[Samba] nslcd service - Client not found in Kerberos database
Hi,

I am trying to configure the nslcd service on an Ubuntu client for kerberos authentication against samba4. My /etc/nslcd.conf contains the following:

    uid nslcd
    gid nslcd
    uri ldapi:///cofil01.mydomain.net
    base dc=mydomain,dc=net
    sasl_mech GSSAPI
    krb5_ccname FILE:/tmp/host.tkt

I have added the host principal host/ubuntu-test.mydomain.net @ MYDOMAIN.NET to /etc/krb5.keytab on both the samba4 server and the client by using ktutil. I have confirmed that the principals exist on both machines by using klist -ke /etc/krb5.keytab. hostname -f gives me the fully qualified domain name for the client.

If I restart the nslcd service, I get the following error on the client:

    * Starting Keep alive Kerberos ticket k5start
    k5start: error getting credentials: Client not found in Kerberos database

On the samba4 server side, in the /var/log/samba/log.samba file, I get the following errors:

    Kerberos: AS-REQ host/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4: 10.45.1.55:34456 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
    Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb

It says no such entry found in hdb, does hdb refer to the /etc/krb5.keytab principal database or is it referring to a database that I don't know about?

Note: I have put spaces around all @ so the list does not interpret them as e-mail addresses.

br,
Quinn

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Fwd: Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 Smart card logon
I have finally found out that my problems had to do with wrong certificates. The commands I used to generate the certificates were taken from http://k5wiki.kerberos.org/wiki/Pkinit_configuration

I downloaded and built heimdal 1.5.2 (I couldn't find hxtool in samba 4, that's why I used the instructions for OpenSSL in MIT Kerberos Wiki for the certificates in the first place). Using the hxtool I created new certificates and ... Success!

Now that Heimdal has been configured to accept PKINIT, it's time to configure Samba4 to know about the certificate. Can anyone point me where to look for Samba 4 configuration options for PKINIT?

Kind Regards,
Charalampos

Original Message
Subject: Fwd: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
Date: Thu, 05 Jul 2012 13:04:21 +0300
From: Charalampos Anargyrou charalampos.anargy...@gmail.com
To: samba@lists.samba.org

Ok, I managed to solve some of my problems. I had typographic errors in my /etc/krb5.conf. Specifically I had

    [kdc]
    enable_pkinit = yes
    pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem

Changed to

    [kdc]
    enable-pkinit = yes
    pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem

I have also enabled debugging by stopping the samba service and started samba with:

    samba -i -M single -d3

Tried again to test samba4kinit with certificate with:

    /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN

which again produces

    samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

but I can at least see in the console this:

    Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
    Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
    Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
    Kerberos: PKINIT: Couldn't find signers certificate
    Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
    Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
    Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
    Kerberos: PKINIT: Couldn't find signers certificate
    Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
    Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN

Original Message
Subject: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
Date: Thu, 05 Jul 2012 12:01:13 +0300
From: Charalampos Anargyrou charalampos.anargy...@gmail.com
To: samba@lists.samba.org

I've checked the source code and found out the enctypes I can test

    /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN

produces

    samba4kinit: krb5_get_init_creds: Already tried pkinit, looping

For the rest enctypes

    /opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
    /opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
    /opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
    /opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN

I get

    samba4kinit: krb5_get_init_creds: KDC has no support for encryption type

Looking on the Internet, I found a suggestion to write allow_weak_crypto = true under [libdefaults] in /etc/krb5.conf, which I did, but I still get the same messages back.

Can anyone understand what could be my problem?

