was a
network related issue would it not be having a problem on all the servers?

James

-Original Message-
From: Trimble, Ronald D [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 03, 2006 5:11 PM
To: James Taylor
Subject: RE: [Samba] SAMBA netbois lookup issues

Is your VPN server on the same segment?  I only ask because in our
company, our VPN segment is isolated with its own DNS servers.  My
guess is that when you come in via VPN, you are using a different DNS
server and you are not registered.  Instead, you are using NetBIOS for
name resolution.  Try putting an A host record on the DNS server used by
your VPN server.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of James Taylor
Sent: Friday, February 03, 2006 6:43 PM
To: samba@lists.samba.org
Subject: [Samba] SAMBA netbois lookup issues

Hi all!

 

I am from the Windows world and am trying to migrate to Linux and have done
a fairly good job so far.

 

My recent challenge is that I have built a Samba file/print server that
works very well on my internal network but when I VPN into the network
remotely I am unable to access the server via its server name.  What is
driving me crazy is the fact that the last of my Windows servers is a
file/print server as well and I am able to access it without issues.  Is
this a simple NetBios Port change or is this something else that I am
missing?  

 

If anyone has some pointers as to what I can do to resolve this issue I
would be grateful.

 

Thank you

 

James Taylor



[Samba] Cross domain and user home questions.

2006-02-03 Thread Trimble, Ronald D
Thank you in advance for any help anyone may be able to provide with the
following issues I am experiencing.

 

The first is authenticating users across domains.  I have successfully
configured Samba to use an AD domain, but when I try to authenticate
another user from another domain in the same tree, I get various errors.
Can anyone shed some light on what I may be doing wrong or help me
configure this?

Here are the important settings from my smb.conf.

[global]
workgroup = NA
realm = NA.UIS.UNISYS.COM
netbios name = servername
encrypt passwords = yes
security = ADS
password server = IPaddress
passdb backend = smbpasswd
log level = 0
syslog = 0
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#   winbind separator = +
winbind use default domain = no
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
admin users = root, IDs
nt acl support = yes
map acl inherit = yes

As you can see from the config, I am a member of the NA domain.  I have
no issues with users in this domain and everything works as it should.
The problem comes when I try to authenticate users of our other
domains... for example EU.  Our tree looks like this:

UIS.UNISYS.COM
  |_ NA.UIS.UNISYS.COM
  |_ EU.UIS.UNISYS.COM
  |_ etc..

The second issue I have is related to user home directories.  I have it
set up so that when a user views the SMB shares on the server, they can
see their home directory.  The problem is that if the directory is not
created ahead of time, what they are seeing is not real.  The directory
is not being created automatically.  How can I set this up?  Here is the
[homes] section of my smb.conf.

[homes]
comment = Home Directories (RW)
valid users = %D\%S
browseable = No
read only = No
create mask = 0660
directory mask = 0770

 

Thanks again for any help you may provide.



RE: [Samba] Cross domain and user home questions.

2006-02-03 Thread Trimble, Ronald D
I am desperate here guys... can anyone offer me any advice?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Trimble, Ronald D
Sent: Friday, February 03, 2006 10:01 AM
To: samba@lists.samba.org
Subject: [Samba] Cross domain and user home questions.



[Samba] Trusted domain issues

2005-08-12 Thread Scruggs, Ronald
All,

 

I have a Samba 3.0.4 server running on AIX 5.2.  Samba is configured
with PAM, LDAP and Kerberos.  The server has been joined to an existing
Windows 2003 domain, and wbinfo -u and wbinfo -g works fine.  Users from
the domain that Samba is a member of can authenticate just fine.  The
domain is in a one-way trust relationship with another ADS domain (i.e.
Samba is a member of domain A, users from domain B can access any
machines in domain A, but not vice versa).  When a user from domain B
tries to connect to the Samba share, I get a Kerberos error in the
winbindd logs when the Samba server is trying to set up a session with
the DC in domain B.  

 

I had this working, and then I made the mistake of running SWAT, which
blew away my smb.conf file.  Can someone tell me if I'm missing
something and if so, what?

 

 

Smb.conf:

# Samba config file created using SWAT
# from 162.10.170.129 (162.10.170.129)
# Date: 2005/08/11 14:13:47

# Global parameters
[global]
workgroup = DEVELOPMENT
realm = READING.DEVPORTAL.NET
encrypt passwords = yes
security = ADS
password server = usrd106.reading.devportal.net
winbind uid = 1-2
winbind gid = 1-2
winbind separator = +
use spnego = yes
client use spnego = yes
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = true

[public]
comment = Public data directory
path = /sambapublic
username = @DEVELOPMENT+Domain Users,@CORP+Domain Users
read list = @DEVELOPMENT+Domain Users,@CORP+Domain Users
read only = No

krb5.conf:

   [libdefaults]
   default_realm = READING.DEVPORTAL.NET
   [domain_realm]
   .reading.devportal.net = READING.DEVPORTAL.NET
   .devportal.net = READING.DEVPORTAL.NET
   [realms]
   READING.DEVPORTAL.NET = {
   kdc = usrd106.reading.devportal.net
   default_domain = reading.devportal.net
   }
   [logging]
   kdc = FILE:/var/heimdal/kdc.log
   kdc = SYSLOG:INFO
   default = SYSLOG:INFO:USER

Winbindd log:

[2005/08/12 09:07:08, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.4 started.
  Copyright The Samba Team 2000-2004
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain DEVELOPMENT READING.DEVPORTAL.NET S-0-0
[2005/08/12 09:07:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (A file or directory in the path name does not exist.)
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain CORP  S-1-5-21-2817246239-1260869369-510543907
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain OZ  S-1-5-21-2070835033-1539587657-2044928816
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN  S-1-5-32
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain FLOATER  S-1-5-21-1519954005-851123223-2065552488
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
  krb5_get_credentials failed for [EMAIL PROTECTED] (Unknown error -1765328377)
[2005/08/12 09:07:20, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(541)
  spnego_gen_negTokenTarg failed: Unknown error -1765328377
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
  krb5_get_credentials failed for [EMAIL PROTECTED] (Unknown error -1765328377)
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
  krb5_get_credentials failed for [EMAIL PROTECTED] (Unknown error -1765328377)
...skipping...
  Added domain DEVELOPMENT READING.DEVPORTAL.NET S-0-0
[2005/08/12 09:07:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (A file or directory in the path name does not exist.)
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)

Thanks,

Ron



[Samba] RE: 4GB limit on samba 3.0.4

2005-07-11 Thread Scruggs, Ronald
Here's an update if anyone can help me.  The problem only lies between
Samba 3.0.4 and NT 4 SP6.  If I copy a file that is larger than 4GB from
the samba system to the NT system, everything works fine (md5's are
correct on both ends).  If I copy the file from NT4 to Samba, the file
size is correct, but the du command shows only 4096.11 MB being used by
the file regardless of how big it is (5GB, 10GB, etc), and the md5sum is
incorrect.  It ONLY happens between NT4 and Samba; Win2K and Win2K3 are
fine.  Is this an incompatibility issue?
 
Thanks,
 
Ron Scruggs



From: Scruggs, Ronald 
Sent: Thursday, July 07, 2005 10:32 AM
To: 'samba@lists.samba.org'
Subject: 4GB limit on samba 3.0.4


Does anyone know anything about a 4GB size limit on Samba 3.0.4 running
on AIX 5.2 with a 32-bit kernel?  We currently have files being
transferred from a Windows 2000 server to an AIX machine, and if the
files are larger than 4GB, they are getting mangled.  Running samba at a
high debug level shows the file pointer rewinding or becoming negative
once it reaches 4GB and md5sum indicates that the file has changed.
 
Any ideas?
 
Thanks,
 
Ron Scruggs


[Samba] 4GB limit on samba 3.0.4

2005-07-07 Thread Scruggs, Ronald
Does anyone know anything about a 4GB size limit on Samba 3.0.4 running
on AIX 5.2 with a 32-bit kernel?  We currently have files being
transferred from a Windows 2000 server to an AIX machine, and if the
files are larger than 4GB, they are getting mangled.  Running samba at a
high debug level shows the file pointer rewinding or becoming negative
once it reaches 4GB and md5sum indicates that the file has changed.
 
Any ideas?
 
Thanks,
 
Ron Scruggs


[Samba] Samba 3.0.13 ADS domain member on AIX 5.2

2005-07-06 Thread Scruggs, Ronald
All,
 
I'm trying to figure out if I missed some steps in configuring Samba
3.0.13 on AIX 5.2 as a Windows 2003 ADS domain member server of the
domain DEVELOPMENT.  Samba is compiled with Heimdal Kerberos and
openLDAP support, and I successfully joined the ADS domain using net ads
join after running a kinit.  Kerberos appears to be working, wbinfo -u
and wbinfo -g work; net ads status works fine, smbtree works.  However,
when I try to authenticate to a test share using either a domain user ID
or a user ID from another domain (CORP) that has a trust relationship
with the domain that the Samba server is joined to, I see
NT_STATUS_NO_SUCH_USER in the log.smbd.  
 
So, my two questions are: do I need to be running winbindd?  Does it
have to have PAM support, or is that just for using domain logins on the
unix side?  
 
smb.conf follows:
 
[global]
 
realm = READING.DEVPORTAL.NET
workgroup = DEVELOPMENT
password server = usrd106.reading.devportal.net
security = ADS
encrypt passwords = yes
#debug level = 7
winbind separator = +
idmap uid = 1-2
idmap gid = 1-2
winbind enum users=yes
winbind enum groups=yes
client use spnego = yes
 
[public]
comment = Public data directory
read only = no
path = /sambapublic
user = @DEVELOPMENT+domain users @CORP+domain users



[Samba] Windows 2003 and Samba 3.0.x

2005-03-02 Thread Ronald Roche
My Windows 2003 machines can get to shares on my older Samba servers 
(2.2.8a), however on newer versions of Samba (3.0.2), I get the following 
error message:

\\servername is not accessible.  You might not have permission to use this 
network resource.  Contact the administrator of this server to find out if 
you have access permissions.  The request is not supported.

These same shares are accessible via other windows platforms (2000, XP).
Is there a version of Samba I should be running?
Is there a change I can make to my Windows 2003 machines to fix this?
Thanks in advance,
Ron


[Samba] Networkbrowsing with different subnetmasks

2004-12-06 Thread Ronald RiemVis
Dear all,

I have a workgroup with only windows 200 workstations in it and one 
Samba version 2.212
The network is bridged with a subnet mask 255.255.255.240

From the WAN side you get:

Internet -> Modem/router -> first NIC -> firewall and out to LAN via 
second NIC
Because the second NIC has no IP address the browsing is done by 
the first NIC avoiding that the information is not going out to the WAN 
by making the firewall rules.

Although I did make the sentence inside the firewall pass any from any 
I did not get the name of the server visible in the workgroup.
Only the win2K workstations were visible.
The IP parameters were set to subnetmask 255.255.255.240 this 
includes all the workstations and the first NIC from the firewall.

After changing the subnetmask to 255.255.255.0 I see the server 
joining the workgroup and I could access him.

Could someone give me an answer on the following question:

Is browsing from samba only on the address xxx.xxx.xxx.255 and not 
on lower address if used with different subnetmask?
Like subnetmask =255.255.255.240 = 15 IP addresses per group 
browse address first group = xxx.xxx.xxx.15 second group = 
xxx.xxx.xxx.31 third group = xxx.xxx.xxx.47 and so on until 
xxx.xxx.xxx.255



Regards,

Ronald RiemVis

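The broadcast arithmetic asked about in the message above, as an added example that is not part of the original post: each host derives its subnet-directed broadcast address from its own IP address and netmask, so hosts only share broadcast-based browse announcements when those computed addresses match. The 192.0.2.x addresses, host names and placement of hosts in different blocks are constructed assumptions, not values from the thread.

```python
import ipaddress

def directed_broadcast(ip, netmask):
    """Broadcast address a host computes from its own IP and netmask."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    return str(iface.network.broadcast_address)

def block_broadcasts(base_network, netmask):
    """Broadcast address of every block when base_network is cut up by netmask."""
    base = ipaddress.ip_network(base_network)
    prefix = ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen
    return [str(sub.broadcast_address) for sub in base.subnets(new_prefix=prefix)]

def block_size(netmask):
    """(total addresses, usable host addresses) in one block of this netmask."""
    total = ipaddress.ip_network(f"0.0.0.0/{netmask}").num_addresses
    return total, max(total - 2, 0)  # network and broadcast address are not hosts

def group_by_broadcast(hosts):
    """Group {name: (ip, netmask)} by the broadcast address each host uses."""
    groups = {}
    for name, (ip, mask) in hosts.items():
        groups.setdefault(directed_broadcast(ip, mask), []).append(name)
    return groups

# Constructed sample hosts (documentation address range, hypothetical names).
HOSTS_MASK_240 = {
    "ws1": ("192.0.2.5", "255.255.255.240"),
    "ws2": ("192.0.2.9", "255.255.255.240"),
    "samba": ("192.0.2.20", "255.255.255.240"),
}
# Same hosts after the netmask is changed to 255.255.255.0.
HOSTS_MASK_0 = {name: (ip, "255.255.255.0") for name, (ip, _) in HOSTS_MASK_240.items()}

if __name__ == "__main__":
    print("blocks:", block_broadcasts("192.0.2.0/24", "255.255.255.240"))
    print("addresses per block (total, usable):", block_size("255.255.255.240"))
    print("mask .240:", group_by_broadcast(HOSTS_MASK_240))
    print("mask .0:  ", group_by_broadcast(HOSTS_MASK_0))
```

With the .240 mask the constructed server at .20 falls in the block whose broadcast is .31 while the workstations use .15; with the .0 mask all three use .255.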


[Samba] Administrator

2004-11-18 Thread Ronald James
Hi there

 

I have a question and it appears it cannot be done on Samba 3 and higher. I
want to have administrator rights on each pc in my network. I notice that
Domain Admin Groups was removed. I never used this feature so would not know
exactly what it does. However since I am now using Samba 3 it won't really be
of any use to me.

 

Is there a way, without having to go to each computer and allow domain users
to have administrator rights? I am supporting clients and some of them have
150 pc's, I can't see myself having to go to 150 machines to allow the
administrator admin privileges etc. I also install a software (anti virus)
that requires admin rights, this is done automatically through the network,
however not when you don't have actual admin privies.

 

If it cannot be done, could someone here who is into development possibly
look into the source and try to get it to work ?

 

Thanks

 

Ronald James
NetXactics
Tel: +27 21 680-5069
Fax: +27 21 680-5011
http://www.netxactics.co.za http://www.netxactics.co.za/ 
Sophos - protecting businesses against viruses and spam

 



[Samba] Newbie needs help with failed RAID5 disk

2004-11-01 Thread Ronald Sand
I was hoping someone could either help me or point me in the direction
of a resource.  I have searched the web for any howto on repairing a
failed array, but keep coming up short.  I have a home file server
running a RAID 5 array that now will not mount my array.  I believe it
is telling me there is a problem with the second drive.

The basics:
RedHat 8.0
kernel 2.4.20-28.8
don't know the samba version
system is a PIII 600 with 3 Maxtor 80 GB drives
all three drives are recognized by the BIOS

The Grub loader comes up, but the system hangs when I try to boot the
OS.  Following are some of the errors that show up.  I can't scroll up
to see more as the system is frozen.

I have all my family photos on here and would really like to preserve
them.  The timing is ironic.  On the day the system failed I was
building a new windows machine with a DVD burner to backup my data -
all I needed was one more day!

Any help would be greatly appreciated.

Ron

md0: 2 data -disks, max readahead per data-disk: 256
raid5:L device hdf1 operational as raid disk 1
raid5: not enough operational divices for md0 (2/3 failed)
RAID5 conf printout:
--- rd:3 wd:1 fd:2
disk 0, s:0, o:0, n:0 rd:0 us:1 dev:[dev 00:00]
disk 1, s:0, o:0, n:0 rd:0 us:1 dev:hdf1
disk 2, s:0, o:0, n:0 rd:0 us:1 dev:[dev 00:00]
raid5: failed to run raid set md0
md: pers-run() failed ...
md :do_md_run() returned -22
md: md0 stopped.
md: unbindhdf1,0)
md: ...autorun DONE.
Creating block devices
Creating root device
Mounting rtto filesystem
EXT3-fs: unable to read superblock
mount: error 22 mounting ext3
pivotrot: pivot_root(/sysroot,/sysroot/initrd) failed: 2
umount /initrd/proc failed: 2
Freeing unused kernel memory: 128k freed
Kernel panic: No init found. Try passing init= option to kernel.


[Samba] client access denied

2004-05-24 Thread Ronald Sigauke
Running TRU64 5.1+ on client servers. Client has dedicated network.
Samba configured and running on both servers. Windows 2000 clients on same 
subnet mask as the servers connect to the shares without any problems but those 
on other subnet mask cannot connect even though they can see the servers in 
network neighbourhood.

security=share

Message produced when trying to connect is :

//servername is not accessible
There are currently no logon servers available to service the logon request.







[Samba] MSDOS Client very slow with writing

2004-04-02 Thread Ronald RiemVis
Hello all,

I am using MSDOS client together with Samba version 3.020 running 
on a freebsd server version 4.8.
I can write from this client with 1 Mbyte/min as maximum speed 
using GHOST.
The CPU load from the freebsd server is nearly zero.
When using Windows as system I can copy with a speed of 150Mbyte 
/min to the same Samba server.
What must I check or change to get approx. the same speed when 
using the DOS client?



Regards,

Ronald RiemVis





[Samba] Looking for patch for Stack-based buffer overflow where?

2003-12-14 Thread Ronald Rough
To All:

I need to find the Samba patch for
the stack-based buffer overflow.

I'm running Samba version 2.2.2.

Thanks for your help,

Ron





[Samba] Looking for patch for Stack-based buffer overflow where?

2003-12-12 Thread Ronald Rough
To All:

I need to find the Samba patch for
the stack-based buffer overflow.

I'm running Samba version 2.2.2.

Thanks for your help,

Ron


--

--
***
Ron Rough
Lockheed Martin Technology Services
Systems Administrator
Department 221 RAIF
Dryden Flight Research Center
Phone: (661) 276-7513
Fax: (661) 276-2792
***





[Samba] Looking for patch for Stack-based buffer overflow where?

2003-12-12 Thread Ronald Rough
To All:

I need to find the Samba patch for
the stack-based buffer overflow.

I'm running Samba version 2.2.2.

Thanks for your help,

Ron




--
***
Ron Rough
Lockheed Martin Technology Services
Systems Administrator
Department 221 RAIF
Dryden Flight Research Center
Phone: (661) 276-7513
Fax: (661) 276-2792
***





[Samba] Stack-based buffer overflow

2003-12-11 Thread Ronald Rough
To All:

I need to find the Samba patch for
the stack-based buffer overflow.

I'm running Samba version 2.2.2.

Thanks for your help,

Ron




[Samba] Re: solaris swat problem

2003-03-28 Thread Ronald
ok guys,

  figured it out. this says its all.
1198:  execve(/usr/local/sbin/swat, 0x0002C408, 0xFFBEFDE8)  argc = 1
21198:  chdir(/opt/samba/2.2.7a/swat) Err#2 ENOENT
 we are using 2.2.8 going to fix. :)

Ronald [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 To All,

  ok. now i have problem and dont know why swats not loading up. It
 used to work but now its not loading up at all. we upgrade to 2.2.8 and it
 worked fine for about a week. and then one day i went to check it out and
 nothing. rebooted the box the other day and still nothing. even though
 wouldnt have been the solution. i looked in /etc/services and
 /etc/inetd.conf. and everything is setup fine. i can do a netstat -an and
it
 shows port 901 is listening. swat is in its right path i just dont have a
 clue where else to look. i check the logs but there really isnt much in
 there either. Any help would be much helpful. if anyone needs more .nfo
 please drop me a email.
 Thanks everyone and anyone for there help.
 Ronald

 [EMAIL PROTECTED]









Re: [Samba] SCO OpenServer 5.0.6a and missing libncurses.so.4 (fwd)

2003-02-26 Thread Ronald Joe Record
You can download Ncurses for SCO OpenServer via
ftp://ftp2.caldera.com/pub/skunkware/osr5/vols/ncurses-4.2-VOLS.tar

This is a tar archive of media images suitable for installation with
the SCO Software Manager (/etc/custom).

Cheers,

Ron Record
[EMAIL PROTECTED]

re:

 Date: Wed, 26 Feb 2003 15:54:59 +
 From: Simon Hobson [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: [Samba] SCO OpenServer 5.0.6a and missing libncurses.so.4
 
 I've downloaded Samba 2.2.6 (binaries) from SCOs Skunkware site, but
 when I try and run smbclient I get a message :
 
 dynamic linker : smbclient : error opening /usr/local/lib/libncurses.so.4
 Killed
 
 I've checked and there is no libncurses.so.4 (or
 libncurses.anything for that matter) on the system. I've also
 failed to find anything relevant in either the list archive or SCOs
 site.
 
 Could someone point me in the direction of the missing file (ie where
 I can get it from), and, is this specific to the OS, or would the
 same library from (for example) a Linux system do ?
 

-- 
Ronald Joe Record, Open Source Architect, SCO
E-mail: [EMAIL PROTECTED]   Voice: 831-427-7604   FAX: 831-427-5417
USPS:   400 Encinal Street, Santa Cruz, California 95061
WWW:http://ronrecord.com


[Samba] Re: Need solution to Printers window access denied, unable toconnect message.

2003-02-25 Thread Ronald
  Note1: It does take about a minute for the opening message to be
replaced by the ready message But I
 guess it is authenticating with the NT PDC during this
time delay.

can anyone confirm this. i have been wondering why its now taking a minute.
Ronnie

Tim Kubricht [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi,

   I hope this is the right list to submit this request to

   I have the following problem with samba 2.2.2 that I upgraded to
 samba 2.2.7 to try to see if the problem
   would go away. But I still have the following problem:

   When I open the Start-Settings-Printers window
   It shows the printers that I have connected to from the samba
 print server  printer_name on samba_ip_address
   It shows opening  at 1st then changes to access denied,
unable
 to connect
   and never shows the ready message that I used to get from a
samba
 1.9.15p8 server that I updated.

   * Can someone help me to get rid of the access denied messages
 from the Printers window?

   The following is what I have:

  My OS is Solaris 8 my PCs are either WinNT4 or Win2000
  I have set up smb.conf as you can see below
  With it I can use dos to run net view and it works as
expected
  I can open Network Neighborhood and find my samba print
server
 and it will list all the printer shares
  along with the Printers folder. If I double click the
Printers
 folder:
  I can get a list of all the printers and the number of
 documents that are currently being printed on each
  printer and If I double-click on a specific printer I can get
 the name of the job and person that is printing
  on the queue.   This works as expected.  I did not see this
 error in any of the Archives or the troubleshooting
  section that I found or in any of the 3 books I have.   I
need
 your expertise in solving this feature.

 Thanks,
 Tim

___
 smb.conf:# Samba config file created using SWAT
  # Date: 2003/02/19 10:54:34

  # Global parameters
  [global]
  workgroup = Name_Of_My_Workgroup
  server string = Samba %v on %h
  security = SERVER
  encrypt passwords = Yes
  map to guest = Bad User-- used and not used this
 option
  password server = #PDC-Address# #BDC-Address#
  username map = /usr/local/samba/lib/username.map
  log file = /usr/local/samba/var/log.samba
  max log size = 50
  printcap name = /etc/samba-printcap
  os level = 10
  preferred master = False
  local master = No
  domain master = False
  dns proxy = No
  wins server = #Primary-WINs-Address#
  guest account = ftp -- local acct  I also tried lp
 account
  hosts allow = ###.###. ###.###. 127.   ###=2 subnets at
my
 site
  printing = bsd

  [printers]
  comment = All Printers
  path = /var/spool/pc-spool -- priv=rwxrwxrwt
owner=lp
  read only = No
  guest ok = Yes
  printable = Yes
  browseable = No







[Samba] Interesting problem with samba and .ntprofile

2003-02-06 Thread Ronald
To ANYONE that can help :),

we were using samba version 2.0.7 and everything worked great. we just
upgraded to version 2.2.7a. and now we get this weird/wicked problem.
sometimes when a user logs out and then tries to log back in it says
//servername/.ntprofile/share/file cannot be copied over. i can delete the
file and then another file can't be copied over. i at times can't delete the
folder or file. windows will say access denied source file is in use. i
can't even delete the file when i boot up into safe mode. i have to change
the permissions all over just to be able to delete it. it only happens to a
few people. now the thing is if i go to a different win2k machine the
profile will download file and it will save fine. something is happening
since we went to the new version of samba and i can't seem to figure it out.
if you need more help or .information please send an email to
[EMAIL PROTECTED]

Thank you to all


smb.conf =
workgroup = ??? (our workgroup)
security = DOMAIN
encrypt passwords = Yes
password server = PDC (our pdc)
passwd chat = *login*password* %o\n *New*password* %n\n
*new*password* %n\n *changed*
debug level = 0
max disk size = 1000
logon script = scripts\%U.bat
logon path = \\%N\%U\.ntprofile
logon home = \\%N\%U\.wprofile
homedir map = auto_home
NIS homedir = Yes
create mask = 0664
directory mask = 0775
hide files = /DesktopFolderDB/TrashFor%m/resource.frk/
delete readonly = Yes


--
Ronald Rusnak
Wall Street Source
212-479-1451






[Samba] Re: Not able to login to Samba P

2003-02-06 Thread Ronald
To all, i have a similar problem. whenever i log into samba. it tries to
copy the profile over but then it hangs and says it can't. i also can't delete
the local folder which it copies over to the win2k box. it's very strange and
weird. it just started to happen when we upgraded to 2.2.7a. our old version
worked fine without any problems. no matter what i do there is a problem.
deleted his .ntprofile. you name it i basically did it.

  Ronnie

Manjunath H N [EMAIL PROTECTED] wrote in message
04f401c2cb9f$3a29c610$[EMAIL PROTECTED]">news:04f401c2cb9f$3a29c610$[EMAIL PROTECTED]...
 On Monday, February 03, 2003 7:56 PM
 Robert Adkins [EMAIL PROTECTED] wrote:

  I believe that your issue is related to UNIX permissions. The location
  of your profiles directory must be set to allow all users R/W to it.
  Create a new group in your group file and add every user to it. Then
  change the ownership of the profiles directory. Also make sure that
  all of your users have R/W permissions on that directory.

 Yea I changed the permissions but now on Win 2k m/c I am getting the
 following error

 Windows cannot log on you bcos it cannot find the file specified. (i.e The
 Profile )

 Detail - The system cannot find the file specified.

   -Original Message-
  From: Manjunath H N [mailto:[EMAIL PROTECTED]]
  Sent: Monday, February 03, 2003 5:37 PM
  To: [EMAIL PROTECTED]; Robert Adkins
  Subject: [Samba] Not able to login to Samba PDC.
 
  Hello All,
 
  I am getting Windows cannot create profile directory, when I try to
  log on
  to the Samba PDC, on Win2K m/c
 
  Also I am not getting any log messages, this is the only log I got,
  the second log I got a long time back  the log file is not getting
  appended after further logins
 
  [2003/02/03 17:06:24, 0] smbd/service.c:make_connection(384)
administrator logged in as admin user (root privileges)
  [2003/02/03 17:13:29, 0] lib/util_sock.c:read_data(436)
read_data: read failure for 4. Error = Connection reset by peer
 
  But earlier for the same problem I was getting these logs
 
  [2003/02/01 13:53:08, 0] smbd/service.c:make_connection(252)
iwave-123 (192.168.2.157) couldn't find service profiles











[Samba] Re: Interesting problem with samba and .ntprofile

2003-02-06 Thread Ronald
here is a update

We are now trying to upgrade all of our domain client machines from WinNT
to Windows2000 (we're actually doing clean installs, not upgrades).  Under
our limited testing this worked well.

Now that we're rolling it out to the masses in our department, many users
are beginning to have roaming profile problems.  Upon logging in, Win2k
(SP3) gives access denied errors to seemingly random files in a users'
profile, and then login using a local profile.

I delete the trouble-maker files, and a user can login... once.  They
logout, and try to login again, and then we get some access denied errors
again.

(I can access these files by hand just fine once logged in).

 same problem someone else had a from a long time ago.


Ronald [EMAIL PROTECTED] wrote in message
b1u5jb$d9t$[EMAIL PROTECTED]">news:b1u5jb$d9t$[EMAIL PROTECTED]...
 To ANYONE that can help :),

 we where using samba version 2.0.7 and everything worked great. we
just
 upgraded to version 2.2.7a. and now we get this weird/wicked problem.
 sometimes when a user logs out and then trys to log back in it says
 //servername/.ntprofile/share/file cannot be copied over. i can delete
the
 file and then another file cant be copied over. i at times cant delete the
 folder or file. windows will say access denied source file is in use. i
 cant even delete the file when i boot up into safe mode. i have to change
 the permissions all over just to be able to delete it. it only happens to
a
 few people. now the thing is if i go to a different win2k machine the
 profile will download file and it will save fine. something is happening
 since we went to the new version of samba and i cant seem to figure it
out.
 if you need more help or .information please send a email to
 [EMAIL PROTECTED]

 Thank you to all


 smb.conf =
 workgroup = ??? (our workgroup)
 security = DOMAIN
 encrypt passwords = Yes
 password server = PDC (our pdc)
 passwd chat = *login*password* %o\n *New*password* %n\n
 *new*password* %n\n *changed*
 debug level = 0
 max disk size = 1000
 logon script = scripts\%U.bat
 logon path = \\%N\%U\.ntprofile
 logon home = \\%N\%U\.wprofile
 homedir map = auto_home
 NIS homedir = Yes
 create mask = 0664
 directory mask = 0775
 hide files = /DesktopFolderDB/TrashFor%m/resource.frk/
 delete readonly = Yes


 --
 Ronald Rusnak
 Wall Street Source
 212-479-1451










Re: [Samba] Re: Interesting problem with samba and .ntprofile

2003-02-06 Thread Ronald Rusnak
Dear Troy,

  Already did that and still no luck. i noticed that when there was a
+ at the end of the directories. and reran the config. everything was
working fine until this new upgrade. i have read on the forums about it
but nobody really gives an answer. i also added this user to our default
group and that didn't work. I've been racking my brain all day over this :(
thanks for the help though Troy

  Ronald

On Thu, 6 Feb 2003, Troy.A Johnson wrote:

 Ronald,

 I am not sure, but I think I remember
 reading that some strange behavior
 connected with roaming profiles can be
 taken care of by turning nt acl support
 off on the profile share. I don't know if
 it applies here or if is is dependent on
 other unknown factors (OS of Samba
 machine, phase of moon, ...).

 Good luck,

 Troy

  Ronald [EMAIL PROTECTED] 02/06/03 02:25PM 
 here is a update

 We are now trying to upgrade all of our domain client machines from WinNT
 to Windows2000 (we're actually doing clean installs, not upgrades).
 Under
 our limited testing this worked well.

 Now that we're rolling it out to the masses in our department, many users
 are beginning to have roaming profile problems.  Upon logging in, Win2k
 (SP3) gives access denied errors to seemingly random files in a users'
 profile, and then login using a local profile.

 I delete the trouble-maker files, and a user can login... once.  They
 logout, and try to login again, and then we get some access denied
 errors
 again.

 (I can access these files by hand just fine once logged in).

  same problem someone else had a from a long time ago.


 Ronald [EMAIL PROTECTED] wrote in message
 b1u5jb$d9t$[EMAIL PROTECTED]">news:b1u5jb$d9t$[EMAIL PROTECTED]...
  To ANYONE that can help :),
 
  we where using samba version 2.0.7 and everything worked great. we
 just
  upgraded to version 2.2.7a. and now we get this weird/wicked problem.
  sometimes when a user logs out and then trys to log back in it says
  //servername/.ntprofile/share/file cannot be copied over. i can
 delete
 the
  file and then another file cant be copied over. i at times cant delete
 the
  folder or file. windows will say access denied source file is in use.
 i
  cant even delete the file when i boot up into safe mode. i have to
 change
  the permissions all over just to be able to delete it. it only happens
 to
 a
  few people. now the thing is if i go to a different win2k machine the
  profile will download file and it will save fine. something is
 happening
  since we went to the new version of samba and i cant seem to figure it
 out.
  if you need more help or .information please send a email to
  [EMAIL PROTECTED]
 
  Thank you to all
 
 
  smb.conf =
  workgroup = ??? (our workgroup)
  security = DOMAIN
  encrypt passwords = Yes
  password server = PDC (our pdc)
  passwd chat = *login*password* %o\n *New*password* %n\n
  *new*password* %n\n *changed*
  debug level = 0
  max disk size = 1000
  logon script = scripts\%U.bat
  logon path = \\%N\%U\.ntprofile
  logon home = \\%N\%U\.wprofile
  homedir map = auto_home
  NIS homedir = Yes
  create mask = 0664
  directory mask = 0775
  hide files = /DesktopFolderDB/TrashFor%m/resource.frk/
  delete readonly = Yes
 
 
  --
  Ronald Rusnak
  Wall Street Source
  212-479-1451
 
 
 
 









[Samba] Re: Re: Interesting problem with samba and .ntprofile

2003-02-06 Thread Ronald
Kyle and everyone else,

  I tried that also and still it didn't work. so i then installed sp3 and
W00t. works fine now. i don't have much time to look into it as I'm in a rush
and have about 100x other things to do
but i will look into it more tomorrow. thanks for the help everyone.

 Sincerely

 Ronald
Kyle Loree [EMAIL PROTECTED] wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 http://us1.samba.org/samba/ftp/docs/README.Win2kSP2

 it has info on that there.

 [EMAIL PROTECTED] writes:
 Ronald,
 
 I am not sure, but I think I remember
 reading that some strange behavior
 connected with roaming profiles can be
 taken care of by turning nt acl support
 off on the profile share. I don't know if
 it applies here or if is is dependent on
 other unknown factors (OS of Samba
 machine, phase of moon, ...).
 
 Good luck,
 
 Troy
 
  Ronald [EMAIL PROTECTED] 02/06/03 02:25PM 
 here is a update
 
 We are now trying to upgrade all of our domain client machines from WinNT
 to Windows2000 (we're actually doing clean installs, not upgrades).
 Under
 our limited testing this worked well.
 
 Now that we're rolling it out to the masses in our department, many users
 are beginning to have roaming profile problems.  Upon logging in, Win2k
 (SP3) gives access denied errors to seemingly random files in a users'
 profile, and then login using a local profile.
 
 I delete the trouble-maker files, and a user can login... once.  They
 logout, and try to login again, and then we get some access denied
 errors
 again.
 
 (I can access these files by hand just fine once logged in).
 
  same problem someone else had a from a long time ago.
 
 
 Ronald [EMAIL PROTECTED] wrote in message
 b1u5jb$d9t$[EMAIL PROTECTED]">news:b1u5jb$d9t$[EMAIL PROTECTED]...
  To ANYONE that can help :),
 
  we were using samba version 2.0.7 and everything worked great. we just
  upgraded to version 2.2.7a. and now we get this weird/wicked problem.
  sometimes when a user logs out and then tries to log back in it says
  //servername/.ntprofile/share/file cannot be copied over. i can delete the
  file and then another file can't be copied over. i at times can't delete the
  folder or file. windows will say access denied source file is in use. i
  can't even delete the file when i boot up into safe mode. i have to change
  the permissions all over just to be able to delete it. it only happens to a
  few people. now the thing is if i go to a different win2k machine the
  profile will download file and it will save fine. something is happening
  since we went to the new version of samba and i can't seem to figure it out.
  if you need more help or information please send an email to
  [EMAIL PROTECTED]
 
  Thank you to all
 
 
  smb.conf =
  workgroup = ??? (our workgroup)
  security = DOMAIN
  encrypt passwords = Yes
  password server = PDC (our pdc)
  passwd chat = *login*password* %o\n *New*password* %n\n *new*password* %n\n *changed*
  debug level = 0
  max disk size = 1000
  logon script = scripts\%U.bat
  logon path = \\%N\%U\.ntprofile
  logon home = \\%N\%U\.wprofile
  homedir map = auto_home
  NIS homedir = Yes
  create mask = 0664
  directory mask = 0775
  hide files = /DesktopFolderDB/TrashFor%m/resource.frk/
  delete readonly = Yes
 
 
  --
  Ronald Rusnak
  Wall Street Source
  212-479-1451
 
 
 



 Kyle Loree
 Rendek Communications
 [EMAIL PROTECTED]








Re: DOS mode bits missing from Folders

2003-01-22 Thread Pagani Jr, Ronald
Why not store DOS bit modes in an accompanying dot file?  (The DOS 
modes then read by smbd if it (the dot file) exists)

Ron ;)


On Monday, January 20, 2003, at 10:04 AM, Gerald (Jerry) Carter wrote:


On Tue, 14 Jan 2003, Esh, Andrew wrote:


I have a question about the following piece of code in HEAD smbd/dosmode.c,
at line 139:

	if (S_ISDIR(sbuf->st_mode))
		result = aDIR | (result & aRONLY);

This causes the DOS mode HSA Hidden, System, and Archive bits to be
stripped off if a folder is being processed. This makes it impossible to
store these bits on a Samba server. Windows allows them to be stored for
folders, except for the S System bit.

Why are these bits being stripped off folders?

Shouldn't it be:

	if (S_ISDIR(sbuf->st_mode))
		result |= aDIR;

When I made that change, folders began to retain DOS bits like the ones
stored on Windows do.

The e(X)ecute bits are special on folders.  For example, if you remove the
archive (user 'x' bit) from a directory, you will not be able to change to
that directory.

The DOS mode bit stuff really needs a better solution.



cheers, jerry
 --
 Hewlett-Packard- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ISBN 0-672-32269-2 SAMS Teach Yourself Samba in 24 Hours 2ed
 You can never go home again, Oatman, but I guess you can shop there.
--John Cusack - Grosse Point Blank (1997)







