[Samba] Can SAMBA work with 2008 R2 Read Only Domain controller

2010-06-06 Thread hagai yaffe
Hello,
 
We are planning to utilize Microsoft 2008 R2 Read Only Domain controller, and 
deploy RODCs in branches. 
 
If I would like to have SAMBA servers in those branches, will I be able to add 
them to the domain (using net ads join) and work with them, when using the 
RODCs as domain controllers configured in my smb.conf and krb5.conf?
 
I have looked around and did not find any documentation for SAMBA supporting / 
not supporting this. 
 
I have done some testing and failed (I got Failed to join domain: failed to 
connect to AD: Decrypt integrity check failed Ok from the net ads join 
command), before investing more time in troubleshooting I hoped that someone 
could assist and tell me if such a configuration is possible.
 
If this is not possible, it would be great to know why.
 
Best Regards,
Hagai


  
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Can SAMBA work with 2008 R2 Read Only Domain controller

2010-06-06 Thread Serge Fonville
Hi,

Have you read http://wiki.samba.org/index.php/Samba4_joining_a_domain ?
# Samba4 joining a domain as a RODC

HTH

Regards,

Serge Fonville

On Sun, Jun 6, 2010 at 5:12 PM, hagai yaffe hag...@yahoo.com wrote:
 Hello,

 We are planning to utilize Microsoft 2008 R2 Read Only Domain controller, and 
 deploy RODCs in branches.

 If I would like to have SAMBA servers in those branches, will I be able to 
 add them to the domain (using net ads join) and work with them, when using 
 the RODCs as domain controllers configured in my smb.conf and krb5.conf?

 I have looked around and did not find any documentation for SAMBA supporting 
 / not supporting this.

 I have done some testing and failed (I got Failed to join domain: failed to 
 connect to AD: Decrypt integrity check failed Ok from the net ads join 
 command), before investing more time in troubleshooting I hoped that someone 
 could assist and tell me if such a configuration is possible.

 If this is not possible, it would be great to know why.

 Best Regards,
 Hagai







-- 
http://www.sergefonville.nl

Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en


Re: [Samba] File permissions

2010-06-06 Thread Harry Jede
On Donnerstag, 3. Juni 2010 wrote Steve Wolfe:
 Samba 3.4.7-58.fc12, windows 7 client.

 I have a share where, if I right-click and chose properties,
 everything shows up as read only.  I can un-check that, hit apply,
 and if I view the properties again, they are read only.

 Interestingly enough, I can go in and create files, modify files,
 rename files, delete files, etc..  However, some of the users'
 software checks for read-only status, and is throwing errors.

 Here's the smb.conf section:

 [Apps]
 path=/home/apps
 force user=appsuser
 force group=appsuser
 read only=no
 writeable=yes
 oplocks = False
 level2 oplocks = False

 Directory looks like this:

 drwxrwxr-x  94 appsuser appsuser  20K 2010-06-02 14:32 apps

 Files inside of it have permissions similar to these:

 -rwxr-xr-x1 appsuser appsuser 424K 2009-10-01 15:54 AAUTOLN.DLL
 -rwxr-xr-x1 appsuser appsuser  894 2008-07-23 08:37
 Accounting.HSICTB

 Any clues?

Windows is a little bit different;
you should never use usergroups. Setting up a user appsuser and a group 
appsuser is not supported by Windows Server products and not supported 
by Samba Servers.


-- 

regards
Harry Jede


Re: [Samba] 3.4.0 Samba box w/ NT 4 PDC and Win 95 client

2010-06-06 Thread John Lawler
Thanks for the reply, Günter.  I should've mentioned that I had run 
across similar advice when trying to diagnose Samba problems with Win95 
login past version 3.0.x, but the reason this doesn't apply to me is 
that I don't have the users defined in native Unix at all -- they're all 
only defined on the NT 4 PDC (I have security = domain), so I don't 
think the pdbedit -Lw / smbpasswd advice applies to me (I ran pdbedit 
anyway, and confirmed there was only an entry for nobody).


So I don't think this has anything to do with how Samba is storing a 
password, it must have to do with how it's sending the authentication 
attempt through to the NT server which is different from how it used to 
in 3.0.x.  My goal is to determine whether there's a straightforward way 
(hopefully through smb.conf) that I can regain this old behavior for the 
sake of a couple of Win95 clients.


Thanks for taking the time to reply.

On 2010-06-05 22:51, Günter Kukkukk wrote:

On Sunday 06 June 2010 03:10:04 John Lawler wrote:
Hi John,

make sure that
 lanman auth = yes
is still set in your smb.conf.

As root run 'pdbedit -Lw' to list all configured samba users in the old ASCII 
smbpasswd format.

All users listed with _both_ the LANMAN and the NT hash have valid stored 
password hashes for the old legacy case and the newer ones - like:
linux:1003:D20B0D2670EBAAD3B435B4140475:B123AB4ECC88F8BBB126FF3A08D9C600:[U          ]:LCT-4B1ED764:
Those listed users should be able to logon.

In case you get user entries like
linux:1003:XX:B123664EC733B395A7260A3A08D9C699:[U          ]:LCT-4B1ED796:
the old LANMAN hash is no longer available and a legacy logon will fail.

What you can do:

1.) make sure, that lanman auth = yes is still set in your smb.conf
2.) for all your win95 client users listed as X 
above, you need to run (as root)
 smbpasswd username
 (or even smbpasswd -a username )
 You need to enter the users password twice as usual
This procedure will re-install the LANMAN hash again (and also the NT hash!)
3.) check again with 'pdbedit -Lw' that the LANMAN hash is now available 
for your win95 users

Please note, that setting lanman auth = yes implies a security problem.

Cheers, Günter

BTW - never ever post the above mentioned LANMAN and NT hashes to the public - they 
are like plaintext passwords (so my ones above are scrambled by intention)

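The three steps Günter describes (check "lanman auth", find the accounts whose LANMAN hash field is all X's in the `pdbedit -Lw` listing, re-run `smbpasswd` for them) can be scripted. The following is an added example written for this page, not code from the thread or from the Samba project. It assumes the ASCII smbpasswd layout `name:uid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx:` with a usable hash being exactly 32 hex digits, and the account flag letters D (disabled) and N (no password); the sample lines and hex strings are constructed and are not real hashes.

```shell
#!/bin/sh
# Added example, not from the thread: report Samba accounts whose stored
# LANMAN hash is missing, i.e. accounts that cannot log on from a Win95
# client even with "lanman auth = yes", and emit the smbpasswd commands
# that would re-create the hash. Reads the ASCII smbpasswd format that
# `pdbedit -Lw` prints:  name:uid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx:
# A usable hash field is exactly 32 hex digits; a missing LM hash shows
# up as 32 X characters, a passwordless account as "NO PASSWORD" + X's.

# Constructed sample lines; the hex strings are invented, not real hashes.
SAMPLE_PDBEDIT='linux:1003:D20B0D2670EBAAD3B435B4140475AAAA:B123AB4ECC88F8BBB126FF3A08D9C600:[U          ]:LCT-4B1ED764:
legacy:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:B123664EC733B395A7260A3A08D9C699:[U          ]:LCT-4B1ED796:
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:'

# Read smbpasswd-format lines on stdin; print one account name per line
# for every entry whose LANMAN field (field 3) is not 32 hex digits.
missing_lm_hash() {
    awk -F: '
        NF >= 4 && !(length($3) == 32 && $3 ~ /^[0-9A-Fa-f]+$/) { print $1 }
    '
}

# Same input; print the "smbpasswd <user>" command Günter recommends for
# each account lacking an LM hash, skipping accounts whose flags (field 5)
# contain D (disabled) or N (no password), which are not Win95 users.
smbpasswd_fixups() {
    awk -F: '
        NF >= 5 && !(length($3) == 32 && $3 ~ /^[0-9A-Fa-f]+$/) && $5 !~ /[DN]/ {
            printf "smbpasswd %s\n", $1
        }
    '
}

# Parse `testparm -sv` output on stdin and print the effective value of
# "lanman auth" (Yes/No), so step 1 of the procedure can be scripted too.
lanman_auth_value() {
    awk -F' = ' '$1 ~ /lanman auth$/ { print $2 }'
}

# Constructed fragment of `testparm -sv` output (assumed layout).
SAMPLE_TESTPARM='[global]
	lanman auth = No
	ntlm auth = Yes'

# Stand-alone run over the constructed samples. On a real server:
#   pdbedit -Lw | missing_lm_hash
#   pdbedit -Lw | smbpasswd_fixups
#   testparm -sv 2>/dev/null | lanman_auth_value
printf '%s\n' "$SAMPLE_PDBEDIT" | missing_lm_hash
printf '%s\n' "$SAMPLE_PDBEDIT" | smbpasswd_fixups
printf '%s\n' "$SAMPLE_TESTPARM" | lanman_auth_value
```

The script only reads the listing and prints commands; it never echoes the hash fields themselves, in keeping with Günter's warning that LANMAN and NT hashes are password equivalents. Run the emitted `smbpasswd` lines by hand so each user's password is entered interactively.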


[Samba] Windows 7 Home to Ubuntu 10.4 Samba 3.4.7 Access denied

2010-06-06 Thread Guy Rouillier
I have spent many hours researching and trying many different things, 
starting with this: http://wiki.samba.org/index.php/Windows7.  However, 
I still cannot get Windows 7 Home Premium to connect to a Samba share 
using user-based security.  XP works fine. I keep getting access denied. 
 Just this evening, I finally tried share level security, and both XP 
and 7 can connect to that, so I'm using that for now.


I actually found one setting in smb.conf that does allow Win 7 to 
connect using user-based security:


protocol = LANMAN2

But this causes more issues than it solves. With that set, *both* my XP 
and Win7 boxes behave very strangely (and wrongly), e.g., with the 
following 3 files on the Ubuntu box:


ActivePerl-5.10.1.1007-MSWin32-x86-291969.msi
ActivePython-2.6.5.12-win32-x86.msi
ActiveTcl8.6.0.0b2.291226-win32-ix86-threaded.exe

from either Win box, typing "a" or "A" and hitting the tab key just 
produces a beep. Typing "dir A*" lists one file and then "file not 
found". So, using that protocol is not an option.


The Ubuntu box is intended as a home-grown NAS, exporting a single 
share.  So I'm not using domain logons and I have browse = no.  After 
running through testparm, my smb.conf file looks like this:


[global]
workgroup = HOME
server string = %h server (Samba, Ubuntu)
interfaces = 127.0.0.0/8, eth0
bind interfaces only = Yes
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
load printers = No
dns proxy = No
usershare max shares = 0
panic action = /usr/share/samba/panic-action %d
valid users = %S

[data]
comment = Samba server's /data directory
path = /data
valid users = guyr
read only = No
locking = No

I'd appreciate any suggestions.  Thanks.

--
Guy Rouillier


Build status as of Sun Jun 6 06:00:01 2010

2010-06-06 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2010-06-05 
00:00:03.0 -0600
+++ /home/build/master/cache/broken_results.txt 2010-06-06 00:00:02.0 
-0600
@@ -1,4 +1,4 @@
-Build status as of Sat Jun  5 06:00:02 2010
+Build status as of Sun Jun  6 06:00:01 2010
 
 Build counts:
 Tree Total  Broken Panic 
@@ -9,7 +9,7 @@
 lorikeet 0  0  0 
 pidl 19 19 0 
 ppp  14 0  0 
-rsync30 11 0 
+rsync30 12 0 
 samba-docs   0  0  0 
 samba-web0  0  0 
 samba_3_current 28 27 4 


[SCM] Samba Shared Repository - branch master updated

2010-06-06 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  93db960... s4:samldb LDB module - this codepart isn't needed due to 
the objectclass LDB module
   via  df63b2c... s4:get_last_structural_class - only real structural 
classes can be candidates for fetching the last one
   via  ae9faaa... s4:ldap.py - enhance the RDN name test to show that 
invalid name attributes are allowed on add operations
   via  dd64b25... s4:rdn_name LDB module - use ldb_msg_remove_attr for 
deleting attributes
   via  430491b... s4:rdn_name LDB module - remove rdn_name_find_attribute
   via  cadf774... s4:dsdb/common/util.c - provide a better implementation 
of the samdb_msg_add_(add/del)val calls
   via  fa2a86e... ldb:ltdb_filter_attrs - fix a counter variable type
   via  f3f9106... s4:ldap_server/ldap_backend.c - send back also the 
extended error message if it exists
   via  45171d6... s4:ridalloc LDB module - add more talloc_frees where 
useful
   via  787a42e... s4:acl LDB module - fix counter types where appropriate
   via  fc037e0... s4:descriptor LDB module - cosmetic fixup
   via  2fbb8c0... s4:urgent_replication.py - specify the dnsRoot 
attribute which is requested on crossRef entries
   via  7896a35... s4:ldap.py - make sure that also the posixuser will be 
deleted on test breakages
   via  b8ea2e0... s4:provision - fix typo in substitution variable
  from  62e0a74... Fix a long-standing bug with async io that would only be 
triggered by SMB2.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 93db960fae43913a423fe1e35a60acf5ed0cc437
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Sun Jun 6 19:12:48 2010 +0200

s4:samldb LDB module - this codepart isn't needed due to the objectclass 
LDB module

When a computer entry will be added, also the inherited user 
objectclass is
going to be specified.

commit df63b2ca0e64897b18f8b6be8c31e16d62a96a30
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Fri Jun 4 21:10:41 2010 +0200

s4:get_last_structural_class - only real structural classes can be 
candidates for fetching the last one

Classes with objectCategory = 1 are always structural, these with
objectCategory = 0 also (as we can see in our Windows 2008 R2 schema file 
where
class Person has 0 but is structural).

Abstract classes and auxiliary ones cannot be considered (objectCategory = 
2, 3)

http://msdn.microsoft.com/en-us/library/ms677964(VS.85).aspx

commit ae9faaa89449cf25c2e5e8b51e64ceaacba01832
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Thu Jun 3 18:05:52 2010 +0200

s4:ldap.py - enhance the RDN name test to show that invalid name 
attributes are allowed on add operations

commit dd64b253fcd9013788093f6b98ebd14ef2308619
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Thu Jun 3 18:25:43 2010 +0200

s4:rdn_name LDB module - use ldb_msg_remove_attr for deleting attributes

commit 430491b2df9e3512a98a88aa279f04a91c12be92
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Thu Jun 3 17:56:09 2010 +0200

s4:rdn_name LDB module - remove rdn_name_find_attribute

It does exactly the same as ldb_msg_find_element.

commit cadf774f8b8af2aedcdd359acf51695e9f4b04db
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Mon May 31 14:52:46 2010 +0200

s4:dsdb/common/util.c - provide a better implementation of the 
samdb_msg_add_(add/del)val calls

This supports now also coexisting add and delete message elements with the
same attribute name.

commit fa2a86ec61a80f7fe85a2bb9668885a0b287afd6
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Thu Jun 3 18:37:15 2010 +0200

ldb:ltdb_filter_attrs - fix a counter variable type

commit f3f91063bd1f79c8734fa55e92392a8f30ec4144
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Sat Jun 5 14:33:52 2010 +0200

s4:ldap_server/ldap_backend.c - send back also the extended error message 
if it exists

This message often contains suggestions how to fix issues.

commit 45171d61083339a624a83a1412602475ce7978a6
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Sat Jun 5 17:45:51 2010 +0200

s4:ridalloc LDB module - add more talloc_frees where useful

Some were missing on failure return branches.

commit 787a42ef9972eca3f3889e2ad8b5e890b7c551fd
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Sat Jun 5 20:08:45 2010 +0200

s4:acl LDB module - fix counter types where appropriate

commit fc037e029e23aeaa8debe1c17cf81bd3a859ae4a
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Sat Jun 5 19:58:28 2010 +0200

s4:descriptor LDB module - cosmetic fixup

commit 2fbb8c08ef6042a7f479e3d9ef36ba7cc730de79
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Sun Jun 6 20:23:42 2010 +0200

s4:urgent_replication.py - specify the dnsRoot attribute which 

[SCM] Samba Shared Repository - branch master updated

2010-06-06 Thread Matthias Dieter Wallnöfer
The branch, master has been updated
   via  98b98a2... s4:password_hash LDB module - adapt the module to the 
new ldb_msg_remove_attr behaviour
   via  28cb883... ldb:ldb_msg_remove_attr - provide a better implementation
  from  93db960... s4:samldb LDB module - this codepart isn't needed due to 
the objectclass LDB module

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 98b98a29f6502422fb6e4bd8c16b5731e2c9c553
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Thu Jun 3 18:35:00 2010 +0200

s4:password_hash LDB module - adapt the module to the new 
ldb_msg_remove_attr behaviour

commit 28cb8839b75ed9a023a032c195469b61224fe688
Author: Matthias Dieter Wallnöfer m...@samba.org
Date:   Thu Jun 3 18:22:10 2010 +0200

ldb:ldb_msg_remove_attr - provide a better implementation

We can have some special (bad) messages which contain multiple message 
elements
for the same attribute. The AD password change ones are such an example.

---

Summary of changes:
 source4/dsdb/samdb/ldb_modules/password_hash.c |   23 ++-
 source4/lib/ldb/common/ldb_msg.c   |5 +++--
 2 files changed, 9 insertions(+), 19 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c 
b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 58ab6f7..1b0b490 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -2266,22 +2266,11 @@ static int password_hash_add_do_add(struct ph_context 
*ac)
return LDB_ERR_OPERATIONS_ERROR;
}
 
-   /* remove attributes that we just read into 'io' (handle also 
superfluous
-* password modify trials - multiple attributes with the same name -
-* on add operations) */
-   while (ldb_msg_find_element(msg, userPassword) != NULL) {
-   ldb_msg_remove_attr(msg, userPassword);
-   }
-   while (ldb_msg_find_element(msg, clearTextPassword) != NULL) {
-   ldb_msg_remove_attr(msg, clearTextPassword);
-   }
-   while (ldb_msg_find_element(msg, unicodePwd) != NULL) {
-   ldb_msg_remove_attr(msg, unicodePwd);
-   }
-   while (ldb_msg_find_element(msg, dBCSPwd) != NULL) {
-   ldb_msg_remove_attr(msg, dBCSPwd);
-   }
-
+   /* remove attributes that we just read into 'io' */
+   ldb_msg_remove_attr(msg, userPassword);
+   ldb_msg_remove_attr(msg, clearTextPassword);
+   ldb_msg_remove_attr(msg, unicodePwd);
+   ldb_msg_remove_attr(msg, dBCSPwd);
ldb_msg_remove_attr(msg, pwdLastSet);
 
ldb = ldb_module_get_ctx(ac-module);
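Review bot: the new block starting at `ldb_msg_remove_attr(msg, userPassword);` silently depends on ldb_msg_remove_attr now removing every element of that name, yet the comment that explained why the old code looped (the same password attribute can occur in several message elements on an add, i.e. superfluous password-modify attempts) is dropped. Keep that rationale in the comment, e.g. `/* remove all elements of the password attributes we just read into 'io'; they may occur more than once on add operations */`, and make sure this commit never lands without the ldb_msg.c change it relies on: against the old single-element ldb_msg_remove_attr, a duplicated userPassword or clearTextPassword element would stay in the message and be handed down the module stack.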
@@ -2452,7 +2441,7 @@ static int password_hash_modify(struct ldb_module 
*module, struct ldb_request *r
   *l);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
-   ldb_msg_remove_attr(msg, *l);
+   ldb_msg_remove_element(msg, passwordAttr);
}
}
if ((del_attr_cnt  0)  (add_attr_cnt == 0)) {
diff --git a/source4/lib/ldb/common/ldb_msg.c b/source4/lib/ldb/common/ldb_msg.c
index 59bd320..4d0149a 100644
--- a/source4/lib/ldb/common/ldb_msg.c
+++ b/source4/lib/ldb/common/ldb_msg.c
@@ -798,8 +798,9 @@ void ldb_msg_remove_element(struct ldb_message *msg, struct 
ldb_message_element
 */
 void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr)
 {
-   struct ldb_message_element *el = ldb_msg_find_element(msg, attr);
-   if (el) {
+   struct ldb_message_element *el;
+
+   while ((el = ldb_msg_find_element(msg, attr)) != NULL) {
ldb_msg_remove_element(msg, el);
}
 }
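Review bot: this changes the documented contract of ldb_msg_remove_attr from "remove the first element named attr" to "remove every element named attr", but the doc comment above the function (its closing `*/` is in the hunk context) is left untouched; update it to state the new behaviour, and note that the `while` loop terminates only because ldb_msg_remove_element really deletes the element that ldb_msg_find_element returned, otherwise it spins forever. Since the same push reworks rdn_name, password_hash and other modules to use this call, the remaining callers should be checked for any that intentionally removed just one of several same-named elements.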


-- 
Samba Shared Repository