[Samba] Can SAMBA work with 2008 R2 Read Only Domain controller
Hello,

We are planning to utilize Microsoft 2008 R2 Read Only Domain controller, and deploy RODC's in branches.

If I would like to have SAMBA servers in those branches, will I be able to add them to the domain (using net ads join) and work with them, when using the RODC's as domain controllers configured in my smb.conf krb5.conf?

I have looked around and did not find any documentation for SAMBA supporting / not supporting this. I have done some testing and failed (I got Failed to join domain: failed to connect to AD: Decrypt integrity check failed Ok from the net ads join command), before investing more time in troubleshooting I hoped that someone could assist and tell me if such a configuration is possible. If this is not possible, it would be great to know why.

Best Regards,
Hagai
Re: [Samba] Can SAMBA work with 2008 R2 Read Only Domain controller
Hi,

Have you read http://wiki.samba.org/index.php/Samba4_joining_a_domain ?
# Samba4 joining a domain as a RODC

HTH

Regards,
Serge Fonville

On Sun, Jun 6, 2010 at 5:12 PM, hagai yaffe hag...@yahoo.com wrote:
> Hello,
>
> We are planning to utilize Microsoft 2008 R2 Read Only Domain controller, and deploy RODC's in branches.
>
> If I would like to have SAMBA servers in those branches, will I be able to add them to the domain (using net ads join) and work with them, when using the RODC's as domain controllers configured in my smb.conf krb5.conf?
>
> I have looked around and did not find any documentation for SAMBA supporting / not supporting this. I have done some testing and failed (I got Failed to join domain: failed to connect to AD: Decrypt integrity check failed Ok from the net ads join command), before investing more time in troubleshooting I hoped that someone could assist and tell me if such a configuration is possible. If this is not possible, it would be great to know why.
>
> Best Regards,
> Hagai

--
http://www.sergefonville.nl
Convince Google!! They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=enanswer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923hl=en
Re: [Samba] File permissions
On Thursday, 3 June 2010 Steve Wolfe wrote:
> Samba 3.4.7-58.fc12, windows 7 client.
>
> I have a share where, if I right-click and chose properties, everything shows up as read only. I can un-check that, hit apply, and if I view the properties again, they are read only. Interestingly enough, I can go in and create files, modify files, rename files, delete files, etc.. However, some of the users' software checks for read-only status, and is throwing errors.
>
> Here's the smb.conf section:
>
>   [Apps]
>   path=/home/apps
>   force user=appsuser
>   force group=appsuser
>   read only=no
>   writeable=yes
>   oplocks = False
>   level2 oplocks = False
>
> Directory looks like this:
>
>   drwxrwxr-x 94 appsuser appsuser 20K 2010-06-02 14:32 apps
>
> Files inside of it have permissions similar to these:
>
>   -rwxr-xr-x 1 appsuser appsuser 424K 2009-10-01 15:54 AAUTOLN.DLL
>   -rwxr-xr-x 1 appsuser appsuser 894 2008-07-23 08:37 Accounting.HSICTB
>
> Any clues?

Windows is a little bit different; you should never use usergroups. Setting up a user appsuser and a group appsuser is not supported by Windows Server products and not supported by Samba Servers.

--
regards
Harry Jede
Re: [Samba] 3.4.0 Samba box w/ NT 4 PDC and Win 95 client
Thanks for the reply, Günter.

I should've mentioned that I had run across similar advice when trying to diagnose Samba problems with Win95 login past version 3.0.x, but the reason this doesn't apply to me is that I don't have the users defined in native Unix at all -- they're all only defined on the NT 4 PDC (I have security = domain), so I don't think the pdbedit -Lw / smbpasswd advice applies to me (I run pdbedit anyway, and confirmed there was only an entry for nobody).

So I don't think this has anything to do with how Samba is storing a password, it must have to do with how it's sending the authentication attempt through to the NT server which is different from how it used to in 3.0.x. My goal is to determine whether there's a straightforward way (hopefully through smb.conf) that I can regain this old behavior for the sake of a couple of Win95 clients.

Thanks for taking the time to reply.

On 2010-06-05 22:51, Günter Kukkukk wrote:
> On Sunday 06 June 2010 03:10:04 John Lawler wrote:
>
> Hi John,
>
> make sure that lanman auth = yes is still set in your smb.conf.
>
> As root run 'pdbedit -Lw' to list all configured samba users in the old ASCII smbpasswd format. All users listed with _both_ the LANMAN and the NT hash have valid stored password hashes for the old legacy case and the newer ones - like:
>
>   linux:1003:D20B0D2670EBAAD3B435B4140475:B123AB4ECC88F8BBB126FF3A08D9C600:[U ]:LCT-4B1ED764:
>
> Those listed users should be able to logon.
>
> In case you get user entries like
>
>   linux:1003:XX:B123664EC733B395A7260A3A08D9C699:[U ]:LCT-4B1ED796:
>
> the old LANMAN hash is no longer available and a legacy logon will fail.
>
> What you can do:
>
> 1.) make sure, that lanman auth = yes is still set in your smb.conf
> 2.) for all your win95 client users listed as X above, you need to run (as root)
>       smbpasswd username (or even smbpasswd -a username )
>     You need to enter the users password twice as usual
>     This procedure will re-install the LANMAN hash again (and also the NT hash!)
> 3.) check again with 'pdbedit -Lw' that the LANMAN hash is available now for your win95 users
>
> Please note, that setting lanman auth = yes implies a security problem.
>
> Cheers, Günter
>
> BTW - never ever post above mentioned LANMAN and NT hashes to the public - they are like plaintext passwords (so my ones above are scrambled by intention)
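
The 'pdbedit -Lw' check from the quoted procedure, scripted so the accounts with and without a stored LANMAN hash can be listed in one pass. This is an added example, not part of the original posts or of Samba; the function names are hypothetical, and it assumes the smbpasswd layout user:uid:LANMAN:NT:[flags]:LCT-...: with 32 hex characters for a stored hash and a run of X for an unset one.

```shell
#!/bin/sh
# Added example: classify smbpasswd-format lines (as printed by `pdbedit -Lw`)
# by the state of the LANMAN field (third colon-separated field).

# Reads smbpasswd-format lines on stdin, prints "user: state" per account.
lanman_report() {
    awk -F: '
        NF < 4 { next }   # skip blank or malformed lines
        {
            lm = $3
            if (lm ~ /^[0-9A-Fa-f]+$/ && length(lm) == 32) state = "lanman-present"
            else if (lm ~ /^NO PASSWORD/)                  state = "no-password"
            else if (lm ~ /^X+$/)                          state = "lanman-missing"
            else                                           state = "unparsed"
            print $1 ": " state
        }'
}

# Prints only the account names that have no LANMAN hash stored,
# i.e. the ones for which a legacy (Win95) logon would fail.
lanman_missing_users() {
    lanman_report | awk -F': ' '$2 == "lanman-missing" { print $1 }'
}

# Constructed sample input; the hash fields are placeholders, not real hashes.
sample_pdbedit_output() {
    cat <<'EOF'
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
EOF
}

# Demo on the constructed sample. On a real server, as root:
#   pdbedit -Lw | lanman_report
sample_pdbedit_output | lanman_report
```

Only the account name and the state are printed, never the hash fields, so the report can be shared without exposing the values the post warns about.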
[Samba] Windows 7 Home to Ubuntu 10.4 Samba 3.4.7 Access denied
I have spent many hours researching and trying many different things, starting with this: http://wiki.samba.org/index.php/Windows7. However, I still cannot get Windows 7 Home Premium to connect to a Samba share using user-based security. XP works fine. I keep getting access denied. Just this evening, I finally tried share level security, and both XP and 7 can connect to that, so I'm using that for now.

I actually found one setting in smb.conf that does allow Win 7 to connect using user-based security:

  protocol = LANMAN2

But this causes more issues than it solves. With that set, *both* my XP and Win7 boxes behave very strangely (and wrongly), e.g., with the following 3 files on the Ubuntu box:

  ActivePerl-5.10.1.1007-MSWin32-x86-291969.msi
  ActivePython-2.6.5.12-win32-x86.msi
  ActiveTcl8.6.0.0b2.291226-win32-ix86-threaded.exe

from either Win box, typing a or A and hitting the tab key just produces a beep. Typing dir A* lists one file and then file not found. So, using that protocol is not an option.

The Ubuntu box is intended as a home-grown NAS, exporting a single share. So I'm not using domain logons and I have browse = no. After running through testparm, my smb.conf file looks like this:

  [global]
  workgroup = HOME
  server string = %h server (Samba, Ubuntu)
  interfaces = 127.0.0.0/8, eth0
  bind interfaces only = Yes
  map to guest = Bad User
  obey pam restrictions = Yes
  pam password change = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  unix password sync = Yes
  syslog = 0
  log file = /var/log/samba/log.%m
  max log size = 1000
  load printers = No
  dns proxy = No
  usershare max shares = 0
  panic action = /usr/share/samba/panic-action %d
  valid users = %S

  [data]
  comment = Samba server's /data directory
  path = /data
  valid users = guyr
  read only = No
  locking = No

I'd appreciate any suggestions. Thanks.

--
Guy Rouillier
Build status as of Sun Jun 6 06:00:01 2010
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2010-06-05 00:00:03.0 -0600 +++ /home/build/master/cache/broken_results.txt 2010-06-06 00:00:02.0 -0600 @@ -1,4 +1,4 @@ -Build status as of Sat Jun 5 06:00:02 2010 +Build status as of Sun Jun 6 06:00:01 2010 Build counts: Tree Total Broken Panic @@ -9,7 +9,7 @@ lorikeet 0 0 0 pidl 19 19 0 ppp 14 0 0 -rsync30 11 0 +rsync30 12 0 samba-docs 0 0 0 samba-web0 0 0 samba_3_current 28 27 4
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 93db960... s4:samldb LDB module - this codepart isn't needed due to the objectclass LDB module
  via df63b2c... s4:get_last_structural_class - only real structural classes can be candidates for fetching the last one
  via ae9faaa... s4:ldap.py - enhance the RDN name test to show that invalid name attributes are allowed on add operations
  via dd64b25... s4:rdn_name LDB module - use ldb_msg_remove_attr for deleting attributes
  via 430491b... s4:rdn_name LDB module - remove rdn_name_find_attribute
  via cadf774... s4:dsdb/common/util.c - provide a better implementation of the samdb_msg_add_(add/del)val calls
  via fa2a86e... ldb:ltdb_filter_attrs - fix a counter variable type
  via f3f9106... s4:ldap_server/ldap_backend.c - send back also the extended error message if it exists
  via 45171d6... s4:ridalloc LDB module - add more talloc_frees where useful
  via 787a42e... s4:acl LDB module - fix counter types where appropriate
  via fc037e0... s4:descriptor LDB module - cosmetic fixup
  via 2fbb8c0... s4:urgent_replication.py - specify the dnsRoot attribute which is requested on crossRef entries
  via 7896a35... s4:ldap.py - make sure that also the posixuser will be deleted on test breakages
  via b8ea2e0... s4:provision - fix typo in substitution variable
  from 62e0a74... Fix a long-standing bug with async io that would only be triggered by SMB2.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 93db960fae43913a423fe1e35a60acf5ed0cc437
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Sun Jun 6 19:12:48 2010 +0200

    s4:samldb LDB module - this codepart isn't needed due to the objectclass LDB module

    When a computer entry will be added, also the inherited user objectclass is going to be specified.

commit df63b2ca0e64897b18f8b6be8c31e16d62a96a30
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Fri Jun 4 21:10:41 2010 +0200

    s4:get_last_structural_class - only real structural classes can be candidates for fetching the last one

    Classes with objectCategory = 1 are always structural, these with objectCategory = 0 also (as we can see in our Windows 2008 R2 schema file where class Person has 0 but is structural). Abstract classes and auxiliary ones cannot be considered (objectCategory = 2, 3)

    http://msdn.microsoft.com/en-us/library/ms677964(VS.85).aspx

commit ae9faaa89449cf25c2e5e8b51e64ceaacba01832
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Thu Jun 3 18:05:52 2010 +0200

    s4:ldap.py - enhance the RDN name test to show that invalid name attributes are allowed on add operations

commit dd64b253fcd9013788093f6b98ebd14ef2308619
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Thu Jun 3 18:25:43 2010 +0200

    s4:rdn_name LDB module - use ldb_msg_remove_attr for deleting attributes

commit 430491b2df9e3512a98a88aa279f04a91c12be92
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Thu Jun 3 17:56:09 2010 +0200

    s4:rdn_name LDB module - remove rdn_name_find_attribute

    It does exactly the same as ldb_msg_find_element.

commit cadf774f8b8af2aedcdd359acf51695e9f4b04db
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Mon May 31 14:52:46 2010 +0200

    s4:dsdb/common/util.c - provide a better implementation of the samdb_msg_add_(add/del)val calls

    This supports now also coexisting add and delete message elements with the same attribute name.

commit fa2a86ec61a80f7fe85a2bb9668885a0b287afd6
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Thu Jun 3 18:37:15 2010 +0200

    ldb:ltdb_filter_attrs - fix a counter variable type

commit f3f91063bd1f79c8734fa55e92392a8f30ec4144
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Sat Jun 5 14:33:52 2010 +0200

    s4:ldap_server/ldap_backend.c - send back also the extended error message if it exists

    This message often contains suggestions how to fix issues.

commit 45171d61083339a624a83a1412602475ce7978a6
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Sat Jun 5 17:45:51 2010 +0200

    s4:ridalloc LDB module - add more talloc_frees where useful

    Some were missing on failure return branches.

commit 787a42ef9972eca3f3889e2ad8b5e890b7c551fd
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Sat Jun 5 20:08:45 2010 +0200

    s4:acl LDB module - fix counter types where appropriate

commit fc037e029e23aeaa8debe1c17cf81bd3a859ae4a
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Sat Jun 5 19:58:28 2010 +0200

    s4:descriptor LDB module - cosmetic fixup

commit 2fbb8c08ef6042a7f479e3d9ef36ba7cc730de79
Author: Matthias Dieter Wallnöfer m...@samba.org
Date: Sun Jun 6 20:23:42 2010 +0200

    s4:urgent_replication.py - specify the dnsRoot attribute which
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 98b98a2... s4:password_hash LDB module - adapt the module to the new ldb_msg_remove_attr behaviour via 28cb883... ldb:ldb_msg_remove_attr - provide a better implementation from 93db960... s4:samldb LDB module - this codepart isn't needed due to the objectclass LDB module http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 98b98a29f6502422fb6e4bd8c16b5731e2c9c553 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Thu Jun 3 18:35:00 2010 +0200 s4:password_hash LDB module - adapt the module to the new ldb_msg_remove_attr behaviour commit 28cb8839b75ed9a023a032c195469b61224fe688 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Thu Jun 3 18:22:10 2010 +0200 ldb:ldb_msg_remove_attr - provide a better implementation We can have some special (bad) messages which contain multiple message elements for the same attribute. The AD password change ones are such an example. --- Summary of changes: source4/dsdb/samdb/ldb_modules/password_hash.c | 23 ++- source4/lib/ldb/common/ldb_msg.c |5 +++-- 2 files changed, 9 insertions(+), 19 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 58ab6f7..1b0b490 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c 
@@ -2266,22 +2266,11 @@ static int password_hash_add_do_add(struct ph_context *ac) return LDB_ERR_OPERATIONS_ERROR; } - /* remove attributes that we just read into 'io' (handle also superfluous -* password modify trials - multiple attributes with the same name - -* on add operations) */ - while (ldb_msg_find_element(msg, userPassword) != NULL) { - ldb_msg_remove_attr(msg, userPassword); - } - while (ldb_msg_find_element(msg, clearTextPassword) != NULL) { - ldb_msg_remove_attr(msg, clearTextPassword); - } - while (ldb_msg_find_element(msg, unicodePwd) != NULL) { - ldb_msg_remove_attr(msg, unicodePwd); - } - while (ldb_msg_find_element(msg, dBCSPwd) != NULL) { - ldb_msg_remove_attr(msg, dBCSPwd); - } - + /* remove attributes that we just read into 'io' */ + ldb_msg_remove_attr(msg, userPassword); + ldb_msg_remove_attr(msg, clearTextPassword); + ldb_msg_remove_attr(msg, unicodePwd); + ldb_msg_remove_attr(msg, dBCSPwd); ldb_msg_remove_attr(msg, pwdLastSet); ldb = ldb_module_get_ctx(ac-module); @@ -2452,7 +2441,7 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r *l); return LDB_ERR_CONSTRAINT_VIOLATION; } - ldb_msg_remove_attr(msg, *l); + ldb_msg_remove_element(msg, passwordAttr); } } if ((del_attr_cnt 0) (add_attr_cnt == 0)) { diff --git a/source4/lib/ldb/common/ldb_msg.c b/source4/lib/ldb/common/ldb_msg.c index 59bd320..4d0149a 100644 --- a/source4/lib/ldb/common/ldb_msg.c +++ b/source4/lib/ldb/common/ldb_msg.c @@ -798,8 +798,9 @@ void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element */ void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr) { - struct ldb_message_element *el = ldb_msg_find_element(msg, attr); - if (el) { + struct ldb_message_element *el; + + while ((el = ldb_msg_find_element(msg, attr)) != NULL) { ldb_msg_remove_element(msg, el); } } -- Samba Shared Repository
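
Review bot: In the password_hash_add_do_add hunk (password_hash.c, at -2266), the single ldb_msg_remove_attr calls for userPassword, clearTextPassword, unicodePwd and dBCSPwd are only equivalent to the removed while loops once ldb_msg_remove_attr itself removes every element with that name, which is what the ldb_msg.c hunk in this same push introduces, yet the replacement comment drops the explanation that add requests can carry several elements with the same attribute name. Suggest keeping that reasoning in the comment and stating that ldb_msg_remove_attr removes all matching elements, so the dependency between the two commits is visible at the call site; against an ldb without the loop, duplicate password elements would be left in msg.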
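
Review bot: In the password_hash_modify hunk (password_hash.c, at -2452), the call changes from ldb_msg_remove_attr(msg, *l) to ldb_msg_remove_element(msg, passwordAttr), but the visible context does not show where passwordAttr is assigned or that it is non-NULL and points into msg for the attribute *l of the current iteration. ldb_msg_remove_element takes an element pointer rather than a name, so a stale or NULL pointer here is no longer a harmless no-op. Please confirm it is looked up from msg for this *l before the call, and add a short comment on why only this one element, and not every element named *l, has to be removed at this point.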
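
Review bot: In the ldb_msg_remove_attr hunk (source4/lib/ldb/common/ldb_msg.c, at -798), the function now removes every element named attr instead of only the first one, but the comment block that ends just above the function is not touched. This changes behaviour for every caller of the function, so the comment should say that all elements with the given name are removed. It is also worth noting there that the while loop terminates only because ldb_msg_remove_element takes el out of msg on each pass, so ldb_msg_find_element eventually returns NULL.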