[Samba] FIXED AGAIN: Win2003 ADS, wbinfo -u and -g bug

2007-10-12 Thread herman

System: Win2003 ADS, Samba 3.0.26a on RHEL5.


I thought I had this fixed but sadly no - it came back.  The situation 
changes when I reboot the PC, or cycle power on the PC.  This 
indicates to me that there is a structure in winbind that is not 
initialized properly.


wbinfo -t: OK, shows domain joined fine.
wbinfo -g: Shows all groups, or only the first two BUILTIN groups, or 
nothing at all.

wbinfo -u: Shows all users, or no users.

Login works if wbinfo -g shows all groups, fails otherwise.

kinit  [EMAIL PROTECTED]: works
wbinit -a user%domain: works

---
This weird Winbind/Kerberos problem has been fixed again - hopefully for 
good.


I started to read the source code, followed the log messages at debug 
level 10 and sniffed the network with tcpdump.  Eventually, I figured 
out that Kerberos is generating an inordinate amount of traffic, with 
the result that the Windows server doesn't always get around to 
answering the LDAP request and the user/group query then times out.


The solution is to reset the Windows Administrator password.

I remembered reading in the Samba howto guide that the Administrator 
password reset also does something to Kerberos, so I tried it and it 
worked.  I haven't been able to break it again for the rest of the day.


Cheers,

Herman
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Unable to join domain in remote subnet...

2007-10-12 Thread Matt Anderson
Quinn Fissler  gmail.com> writes:

> 
> The problem is caused by the client not having the address of the
> domain controller.
> 
> On a windows client, you need to populate
> %SYSTEM_ROOT%\system32\drivers\etc\lmhosts
> 
> use UPPERCASE names regardless of what the MS docs say.
> 

Hi Guys,

Thanks for the input... I was also able to solve the problem by pointing the
client's WINS server setting to the PDC in the TCP/IP settings for their Network
Connection.

Have a great weekend!

-Matt



[Samba] Too many smb processes....

2007-10-12 Thread William Chan
I run samba ( ver 3.0.26a ) on a linux box ( Fedora 4 ) so that users from a
Windows 2003 domain can access those files on the linux box. I compiled the
samba and configured it with the command :
configure --with-ads

The /usr/local/samba/lib/smb.conf is :
--
[global]
domain master = no
local master = no
preferred master = no
os level = 0

netbios name = linuxbox
WORKGROUP=XXX
security = ADS
realm = XXX.YYY.EDU
password server = 111.222.333.111
server string = "linux Server"
log file = /var/log/samba.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
encrypt passwords = yes
wins server = 111.222.333.444

create mask = 775
directory mask = 775
[project]
   path = /home/project
   writeable = yes


# ldd /usr/local/samba/sbin/smbd

linux-gate.so.1 =>  (0x001ba000)
libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0x005a9000)
liblber-2.2.so.7 => /usr/lib/liblber-2.2.so.7 (0x002b1000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0035c000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00a1d000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00453000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0089b000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00111000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0078f000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00177000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00114000)
libdl.so.2 => /lib/libdl.so.2 (0x00978000)
libpopt.so.0 => /usr/lib/libpopt.so.0 (0x0012a000)
libc.so.6 => /lib/libc.so.6 (0x00477000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00132000)
libssl.so.5 => /lib/libssl.so.5 (0x00b17000)
libcrypto.so.5 => /lib/libcrypto.so.5 (0x005df000)
/lib/ld-linux.so.2 (0x003bb000)


I have been using samba on a linux box like this for years. Users do not have
any problem accessing the linux files. However I have noticed that the number
of smbd processes keeps growing. This phenomenon also occurred earlier when I
was using samba 3.0.25

# ps ax | grep mbd
--
20598 ?        Ss     0:00 /usr/local/samba/sbin/smbd -D
20600 ?        Ss     0:00 /usr/local/samba/sbin/nmbd -D
20602 ?        S      0:00 /usr/local/samba/sbin/smbd -D
20697 ?        S      0:00 /usr/local/samba/sbin/smbd -D
20698 ?        S      0:00 /usr/local/samba/sbin/smbd -D
20956 ?        S      0:00 /usr/local/samba/sbin/smbd -D
21217 ?        S      0:00 /usr/local/samba/sbin/smbd -D
21218 ?        S      0:00 /usr/local/samba/sbin/smbd -D
.

# ps aux | grep mbd
---
root 20598  0.0  0.7  10732  3656 ?        Ss   Oct11   0:00 /usr/local/samba/sbin/smbd -D
root 20600  0.0  0.4   8088  2212 ?        Ss   Oct11   0:00 /usr/local/samba/sbin/nmbd -D
root 20602  0.0  0.7  10732  3648 ?        S    Oct11   0:00 /usr/local/samba/sbin/smbd -D
root 20697  0.0  0.7  11976  3784 ?        S    Oct11   0:00 /usr/local/samba/sbin/smbd -D
root 20698  0.0  0.7  11992  3908 ?        S    Oct11   0:00 /usr/local/samba/sbin/smbd -D
root 20956  0.0  0.7  11992  3912 ?        S    Oct11   0:00 /usr/local/samba/sbin/smbd -D



# ps alx | grep mbd
---
5 0 20598 1      16   0  10732  3656 -      Ss   ?  0:00 /usr/local/samba/sbin/smbd -D
5 0 20600 1      16   0   8088  2212 -      Ss   ?  0:00 /usr/local/samba/sbin/nmbd -D
1 0 20602 20598  19   0  10732  3648 pause  S    ?  0:00 /usr/local/samba/sbin/smbd -D
5 0 20697 20598  17   0  11976  3784 322475 S    ?  0:00 /usr/local/samba/sbin/smbd -D
5 0 20698 20598  16   0  11992  3908 322475 S    ?  0:00 /usr/local/samba/sbin/smbd -D
5 0 20956 20598  16   0  11992  3912 322475 S    ?  0:00 /usr/local/samba/sbin/smbd -D

...

Excerpt from /var/log/samba.log
---
Whenever a new smbd process is created, 'Backtrace' and 'Memory Map' outputs
show up. Following is an example.

[2007/10/12 12:26:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username XXX\AAA$ is invalid on this system
*** glibc detected *** /usr/local/samba/sbin/smbd: free(): invalid pointer: 0x001ac7f0 ***

=== Backtrace: =
/lib/libc.so.6[0xc8d424]
/lib/libc.so.6(__libc_free+0x77)[0xc8d95f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x1adabb]
/usr/lib/libkrb5.so.3[0x14a823]
/usr/lib/libkrb5.so.3[0x14a5c7]
/usr/lib/libkrb5.so.3[0x19b3ba]
/lib/ld-linux.so.2[0x11f058]
/lib/libc.so.6(exit+0xc5)[0xc54c69]
/usr/local/samba/sbin/smbd(exit_server+0x0)[0x674afa]
/usr/local/samba/sbin/smbd(exit_server_fault+0x0)[0x674b1a]
/usr/local/samba/sbin/smbd(main+0x821)[0x67539a]
/lib/libc.so.6(__libc_start_main+0xc6)[0xc3ede6]
/usr/local/samba/sbin/smbd[0x42dbc9]

[Samba] Mangled home directory with AD

2007-10-12 Thread George Farris
Hi all,

We have a Linux member server attached to a w3k domain, called
DISCOVERY.  The AD user policy has U: drives mapped to a home directory
but they have mangled the path, for example:
\\discovery\users\8\7\534236187  this translates
to /home/DISCOVERY/users/8/7/534236187 on the Linux machine.

Setting "winbind nss info = sfu" allows the U: drive to be mapped
correctly from XP but when a Linux workstation is joined to the domain
the user's home directory is /home/DISCOVERY/534236187

wbinfo -i 534236187 shows:
534236187:*:16800438:16777218:534236187:/home/DISCOVERY/534236187:/bin/bash

Is there any way for the Linux machine to get the home directory location
from AD so we can log users in correctly?

Any help appreciated.




Re: [Samba] Re: Unusable performance over WAN (part 2)

2007-10-12 Thread Chris Nighswonger
On 10/12/07, James Lamanna <[EMAIL PROTECTED]> wrote:
> On 10/8/07, James Lamanna <[EMAIL PROTECTED]> wrote:
> > On 10/8/07, Mike Eggleston <[EMAIL PROTECTED]> wrote:
> > > On Mon, 08 Oct 2007, James Lamanna might have said:
> > >
> > > > So as it turns out, apparently it was a window scaling issue.
> > > > Turning on an excessively large window size on the routers (thereby
> > > > enabling dynamic TCP window scaling) seems to have fixed the issue. I
> > > > now get transfer rates around 130-160k/s.
> > >
> > > Great. For hysterical porpoises please document what specific changes
> > > you made on the windows boxes and what specific changes you made on
> > > your router.
> > >
> > > Mike
> > >
> >
> > The only change I made on the routers was I added the global
> > configuration command (both Cisco routers btw)
> > ip tcp window-size 75
> >
> > -- James
> >
>
> Apparently this was 'temporary'.
> I had to power cycle one of the routers, and lo and behold, the old,
> slow behavior is back even with the window-size being set.
>
> Now I'm clueless again.
>
> -- James

Are you sure there are no other underlying issues with the frame
circuit? Are you taking CRC errors on the T1 interface at either end,
etc.?

Chris


[Samba] samba and vista workstation logins

2007-10-12 Thread Barry Cisna
Hello All,

I am trying to get our Samba "homes" file server to work with Vista
workstation logins. The following is what I am getting ONLY on Vista
workstations in the samba.log. (XP & 2000 machines do not get this.)
I did add the
[profiles.V2]
copy = profiles
Hoping this might be the fix. Still no joy.
I can paste my smb.conf if anyone thinks it would help.
Bottom line is my smb.conf works fine with XP & 2000 but not Vista.
I have done the reg hack of allowing "lesser than" NTLMv2 authentication on
a couple of the Vista boxes so I can test with them. I am wondering if
this is still dns related?,,,hhmmm.



lib/util_sock.c:get_peer_addr(1000)
Oct 12 18:52:59 wcfile smbd[14114]:   getpeername failed. Error was
Transport endpoint is not connecte

[2007/10/12 18:52:59, 0] lib/util_sock.c:write_socket_data(430)
Oct 12 18:52:59 wcfile smbd[14114]:   write_socket_data: write failure.
Error = Connection reset by peer

[2007/10/12 18:52:59, 0] lib/util_sock.c:write_socket(455)
Oct 12 18:52:59 wcfile smbd[14114]:   write_socket: Error writing 4 bytes
to socket 21: ERRNO = Connection reset by peer

[2007/10/12 18:52:59, 0] lib/util_sock.c:send_smb(647)
Oct 12 18:52:59 wcfile smbd[14114]:   Error writing 4 bytes to client. -1.
(Connection reset by peer)

Thanks,

Barry Cisna


Re: [Samba] Re: Unusable performance over WAN (part 2)

2007-10-12 Thread James Lamanna
On 10/8/07, James Lamanna <[EMAIL PROTECTED]> wrote:
> On 10/8/07, Mike Eggleston <[EMAIL PROTECTED]> wrote:
> > On Mon, 08 Oct 2007, James Lamanna might have said:
> >
> > > So as it turns out, apparently it was a window scaling issue.
> > > Turning on an excessively large window size on the routers (thereby
> > > enabling dynamic TCP window scaling) seems to have fixed the issue. I
> > > now get transfer rates around 130-160k/s.
> >
> > Great. For hysterical porpoises please document what specific changes
> > you made on the windows boxes and what specific changes you made on
> > your router.
> >
> > Mike
> >
>
> The only change I made on the routers was I added the global
> configuration command (both Cisco routers btw)
> ip tcp window-size 75
>
> -- James
>

Apparently this was 'temporary'.
I had to power cycle one of the routers, and lo and behold, the old,
slow behavior is back even with the window-size being set.

Now I'm clueless again.

-- James


Re: [Samba] Samba Server for Mac Computer

2007-10-12 Thread Flynn, Daniel


> How can I perform a Samba server to serve for the Mac machine?

On Mac OS X, the samba client is native.

from Finder, Go -> Connect to Server ->

smb://servername

or of course CLI bsd tools



Re: [Samba] Profile Location Best Practice

2007-10-12 Thread Eric J. Feldhusen
Server Gremlin wrote:
> it seems like the convention has shifted to that of storing profiles
> in one place (/sambaprofiles/john/profile) while storing home
> directories in another (/sambahomes/john).
> 
> What is the advantage of this setup, if any?

The key advantage is that if the profile is stored within the user's
home directory, the Windows workstations will sometimes disconnect the
user's home directory network drive mapping during logout before the
profile has finished synchronizing between the workstation and the
server, and your users may have broken profile problems.

I have multiple samba servers running at several sites, some with
profiles in the home directory and some with the profiles stored under a
separate profile share.  From experience, the samba servers with a
separate profile share have much less problems with profiles breaking.

Unfortunately, I've seen several distros ship their samba smb.conf with
the users' profiles in the users' home directory, which is where my
coworker and I have argued endlessly about.

-- 
Eric Feldhusen
Network Administrator    http://www.remc1.org
[EMAIL PROTECTED]
PO Box 270          (906) 482-4520  x239
809 Hecla St        (906) 482-5031 fax
Hancock, MI  49930  (906) 370 6202 mobile



[Samba] Profile Location Best Practice

2007-10-12 Thread Server Gremlin
I have a question about using roaming profiles in a Samba PDC controlled 
domain.  I know that with Windows 95 and that generation or so, the 
profile had to be stored in the same directory as the home folder.  
("/sambahomes/john/profile" for example.)  You didn't have a choice 
because of technical reasons.  But that restriction no longer applies 
with modern versions of Windows, and it seems like the convention has 
shifted to that of storing profiles in one place 
(/sambaprofiles/john/profile) while storing home directories in another 
(/sambahomes/john).


What is the advantage of this setup, if any?

Thanks,
- SG


[Samba] static wins entries for failover shares -- do Microsoft clients get confused?

2007-10-12 Thread Christian Brandes

On my RedHat Cluster I am trying to configure samba shares that can be
relocated or fail over from one node to another.

This is done by:
1. mounting the corresponding file system on the node from SAN
2. having the cluster assign the corresponding virtual ip number to that
node
3. I tried to run an additional instance of samba for that share
( See posting: "security = domain -- samba adds its netbios name as
samba domain to LDAP")

As I ran into trouble with such a lot of samba instances being safely
started and stopped on one machine, now I try another method:

I try to run only one instance of samba on each node and then work with:
"netbios alias =" and "include ="

It is not possible to add all needed netbios aliases to all nodes because
then all nodes seem to have the same names and clients get confused,
trying to resolve names and having to wait for some timeout.
I do not know what happens in detail. What I know is that sometimes it
takes a long time to establish a file transfer, but when it is
established, it has full bandwidth. So it is more some kind of latency.
This means processes that open a lot of files can drastically slow down.

So I looked for the solution in the use of wins. I eliminated "netbios
aliases" in smb.conf. Instead I introduced "Static WINS Entries" as
stated in Samba-3-Howto like that:

"SERVER1#00" 0 192.168.1.1 192.168.1.1 66R
"SERVER1#20" 0 192.168.1.1 192.168.1.1 66R
"SERVER1#03" 0 192.168.1.1 192.168.1.1 66R
Which is the netbios name of one of my servers with its two physical
ip numbers on its network interfaces.

"SHARE1#00" 0 192.168.1.41 192.168.1.41 66R
"SHARE1#20" 0 192.168.1.41 192.168.1.41 66R
"SHARE1#03" 0 192.168.1.41 192.168.1.41 66R
Which is the former netbios alias associated with the two virtual ip
numbers that are assigned to the node that actually holds the
corresponding share. The share should be accessible by: \\SHARE1\share1
Distinguished is by "include = /etc/samba/smb.conf.%i".

So that works fine. Name resolution is done by wins real quickly. For
some reason a DNS query as well is done by Microsoft Clients even when
the name is resolved by wins. And hybrid clients even do a broadcast
after they got their wins reply.

For some reason after a while Microsoft clients still get confused.
Maybe when they get a wins reply, then broadcast and get a different
one from the server. This affects even file transfer to Novell Clients,
which sometimes have this latency, too. So it must be a blocking wait
for a timeout.

( See posting: multihomed samba -- how to tell samba which ip-numbers
to respond? )

Does anyone know why Microsoft clients get confused?
Or even better how to configure a cluster with samba shares that fail
over from one node to another?

Best regards
Christian


Re: [Samba] Samba + LDAP

2007-10-12 Thread Daniel L. Miller

John H Terpstra wrote:
> On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
> > Are the IDEALX tools necessary for "complete" integration with LDAP?  Or
> > is the built-in support sufficiently advanced now?
> >
> > Daniel
>
> Daniel,
>
> What function do you believe the IDEALX tools serve?  Why do you think these
> scripts are needed?  What makes you think that "built-in support" might be
> the right (or best) solution?
>
> Have you read the Samba documentation? Specifically, is there anything in the
> Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there
> is any attempt to supersede the necessity for the IDEALX tools (or an
> alternative set of scripts that is external to Samba itself)?
>
> What does "complete" integration with LDAP mean to you?
>
> You are not the first person to ask questions like these.  It would help me to
> write more useful documentation if I could better understand what is behind
> the questions.
>
> In case you do not know of the books "Samba3-HOWTO" and "Samba3-byExample"
> they can be obtained from:
>
>   http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
>   http://www.samba.org/samba/docs/Samba3-ByExample.pdf
>
> The IDEALX tools are a means of creating and managing UNIX user and group
> accounts in the LDAP directory.  Samba can then create and manage the Windows
> (SambaSAM) account information that is necessary to support Windows network
> activities.
>
> As a network administrator, I want total control over how UNIX accounts are
> managed in my LDAP directory and I would not want this done by Samba -
> particularly if that removes my ability to control how this is done.  Your
> mileage may vary, but I suspect most UNIX administrators who manage Samba
> would not want to lose control of the UNIX part of the directory.
>
> For example, if Samba had total control over all Windows networking (Samba)
> accounts, and the Windows network administrator deletes a user account, but
> the user also has vital UNIX files, how should the deletion of the UNIX
> account information be handled?
>
> By keeping the LDAP administration scripts that impact the UNIX account
> management separate from the Windows (Samba) account part, the administrator
> can exercise greater control over.  - Just my $0.02 worth.
>
> Cheers,
> John T.

By "built-in support", I am referring to the ldapsam:trusted and 
ldapsam:editposix extensions - documented at:


   http://wiki.samba.org/index.php/Ldapsam_Editposix

Because using these extensions appeared to simplify my configuration, 
and inferred that they were "optimized", I thought this was the future 
of Samba+LDAP and the IDEALX scripts were a holdover from the past.  
Since I have had difficulty in getting this configuration to work 
solidly - I'm still questioning whether or not these extensions are what 
I should be using.


"Complete" integration to me means after setting the appropriate 
smb.conf parameters - and having a configured LDAP backend - no 
information is stored external to the LDAP server and standard tools for 
Samba account manipulation perform all needed functions without the need 
for manipulating the LDAP database directly.  Such account manipulation 
should be exclusive to Samba - if the UNIX accounts are also LDAP based 
then obviously the UNIX accounts MAY be impacted by such Samba 
configuration - but it should not be a requirement for any Samba 
accounts to map to UNIX - unless the administrator wants that.


How to handle account deletion is a matter of individual preference - 
both for Samba and for UNIX.  In any case, the option to either leave 
the user files intact, move them to a repository, or delete upon account 
deletion should be a simple configuration setting.


I'm still learning how all these components interconnect - I have yet to 
have a fully-functional Samba PDC, that has no errors/warnings in the 
logs, and communicates with the compatible Windows NT tools for domain 
manipulation.  I had thought that if the IDEALX tools had been 
superseded by the ldapsam:trusted extensions, that was one less item I 
had to worry about.


Daniel


[Samba] DFS access

2007-10-12 Thread F. David del Campo Hill
Hi all,

This is my first message here, so pardon me if I break some
etiquette.

I have a Linux (Debian 4, kernel 2.6.18-4-686) SaMBa (3.0.24)
server whose shares I want to mount on a Distributed File System running
from a Windows Server 2003 R2. The share itself is accessible without
problems as long as I try to get to it directly (\\smb\share), but if I
try to browse through the DFS I get the "\\DFS\share is not accessible.
You might not have permission to use this network resource...
Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied"
error message. The SaMBa server is part of the Active Directory domain.
Also, a similar server with the same software and smb.conf file
(different host and share names, of course) works with that same DFS
without any problems whatsoever. Both servers are on the same side of
the firewall and reside in the same Organizational Unit of Active
Directory.

The (sanitized) smb.conf file I use is:

[global]
   workgroup= DOMAIN
   security = ADS
   netbios name = smb
   netbios aliases  = smb
   realm= DOMAIN.UK
   encrypt passwords= yes
   password server  = *
   server string= Samba shares for smb on %h
   bind interfaces only = yes
   hosts allow  = *our IP range*
   interfaces   = *smb IP*
   log file = /var/log/samba/log.%m
   log level= 1 passdb:2 auth:2
   locking  = yes
   lock directory   = /var/log/samba/locks
   pid directory= /var/run
   private dir  = /etc/samba/private
   username map = /etc/samba/username.map
   smb passwd file  = /etc/samba/private/smbpasswd
   show add printer wizard = no
   utmp directory   = /var/log
   encrypt passwords= yes
   domain master= no
   preferred master = no
   guest account= nobody
   max log size = 1000
   syslog   = 0
   socket options   = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   invalid users= root admin
   local master = no
   dns proxy= no
   panic action = /usr/share/samba/panic-action %d

[share]
   comment  = Webservice Documents
   path = /data/sites/share
   printable= no
   browseable   = no
   write list   = @sysman
   valid users  = @sysman
   force user   = sysman
   force group  = sysman

The log file (sanitized) only reports:

[2007/10/12 13:17:45, 0] smbd/map_username.c:map_username(107)
  can't open username map /etc/samba/username.map. Error No such file or
directory
[2007/10/12 13:17:45, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
  Username STATS\CLIENT$ is invalid on this system

Both SaMBa servers have no username.map, and the CLIENT machine works
with the other server.

Where else should I look for differences between the two SaMBa
servers? What is going on?

Thank you for your help.

David


[Samba] Re: default kerberos realm??

2007-10-12 Thread Frank Van Damme
Ok this wasn't supposed to be sent already...

On 10/12/07, Frank Van Damme <[EMAIL PROTECTED]> wrote:
> Hello list,
>
> I am trying to join a win2k domain with Samba, with security = ads. My
> member server is a Debian Etch. I get the following error when trying
> to join the domain:
>
#net ads join -U administrator
administrator's password:
[2007/10/12 12:04:19, 0]  libsmb/cliconnect.c:cli_session_setup_spnego(785)
 Kinit failed: Configuration file does not specify default realm
Failed to join domain!

-- 
Frank Van Damme   A: Because it destroys the flow of the conversation
  Q: Why is it bad?
  A: No, it's bad.
  Q: Should I top post in replies to mails or on usenet?


[Samba] multihomed samba -- how to tell samba which ip-numbers to respond?

2007-10-12 Thread Christian Brandes

I have got a samba server with multiple interfaces.
Some of them are virtual interfaces in the same network dynamically 
assigned by a RedHat Cluster.


So "Server1" can have:
192.168.1.1 (physical)
192.168.1.42 (virtual)
192.168.1.43 (virtual)
192.168.1.44 (virtual)
...

192.168.2.1 (physical)
192.168.2.42 (virtual)
192.168.2.43 (virtual)
192.168.2.44 (virtual)
...

But virtual interfaces can change during runtime.

When a Microsoft Client broadcasts for "Server1"'s ip-number, Server1
responds with one of its ip-numbers on the corresponding network interfaces,
not necessarily the physical one.


I would like not to set "bind interfaces only = true", in order to have 
the samba server still listen for connections on virtual interfaces, 
especially when they are assigned during runtime of the samba server. 
But I would like it not to advertise them.


Is there a way to make the server answer only its physical ip-number,
when it receives a broadcast query?


Best regards
Christian


[Samba] default kerberos realm??

2007-10-12 Thread Frank Van Damme
Hello list,

I am trying to join a win2k domain with Samba, with security = ads. My
member server is a Debian Etch. I get the following error when trying
to join the domain:

#net ads join -U administrator
administrator's password:
[2007/10/12 12:04:19, 0]  libsmb/cliconnect.c:cli_session_setup_spnego(785)


-- 
Frank Van Damme   A: Because it destroys the flow of the conversation
  Q: Why is it bad?
  A: No, it's bad.
  Q: Should I top post in replies to mails or on usenet?


[Samba] Comprehensive list of ports used by samba when being used with active directory

2007-10-12 Thread Andrew Sherlock-CF
Hi all,

I was wondering if anybody had a comprehensive list of default ports
that should be open when using samba with active directory.

Right now I get some slightly odd performance issues when running
iptables with samba-3.0.10-1.4E.9.x86_64 - but with iptables off, all
runs smoothly. I've also noticed that net ads join and kerberos
operations can be flaky with the below iptables config. Sometimes they
work, sometimes not. Again - with iptables disabled all is fine.

Are there any additional ports I should have open that anybody can spot?
Is there some other problem with the below config?

Many thanks for any help!

# IPtables config
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [26:8868]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT 
-A INPUT -p udp -m udp --dport 88 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT 
-A INPUT -p udp -m multiport --dports 139,445 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 137,138 -j ACCEPT 
-A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT 
-A INPUT -p udp -m udp --dport 135 -j ACCEPT 
-A INPUT -p tcp -s 10.80.19.217 -m tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT 
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 1984 -j ACCEPT
-A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP

-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 88 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 135 -j ACCEPT 
-A OUTPUT -p tcp -m multiport --dports 139,445 -j ACCEPT 
-A OUTPUT -p udp -m multiport --dports 137,138 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 389 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 1984 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3268 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 3269 -j ACCEPT 
COMMIT

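An added example, not part of the post above: a small Python check that evaluates the posted OUTPUT chain for new connections to the ports a Samba ADS member commonly needs on a domain controller. The REQUIRED table is an assumption based on standard service port assignments (no poster supplied such a list), and `verdict`, `unopened` and `parse_ports` are hypothetical helper names.

```python
import shlex

# OUTPUT chain copied from the iptables config posted above.
RULESET = """\
*filter
:OUTPUT DROP [26:8868]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 135 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 137,138 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 389 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1984 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3268 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3269 -j ACCEPT
COMMIT
"""

# ASSUMPTION (not from the thread): destination ports a Samba ADS member
# commonly needs to reach on a domain controller, by standard assignment.
REQUIRED = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("udp", 123): "NTP", ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session", ("udp", 389): "CLDAP",
    ("tcp", 389): "LDAP", ("tcp", 445): "SMB",
    ("udp", 464): "kpasswd", ("tcp", 464): "kpasswd",
}

# Matches that limit a rule to particular peers, interfaces or connection
# states. Such rules are skipped (a conservative choice): they do not open
# a port for a NEW connection to an arbitrary domain controller.
NARROWING = {"-s", "-d", "-i", "-o", "--sport", "--sports", "--state", "--limit"}


def parse_ports(spec):
    """Expand '139,445' or '1024:1030' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def verdict(ruleset, chain, proto, port):
    """First-match verdict for a new proto/port packet, else the chain policy."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]                      # e.g. ":OUTPUT DROP [0:0]"
        if tok[:2] != ["-A", chain]:
            continue
        # Map every option token to the token that follows it.
        opts = {k: v for k, v in zip(tok[2:], tok[3:] + [""]) if k.startswith("-")}
        if "!" in tok or any(o in opts for o in NARROWING):
            continue                             # negated or narrowed rule
        if opts.get("-p", proto) != proto:
            continue
        spec = opts.get("--dport") or opts.get("--dports")
        if spec and port not in parse_ports(spec):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]
    return policy


def unopened(ruleset, chain, required):
    """Required (proto, port) pairs the chain does not accept, sorted by port."""
    gaps = [p for p in required if verdict(ruleset, chain, *p) != "ACCEPT"]
    return sorted(gaps, key=lambda p: (p[1], p[0]))


# Constructed rules that close the reported gaps, appended before COMMIT.
EXTRA = (
    "-A OUTPUT -p udp -m udp --dport 88 -j ACCEPT\n"
    "-A OUTPUT -p tcp -m tcp --dport 389 -j ACCEPT\n"
    "-A OUTPUT -p tcp -m tcp --dport 464 -j ACCEPT\n"
    "-A OUTPUT -p udp -m udp --dport 464 -j ACCEPT\n"
)
FIXED = RULESET.replace("COMMIT\n", EXTRA + "COMMIT\n")

if __name__ == "__main__":
    for proto, port in unopened(RULESET, "OUTPUT", REQUIRED):
        print(f"not opened: {proto}/{port} ({REQUIRED[(proto, port)]})")
```

Under the assumed table, the posted OUTPUT chain leaves udp/88, tcp/389, tcp/464 and udp/464 unopened; the RELATED,ESTABLISHED rule does not cover them because it only matches packets of connections that are already tracked.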


[Samba] Samba Server for Mac Computer

2007-10-12 Thread Ken Chak
How can I perform a Samba server to serve for the Mac machine? Are there
any HowTo or tutorial about this topic? Because I'm a newbie on Linux, I
need some more details for me to understand.

Thanks buddy

Ken


Re: [Samba] Samba + LDAP

2007-10-12 Thread Guenter Kukkukk
On Friday, 12 October 2007 06:58, John H Terpstra wrote:
> On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
> > Are the IDEALX tools necessary for "complete" integration with LDAP?  Or
> > is the built-in support sufficiently advanced now?
> >
> > Daniel
> 
> Daniel,
> 
> What function do you believe the IDEALX tools serve?  Why do you think these 
> scripts are needed?  What makes you think that "built-in support" might be 
> the right (or best) solution?
> 
> Have you read the Samba documentation? Specifically, is there anything in the 
> Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there 
> is any attempt to supersede the necessity for the IDEALX tools (or an 
> alternative set of scripts that is external to Samba itself)?
> 
> What does "complete" integration with LDAP mean to you?
> 
> You are not the first person to ask questions like these.  It would help me to 
> write more useful documentation if I could better understand what is behind 
> the questions.
> 
> In case you do not know of the books "Samba3-HOWTO" and "Samba3-byExample" 
> they can be obtained from:
> 
>   http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
>   http://www.samba.org/samba/docs/Samba3-ByExample.pdf
> 
> The IDEALX tools are a means of creating and managing UNIX user and group 
> accounts in the LDAP directory.  Samba can then create and manage the Windows 
> (SambaSAM) account information that is necessary to support Windows network 
> activities.
> 
> As a network administrator, I want total control over how UNIX accounts are 
> managed in my LDAP directory and I would not want this done by Samba - 
> particularly if that removes my ability to control how this is done.  Your 
> mileage may vary, but I suspect most UNIX administrators who manage Samba 
> would not want to lose control of the UNIX part of the directory.
> 
> For example, if Samba had total control over all Windows networking (Samba) 
> accounts, and the Windows network administrator deletes a user account, but 
> the user also has vital UNIX files, how should the deletion of the UNIX 
> account information be handled?
> 
> By keeping the LDAP administration scripts that impact the UNIX account 
> management separate from the Windows (Samba) account part, the administrator 
> can exercise greater control over.  - Just my $0.02 worth.
> 
> Cheers,
> John T.

Hi John,

there is ongoing work to avoid (some) external scripts

http://wiki.samba.org/index.php/Ldapsam_Editposix

Cheers, Guenter