Re: [Samba] smbd cannot be killed

2009-03-19 Thread Volker Lendecke
On Thu, Mar 19, 2009 at 04:58:13PM -0600, Sergey Manucharian wrote:
> I run a server with Archlinux and Samba 3.2.5 as PDC for ~30
> Windows workstations. I have a share containing a CRM-like system with
> whole bunch of DB files and Windows executables (GoldMine). People run
> the executables remotely from that share, and regularly it works
> properly. But once in a week it stops working - the DB program cannot
> access some files in the share, and also I cannot restart the Samba -
> several instances of smbd continue running and even "kill -9 smbd"
> doesn't help. After I restart the system in such cases everything
> starts working properly.

If kill -9 does not help, you have a kernel problem. There
have been kernels with broken inotify that leads to runaway
smbd processes chewing CPU. You might want to try

notify:inotify = false

or upgrade your kernel.

Volker
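
What "kill -9 does not help" looks like from /proc, as an added example that is not part of the original message: the function prints each matching process's scheduler state and kernel wait channel, so a task blocked inside the kernel (state D) or an unreaped zombie (Z) can be told apart from one a signal would still reach. The function name, the `PROC_ROOT` argument and the verdict labels are assumptions made for the example.

```bash
# Added example (not from the thread). PROC_ROOT exists only so the function
# can be pointed at a constructed tree; on a live host it defaults to /proc.
# Usage on a live host: proc_signal_state smbd

# proc_signal_state NAME [PROC_ROOT]
# Prints "pid state wchan verdict" for every process whose command name is NAME.
proc_signal_state() {
    local name="$1" root="${2:-/proc}"
    local dir line pid comm rest state wchan verdict
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/stat" ] || continue
        line=
        # The process may exit between the glob and the read; skip it then.
        IFS= read -r line < "$dir/stat" || [ -n "$line" ] || continue
        # stat looks like "1234 (smbd) D 1 ...". The command name may itself
        # contain spaces or ')', so cut at the first '(' and the last ')'.
        pid=${line%% *}
        comm=${line#*\(}
        comm=${comm%\)*}
        rest=${line##*\) }
        state=${rest%% *}
        [ "$comm" = "$name" ] || continue
        case $state in
            D) verdict=blocked-in-kernel ;;  # SIGKILL stays pending until the syscall returns
            Z) verdict=zombie ;;             # already dead; only the parent can reap it
            R) verdict=running ;;
            *) verdict=signalable ;;
        esac
        # wchan names the kernel function the task is waiting in, if any.
        wchan=
        if [ -r "$dir/wchan" ]; then
            # The file has no trailing newline, so read returns non-zero.
            IFS= read -r wchan < "$dir/wchan" || true
        fi
        [ -n "$wchan" ] || wchan=-
        printf '%s %s %s %s\n' "$pid" "$state" "$wchan" "$verdict"
    done
}
```

An smbd that stays `running` at full CPU after SIGKILL is looping in kernel code rather than sleeping, which is the runaway case described in the message above.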


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] smbd cannot be killed

2009-03-19 Thread Sergey Manucharian
On Thu, 19 Mar 2009 16:47:36 -0700 (PDT)
"Yan Seiner"  wrote:

> 
> On Thu, March 19, 2009 3:58 pm, Sergey Manucharian wrote:
> > But once in a week it stops working - the DB program cannot
> > access some files in the share, and also I cannot restart the Samba
> > - several instances of smbd continue running and even "kill -9 smbd"
> > doesn't help. After I restart the system in such cases everything
> > starts working properly.
> >
> > Could somebody point the direction I should go to catch the actual
> > problem?
> 
> Samba logs?
> 
> What does 'ps auxww | grep mbd' say?
> 

Thanks for reply, Yan.

Well, I need to catch such an event one more time...
Both log.smbd and log.smbd.old already do not include the time period
of the failure, log.nmbd contains nothing suspicious (during that time),
just a lot of stuff like:

 process_name_query_request: ...
 process_host_announce: ...
 process_logon_packet: ...
 write_browse_list: ...

Process list at the moment shows 1 nmbd and 12 smbd processes, all
sleeping - again, I need to capture it during the failure. The bad
thing is that when such a failure happens, I do not have much time,
since the users cannot wait - I restart the server ASAP :)

Sergey.


Re: [Samba] smbd cannot be killed

2009-03-19 Thread Yan Seiner

On Thu, March 19, 2009 3:58 pm, Sergey Manucharian wrote:
> But once in a week it stops working - the DB program cannot
> access some files in the share, and also I cannot restart the Samba -
> several instances of smbd continue running and even "kill -9 smbd"
> doesn't help. After I restart the system in such cases everything
> starts working properly.
>
> Could somebody point the direction I should go to catch the actual
> problem?

Samba logs?

What does 'ps auxww | grep mbd' say?

-- 
  o__
  ,>/'_  o__
  (_)\(_),>/'_o__
Yan Seiner  (_)\(_)   ,>/'_ o__
   Personal Trainer  (_)\(_),>/'_o__
 Professional Engineer (_)\(_)   ,>/'_
Who says engineers have to be pencil necked geeks?  (_)\(_)

You are an adult when you realize that everyone's an idiot sometimes. You
are wise when you include yourself.




[Samba] smbldap and samba as a PDC

2009-03-19 Thread LiPi -
Hi people, I have a problem with samba, openldap and the creation of machine
accounts.
I don't know if here is a good place to ask but I don't receive help in
other places.. I read many guides, howto's, etc. but
I can't get around with the solution...

 I have seen an older message to another list (mail.gna.org) asking for the
same problem that I have, it was:

   - [Smbldap-tools-tech] Problem creating machine accounts,
   *Jonathan Warrington   (September 24, 2008 - 19:24)*

I didn't know if Jonathan received a response, but I have two problems, one
is exactly the same that's described there, and the other is explained as
follows:

I have samba + ldap PDC with smbldap-tools, and when I try to join the
domain I get this error:

r...@patata:/# net rpc join -U administrador
  Password:
  Creation of workstation account failed
  Unable to join domain TESTING.

  If I take a look to the logs...:
  2009/03/19 20:18:42, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w patata$' gave 127

 Then manually, smbldap-useradd -w patata$:
  Error: modifications require authentication at /usr/share/perl5/smbldap_tools.pm line 1083.

  And if I create the machine account from phpldapadmin, it works perfectly.

  What can I do? I tried:
   net -U administrador% rpc rights grant 'TESTING\smbadmins' SeMachineAccountPrivilege,

   also tried to modify smbldap.conf and smbldap_bind.conf, and I got
nothing...

  I followed many howto's and surely there is something that I'm not
understanding, but I don't know what. Any suggestion would surely be
helpful.

getent passwd and getent group works well. If I try to add a machine account
from phpldapadmin, all goes right.

This is my smbldap config:
http://pastebin.ca/1365687

And this my smb.conf:
http://pastebin.ca/1365698


Thank you all.

LiPi


[Samba] smbd cannot be killed

2009-03-19 Thread Sergey Manucharian
Hello folks,

I'm new to this list. Before posting this I tried to search the
archives, but couldn't find anything relevant - so excuse me if it's
been discussed already.

I run a server with Archlinux and Samba 3.2.5 as PDC for ~30
Windows workstations. I have a share containing a CRM-like system with
whole bunch of DB files and Windows executables (GoldMine). People run
the executables remotely from that share, and regularly it works
properly. But once in a week it stops working - the DB program cannot
access some files in the share, and also I cannot restart the Samba -
several instances of smbd continue running and even "kill -9 smbd"
doesn't help. After I restart the system in such cases everything
starts working properly.

I've checked the number of open files - it doesn't seem to be too large,
and only 5-6 people can run that DB interface simultaneously.

Could somebody point the direction I should go to catch the actual
problem?

Thanks,
Sergey


Re: [Samba] root ownership on all new files for admin users

2009-03-19 Thread Mark Casey

Hi,

I'm dealing with the same issue so I thought I'd share a few ideas I've 
found so far.


"write users=" should just be letting those users write as themselves.
It's the "admin users=" line that is intervening and mapping them to root.


If it's just the need for admin rights, I know that there is a privileges 
system built into samba. Most of the things you would want for an admin 
user to be able to do can actually be enabled for that user instead of 
mapping them to root. I've read that while no account has any privileges 
by default, the Domain Admins group is automatically given the right to 
hand out new privileges. Just search for "samba privileges" online, I 
think this is the preferred way to accomplish what you want, removing 
the need for the admin users parameter.


Another thing you may consider is just make a new user in AD, and then 
change the "admin users" line so that it only lists that account. I 
don't even imagine that account would have to be an admin as far as 
Windows is concerned, but it could be made one if the situation arises 
to warrant it. Then your write list can write as themselves, and the new 
user can be mapped to root and not used to edit user's files. They could 
share the password if more than one person needs access, which is no 
worse than having them all mapped to root anyway (possibly better).


I don't quite have it figured yet so double check me if you go with one 
of those, but I HTH.


-Mark




Vladimir Shved wrote:

Hello,
I have samba server on windows domain, in ADS mode but have problem
tracking files that belong to admin users, anytime new file created
the default owner is root. For non-admin users it's normal, newly
created files have correct ownership permissions. It's possible for a
user to go and take ownership manually from windows machine but it's
just inconvenient. Is there any way to change default behavior to
create files with correct ownership of original user rather than
mapping to root for admin users?

Thank you,
Vladimir Shved

My setup:
Ubuntu 8.04 Hardy
Samba 3.0.28a
ext3 fs w/ ACLs

censored smb.conf:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = File Server
security = ADS
syslog = 0
log file = /var/log/samba/log.%m
log level = 1 ads:10 auth:10 sam:10 rpc:10
max log size = 1000
local master = No
dns proxy = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.1.2
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind nested groups = yes
passdb backend = tdbsam

ldap ssl = on

idmap domains = MYDOMAIN
idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=mydomain,dc=local
idmap config MYDOMAIN:ldap_url = ldaps://ldapmachine
idmap config MYDOMAIN:ldap_anon = yes

idmap alloc backend = tdb
idmap alloc config:range = 3-4

template shell = /bin/bash

admin users = @"BUILTIN\administrators"
write list = @"BUILTIN\administrators"
client use spnego = yes
domain master = no
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes

guest account = nobody
map to guest = bad user
invalid users = root
map to guest = bad password

[share]
path = /share
guest ok = Yes
create mask = 0664
directory mode = 0775
  



Re: [Samba] root ownership on all new files for admin users

2009-03-19 Thread Volker Lendecke
On Thu, Mar 19, 2009 at 03:28:07PM -0600, Vladimir Shved wrote:
> I have samba server on windows domain, in ADS mode but have problem
> tracking files that belong to admin users, anytime new file created
> the default owner is root. For non-admin users it's normal, newly
> created files have correct ownership permissions. It's possible for a
> user to go and take ownership manually from windows machine but it's
> just inconvenient. Is there any way to change default behavior to
> create files with correct ownership of original user rather than
> mapping to root for admin users?

Remove the

@"BUILTIN\administrators"

line from your smb.conf.

Volker
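
A check for the setting this thread turns on, as an added example (not code from the thread or from Samba): the function scans an smb.conf and reports every `admin users` assignment, marking entries that name a whole group, plus any parameter assigned twice in one section, such as `map to guest` in the configuration quoted earlier in the thread. The function name and the finding labels are assumptions; parameter names are compared case-insensitively with whitespace ignored, as smb.conf itself does.

```bash
# Added example (not from the thread or the Samba project).
# Usage: audit_smbconf /etc/samba/smb.conf

# audit_smbconf FILE
# Prints one finding per line:
#   ADMIN-GROUP [section] value   admin users names a group (@, + or & prefix)
#   ADMIN-USER  [section] value   admin users names individual accounts only
#   DUPLICATE   [section] param   the parameter is assigned more than once
audit_smbconf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        BEGIN { sec = "(none)" }
        # Skip comments (# or ;) and blank lines.
        /^[ \t]*([#;]|$)/ { next }
        # Section header: remember its lower-cased name.
        /^[ \t]*\[[^]]*\]/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(trim(sec)); next
        }
        {
            # Only the first "=" separates the name from the value.
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(trim(substr($0, 1, eq - 1)))
            val = trim(substr($0, eq + 1))
            # Whitespace inside a parameter name is not significant.
            key = name; gsub(/[ \t]/, "", key)
            if (key == "adminusers" && val != "") {
                # Everyone matched by this value performs file operations as root.
                kind = (val ~ /(^|[ \t,])[@+&]/) ? "ADMIN-GROUP" : "ADMIN-USER"
                printf "%s [%s] %s\n", kind, sec, val
            }
            # Report a repeated parameter once, on its second assignment.
            if (++seen[sec, key] == 2)
                printf "DUPLICATE [%s] %s\n", sec, name
        }
    ' "$1"
}
```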



[Samba] Re: Updated sources and clean build gives linker error in cldapd.o

2009-03-19 Thread Harsha
I'm sorry to first post this message here. I just figured that
samba-technical is the relevant list for my question.

Sincerely,
Harsha


[Samba] root ownership on all new files for admin users

2009-03-19 Thread Vladimir Shved
Hello,
I have samba server on windows domain, in ADS mode but have problem
tracking files that belong to admin users, anytime new file created
the default owner is root. For non-admin users it's normal, newly
created files have correct ownership permissions. It's possible for a
user to go and take ownership manually from windows machine but it's
just inconvenient. Is there any way to change default behavior to
create files with correct ownership of original user rather than
mapping to root for admin users?

Thank you,
Vladimir Shved

My setup:
Ubuntu 8.04 Hardy
Samba 3.0.28a
ext3 fs w/ ACLs

censored smb.conf:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = File Server
security = ADS
syslog = 0
log file = /var/log/samba/log.%m
log level = 1 ads:10 auth:10 sam:10 rpc:10
max log size = 1000
local master = No
dns proxy = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.1.2
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind nested groups = yes
passdb backend = tdbsam

ldap ssl = on

idmap domains = MYDOMAIN
idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=mydomain,dc=local
idmap config MYDOMAIN:ldap_url = ldaps://ldapmachine
idmap config MYDOMAIN:ldap_anon = yes

idmap alloc backend = tdb
idmap alloc config:range = 3-4

template shell = /bin/bash

admin users = @"BUILTIN\administrators"
write list = @"BUILTIN\administrators"
client use spnego = yes
domain master = no
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes

guest account = nobody
map to guest = bad user
invalid users = root
map to guest = bad password

[share]
path = /share
guest ok = Yes
create mask = 0664
directory mode = 0775


[Samba] Updated sources and clean build gives linker error in cldapd.o

2009-03-19 Thread Harsha
Hi all,

This is my first week with Samba. I got sources and compiled them fine
till yesterday. Today I did a git pull and am getting the following
linker errors-

Compiling smbd/process_standard.c
Partially linking bin/mergedobj/process_model_standard.o
Linking bin/samba
bin/mergedobj/cldapd.o: In function `cldapd_request_handler':
cldap_server.c:(.text+0x79): undefined reference to `tsocket_address_string'
cldap_server.c:(.text+0xca): undefined reference to `cldap_error_reply'
cldap_server.c:(.text+0x13b): undefined reference to `tsocket_address_string'
cldap_server.c:(.text+0x188): undefined reference to `cldap_error_reply'
cldap_server.c:(.text+0x1e6): undefined reference to `tsocket_address_string'
cldap_server.c:(.text+0x233): undefined reference to `cldap_error_reply'
bin/mergedobj/cldapd.o: In function `cldapd_add_socket':
cldap_server.c:(.text+0x337): undefined reference to
`_tsocket_address_inet_from_strings'
cldap_server.c:(.text+0x3f6): undefined reference to `cldap_socket_init'
cldap_server.c:(.text+0x448): undefined reference to `tsocket_address_string'
cldap_server.c:(.text+0x496): undefined reference to
`cldap_set_incoming_handler'
bin/mergedobj/cldapd.o: In function `cldapd_netlogon_request':
(.text+0x1ccb): undefined reference to `tsocket_address_inet_addr_string'
bin/mergedobj/cldapd.o: In function `cldapd_netlogon_request':
(.text+0x1d74): undefined reference to `cldap_netlogon_reply'
bin/mergedobj/cldapd.o: In function `cldapd_netlogon_request':
(.text+0x1df8): undefined reference to `cldap_empty_reply'
bin/mergedobj/cldapd.o: In function `cldapd_rootdse_request':
(.text+0x23d0): undefined reference to `cldap_reply_send'
bin/mergedobj/samba-net.o: In function `libnet_FindSite':
(.text+0x6e4d): undefined reference to `cldap_socket_init'
bin/mergedobj/samba-net.o: In function `libnet_FindSite':
(.text+0x6ea7): undefined reference to `cldap_netlogon'
bin/mergedobj/samba-net.o: In function `becomeDC_send_cldap':
libnet_become_dc.c:(.text+0x7747): undefined reference to `cldap_socket_init'
libnet_become_dc.c:(.text+0x7779): undefined reference to `cldap_netlogon_send'
bin/mergedobj/samba-net.o: In function `becomeDC_recv_cldap':
libnet_become_dc.c:(.text+0x780e): undefined reference to `cldap_netlogon_recv'
bin/mergedobj/samba-net.o: In function `unbecomeDC_send_cldap':
libnet_unbecome_dc.c:(.text+0xd8d5): undefined reference to `cldap_socket_init'
libnet_unbecome_dc.c:(.text+0xd907): undefined reference to
`cldap_netlogon_send'
bin/mergedobj/samba-net.o: In function `unbecomeDC_recv_cldap':
libnet_unbecome_dc.c:(.text+0xd99c): undefined reference to
`cldap_netlogon_recv'
collect2: ld returned 1 exit status
make: *** [bin/samba] Error 1
r...@harsha-amd64:/home/harsha/mapi/samba-master/source4#

I deleted /usr/local/samba, did make clean and tried compiling, but I
still see the problem.

Can anyone please tell me why this may be happening ?

Many thanks,
Harsha


[Samba] Can join ADS domain, all accounts/auth work fine, but leaving domain fails

2009-03-19 Thread Mark Casey

Hello all,

As the subject says, as far as I can tell everything works on my ads 
integrated samba server. Domain accounts can be used for ssh, and 
accessing shares, I just can't leave the domain. Here is a successful 
join command followed by an unsuccessful leave command at debug level 4. 
Any ideas?


TIA,
Mark

u...@dordal:~$ sudo net ads join -U administra...@mydomain.com -d 4
[2009/03/19 14:00:07, 3] param/loadparm.c:lp_load(5063)
 lp_load: refreshing parameters
[2009/03/19 14:00:07, 3] param/loadparm.c:init_globals(1448)
 Initialising global parameters
[2009/03/19 14:00:07, 3] param/params.c:pm_process(572)
 params.c:pm_process() - Processing configuration file 
"/etc/samba/smb.conf"

[2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
 Processing section "[global]"
 doing parameter workgroup = MYDOMAIN
 doing parameter realm = MYDOMAIN.COM
 doing parameter security = ADS
 doing parameter password server = dal-dc1.mydomain.com, 
den-dc1.mydomain.com

 doing parameter client schannel = Yes
 doing parameter server schannel = Yes
 doing parameter username map = /etc/samba/smbusers
 doing parameter obey pam restrictions = Yes
 doing parameter enable privileges = Yes
 doing parameter restrict anonymous = 2
 doing parameter allow trusted domains = No
 doing parameter lanman auth = No
 doing parameter ntlm auth = No
 doing parameter client NTLMv2 auth = Yes
 doing parameter log level = 1
 doing parameter syslog = 0
 doing parameter min protocol = NT1
 doing parameter client signing = Yes
 doing parameter server signing = Yes
 doing parameter load printers = No
 doing parameter preferred master = No
 doing parameter local master = No
 doing parameter domain master = No
 doing parameter dns proxy = No
 doing parameter ldap ssl = no
 doing parameter host msdfs = No
 doing parameter idmap domains = MYDOMAIN
 doing parameter idmap alloc backend = ldap
 doing parameter template shell = /bin/false
 doing parameter winbind enum users = Yes
 doing parameter winbind enum groups = Yes
 doing parameter winbind use default domain = Yes
 doing parameter winbind refresh tickets = Yes
 doing parameter idmap alloc config:range = 10 - 50
 doing parameter idmap alloc config:ldap_url = 
ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
 doing parameter idmap alloc config:ldap_user_dn = 
cn=idmapmgr,cn=users,dc=mydomain,dc=com
 doing parameter idmap alloc config:ldap_base_dn = 
ou=idmap,dc=sambaidmap,dc=mydomain,dc=com

 doing parameter idmap config MYDOMAIN:range = 10 - 50
 doing parameter idmap config MYDOMAIN:ldap_url = 
ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
 doing parameter idmap config MYDOMAIN:ldap_user_dn = 
cn=idmapmgr,cn=users,dc=mydomain,dc=com
 doing parameter idmap config MYDOMAIN:ldap_base_dn = 
ou=idmap,dc=sambaidmap,dc=mydomain,dc=com

 doing parameter idmap config MYDOMAIN:backend = ldap
 doing parameter idmap config MYDOMAIN:default = yes
 doing parameter hosts allow = 10.0.0.0/255.255.254.0 
10.1.0.0/255.255.254.0

 doing parameter map acl inherit = No
 doing parameter hide special files = Yes
 doing parameter map archive = No
 doing parameter map readonly = No
 doing parameter map system = No
 doing parameter map hidden = No
 doing parameter ea support = No
 doing parameter store dos attributes = No
 doing parameter wide links = No
 doing parameter follow symlinks = No
 doing parameter dos filemode = No
 doing parameter add share command = /etc/samba/command.pl
 doing parameter delete share command = /etc/samba/command.pl
 doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:00:07, 4] param/loadparm.c:lp_load(5094)
 pm_process() returned Yes
[2009/03/19 14:00:07, 2] lib/interface.c:add_interface(81)
 added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(73)
 ads_dc_name: domain=MYDOMAIN
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
 get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, 
den-dc1.mydomain.com"

[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
 Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
 get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, 
den-dc1.mydomain.com"

[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
 get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, 
den-dc1.mydomain.com"

[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip 

[Samba] samba not using nearest ADS server

2009-03-19 Thread Tobias Hennerich
Hello,

we integrated an samba v3.2.8 into a bigger ADS environment which is
connected via MPLS world wide. Everything works as expected, but the login
via SSH is slow:

After entering the login name in ssh we can see via tcpdump network
traffic to different ADS controllers:

First a connection from Germany to UK:

17:16:43.867219 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.092774 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.092785 IP 10.49.x.y.37722 > 10.44.x.y.389: .
17:16:44.093054 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.265776 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.265987 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.647671 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.693567 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.693840 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.922527 IP 10.44.x.y.389 > 10.49.x.y.37722: .
17:16:44.997865 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.998074 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.314621 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.314831 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.577894 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.578100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.791494 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.791702 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.982034 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.982240 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.189828 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.190037 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.365426 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.365633 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.596653 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.596900 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.802280 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.802487 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.006571 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.006783 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.325662 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.325868 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.577930 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.578140 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.775371 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.775577 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.971495 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.971704 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.186311 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.186521 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.430837 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.431043 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.622070 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.622274 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.816862 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.817100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:49.061838 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.062951 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:49.268437 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.268634 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:49.426980 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.466643 IP 10.49.x.y.37722 > 10.44.x.y.389: .

then a connection from Germany to the United States:

17:16:49.547138 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.693649 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:49.693662 IP 10.49.x.y.37731 > 10.3.x.y.389: .
17:16:49.693849 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.843729 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:49.843918 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.992361 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:49.992553 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.129522 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.129715 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.298217 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.298406 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.447220 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.447408 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.589299 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.589487 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.748952 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.749139 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.902596 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.902787 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.048477 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.048669 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.16 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.200183 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.343439 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.343626 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.509961 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.510146 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.666507 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.96 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.809460 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.809759 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.950416 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.950732 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:52.097813 I

Re: [Samba] Samba Password Question.

2009-03-19 Thread Helmut Hullen
Hello, Eric,

You wrote on 19.03.09:

> Have you already tried this and it did not work?

> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing

> I think it's:

> pdbedit -P "maximum password age" -C value
> pdbedit -u user --pwd-must-change-time 0

Here: Samba 3.2.5, security=user # (no PDC)

With "value" = -1 or 0:

pdbedit -Lwv -u 

always shows "Password must change: never"

Best regards!
Helmut


Re: [Samba] Samba Password Question.

2009-03-19 Thread Eric Roseme



mpars...@uk.ey.com wrote:
Hi David, 

Its Samba Release 3 on an HP-UX 11.11 machine. We are allowing users to 
map folders from the unix box as shares on their windows laptops. 


Mark - I posted this on ITRC too:

I assume that you have a Samba PDC (security = user) with a passdb 
backend of tdbsam or ldapsam.  If so, then you set domain policies with 
pdbedit.  I believe that you have to set the "user must change password" 
attribute *and* the "password age" attribute to 0 (for each user) to 
make it happen at the next logon.


Have you already tried this and it did not work?

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing

I think it's:

pdbedit -P "maximum password age" -C value
pdbedit -u user --pwd-must-change-time 0


Eric Roseme
Hewlett-Packard



Re: [Samba] Server 2008 and Samba 3.0.25b

2009-03-19 Thread Volker Lendecke
On Thu, Mar 19, 2009 at 11:11:18AM -0400, Alainna C. White wrote:
> I'm experiencing a very strange problem with Server 2008 machines (for 
> all intents and purposes related to Samba, it's Vista) connecting to a 
> Samba Server.  The Samba machine is a RHEL4.6 machine running Samba 
> 3.0.25b.  I am joined to the mixed mode AD domain via the command "net 
> rpc join -U administrator ".  I am not using winbind or 
> kerberos.  Or at least, I am not trying to.  The smb.conf file is at the 
> bottom of this email.  I've removed things like disallowed users from 
> the file to keep it brief.
> 
> I have another samba machine with the very same OS and release, and it 
> works fine. 
> 
> When I try to connect to the Samba machine from the 2k8 machine using 
> the UNC path, I get a "network path not found" message.  Oddly, if I use 
> '\\ipaddress' it works just fine.

Please update to Samba 3.3.2, there have been fixes for 2k8
interoperability.

Volker



Re: [Samba] Server 2008 and Samba 3.0.25b

2009-03-19 Thread Alainna C. White

Hi folks -

Not fifteen minutes after I sent this message, I've solved the problem.  
I've been fighting with this for a while now (over a year; I've been 
delaying Vista deployments because of this).   I never would've guessed 
that taking the RPC out of the net join command would fix it. 


But it did.

This is the fix (at least for me):
join the domain with, "net join -U administrator ", not, "net 
join RPC -U administrator ".


Thanks and sorry for the spam!

Alainna


Alainna C. White wrote:

> Hi Folks -
>
> I'm experiencing a very strange problem with Server 2008 machines (for
> all intents and purposes related to Samba, it's Vista) connecting to a
> Samba Server.  The Samba machine is a RHEL4.6 machine running Samba
> 3.0.25b.  I am joined to the mixed mode AD domain via the command "net
> rpc join -U administrator ".  I am not using winbind or
> kerberos.  Or at least, I am not trying to.  The smb.conf file is at
> the bottom of this email.  I've removed things like disallowed users
> from the file to keep it brief.
>
> I have another samba machine with the very same OS and release, and it
> works fine.
> When I try to connect to the Samba machine from the 2k8 machine using
> the UNC path, I get a "network path not found" message.  Oddly, if I
> use '\\ipaddress' it works just fine.
>
> I used Wireshark to look at the packets, and there is one glaring
> difference between the working samba install and the non-working samba
> install: in the Session Setup andX Request packet  (under the
> "security blob") that the client sends to the samba server,  the
> working one lists one mechtype: NTLMSSP.  The non-working one lists
> three mechtypes: MS KRB5, KRB5, NTLMSSP, in that order.  The
> non-working one has a krb5 ticket further down in the packet.
>
> Samba logs show an error:
> Failed to parse NTLMSSP packet, could not extract NTLMSSP command
> [2009/03/18 10:39:36, 1] libsmb/ntlmssp.c:ntlmssp_update(327)
>
> I don't think it should be able to parse the NTLMSSP packet, since it
> isn't an NTLMSSP packet.  It's a KRB5 ticket.  At least, to the best
> that I can understand
>
> I have tried copying the working SMB.CONF file to the non-working
> host, and that didn't help at all.
>
> To me it seems like the client is requesting KRB5 authentication.  I'm
> not good enough with network packets to see if the server requested
> that type of session, but as far as I can tell it did not.
>
> Any help would be greatly appreciated.
> Thanks,
>
> Alainna
>
> SMB.CONF---
> [global]
> hosts allow = xxx.xxx.xxx.
> workgroup = dss
> security = domain
> password server = *
> encrypt passwords = yes
> wins support = no
> debug level = 1
> guest ok = no
> inherit permissions = yes
> username map = /etc/samba/smbusers
> -





--
Alainna C. White
Johns Hopkins University 
Physics & Astronomy, 3701 San Martin Drive, Baltimore MD  21218 
Voice: 410 516 4536 | Email: alai...@pha.jhu.edu

http://skysrv.pha.jhu.edu/~alainna




[Samba] Server 2008 and Samba 3.0.25b

2009-03-19 Thread Alainna C. White

Hi Folks -

I'm experiencing a very strange problem with Server 2008 machines (for 
all intents and purposes related to Samba, it's Vista) connecting to a 
Samba Server.  The Samba machine is a RHEL4.6 machine running Samba 
3.0.25b.  I am joined to the mixed mode AD domain via the command "net 
rpc join -U administrator ".  I am not using winbind or 
kerberos.  Or at least, I am not trying to.  The smb.conf file is at the 
bottom of this email.  I've removed things like disallowed users from 
the file to keep it brief.


I have another samba machine with the very same OS and release, and it 
works fine. 

When I try to connect to the Samba machine from the 2k8 machine using 
the UNC path, I get a "network path not found" message.  Oddly, if I use 
'\\ipaddress' it works just fine.


I used Wireshark to look at the packets, and there is one glaring 
difference between the working samba install and the non-working samba 
install: in the Session Setup andX Request packet  (under the "security 
blob") that the client sends to the samba server,  the working one lists 
one mechtype: NTLMSSP.  The non-working one lists three mechtypes: MS 
KRB5, KRB5, NTLMSSP, in that order.  The non-working one has a krb5 
ticket further down in the packet.


Samba logs show an error:
Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2009/03/18 10:39:36, 1] libsmb/ntlmssp.c:ntlmssp_update(327)

I don't think it should be able to parse the NTLMSSP packet, since it 
isn't an NTLMSSP packet.  It's a KRB5 ticket.  At least, to the best 
that I can understand



I have tried copying the working SMB.CONF file to the non-working host, 
and that didn't help at all.


To me it seems like the client is requesting KRB5 authentication.  I'm 
not good enough with network packets to see if the server requested that 
type of session, but as far as I can tell it did not. 

Any help would be greatly appreciated. 


Thanks,

Alainna


SMB.CONF---
[global]
hosts allow = xxx.xxx.xxx.
workgroup = dss
security = domain
password server = *
encrypt passwords = yes
wins support = no
debug level = 1
guest ok = no
inherit permissions = yes
username map = /etc/samba/smbusers
-



--
Alainna C. White
Johns Hopkins University 
Physics & Astronomy, 3701 San Martin Drive, Baltimore MD  21218 
Voice: 410 516 4536 | Email: alai...@pha.jhu.edu

http://skysrv.pha.jhu.edu/~alainna
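
The mechtype comparison described in the message above can be reproduced outside Wireshark. The following is an added example, not part of the original post: a small Python parser that lists the SPNEGO mechTypes in a Session Setup AndX security blob, in the order the client offers them, and returns the accompanying mechToken. The function names and the sample blob are constructed for illustration; the OIDs are the registered ones for the three mechanisms named in the message.

```python
MECHS = {  # DER-encoded OID bodies -> the names Wireshark displays
    bytes.fromhex("2a864882f712010202"): "MS KRB5",    # 1.2.840.48018.1.2.2
    bytes.fromhex("2a864886f712010202"): "KRB5",       # 1.2.840.113554.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",  # 1.3.6.1.4.1.311.2.2.10
}
SPNEGO_OID = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:              # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def inspect_blob(blob):
    """Return (mech names in client preference order, mechToken or None)."""
    if blob.startswith(b"NTLMSSP\x00"):           # raw NTLMSSP, no SPNEGO wrapper
        return ["NTLMSSP"], blob
    tag, body, _ = read_tlv(blob)                 # 0x60: GSS-API initial token
    oid_tag, oid, pos = read_tlv(body)
    if (tag, oid_tag, oid) != (0x60, 0x06, SPNEGO_OID):
        raise ValueError("not a SPNEGO initial token")
    seq = read_tlv(read_tlv(body, pos)[1])[1]     # [0] NegTokenInit -> SEQUENCE
    mechs, token, pos = [], None, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        inner = read_tlv(field)[1]
        if tag == 0xA0:                           # [0] mechTypes: SEQUENCE OF OID
            p = 0
            while p < len(inner):
                _, oid, p = read_tlv(inner, p)
                mechs.append(MECHS.get(oid, oid.hex()))
        elif tag == 0xA2:                         # [2] mechToken: OCTET STRING
            token = inner
    return mechs, token

def tlv(tag, body):                               # builder for short (<128 byte) samples
    return bytes([tag, len(body)]) + body

# Constructed sample shaped like the non-working capture: three mechTypes plus
# a placeholder standing in for the Kerberos ticket (not real ticket bytes).
KRB5_PLACEHOLDER = tlv(0x60, b"constructed-krb5-token")
SAMPLE = tlv(0x60, tlv(0x06, SPNEGO_OID) + tlv(0xA0, tlv(0x30,
    tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, o) for o in MECHS))) +
    tlv(0xA2, tlv(0x04, KRB5_PLACEHOLDER)))))
```

For the sample, `inspect_blob(SAMPLE)` reports MS KRB5, KRB5, NTLMSSP, and the returned token does not begin with the `NTLMSSP\0` signature, which is the situation the log line in the message describes.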




[Samba] ADS Authentication - CLDAP request failed

2009-03-19 Thread Sakshale eQuorian
I have a RHEL 5 system, with Samba 3.0.33 installed, that _used_ to
authenticate against the corporate Active Directory system without any
problems.  However, about a month ago the connection broke, but the users
didn't complain until some time went by.  I've spent quite a few hours
trying to reconnect this system, but nothing works.  I do not believe it is
a simple configuration problem, as it used to work... and am afraid that
something changed on the corporate domain controllers. Unfortunately,
corporate doesn't believe in non-Windows solutions to anything and will not
support me in this effort.  They also don't support any NFS services, which
are critical for my user community. sigh...

Kerberos authentication still works;
--
 # kinit -V username
Password for usern...@wkg.company.com:
Authenticated to Kerberos v5
[r...@palsrv6] klist
Ticket cache: *FILE:/tmp/krb5cc_0*
Default principal: usern...@wkg.company.com

Valid starting     Expires            Service principal
03/16/09 09:42:42  03/16/09 19:42:51  krbtgt/wkg.company@wkg.company.com
        renew until 03/17/09 09:42:42
--
Samba can talk to the Primary Domain Controller as a client, but doesn't
seem to recognize the PDC as a server.
--
# smbclient -L /pdc01 -k
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003
R2 5.2]

Sharename       Type      Comment
---------       ----      -------
C$              Disk      Default share
H$              Disk      Default share
F$              Disk      Default share
IPC$            IPC       Remote IPC
G$              Disk      Default share
ADMIN$          Disk      Remote Admin
D$              Disk      Default share
E$              Disk      Default share
SYSVOL          Disk      Logon server share
NETLOGON        Disk      Logon server share
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003
R2 5.2]

[snipping noise]
--
# net ads join -U usern...@wkg.company.com
usern...@wkg.company.com's password:
[2009/03/16 09:58:23, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
Failed to join domain: No logon servers
--

-sh-3.2# net rpc testjoin
Unable to find a suitable server
Join to domain 'WKG' is not valid
-sh-3.2# net -d5 ads testjoin
[2009/03/18 09:07:16, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
all: True/5
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
[2009/03/18 09:07:16, 3] param/loadparm.c:lp_load(5064)
  lp_load: refreshing parameters
[2009/03/18 09:07:16, 3] param/loadparm.c:init_globals(1440)
  Initialising global parameters
[2009/03/18 09:07:16, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2009/03/18 09:07:16, 3] param/loadparm.c:do_section(3803)
  Processing section "[global]"
  doing parameter workgroup = wks
  doing parameter password server = pdc01.wks.company.com
  doing parameter realm = WKS.COMPANY.COM  #[GLOBAL]
  doing parameter security = ads
  doing parameter idmap uid = 16777216-33554431
  doing parameter idmap gid = 16777216-33554431
  doing parameter winbind use default domain = Yes
  doing parameter winbind offline logon = false
  doing parameter server string = Samba Server Version %v
  doing parameter passdb backend = tdbsam
  doing parameter cups options = raw
[2009/03/18 09:07:16, 4] param/loadparm.c:lp_load(5095)
  pm_process() returned Yes
[2009/03/18 09:07:16, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2LE
 [snipping noise]
[2009/03/18 09:07:16, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'UTF-8' for LOCALE
 [snipping noise]
[2009/03/18 09:07:16, 5] lib/util.c:init_names(309)
  Netbios name list:-
  my_netbios_names[0]="HOSTNAME"
[2009/03/18 09:07:16, 2] lib/interface.c:add_interface(81)
  added interface ip=10.20.30.99 bcast=10.20.30.255 nmask=255.255.254.0
 [snipping noise]
[2009/03/18 09:07:16, 5] lib/gencache.c:gencache_init(61)
  Opening cache file at /var/cache/samba/gencache.tdb
[2009/03/18 09:07:16, 5] libads/dns.c:sitename_fetch(706)
  sitename_fetch: No stored sitename for WKS.COMPANY.COM   #[GLOBAL]
[2009/03/1

Re: [Samba] Ftp login

2009-03-19 Thread John Doe

From: Muthukumaran Saravanan 
> Can you help me to login into the ftp server using a shell script.
> My ftp server is secured. Need username and password for login.
> Pls help me to get thru.

Since you did not give any context, maybe try something like:

  wget --user=user --password=password ftp://ftp.ccatgroup.com/...

JD


  



Re: [Samba] Samba LDAP troubleshooting

2009-03-19 Thread Adam Williams



Brad C wrote:

> Hi There,
>
> Yep, Ok now I understand the SID needs to be the same as the server the
> client formed the initial security relationship with,
>
> Is this correct?
>
> Kind Regards
> Brad


yes.


[Samba] Export groups, users, all objects in Samba domain a nutshell

2009-03-19 Thread Jimmy PIERRE
Greetings,

I want to set a lab and want to use all the objects in my Samba Domain
so that I can play with.

Obviously, if some users are members of groups and that these groups
are themselves members of other groups,  I would need this as well.
In a nutshell, I am attempting to make a full export that I can
manipulate, “redesign” and re-inject afterwards.

Best,

Jimmy


[Samba] Ftp login

2009-03-19 Thread Muthukumaran Saravanan
Dear All,

Can you help me to login into the ftp server using a shell script.

My ftp server is secured. Need username and password for login.

Pls help me to get thru.



-- 
M.Saravanan
CCAT LTD
302, Koon Fook Centre,
9, Knutsford Terrace,
T.S.T, Kowloon, Hong Kong.
Phone: 28516318
Mobile : 61000856
Fax: 37434866


