Re: [Samba] two PDCs

2010-07-12 Thread Tamás Pisch
 I have a PDC with a master LDAP backend and a BDC with a slave LDAP backend
 (both are Samba 3.2 on Debian Lenny). I want to install an additional Samba
 server on another site (on Debian Squeeze). The two sites are connected
 with VPN (on not so reliable ADSL lines). I read an interesting network
 scenario in the Samba Guide chapter 6: theoretically it is possible to
 install one PDC on both sites, with the same domain, server name, and SID. I
 like this idea, but: is there anyone who has tried that, has experience with
 it?

 No, but your best option is to simply use LDAP replication and install an
 LDAP server on the remote location server.  This way, auth traffic on the
 remote is always local (saving bandwidth) and is available regardless of the
 link being up or down.  Do the same with DNS, and you'll be quite happy with
 the results as will your users.

 Thanks. Of course, local LDAP and DNS are fundamental. My problem is the
modifications (user and machine account passwords). They are written to the
master LDAP server. As Scott wrote me, I could set up multi-master
replication, but it is very hard.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] WG: Cross subnet browsing + OpenVPN

2010-07-12 Thread Daniel Müller
Hi,
Robert Schetterer is right. You will succeed in the end with tap bridging.
Bridging lets NetBIOS reach through.
I did this with two XP clients, 2 NICs each, building a bridge on each:
Both the remote and the local clients must be in the same subnet.

My openvpn.conf:


Client or server

dev tap
dev-node TAB
proto udp

remote  1194

resolv-retry infinite

ca C:\\ca.crt
cert C:\\client1.crt
key C:\\client1.key
ns-cert-type server
verb 6

# Silence repeating messages
script-security 2
comp-lzo
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-tun
persist-key
route-delay 10


On CENTOS look here:
http://csmorley.spaces.live.com/blog/cns!990C0A249621766!184.entry

Greetings




---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Robert Schetterer
Sent: Friday, 9 July 2010 17:26
To: t...@tms3.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] Cross subnet browsing + OpenVPN

On 09.07.2010 14:42, t...@tms3.com wrote:
 
 
 
 --- Original message ---
 *Subject:* Re: [Samba] Cross subnet browsing + OpenVPN
 *From:* Robert Schetterer rob...@schetterer.org
 *To:* samba@lists.samba.org
 *Date:* Friday, 09/07/2010 3:05 AM

 On 09.07.2010 11:37, Julian Pilfold-Bagwell wrote:
 Sorry about the delay, family emergency to deal with.
 browse sync shares the info across them. I tried putting the specific
 IP addresses of the local master browsers into the browse sync but it
 still doesn't seem to spread everything across all the subnets.

 you should use tap interfaces with openvpn
 This is a matter of network design, and has nothing to do whatsoever
 with the issue at hand.  Further:

I used Samba with subnet browsing years ago.
It didn't work with tun interfaces; it had to be tap interfaces,
plus the right Samba setup.
Times may have changed, Samba and OpenVPN changed,
but simply trying it costs nothing.


my setup was


bdc--internalnet--firewall--(tunnel)--firewall--internalnet--pdc

I had Samba on the firewalls bound to the tap tunnel interfaces
as a WINS proxy.
The PDC was the WINS server, the BDC a WINS proxy which directed browsing to
the PDC; all clients got well-configured parameters via DHCP.
In addition there was a working DNS which matched WINS dynamically.

Anyway, times may change, and there are better solutions now,
but this one worked stable and robust.

Read the Samba FAQs on WINS and subnet browsing etc.


good luck



 
 
   Server configuration file
 
  dev tun
  ifconfig 10.8.0.1 10.8.0.2
  secret static.key
 
 
   Client configuration file
 
  remote myremote.mydomain
  dev tun
  ifconfig 10.8.0.2 10.8.0.1
  secret static.key
 
 
 From:
 

http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
 
 Which makes for a nice network to network setup for two locations
 connected via a wan link.
 
  Why not shift the discussion to whether we should use IPSEC and racoon
 instead of OpenVPN, or perhaps we should scrap all that and argue that
 he should be using Cisco vpn gateways altogether?
 
 GUH!
 
 

 From what I understand, the remote announce tells the WINS server to
 broadcast across the remote subnets and remote

 On 06/07/10 13:50, t...@tms3.com wrote:


 SNIP

 Hi All,

  I'm having a problem with cross subnet browsing and name resolution
  across
  an openvpn tunnel. I've found quite a few people who've had the same
on
  mailing lists but none of their fixes have worked. The specs of the
  setups at
  both ends of the tunnel are as follows:
remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
 remote browse sync = 192.168.1.255 192.168.2.255

 This looks odd to me.

 remote announce = wins server ip/DOMNAME
 remote browse sync = wins server ip

 NEEDED in both smb.conf

 wins server = wins server ip

 Can't remember default for this setting so

 enhanced browsing = Yes

 in both smb.conf


 DHCP should point clients to headoffice for WINS. WINS proxy is not
 useful.


 OS - CentOS 5.5
 Samba Version 3.5.4
 OpenVPN Version 2.0.9-1

 Each server is configured in gateway mode with two NICS, one to the
lan
 and the other to a modem/router. The first machine, HEADOFFICE, has an
 internal IP address of
 192.168.0.1 and an external of 192.168.10.4. The second machine,
 REMOTE1,
 has an internal address of 192.168.1.254 and an external of
 192.168.20.4.

 On openVPN, I have configured client to client and routes and
 iroutes to
 allow machines on each network to ping machines at the other end as
 well
 as the server IP's.
 So far so good and I can ping any machine on either subnet from
 anywhere
 and get a reply. The servers are 

Re: [Samba] two PDCs

2010-07-12 Thread Tamás Pisch
2010/7/9 Scott Grizzard sc...@scottgrizzard.com

Thank you for your detailed answer.

If I recall
 correctly, I think Chapter 6 refers to running BDC's in each remote
 office, and only one PDC...


In that chapter, there are two scenarios (one domain in all branches, or
separate domains with reduced traffic), and one more scenario mentioned as a
possible alternative with multiple PDCs:
"When Samba-3 is configured to use an LDAP backend, it stores the domain
account information in a directory entry. This account entry contains the
domain SID. An unintended but exploitable side effect is that this makes it
possible to operate with more than one PDC on a distributed network.
...
This concept has not been exhaustively validated, though we can see no
reason why this should not work..."


 I found it is much easier to set up two separate domains and have them
 trust each other, using different branches of the same LDAP tree.
 Then, let one server write to one branch, the other server write to
 the other branch, and do multi-master replication between them.  That
 way, there is no worrying about simultaneous updates or any of that
 jazz.  Not as cool...or as elegant, but it made my life easier by
 isolating problems.


Of course, my users only visited each others' offices occasionally.
 If you have tons of movement between the offices, a one-domain
 solution may be forced upon you...

 Unfortunately, a lot of users are roaming users (teachers with laptops, and
users). My plan is that I will set up separate profile shares on both sides,
but at least they can use their own username and even change their password.
So, I would like to try the multi-PDC scenario with master and slave LDAP
servers, but I worry a little.

 I have a PDC with a master LDAP backend and a BDC with a slave LDAP backend
 (both are Samba 3.2 on Debian Lenny). I want to install an additional
 Samba
 server on another site (on Debian Squeeze). The two sites are
connected
 with VPN (on not so reliable ADSL lines). I read an interesting network
 scenario in the Samba Guide chapter 6: theoretically it is possible to
 install one PDC on both sites, with the same domain, server name, and
SID.
 I
 like this idea, but: is there anyone who has tried that, has experience
with
 it?



Re: [Samba] two PDCs

2010-07-12 Thread Scott Grizzard
 Of course, my users only visited each others' offices occasionally.
 If you have tons of movement between the offices, a one-domain
 solution may be forced upon you...

 Unfortunately, a lot of users are roaming users (teachers with laptop, and
 users). My plan is that I will set up separate profile shares on both side,
 but at least they can use their own username and even change their password.
 So, I would like to try the multi-PDC scenario with master and slave LDAP
 server, but I worry about a little.


How are you intending to keep roaming profiles in sync (the files on
the server, not the stuff in LDAP)?  Are you going to use rsync?


Scott Grizzard
sc...@scottgrizzard.com
http://www.ScottGrizzard.com


Re: [Samba] two PDCs

2010-07-12 Thread Tamás Pisch
2010/7/12 Scott Grizzard sc...@scottgrizzard.com

  Of course, my users only visited each others' offices occasionally.
  If you have tons of movement between the offices, a one-domain
  solution may be forced upon you...
 
  Unfortunately, a lot of users are roaming users (teachers with laptop,
 and
  users). My plan is that I will set up separate profile shares on both
 side,
  but at least they can use their own username and even change their
 password.
  So, I would like to try the multi-PDC scenario with master and slave LDAP
  server, but I worry about a little.
 

 How are you intending to keep roaming profiles in sync (the files on
 the server, not the stuff in LDAP)?  Are you going to use rsync?

 No, it won't be a 100% solution: the profiles will be independent (but it
will be progress, compared with the present situation: now, there is a
workgroup there, and no central server...). For laptop users it won't be a
problem: Windows syncs the locally stored profile to the server. For others,
it will be a little uncomfortable: they will have two different profiles.
The Samba examples deal with relatively small profiles, but here there are bigger
profiles: 30-100MB, and even bigger for teachers. I excluded only the
Documents folder from the profile dir.


[Samba] Load schema into Samba4 Ldap

2010-07-12 Thread Markus Bajones
Hi all,

can somebody tell me if it is possible to load an additional schema into
Samba4's internal ldap server and how to do this.

I want to be able to replace my openldap server and store users account
information with the nis.schema .

Thanks.

Markus





Re: [Samba] Using +group in valid users is not working

2010-07-12 Thread Björn Jacke
On 2010-07-12 at 14:19 +1000 Lee, Andrien sent off:
 I have included a level 3 log from log.smbd up to the first rejection, along 
 with the relevant smb.conf info that I am aware of.  The log is for a 
 connection to a share with valid users = @payoff, where bbancroft is a 
 member of the payoff group.

make sure you don't run into the 16/32 groups-per-user limitation of Solaris and
also make sure to use @DOMAIN\group instead of @group.

Cheers
Björn
-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


[Samba] Samba4 and DNS

2010-07-12 Thread Alex Waite

Hey Everyone,
I've been reading through the Samba4 docs, but I am a bit confused, 
so please forgive me if I have missed anything obvious.
I am trying to setup Samba4 as a Domain Controller for our 
department.  We do not control our DNS; that is done through campus IT. 
 All of our workstations (soon to be members of the domain) already 
have entries in campus DNS.  If I were to submit the contents of the 
/usr/local/samba/private/dns/ folder (generated by Samba4's provision 
step) to Campus IT, would that work?  Would I be missing out on anything 
by not running my own DNS server?
I've read about the dynamic changes made to DNS by Samba4, but I 
don't know if I need that if my clients already would have entries in DNS.

Thank you for your time; I appreciate it.

---Alex


Re: [Samba] Windows 7 RC

2010-07-12 Thread OddieX

Hey guys, the solution for this problem is:

In smb.conf add the following lines:

client ntlmv2 auth = yes
wins support = Yes
wins proxy = No
lanman auth = yes
ntlm auth = Yes

And restart samba


On Windows 7 or Windows 2008, edit the registry and add (or copy and
paste this script and execute it):


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
"EnableSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"RequireStrongKey"=dword:00000001
"RequireSignOrSeal"=dword:00000001
"SealSecureChannel"=dword:00000001
"SignSecureChannel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"NV Domain"="domain.local"
"ICSDomain"="mshome.net"
"QualifyingDestinationThreshold"=dword:00000003

With my Samba version 3.3.10 this solution works!

Greetings


Re: [Samba] security = SHARE

2010-07-12 Thread George.Yao


I also encountered this problem:
user security mode works fine, but at share security level
it always returns NT_STATUS_WRONG_PASSWORD.

Is security = SHARE deprecated on Samba 3.4?
Can anybody give some advice?

Thanks.


[Samba] Cross subnet browsing + vpn

2010-07-12 Thread jpb
Hi All,

I'm having a problem with cross subnet browsing and name resolution across
an openvpn tunnel. I've found quite a few people who've had the same on
mailing lists but none of their fixes have worked. The specs of the setups at
both ends of the tunnel are as follows:

OS - CentOS 5.5
Samba Version 3.5.4
OpenVPN Version 2.0.9-1

Each server is configured in gateway mode with two NICs, one to the LAN
and the other to a modem/router.  The first machine, HEADOFFICE, has an
internal IP address of 192.168.0.1 and an external of 192.168.10.4.  The
second machine, REMOTE1, has an internal address of 192.168.1.254 and an
external of 192.168.20.4.

On OpenVPN, I have configured client-to-client and routes and iroutes to
allow machines on each network to ping machines at the other end as well
as the server IPs.
So far so good and I can ping any machine on either subnet from anywhere
and get a reply.  The servers are configured as Samba servers with the
HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1
machine configured as a BDC and WINS proxy.  In order to maintain logon
facilities in the event of broadband failure, I have replicated the LDAP
server from HEADOFFICE to REMOTE1 and updates and password changes
propagate successfully from one site to the other.

If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works
perfectly but trying to access REMOTE1 from HEADOFFICE and its subnet
fails on name resolution, while entering \\192.168.1.254\ brings up
Windows Explorer and a list of shares.

I've included the remote browse entries in smb.conf on the PDC and have
WINS proxying set up on the BDC but I can't get it to push REMOTE1's IP
back to the WINS server.
Port scanning the internal IP of each machine from the other end of the
tunnel returns a full set of open ports for the services I'm using but no
IP.

If anyone can spot what I'm doing wrong I'd be grateful.

Thanks.

 smb.conf - HEADOFFICE
###  Included 2nd subnet for second remote site in browse sync

[global]
workgroup = NEWDOM
netbios name = HEADOFFICE
security = user
enable privileges = yes
interfaces = 192.168.0.1 127.0.0.1
#   hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
194.168.2.0/255.255.255.0 127.0.0.1
remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
remote browse sync = 192.168.1.255 192.168.2.255
wins support = yes
name resolve order = wins hosts bcast
username map = /etc/samba/smbusers
server string = Samba Server %v
encrypt passwords = Yes
ldap ssl = no
unix password sync = yes
ldap passwd sync = no
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = Changing *\nNew password* %n\n *Retype new
password* %n\n

#public = yes
#browseable = yes
#lm announce = yes
#browse list = yes
#auto services = yes

log level = 3
syslog = 0
log file = /var/log/samba/log.%U
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

local master = Yes
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes

passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=newdom,dc=ldm
ldap suffix = dc=newdom,dc=ldm
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap

add user script = /usr/sbin/smbldap-useradd -m %u
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel %u
add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
add group script = /usr/sbin/smbldap-groupadd -p %g
#delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u
%g
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

[shared]
comment = shared directory
path = /dat
browseable = yes
read only = no
create mask = 0660
directory mask = 0770


 smb.conf - REMOTE1   #

[global]
workgroup = NEWDOM
netbios name = REMOTE1
security = user
enable privileges = yes
interfaces = 192.168.1.254 127.0.0.1
#hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
10.8.0.0/24 127.0.0.1
wins server = 192.168.0.1
wins proxy = yes
username map = /etc/samba/smbusers
name resolve order  = wins bcast hosts
server string = Samba Server 

[Samba] tree connect failed: NT_STATUS_BAD_NETWORK_NAME

2010-07-12 Thread murat can tuna


Hi all,

I have deleted and reinstalled samba 3.4.0 and then I got a failure when starting
samba. I guess that was because of a missing smb.conf (I had deleted it
manually and it didn't install it back).
Then I decided to install samba4, which gave me the same failure, so I
installed samba 3.4.0 again and I found an smb.conf file in
/usr/share/doc/samba-doc/examples/smb.conf.default.gz,
then I copied it into /etc/samba. Afterwards I didn't get the same failure, but
whenever I try  smbclient -L localhost -U%  I get the following error:

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.0.0alpha9-GIT-27087e6]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

I guess "Samba 4.0.0alpha9-GIT-27087e6" means there are still some samba4
files that affect the system, but I have deleted it. Can you please help me?

Thanks in Advance

Murat Can Tuna


[Samba] Can't mount samba drive or join domain with W2K3 server

2010-07-12 Thread Enki Li (Inspur Worldwide Services Ltd)
Hi, I have some questions about the same issue as in [Can't mount samba drive
or join domain with W2K3 server].

On my computer my samba version is 3.0.4.

And  kinit administra...@domain  passes.

But when I input:
net rpc join -S domain name -U administrator

there is an error message:
rpc_client/cli_netlogon.c:cli_nt_setup_creds(249) cli_net_setup_creds: request
challenge failed

When I enter the password, there is an error message:

utils/net_rpc_join.c:net_rpc_join_newstyle(326) error domain join verification
(reused connection): NT_STATUS_INVALID_COMPUTER_NAME


I don't know what I can do now.
There is no more message about this wrong situation.

Please help.

Thanks very much.

Looking forward to hearing from you soon.

Best regards!

Enki

Re: [Samba] Cross subnet browsing + vpn

2010-07-12 Thread Quinn Fissler
If you have fixed IPs (or static DNS leases), one way round this is to
populate %SystemRoot%\system32\drivers\etc\lmhosts on the Windows client.

I look forward to seeing any other solutions here :-)


On 6 July 2010 13:07, j...@oss4all.plus.com wrote:

 Hi All,

 I'm having a problem with cross subnet browsing and name resolution across
 an openvpn tunnel. I've found quite a few people who've had the same on
 mailing lists but none of their fixes have worked. The specs of the setups at
 both ends of the tunnel are as follows:

 OS - CentOS 5.5
 Samba Version 3.5.4
 OpenVPN Version 2.0.9-1

 Each server is configured in gateway mode with two NICs, one to the LAN
 and the other to a modem/router.  The first machine, HEADOFFICE, has an
 internal IP address of 192.168.0.1 and an external of 192.168.10.4.  The
 second machine, REMOTE1, has an internal address of 192.168.1.254 and an
 external of 192.168.20.4.

 On OpenVPN, I have configured client-to-client and routes and iroutes to
 allow machines on each network to ping machines at the other end as well
 as the server IPs.
 So far so good and I can ping any machine on either subnet from anywhere
 and get a reply.  The servers are configured as Samba servers with the
 HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1
 machine configured as a BDC and WINS proxy.  In order to maintain logon
 facilities in the event of broadband failure, I have replicated the LDAP
 server from HEADOFFICE to REMOTE1 and updates and password changes
 propagate successfully from one site to the other.

 If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works
 perfectly but trying to access REMOTE1 from HEADOFFICE and its subnet
 fails on name resolution, while entering \\192.168.1.254\ brings up
 Windows Explorer and a list of shares.

 I've included the remote browse entries in smb.conf on the PDC and have
 WINS proxying set up on the BDC but I can't get it to push REMOTE1's IP
 back to the WINS server.
 Port scanning the internal IP of each machine from the other end of the
 tunnel returns a full set of open ports for the services I'm using but no
 IP.

 If anyone can spot what I'm doing wrong I'd be grateful.

 Thanks.

  smb.conf - HEADOFFICE
 ###  Included 2nd subnet for second remote site in browse sync

 [global]
workgroup = NEWDOM
netbios name = HEADOFFICE
security = user
enable privileges = yes
interfaces = 192.168.0.1 127.0.0.1
 #   hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
 194.168.2.0/255.255.255.0 127.0.0.1
remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
remote browse sync = 192.168.1.255 192.168.2.255
wins support = yes
name resolve order = wins hosts bcast
username map = /etc/samba/smbusers
server string = Samba Server %v
encrypt passwords = Yes
ldap ssl = no
unix password sync = yes
ldap passwd sync = no
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = Changing *\nNew password* %n\n *Retype new
 password* %n\n

 #public = yes
 #browseable = yes
 #lm announce = yes
 #browse list = yes
 #auto services = yes

log level = 3
syslog = 0
log file = /var/log/samba/log.%U
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

local master = Yes
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes

passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=newdom,dc=ldm
ldap suffix = dc=newdom,dc=ldm
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap

add user script = /usr/sbin/smbldap-useradd -m %u
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel %u
add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
add group script = /usr/sbin/smbldap-groupadd -p %g
#delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u
 %g
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

 [shared]
comment = shared directory
path = /dat
browseable = yes
read only = no
create mask = 0660
directory mask = 0770


  smb.conf - REMOTE1   #

 [global]
workgroup = NEWDOM
netbios name = REMOTE1
security = user
enable privileges = yes
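The symptom in the post above (REMOTE1 reachable by IP but not by name from the HEADOFFICE side) and the lmhosts workaround both turn on one question: does the WINS server on HEADOFFICE actually hold a registration for REMOTE1? The following is an added example, not code from the thread or from Samba. It sends the NetBIOS Name Service query (RFC 1002) that `nmblookup -U 192.168.0.1 -R REMOTE1` sends, directly from Python, and decodes the answer. The WINS address 192.168.0.1 and the name REMOTE1 are taken from the posted configuration; the function names are this example's own, and the packet produced by `build_response` is constructed only so the parser can be exercised offline.

```python
"""Directed NetBIOS name query to a WINS server (RFC 1002 NBNS).

Added example; not code from the Samba thread. WINS server 192.168.0.1
and name REMOTE1 come from the posted configuration; all function names
are this example's own.
"""
from __future__ import annotations

import random
import socket
import struct
import sys

NBNS_PORT = 137
RR_TYPE_NB = 0x0020     # NetBIOS general name service resource record
RR_CLASS_IN = 0x0001
FLAG_RD = 0x0100        # recursion desired
FLAG_B = 0x0010         # broadcast bit: left clear for a unicast WINS query


def encode_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encode NAME<suffix> as one 32-char label plus terminator.

    The name is upper-cased and space-padded to 15 bytes, the 16th byte is
    the service suffix (0x20 = file server). Every byte becomes two chars,
    'A' + high nibble and 'A' + low nibble.
    """
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    label = bytearray()
    for b in raw:
        label.append(ord("A") + (b >> 4))
        label.append(ord("A") + (b & 0x0F))
    return bytes([len(label)]) + bytes(label) + b"\x00"


def decode_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_name(): returns (name, suffix)."""
    length = encoded[0]
    label = encoded[1:1 + length]
    raw = bytes(((label[i] - ord("A")) << 4) | (label[i + 1] - ord("A"))
                for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(name: str, txid: int, suffix: int = 0x20) -> bytes:
    """NAME QUERY REQUEST: header (ID, flags, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name, suffix) + struct.pack("!HH", RR_TYPE_NB, RR_CLASS_IN)
    return header + question


def parse_response(data: bytes, txid: int) -> list[str]:
    """Return the IPv4 addresses from a positive NAME QUERY RESPONSE.

    Raises ValueError on a short packet, a transaction-id mismatch or a
    non-zero RCODE, so an NBNS name error is never mistaken for 'no data'.
    """
    if len(data) < 12:
        raise ValueError("short NBNS packet")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("NBNS RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qdcount):            # skip any echoed question section
        pos += data[pos] + 2 + 4        # label + terminator, type, class
    addrs: list[str] = []
    for _ in range(ancount):
        pos += data[pos] + 2            # RR name
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype != RR_TYPE_NB or rclass != RR_CLASS_IN:
            continue
        for i in range(len(rdata) // 6):          # NB_FLAGS(2) + NB_ADDRESS(4)
            addrs.append(socket.inet_ntoa(rdata[6 * i + 2:6 * i + 6]))
    return addrs


def build_response(name: str, txid: int, addrs: list[str], suffix: int = 0x20) -> bytes:
    """Construct a positive response as a WINS server would send it.

    Used here only to exercise parse_response() offline; NB_FLAGS 0x6000
    marks a unique H-node name.
    """
    flags = 0x8000 | 0x0400 | FLAG_RD | 0x0080   # response, authoritative, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0)
    rdata = b"".join(struct.pack("!H", 0x6000) + socket.inet_aton(a) for a in addrs)
    rr = (encode_name(name, suffix)
          + struct.pack("!HHIH", RR_TYPE_NB, RR_CLASS_IN, 300000, len(rdata))
          + rdata)
    return header + rr


def wins_lookup(name: str, wins_server: str, timeout: float = 2.0) -> list[str]:
    """Send a directed query to the WINS server and return its answer."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (wins_server, NBNS_PORT))
        data, _ = sock.recvfrom(576)
    return parse_response(data, txid)


if __name__ == "__main__":
    wins = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"   # HEADOFFICE WINS
    target = sys.argv[2] if len(sys.argv) > 2 else "REMOTE1"
    try:
        print(target, "->", wins_lookup(target, wins))
    except (OSError, ValueError) as exc:
        print("lookup failed:", exc)
```

Run it on a HEADOFFICE-side host as `python3 nbquery.py 192.168.0.1 REMOTE1`. A list of addresses means the name is registered and the remaining problem is browse-list propagation; a `ValueError` with RCODE 3 (name error) means the WINS server has no such name. A WINS proxy only answers broadcast queries on its own subnet and registers nothing upstream, so REMOTE1's own nmbd must reach 192.168.0.1 on UDP 137 through the tunnel to register; that path is the next thing to verify, and lmhosts entries as suggested above are the fallback if it cannot.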

Re: [Samba] Samba4 FreBSD

2010-07-12 Thread tms3

--- Original message ---
Subject: Re: [Samba] Samba4 FreBSD
From: Günter Kukkukk li...@kukkukk.com
To: samba@lists.samba.org
Date: Sunday, 11/07/2010  4:28 PM

On Sunday 11 July 2010 18:32:34, t...@tms3.com wrote:


Having some issues with:

samba_dnsupdate

Specifically:

/usr/bin/nsupdate: cannot specify -g or -o, program not linked with
GSS API Library

I've looked through the script, and cannot find these options called.
If anyone can point me to where they're called I'd appreciate it.

Cheers,

TMS III

nsupdate is (usually) part of the nameserver bind (named) package.

At least named itself writes the built-in compile options to the (kernel)
system logfile after being started.

If you don't see the build option
   --with-gssapi


Yes quite, but there are issues with bind and gssapi on FreeBSD, and if 
I could find out in the scripts where the options are called and turn 
them off, I could work forward from there in debugging.

your bind build is missing some needed features.

Cheers, Günter

Re: [Samba] WG: Cross subnet browsing + OpenVPN

2010-07-12 Thread tms3

--- Original message ---
Subject: [Samba] WG:  Cross subnet browsing + OpenVPN
From: Daniel Müller muel...@tropenklinik.de
To: samba@lists.samba.org
Date: Sunday, 11/07/2010 11:39 PM

Hi,
Robert Schetterer is right. You will succeed in the end with tap 
bridging.

Bridging lets NetBIOS reach through.


You will achieve it either way.  The TYPE of VPN is not relevant.  
There was a discussion a while back regarding SE Linux and netbios.  I 
would check those settings.



I did this with two XP clients, 2 NICs each, building a bridge on each:
Both the remote and the local clients must be in the same subnet.

My openvpn.conf:


Client or server

dev tap
dev-node TAB
proto udp

remote  1194

resolv-retry infinite

ca C:\\ca.crt
cert C:\\client1.crt
key C:\\client1.key
ns-cert-type server
verb 6

# Silence repeating messages
script-security 2
comp-lzo
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-tun
persist-key
route-delay 10


On CENTOS look here:
http://csmorley.spaces.live.com/blog/cns!990C0A249621766!184.entry

Greetings




---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: http://www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org 
[mailto:samba-boun...@lists.samba.org] On

Behalf Of Robert Schetterer
Sent: Friday, 9 July 2010 17:26
To: t...@tms3.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] Cross subnet browsing + OpenVPN

On 09.07.2010 14:42, t...@tms3.com wrote:

--- Original message ---
*Subject:* Re: [Samba] Cross subnet browsing + OpenVPN
*From:* Robert Schetterer rob...@schetterer.org
*To:* samba@lists.samba.org
*Date:* Friday, 09/07/2010 3:05 AM

On 09.07.2010 11:37, Julian Pilfold-Bagwell wrote:


Sorry about the delay, family emergency to deal with.
browse sync shares the info across them. I tried putting the specific
IP addresses of the local master browsers into the browse sync but it
still doesn't seem to spread everything across all the subnets.


you should use tap interfaces with openvpn

This is a matter of network design, and has nothing to do whatsoever
with the issue at hand.  Further:


I used Samba with subnet browsing years ago.
It didn't work with tun interfaces; it had to be tap interfaces,
plus the right Samba setup.
Times may have changed, Samba and OpenVPN changed,
but simply trying it costs nothing.


my setup was


bdc--internalnet--firewall--(tunnel)--firewall--internalnet--pdc

I had Samba on the firewalls bound to the tap tunnel interfaces
as a WINS proxy.
The PDC was the WINS server, the BDC a WINS proxy which directed browsing 
to

the PDC; all clients got well-configured parameters via DHCP.
In addition there was a working DNS which matched WINS dynamically.

Anyway, times may change, and there are better solutions now,
but this one worked stable and robust.

Read the Samba FAQs on WINS and subnet browsing etc.


good luck


 Server configuration file

 dev tun
 ifconfig 10.8.0.1 10.8.0.2
 secret static.key


 Client configuration file

 remote myremote.mydomain
 dev tun
 ifconfig 10.8.0.2 10.8.0.1
 secret static.key


From:

http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html



Which makes for a nice network to network setup for two locations
connected via a wan link.

Why not shift the discussion to whether we should use IPSEC and racoon
instead of OpenVPN, or perhaps we should scrap all that and argue that
he should be using Cisco vpn gateways altogether?

GUH!


From what I understand, the remote announce tells the WINS server to
broadcast across the remote subnets and remote

On 06/07/10 13:50, t...@tms3.com wrote:

SNIP

Hi All,

I'm having a problem with cross subnet browsing and name resolution
across
an openvpn tunnel. I've found quite a few people who've had the same
on
mailing lists but none of their fixes have worked. The specs of the
setups at
both ends of the tunnel are as follows:
   remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
   remote browse sync = 192.168.1.255 192.168.2.255


This looks odd to me.

remote announce = wins server ip/DOMNAME
remote browse sync = wins server ip

NEEDED in both smb.conf

wins server = wins server ip

Can't remember default for this setting so

enhanced browsing = Yes

in both smb.conf


DHCP should point clients to headoffice for WINS. WINS proxy is not
useful.




OS - CentOS 5.5
Samba Version 3.5.4
OpenVPN Version 2.0.9-1

Each server is configured in gateway mode with two NICs, one to the lan
and the other to a modem/router. The first machine, HEADOFFICE, has an
internal IP address of 192.168.0.1

Re: [Samba] two PDCs

2010-07-12 Thread tms3

--- Original message ---
Subject: Re: [Samba] two PDCs
From: Scott Grizzard sc...@scottgrizzard.com
To: Tamás Pisch pisc...@gmail.com
Cc: samba@lists.samba.org
Date: Monday, 12/07/2010 12:38 AM



Of course, my users only visited each others' offices occasionally.


If you have tons of movement between the offices, a one-domain
solution may be forced upon you...

Unfortunately, a lot of users are roaming users (teachers with laptops, and
users). My plan is that I will set up separate profile shares on both sides,
but at least they can use their own username and even change their password.
So, I would like to try the multi-PDC scenario with master and slave LDAP
server, but I worry a little.


It makes very little sense to have multiple PDCs, and it only adds to
both administrative and user confusion IMHO. Given the present
workings of OpenLDAP, just pick a replication strategy that makes sense
and use a single domain. I've built and run a single domain on a 15
node VPN with multi-master OpenLDAP backend, and it is remarkably
resilient.

How are you intending to keep roaming profiles in sync (the files on
the server, not the stuff in LDAP)?  Are you going to use rsync?


Unless users jump from office to office, why bother. I would set up road
warriors with local profiles and sync their stuff in a manner
appropriate to their schedules/primary location.

Scott Grizzard
sc...@scottgrizzard.com
http://www.ScottGrizzard.com
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba4 and DNS

2010-07-12 Thread tms3

--- Original message ---
Subject: [Samba] Samba4 and DNS
From: Alex Waite awa...@mcw.edu
To: samba@lists.samba.org samba@lists.samba.org
Date: Monday, 12/07/2010  4:56 AM

Hey Everyone,

I've been reading through the Samba4 docs, but I am a bit confused,
so please forgive me if I have missed anything obvious.

I am trying to set up Samba4 as a Domain Controller for our
department. We do not control our DNS; that is done through campus IT.

All of our workstations (soon to be members of the domain) already
have entries in campus DNS. If I were to submit the contents of the
/usr/local/samba/private/dns/ folder (generated by Samba4's provision
step) to Campus IT, would that work? Would I be missing out on anything
by not running my own DNS server?

I've read about the dynamic changes made to DNS by Samba4, but I
don't know if I need that if my clients already would have entries in
DNS.


Talk to the DNS admins. Ask them if you can run a master DNS for your
domain, and then use campus DNS as the forwarder.



 Thank you for your time; I appreciate it.

---Alex
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] security = SHARE

2010-07-12 Thread tms3

I also encounter this problem: the user security mode works fine, but on
share security level it always returns NT_STATUS_WRONG_PASSWORD.

Is SHARE on samba 3.4 deprecated?
Can anybody give some advice?


user = share is like Windoze95/98 type file share.




Thanks.
--
View this message in context: 
http://old.nabble.com/security-%3D-SHARE-tp29102498p29114421.html

Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 FreBSD

2010-07-12 Thread Michael Wood
On 12 July 2010 14:30,  t...@tms3.com wrote:
 --- Original message ---
 From: Günter Kukkukk li...@kukkukk.com

 Am Sonntag 11 Juli 2010 18:32:34 schrieb t...@tms3.com:
[...]
 /usr/bin/nsupdate: cannot specify -g    or -o, program not linked with
 GSS API Library

 I've looked through the script, and cannot find these options called.
 If anyone can point me to where they're called I'd appreciate it.

 nsupdate is (usually) part of the nameserver bind (named) package.

 At least named itself writes the built-in compile options to the
 (kernel) system logfile after being started.

 If you don't see the build option
   --with-gssapi

 Yes quite, but there are issues with bind and gssapi on FreeBSD, and if I
 could find out in the scripts where the options are called and turn them
 off, I could work forward from there in debugging.

I think you're looking for the nsupdate command parameter in the
smb.conf file.

I'm sure I've seen it documented somewhere, but it's in
source4/param/loadparm.c anyway:

param/loadparm.c:   lp_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");

-- 
Michael Wood esiot...@gmail.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] security = SHARE

2010-07-12 Thread John H Terpstra
On 07/12/2010 07:47 AM, t...@tms3.com wrote:

 I also encounter this problem: the user security mode works fine, but on
 share security level it always returns NT_STATUS_WRONG_PASSWORD.

 Is SHARE on samba 3.4 deprecated?
 Can anybody give some advice?

 user = share is like Windoze95/98 type file share.

Shares mode security has been deprecated. Also, the LanMan password
required for use with Windows 9x is no longer stored in smbpasswd or in
the tdbsam/ldapsam backends.

- John T.




 Thanks.
 -- 
 View this message in context:
 http://old.nabble.com/security-%3D-SHARE-tp29102498p29114421.html
 Sent from the Samba - General mailing list archive at Nabble.com.

 -- 
 To unsubscribe from this list go to the following URL and read the
 instructions: https://lists.samba.org/mailman/options/samba
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] How to regenerate passdb.tdb

2010-07-12 Thread Abe Lau
On Fri, Jul 9, 2010 at 10:43 AM, Abe Lau
abelau+sa...@gmail.comabelau%2bsa...@gmail.com
 wrote:

 On Fri, Jul 9, 2010 at 8:26 AM, Gaiseric Vandal gaiseric.van...@gmail.com
  wrote:

 On 07/08/2010 05:43 PM, Jeremy Allison wrote:

 On Thu, Jul 08, 2010 at 11:32:32AM +1000, Abe Lau wrote:


 Hi,
 I was having a problem with the tdbsam backend in which a particular user
 got listed twice with pdbedit.
 (http://www.mail-archive.com/samba@lists.samba.org/msg109110.html)

 Without much hope of fixing it, I am planning to regenerate
 passdb.tdb on my PDC by:
   (1) exporting tdbsam to the smbpasswd backend
   (2) deleting passdb.tdb
   (3) re-importing smbpasswd to the tdbsam backend


 If you do this you lose a lot of the extra
 data that tdbsam stores that smbpasswd does
 not.

 Jeremy.


 Does tdbdump passdb.tdb show the user listed twice?

 Maybe you can use tdbtool to edit a copy of the file.  The man page for
 tdbbackup indicates it can check for corruption (but not fix it.)


 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba


 Yes, it seems to have appeared twice

 `tdbdump passdb.tdb` gives
 {
 key(13) = RID_03e9\00
 data(5) = usera\00
 }
 
 {
 key(10) = USER_usera\00
 data(180) =
 \00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00\B2c6L\00\00\00\00\FF\FF\FF\7F\05\00\00\00nick\00\04\00\00\00ORL\00\01\00\00\00\00\01\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\00\00\00\00\01\00\00\00\00T\04\00\00\01\02\00\00\00\00\00\00\10\00\00\00\03\0C\8C\98\89\87\DC+\CE\0Ax)JP\01\00\00\00\00\10\00\00\00\A8\00\15\00\00\00
 \00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00
 }
 ..
 {
 key(13) = RID_0454\00
 data(5) = usera\00
 }

 I have tried using tdbbackup -v, but it didn't indicate any corruption. I
 may try tdbtool on a copy of passdb.tdb and see how it goes. Thanks for the
 suggestion.


Just tried using tdbtool and removed one of the duplicated RID keys of
usera. I randomly picked one, because I am really not sure which one is
correct (or if it even matters). Now, pdbedit does not display 2 duplicated
entries. I hope that is the solution, and the problem won't come back
again. I will report back in case this leads to other complications.

Just a side note: according to the old man page of tdbtool
(http://www.samba.org/samba/docs/man/manpages-3/tdbtool.8.html), there is a
check option to verify the integrity of a tdb file, but my copy from Debian
Lenny doesn't have it!

I wonder if there is any other, better integrity checking tool for tdb,
apart from tdbbackup, which never reported any problem in my case
anyway!

Thanks all for the help,
Abe
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
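As an added example (my code, not Abe's and not part of Samba) of the integrity check Abe was looking for: it parses tdbdump's text output, verifies each field's declared length against the decoded bytes, and reports user names that more than one RID_ record resolves to, which is exactly the doubled entry pdbedit showed. The sample dump is constructed from the record shapes in the thread, with the quotes that real tdbdump output carries (the list archive stripped them) and the USER_ record's data shortened to a placeholder; the parser also accepts a dump with the quotes missing.

```python
import re

# Constructed sample in tdbdump's text format, modelled on the records Abe
# posted: two RID_ records pointing at the same user name. Real tdbdump output
# quotes the values (the list archive stripped the quotes); the USER_ record's
# data is shortened to a placeholder, not a real passdb blob.
SAMPLE_DUMP = r'''
{
key(13) = "RID_000003e9\00"
data(6) = "usera\00"
}
{
key(11) = "USER_usera\00"
data(8) = "\00\00\00\00\FF\FF\FF\7F"
}
{
key(13) = "RID_00000454\00"
data(6) = "usera\00"
}
{
key(13) = "RID_000003ea\00"
data(6) = "userb\00"
}
'''

# key(<len>) = "<value>" / data(<len>) = "<value>"; the quotes are optional so
# that a dump pasted from a list archive (quotes stripped) still parses.
FIELD_RE = re.compile(r'^(key|data)\((\d+)\)\s*=\s*"?(.*?)"?\s*$')
HEX2_RE = re.compile(r'[0-9A-Fa-f]{2}')


def unescape(text):
    """Decode tdbdump escaping: a backslash followed by two hex digits is one
    raw byte; any other character is taken literally."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 2 < len(text) and HEX2_RE.fullmatch(text[i + 1:i + 3]):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_tdbdump(text):
    """Return a list of (key, data) byte pairs. The declared length of every
    field is checked against the decoded length, so a truncated or hand-edited
    dump is reported instead of silently producing wrong records."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line == "{":
            current = {}
        elif line == "}":
            if "key" in current and "data" in current:
                records.append((current["key"], current["data"]))
        else:
            m = FIELD_RE.match(line)
            if not m:
                continue
            name, declared, raw = m.group(1), int(m.group(2)), m.group(3)
            value = unescape(raw)
            if len(value) != declared:
                raise ValueError(f"{name}: decoded {len(value)} bytes, declared {declared}")
            current[name] = value
    return records


def duplicate_rids(records):
    """Map each user name to the RIDs whose RID_ record resolves to it, and
    return only the names with more than one RID (the doubled pdbedit entry)."""
    by_user = {}
    for key, data in records:
        if not key.startswith(b"RID_"):
            continue
        rid = int(key[4:].rstrip(b"\x00"), 16)
        user = data.rstrip(b"\x00").decode("utf-8", "replace")
        by_user.setdefault(user, []).append(rid)
    return {u: rids for u, rids in by_user.items() if len(rids) > 1}


if __name__ == "__main__":
    for user, rids in duplicate_rids(parse_tdbdump(SAMPLE_DUMP)).items():
        print(f"{user}: RIDs {', '.join(hex(r) for r in rids)}")
```

Feed it the output of tdbdump run on a copy of passdb.tdb, as suggested above; it reads the dump only and changes nothing, so it is safe to run before deciding which record to remove with tdbtool.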


[Samba] smbldap-groupmod problem

2010-07-12 Thread Leonardo Carneiro - Veltrac
Hi, I'm having a problem with smbldap-groupmod. When I try to change
the users of some groups, I get an error message. The action does
execute, as the users are removed from or added to the group, but an error
is thrown in the output:

   server:~# smbldap-groupmod -x user1 -m user2 testgroup
   Can't call method "get_value" on an undefined value at
   /usr/sbin/smbldap-groupmod line 146.

The line in question is:

   if ($group_entry->get_value('sambaSID') eq
   $user_entry->get_value('sambaPrimaryGroupSID')) {

What does this mean? Thanks in advance.
--
Leonardo Carneiro
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] ntlm locking user accounts in 2003 AD

2010-07-12 Thread Stacker Hush
Hello to all,

I'm having a problem using this environment:
Squid 2.7.STABLE7
Samba 3.4.7

Squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

smb.conf

workgroup = domain
netbios name = NETSERVER
server string = PROXY SERVER
load printers = no
log file = /var/log/samba/log.%m
max log size = 500
winbind trusted domains only = yes
realm = domain.ltd
security = ads
auth methods = winbind
password server = Server.domain.ltd
winbind separator = +
encrypt passwords = yes
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = false
idmap uid = 1-2
idmap gid = 1-2
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 10.0.0.249, 10.0.0.250
dns proxy = no
ldap ssl = no
load printers = no
template shell = /sbin/nologin


The problem is that when some user requests web pages I get a lot of 680
events (logon) in Windows events/security, seconds apart, and sometimes
the user account gets locked.
I suppose the account is locked because the user makes a lot of authentication
requests.

Some way to fix this?

Thanks,
Stacker

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
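Before looking at the DC side, one configuration caveat: ntlm_auth's helper protocol for Squid's basic scheme is squid-2.5-basic, whereas the squid.conf above hands the ntlmssp protocol to the basic scheme as well, which is worth correcting first. As an added example (my code, not the poster's and not part of Samba or Squid) of how to spot the storm of 680 events before the lockout threshold is hit, the following runs a sliding-window count of logon validations per account over constructed Security-log records and reports the accounts and source workstations that exceed it. The record format, the 60 second window and the threshold of 5 are assumptions; a real deployment would export the events with its own tooling and tune the threshold to the domain's lockout policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Security-log records, one per line:
# timestamp|event id|account|source workstation|status code.
# Not real log data; the burst from NETSERVER mimics what the poster describes.
SAMPLE_EVENTS = """\
2010-07-12 09:00:01|680|DOMAIN\\alice|NETSERVER|0x0
2010-07-12 09:00:02|680|DOMAIN\\alice|NETSERVER|0x0
2010-07-12 09:00:03|680|DOMAIN\\alice|NETSERVER|0x0
2010-07-12 09:00:03|680|DOMAIN\\alice|NETSERVER|0x0
2010-07-12 09:00:04|680|DOMAIN\\alice|NETSERVER|0x0
2010-07-12 09:00:05|680|DOMAIN\\alice|NETSERVER|0x0
2010-07-12 09:00:30|680|DOMAIN\\bob|NETSERVER|0x0
2010-07-12 09:05:00|680|DOMAIN\\bob|NETSERVER|0x0
2010-07-12 09:05:10|529|DOMAIN\\carol|WS01|0xC000006A
"""


def parse_events(text):
    """Parse the constructed pipe-separated format above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, workstation, status = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid),
            "account": account,
            "workstation": workstation,
            "status": status,
        })
    return events


def burst_accounts(events, window=timedelta(seconds=60), threshold=5, event_id=680):
    """Sliding-window count of event_id per account. Returns the accounts whose
    count inside any single window reaches threshold, with the peak count and
    the workstations the attempts came from (a single proxy host hammering the
    DC shows up as one source). The window and threshold are assumptions to
    tune against the domain's lockout policy."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    sources = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != event_id:
            continue
        acct = ev["account"]
        q = recent[acct]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        sources[acct].add(ev["workstation"])
        peak[acct] = max(peak[acct], len(q))
    return {a: {"peak": n, "sources": sorted(sources[a])}
            for a, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for acct, info in burst_accounts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{acct}: {info['peak']} logon validations in one window from {info['sources']}")
```

Counting all 680 events rather than only the failed ones is deliberate: the thread's symptom is the volume of validations coming from the proxy, and a burst from one workstation against one account points at the proxy re-authenticating every request (the credentialsttl and keep_alive settings above are the first places to look), not at the user.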


[Samba] Error 0x000003e6 when trying to connect to a printer from w2k8 (x64)

2010-07-12 Thread Thorsten Leiser
Hello,

I'm trying to connect my W2k8 (x64) server farm to our newly installed
print server based on Debian Lenny with SerNet Samba 3.5.4 installed.
Every time I try to connect to a printer share via point and print, it
fails with error 0x03e6.
When I do the same from Windows XP or from our old w2k3 (x64) server
farm everything works excellently.
Does anybody know a workaround? I installed nearly 80 printers on the
Samba server and I don't want to do this again.

Regards

Thorsten

-- 

Thorsten Leiser
IT-Systembetreuung
SYNCHRON Gesellschaft für betriebswirtschaftliche
Beratung und Informationssysteme mbH
Liebknechtstr. 50

70565 Stuttgart-Vaihingen

Fon: 0711/7868-356
Fax: 0711/7868-446

www.synchron-is.de

Sitz der Gesellschaft: Stuttgart
Registergericht: Amtsgericht Stuttgart, HRB 8619
GF: Michael Schober


- - - - - - - - -

This e-mail may contain confidential and/or privileged data. If you are
not the intended recipient or have received this e-mail in error, please
notify the sender immediately and destroy this e-mail. Any unauthorized
copying, disclosure or distribution of the content in this e-mail is
strictly forbidden.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] File owner SID instead of name showing for one user

2010-07-12 Thread Gregory A. Cain

Hi,

1. Yes, ls -l shows the correct info.
2. Yes, only in Windows Explorer
3. Samba domain.

I did some additional digging over the weekend and discovered that there
are two other users whose SIDs are showing instead of their names.


Thanks again for any insight.



On 7/8/2010 1:50 PM, t...@tms3.com wrote:

On 07/08/2010 03:10 PM, Gregory A. Cain wrote:


Exactly. I checked 4 or 5 other users - no problems. Also did a
spot-check of files belonging to other users in Windows Explorer. It
appears this is the only user with the problem.

I checked for duplicate UID's and found none. Using ls -l on the
server returns the correct user name and UID for the files.


OK, Greg, let me get this straight:

1. From a server terminal ls -l shows correct info.

2. Only in Windows exploderer the SID instead of name?

3. I forget...Samba domain or samba joined to AD domain?


On 7/8/2010 12:01 PM, t...@tms3.com wrote:

wbinfo -s (user sid) returns Could not lookup sid (user sid)


But all other SID lookups are good (well at least a test smattering of
them)?


What does pdbedit -Lv theuser show? It should show the user's SID.


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Error 0x000003e6 when trying to connect to a printer from w2k8 (x64)

2010-07-12 Thread Rob Moser
Hi Thorsten,

I can't be sure that it's exactly the same error, but I had a very
similar problem that I solved like this:

In the policy editor, for the group policy that you're using to control
your print servers, explicitly disable the policy:

Computer Configuration:Policies:Administrative Templates:Printers:Always
render print jobs on the server

Windows documentation says this defaults to disabled, but we have found
this to be (at least partially) untrue for W2k8 - if you need it
disabled then disable it explicitly.

Hopefully that works for you...

 - rob.


On 07/12/2010 08:09 AM, Thorsten Leiser wrote:
 Hello,
 
 I'm trying to connect my W2k8 (x64) server farm to our newly installed
 print server based on Debian Lenny with SerNet Samba 3.5.4 installed.
 Every time I try to connect to a printer share via point and print, it
 fails with error 0x03e6.
 When I do the same from Windows XP or from our old w2k3 (x64) server
 farm everything works excellently.
 Does anybody know a workaround? I installed nearly 80 printers on the
 Samba server and I don't want to do this again.
 
 Regards
 
 Thorsten
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] group permissions not setting correctly.

2010-07-12 Thread delpheye
On Fri, Jul 9, 2010 at 4:16 PM, t...@tms3.com wrote:


 On Samba 3.5.4, I have a share that should be writable by all in the Domain
 Users group. When I write to the share, the permission mode is correct but
 the data doesn't have the correct group and instead lists the username as
 the group.

 Do you have:

 pam_ldap/nss_ldap .conf setup correctly (They may be the same file
 depending on Linux OS.  Ubuntu server uses same file.)?

 nsswitch.conf set up correctly?


As far as I am aware, yes.

/etc/nsswitch.conf:

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns wins
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  files
automount:  files ldap
aliases:    files

/etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so



 I tried using force group but the share stopped being
 accessible after a restart so I removed it. It doesn't seem like this is
 standard behavior so I'm not sure what could be causing it.

 Relevant smb.conf info:

 [global]
 workgroup = domain
 netbios name = fs
 server string = domauin FS
 passdb backend = ldapsam:ldap://127.0.0.1
 printcap name = cups
 printing = cups
 security = user
 log level = 3
 name resolve order = wins bcast hosts

 ldap ssl = off
 ldap admin dn = cn=root,dc=domain,dc=com
 ldap suffix = dc=domain,dc=com
 ldap user suffix = ou=Users
 ldap group suffix = ou=Group
 ldap idmap suffix = ou=Idmap
 ldap machine suffix = ou=Computers

 ldap delete dn = Yes
 add user script = /usr/sbin/smbldap-useradd -m %u
 add machine script = /usr/sbin/smbldap-useradd -w %u
 add group script = /usr/sbin/smbldap-groupadd -p %g
 add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
 delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
 set primary group script = /usr/sbin/smbldap-usermod -g %g %u
 delete user script = /usr/sbin/smbldap-userdel %u
 delete group script = /usr/sbin/smbldap-groupdel %g
 logon path = \\%L\profiles\%U
 logon drive = H:
 logon home = \\%L\%U
 #logon script = %U.bat
 logon script = logon.bat

 domain master = Yes
 domain logons = Yes
 os level = 35
 preferred master = Yes

 idmap uid = 15000-2
 idmap gid = 15000-2

 passwd program = /usr/bin/passwd '%u'
 unix password sync = yes
 passwd chat = *New UNIX password* %n\n *Retype new UNIX password* %n\n *updated successfully*
 enable privileges = yes
 username map = /etc/samba/smbusers
 wins support = yes

 [public]
 path = /data/public
 create mask = 0775
 create mode = 0775
 directory mask = 0775
 guest ok = no
 browseable = Yes
 writable = yes
 write list = @Domain Users
 --
 To unsubscribe from this list go to the following URL and read the
 instructions: https://lists.samba.org/mailman/options/samba



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] samba3 domain client not auth some users

2010-07-12 Thread Dirk Kleinhesselink

I have a samba3 domain controller and a bunch of linux/windows
clients.  One of my users came to me with trouble trying to
access one of the linux clients.  He was getting the
NT_STATUS_NO_LOGON_SERVERS error.  However the client machine
had no trouble with my credentials, or with another set of
user credentials.  I reset his password on the samba3 DC
and verified that the DC would authenticate via smbclient directly on
the DC, but then again with this one client his credentials give the No
Logon Servers error, whereas mine and at least one other have no problem.
I would also point out that this user has no trouble with other domain
members, just this one.

Any help or advice ?

Thanks,

Dirk
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 FreBSD

2010-07-12 Thread Michael Wood
On 12 July 2010 15:07, Michael Wood esiot...@gmail.com wrote:
 On 12 July 2010 14:30,  t...@tms3.com wrote:
 --- Original message ---
 From: Günter Kukkukk li...@kukkukk.com

 Am Sonntag 11 Juli 2010 18:32:34 schrieb t...@tms3.com:
 [...]
 /usr/bin/nsupdate: cannot specify -g    or -o, program not linked with
 GSS API Library

 I've looked through the script, and cannot find these options called.
 If anyone can point me to where they're called I'd appreciate it.

 nsupdate is (usually) part of the nameserver bind (named) package.

 At least named itself writes the built-in compile options to the
 (kernel) system logfile after being started.

 If you don't see the build option
   --with-gssapi

 Yes quite, but there are issues with bind and gssapi on FreeBSD, and if I
 could find out in the scripts where the options are called and turn them
 off, I could work forward from there in debugging.

 I think you're looking for the nsupdate command parameter in the
 smb.conf file.

 I'm sure I've seen it documented somewhere, but it's in
 source4/param/loadparm.c anyway:

Ah, this is where I saw it:

http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#A_note_on_DNS_updates

-- 
Michael Wood esiot...@gmail.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Wrong results in dir listing with wildcard

2010-07-12 Thread Jeffrey McLellan
Guy Rouillier guyr-ml1 at burntmail.com writes:

 I get the following
 results from issuing directory listings with a wildcard:

 N:\temp>dir ac*
   Volume in drive N is data
   Volume Serial Number is 0160-027E

   Directory of N:\temp

 06/10/2010  03:33 PM 6 authenejbcp.bat
 06/10/2010  03:33 PM 6 ActivePython-2.6.5.12-win32-x86.msi
 06/10/2010  03:33 PM 6 ActiveTcl8.6.0.0b2.291226-win32-ix86-threaded.exe
 06/10/2010  03:33 PM 6 ActivePerl-5.10.1.1007-MSWin32-x86-291969.msi
 4 File(s) 24 bytes
 0 Dir(s)  533,019,426,816 bytes free

 N:\temp>dir au*
   Volume in drive N is data
   Volume Serial Number is 0160-027E

   Directory of N:\temp

 06/10/2010  03:33 PM 6 authenejbcp.bat
 06/10/2010  03:33 PM 6 authencp.bat
 06/10/2010  03:33 PM 6 authenclientcp.bat
 3 File(s) 18 bytes
 0 Dir(s)  533,019,484,160 bytes free

 Notice that authenejbcp.bat is included in both listings.  If someone
 else can confirm they are seeing the same thing, I'll file a bug report.
 Thanks.

For what it's worth, this behavior is not limited to Samba servers. I have the
exact same problem using standard Microsoft servers.  Dir EC05*.* might return a
file named EC11*.* which is also visible if you Dir EC11*.*.

The main difference is that my problem doesn't seem to be reproducible like
yours.  During the course of a month we generate several thousand of these files
which are processed then archived and deleted. The names are all unique,
containing date/time stamps.  In the course of a month maybe 10 of these files
will be affected as you describe.  We have modified our code to monitor for this
situation and give warnings.




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Wrong results in dir listing with wildcard

2010-07-12 Thread Gaiseric Vandal
What does dir /x show?  The /x option should give you the 8.3 version of
the name.  That may be being matched by the wildcard.



-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Jeffrey McLellan
Sent: Friday, July 09, 2010 8:25 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Wrong results in dir listing with wildcard

Guy Rouillier guyr-ml1 at burntmail.com writes:

 I get the following
 results from issuing directory listings with a wildcard:

 N:\temp>dir ac*
   Volume in drive N is data
   Volume Serial Number is 0160-027E

   Directory of N:\temp

 06/10/2010  03:33 PM 6 authenejbcp.bat
 06/10/2010  03:33 PM 6 ActivePython-2.6.5.12-win32-x86.msi
 06/10/2010  03:33 PM 6 ActiveTcl8.6.0.0b2.291226-win32-ix86-threaded.exe
 06/10/2010  03:33 PM 6 ActivePerl-5.10.1.1007-MSWin32-x86-291969.msi
 4 File(s) 24 bytes
 0 Dir(s)  533,019,426,816 bytes free

 N:\temp>dir au*
   Volume in drive N is data
   Volume Serial Number is 0160-027E

   Directory of N:\temp

 06/10/2010  03:33 PM 6 authenejbcp.bat
 06/10/2010  03:33 PM 6 authencp.bat
 06/10/2010  03:33 PM 6 authenclientcp.bat
 3 File(s) 18 bytes
 0 Dir(s)  533,019,484,160 bytes free

 Notice that authenejbcp.bat is included in both listings.  If someone
 else can confirm they are seeing the same thing, I'll file a bug report.
 Thanks.

For what it's worth, this behavior is not limited to Samba servers. I have
the exact same problem using standard Microsoft servers.  Dir EC05*.* might
return a file named EC11*.* which is also visible if you Dir EC11*.*.

The main difference is that my problem doesn't seem to be reproducible like
yours.  During the course of a month we generate several thousand of these
files which are processed then archived and deleted. The names are all unique,
containing date/time stamps.  In the course of a month maybe 10 of these
files will be affected as you describe.  We have modified our code to monitor
for this situation and give warnings.




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba3 domain client not auth some users

2010-07-12 Thread Gaiseric Vandal
Is the linux client configured as a samba server?  Or is the user trying to
access via console login, ssh or nfs?


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Dirk Kleinhesselink
Sent: Monday, July 12, 2010 2:12 PM
To: samba@lists.samba.org
Subject: [Samba] samba3 domain client not auth some users

I have a samba3 domain controller and a bunch of linux/windows
clients.  One of my users came to me with trouble trying to
access one of the linux clients.  He was getting the
NT_STATUS_NO_LOGON_SERVERS error.  However the client machine
had no trouble with my credentials, or with another set of
user credentials.  I reset his password on the samba3 DC
and verified that the DC would authenticate via smbclient directly on
the DC, but then again with this one client his credentials give the No
Logon Servers error, whereas mine and at least one other have no problem.
I would also point out that this user has no trouble with other domain
members, just this one.

Any help or advice ?

Thanks,

Dirk
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Wrong results in dir listing with wildcard

2010-07-12 Thread Jeremy Allison
On Mon, Jul 12, 2010 at 07:09:36PM -0400, Gaiseric Vandal wrote:
 What does dir /x show?  The /x option should give you the 8.3 version of
 the name.  That may be being matched by the wildcard.

That's exactly the issue. The SMB/CIFS wildcard matching
algorithm matches both short and long names.

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
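As an added example (my code, not from the thread and not Samba's matcher), the following models the behaviour Jeremy describes: a DOS-style wildcard is tested against both the long name and the 8.3 short name of each directory entry, so an entry whose short name happens to start with the pattern is returned even though its long name does not match. The listing is constructed; the short names are placeholders chosen to illustrate the effect, not the mangled names the poster's server actually produced.

```python
import re

# Constructed directory listing: (long name, 8.3 short name) pairs.
# The short names are placeholders chosen to show the effect, not the
# mangled names the poster's server generated.
LISTING = [
    ("authenejbcp.bat", "ACF2B3~1.BAT"),
    ("authencp.bat", "AUTHEN~1.BAT"),
    ("authenclientcp.bat", "AUTHEN~2.BAT"),
    ("ActivePython-2.6.5.12-win32-x86.msi", "ACTIVE~1.MSI"),
]


def wildcard_to_regex(pattern):
    """Translate a DOS-style wildcard ('*' matches any run, '?' one character)
    into an anchored, case-insensitive regex; other characters are literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_entries(pattern, listing, match_short_names=True):
    """Return the long names the pattern selects. With match_short_names an
    entry is selected when either its long name or its 8.3 name matches, which
    is the server-side behaviour the thread describes; without it only the
    long name counts, which is what the poster expected to see."""
    rx = wildcard_to_regex(pattern)
    hits = []
    for long_name, short_name in listing:
        if rx.match(long_name) or (match_short_names and rx.match(short_name)):
            hits.append(long_name)
    return hits


def explain(pattern, listing):
    """For each selected entry, say which of its two names the wildcard hit,
    so a surprising result (short name only) can be told from an expected one."""
    rx = wildcard_to_regex(pattern)
    out = {}
    for long_name, short_name in listing:
        via = []
        if rx.match(long_name):
            via.append("long")
        if rx.match(short_name):
            via.append("short")
        if via:
            out[long_name] = via
    return out


if __name__ == "__main__":
    for pat in ("ac*", "au*"):
        print(pat, "->", explain(pat, LISTING))
```

To apply this to a real share, take the short names from dir /x as Gaiseric suggested and feed the pairs to explain(); a hit listed as "short" only is the 8.3 alias doing the matching, not a server bug.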


Re: [Samba] Using +group in valid users is not working

2010-07-12 Thread Lee, Andrien
Hi Björn
Thanks for your response.  The problem I'm having is that payoff in this 
instance is actually a UNIX group.  If I set valid users as +payoff I get the 
same problem with the same error message.  It just isn't recognising that 
bbancroft is a member of the local UNIX group payoff.

Cheers
Andrien Lee

-Original Message-
From: Björn Jacke [mailto:b...@sernet.de] 

On 2010-07-12 at 14:19 +1000 Lee, Andrien sent off:
 I have included a level 3 log from log.smbd up to the first rejection, along 
 with the relevant smb.conf info that I am aware of.  The log is for a 
 connection to a share with valid users = @payoff, where bbancroft is a 
 member of the payoff group.

make sure you don't run into the 16/32 Groups/User limitation of Solaris and
also make sure to use @DOMAIN\group instead of @group.

Cheers
Björn
-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen




This e-mail and any attachments may contain confidential information that is 
intended solely for the use of the intended recipient and may be subject to 
copyright. If you receive this e-mail in error, please notify the sender 
immediately and delete the email and its attachments from your system. You must 
not disclose, copy or use any part of this e-mail if you are not the intended 
recipient. Any opinion expressed in this e-mail and any attachments is not an 
opinion of RailCorp unless stated or apparent from its content. RailCorp is not 
responsible for any unauthorised alterations to this e-mail or any attachments. 
RailCorp will not incur any liability resulting directly or indirectly as a 
result of the recipient accessing any of the attached files that may contain a 
virus.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Build status as of Mon Jul 12 06:00:01 2010

2010-07-12 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2010-07-11 
00:00:04.0 -0600
+++ /home/build/master/cache/broken_results.txt 2010-07-12 00:00:02.0 
-0600
@@ -1,4 +1,4 @@
-Build status as of Sun Jul 11 06:00:02 2010
+Build status as of Mon Jul 12 06:00:01 2010
 
 Build counts:
 Tree Total  Broken Panic 
@@ -16,7 +16,7 @@
 samba_3_master 28 28 4 
 samba_3_next 28 28 6 
 samba_4_0_test 30 30 0 
-samba_4_0_waf 30 27 1 
+samba_4_0_waf 30 28 1 
 talloc   30 7  0 
 tdb  28 7  0 
 


[SCM] Samba Shared Repository - branch master updated

2010-07-12 Thread Simo Sorce
The branch, master has been updated
   via  1b51ddd... s3-dcerpc: Fix miscalculation of buffer start address
  from  77a3858... tsocket: Fix some unreachable code

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1b51ddd37085e6dcc2fbe5056e902270d1efb076
Author: Simo Sorce i...@samba.org
Date:   Mon Jul 12 15:09:42 2010 -0400

s3-dcerpc: Fix miscalculation of buffer start address

This was breaking schannel

---

Summary of changes:
 source3/rpc_client/cli_pipe.c |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index b9b04b6..aea6b36 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1004,7 +1004,9 @@ static NTSTATUS cli_pipe_verify_schannel(struct 
rpc_pipe_client *cli,
return NT_STATUS_BUFFER_TOO_SMALL;
}
 
-   blob = data_blob_const(prs_data_p(current_pdu) + 
prs_offset(current_pdu), auth_len);
+   blob = data_blob_const(prs_data_p(current_pdu) +
+   prs_offset(current_pdu) +
+   RPC_HDR_AUTH_LEN, auth_len);
 
if (DEBUGLEVEL = 10) {
dump_NL_AUTH_SIGNATURE(talloc_tos(), blob);
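Review bot: the blob start now advances past the auth header by RPC_HDR_AUTH_LEN while the length handed to data_blob_const is still auth_len, so the length check just above this hunk (the branch that returns NT_STATUS_BUFFER_TOO_SMALL) must bound prs_offset(current_pdu) + RPC_HDR_AUTH_LEN + auth_len against the PDU size; that check is outside the hunk, so please confirm it accounts for the header, otherwise dump_NL_AUTH_SIGNATURE and the signature verification read past the fragment. A one-line comment on the blob line saying the NL_AUTH signature sits after the auth header would also help, since the commit message says what broke but not why the old offset was wrong.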


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2010-07-12 Thread Günther Deschner
The branch, master has been updated
   via  25d487b... s3-dcerpc: Fix ntlmssp sign/seal.
   via  6555307... s3-dceprc: Fix auth_length in auth3 response
  from  1b51ddd... s3-dcerpc: Fix miscalculation of buffer start address

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 25d487bebfdc771b1e0ab510ecbe4a8601f8fc98
Author: Simo Sorce i...@samba.org
Date:   Mon Jul 12 18:57:32 2010 -0400

s3-dcerpc: Fix ntlmssp sign/seal.

Header calculation was misplaced.

Signed-off-by: Günther Deschner g...@samba.org

commit 6555307aa11741171258541da2c13ce25d9e3f55
Author: Simo Sorce i...@samba.org
Date:   Mon Jul 12 16:27:22 2010 -0400

s3-dceprc: Fix auth_length in auth3 response

Signed-off-by: Günther Deschner g...@samba.org

---

Summary of changes:
 source3/rpc_client/cli_pipe.c |   49 ++---
 1 files changed, 31 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index aea6b36..20f2246 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2146,6 +2146,29 @@ static NTSTATUS add_ntlmssp_auth_footer(struct 
rpc_pipe_client *cli,
return NT_STATUS_INVALID_PARAMETER;
}
 
+   /* marshall the dcerpc_auth with an actually empty auth_blob.
+* this is needed because the ntmlssp signature includes the
+* auth header */
+   status = dcerpc_push_dcerpc_auth(prs_get_mem_context(rpc_out),
+   
map_pipe_auth_type_to_rpc_auth_type(cli-auth-auth_type),
+   cli-auth-auth_level,
+   ss_padding_len,
+   1 /* context id. */,
+   auth_blob,
+   auth_info);
+   if (!NT_STATUS_IS_OK(status)) {
+   return status;
+   }
+
+   /* append the header */
+   if (!prs_copy_data_in(rpc_out,
+   (char *)auth_info.data,
+   auth_info.length)) {
+   DEBUG(0, (Failed to add %u bytes auth blob.\n,
+ (unsigned int)auth_info.length));
+   return NT_STATUS_NO_MEMORY;
+   }
+
switch (cli-auth-auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
/* Data portion is encrypted. */
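Review bot: the comment says the dcerpc_auth header is marshalled "with an actually empty auth_blob", but the call to dcerpc_push_dcerpc_auth passes auth_blob itself and nothing in the hunk shows it is empty at this point; either pass an explicitly empty blob here or add a check that auth_blob.length == 0 before the call, so the header's auth length field cannot pick up a stale value if the function is ever reordered. Minor: "ntmlssp" in the comment should read "ntlmssp".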
@@ -2186,21 +2209,12 @@ static NTSTATUS add_ntlmssp_auth_footer(struct 
rpc_pipe_client *cli,
return NT_STATUS_INVALID_PARAMETER;
}
 
-   /* Finally marshall the blob. */
-   status = dcerpc_push_dcerpc_auth(prs_get_mem_context(rpc_out),
-   
map_pipe_auth_type_to_rpc_auth_type(cli-auth-auth_type),
-   cli-auth-auth_level,
-   ss_padding_len,
-   1 /* context id. */,
-   auth_blob,
-   auth_info);
-   if (!NT_STATUS_IS_OK(status)) {
-   return status;
-   }
-
-   if (!prs_copy_data_in(rpc_out, (const char *)auth_info.data, 
auth_info.length)) {
-   DEBUG(0, (add_ntlmssp_auth_footer: failed to add %u bytes auth 
blob.\n,
-   (unsigned int)auth_info.length));
+   /* Finally attach the blob. */
+   if (!prs_copy_data_in(rpc_out,
+   (char *)auth_blob.data,
+   auth_blob.length)) {
+   DEBUG(0, (Failed to add %u bytes auth blob.\n,
+ (unsigned int)auth_info.length));
return NT_STATUS_NO_MEMORY;
}
 
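Review bot: the DEBUG message in the new error path still reports auth_info.length, but the copy that failed is of auth_blob.length bytes, so the logged size is the header's rather than the blob's; the argument should be (unsigned int)auth_blob.length. The rewritten message also drops the "add_ntlmssp_auth_footer:" prefix the old one carried, and with identical text now used for both the header copy earlier in the function and this blob copy, a failure cannot be told apart in the log; keep the prefix and say which copy failed.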
@@ -2715,7 +2729,6 @@ static NTSTATUS create_rpc_bind_auth3(struct 
rpc_pipe_client *cli,
DATA_BLOB *pauth_blob,
prs_struct *rpc_out)
 {
-   uint16_t auth_len = pauth_blob-length;
uint16_t frag_len = 0;
NTSTATUS status;
union dcerpc_payload u;
@@ -2735,14 +2748,14 @@ static NTSTATUS create_rpc_bind_auth3(struct 
rpc_pipe_client *cli,
}
 
/* Start building the frag length. */
-   frag_len = RPC_HEADER_LEN + 4 /* pad */ + RPC_HDR_AUTH_LEN + auth_len;
+   frag_len = RPC_HEADER_LEN + 4 /* pad */ + RPC_HDR_AUTH_LEN + 
pauth_blob-length;
 
status = dcerpc_push_ncacn_packet(prs_get_mem_context(rpc_out),
  DCERPC_PKT_AUTH3,
  DCERPC_PFC_FLAG_FIRST |
  DCERPC_PFC_FLAG_LAST,
  frag_len,
- auth_len
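Review bot: frag_len is still a uint16_t, and RPC_HEADER_LEN + 4 + RPC_HDR_AUTH_LEN + pauth_blob->length now feeds the untruncated blob length straight into it, so a blob larger than the 16-bit fragment length field wraps silently instead of failing; add a range check that returns NT_STATUS_INVALID_PARAMETER before the assignment. Removing the uint16_t auth_len local was the right direction, since it only hid the truncation, but the same oversized value is also what replaces the auth_len argument to dcerpc_push_ncacn_packet below, so the check needs to come before both uses.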