Original Message
Subject: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
Date: Wed, 04 Jul 2012 20:22:12 +0300
From: Charalampos Anargyrou charalampos.anargy...@gmail.com
To: samba@lists.samba.org

I have followed the instructions on http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created CA and certificates with OpenSSL I changed the /etc/krb5.conf file to include the new CA and
Re: [Samba] nslcd service - Client not found in Kerberos database
ok, I did a simple GSSAPI test on the client with ldapsearch using ldapsearch -Y GSSAPI and I get Server not found in Kerberos database. In log.samba on the server, it gives:

    Kerberos: TGS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:48879 for ldap/ ubuntu-test.mydomain.net @ MYDOMAIN.NET [renewable, proxiable, forwardable]
    Kerberos: Server not found in database: ldap/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
    Kerberos: Failed building TGS-REP to ipv4:10.45.1.55:48879

I have added ldap/ubuntu-test.mydomain.net @ MYDOMAIN.NET into the server's /etc/krb5.keytab file using ktutil but the error still comes up. It is as if Kerberos is not checking /etc/krb5.keytab file. Any ideas?

br,
Quinn

On Thu, Jul 12, 2012 at 10:41 AM, Quinn Plattel qie...@gmail.com wrote:

Hi,

I am trying to configure the nslcd service on an Ubuntu client for kerberos authentication against samba4. My /etc/nslcd.conf contains the following:

    uid nslcd
    gid nslcd
    uri ldapi:///cofil01.mydomain.net
    base dc=mydomain,dc=net
    sasl_mech GSSAPI
    krb5_ccname FILE:/tmp/host.tkt

I have added the host principal host/ubuntu-test.mydomain.net @ MYDOMAIN.NET to /etc/krb5.keytab on both the samba4 server and the client by using ktutil. I have confirmed that the principals exist on both machines by using klist -ke /etc/krb5.keytab. hostname -f gives me the fully qualified domain name for the client.

If I restart the nslcd service, I get the following error on the client:

    * Starting Keep alive Kerberos ticket k5start
    k5start: error getting credentials: Client not found in Kerberos database

On the samba4 server side, in the /var/log/samba/log.samba file, I get the following errors:

    Kerberos: AS-REQ host/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4: 10.45.1.55:34456 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
    Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb

It says no such entry found in hdb, does hdb refer to the /etc/krb5.keytab principal database or is it referring to a database that I don't know about?

Note: I have put spaces around all @ so the list does not interpret them as e-mail addresses.

br,
Quinn
[Samba] Linux SSO with samba4?
Hi,

I think it is great that samba4 has a single sign on solution for Windows platforms and it seems to work well too, but I am wondering is it possible to do the same for a Linux environment? I have been studying how to implement single sign on using the Ubuntu way through this document: https://help.ubuntu.com/community/SingleSignOn and I am wondering if I can do the same with samba4 where the samba4 just replaces openldap and the kerberos server components.

On a windows client, you can login as a user through active directory even though that user is not defined locally on the client. Can you do the same in a Linux environment?

I have done some testing and the results so far look as if it is not quite there yet. For example, if I ssh to a machine using kerberos credentials, I cannot ssh to it without having a local account defined on that machine. Does a kerberos/ldap solution solve that kind of problem?

br,
Quinn
Re: [Samba] Linux SSO with samba4?
Hi,

I am running such a setup for over 2 years now. Samba4 acting as AD for the Windows Clients and LDAP/Kerberos for Linux and Solaris clients. All users are stored centrally and no local users on the clients. I'd have to dig for more information on the setup though, as it's been a while since I implemented it.

http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401 has my notes on setting up the Solaris clients. Linux was mostly similar enough with further information on several other sites.

HTH,
Bernd
Re: [Samba] Linux SSO with samba4?
That sounds great! I think the Ubuntu SSO will work too but I am still trying to implement it - I have run into some hiccups such as nslcd complaining about Client not found in Kerberos database but I think it is because samba4 is running in a multi-homed environment and someone on the Kerberos mailing list said that KDC's don't like multi-homed environments - I don't know if that is also the case with samba4 kerberos but I am testing that theory by running a new samba4 machine with only one netcard in it.

I look forward to your Linux implementation notes.

br,
Quinn

On Thu, Jul 12, 2012 at 1:46 PM, Bernd Markgraf bernd.markg...@med.ovgu.de wrote:

Hi,

I am running such a setup for over 2 years now. Samba4 acting as AD for the Windows Clients and LDAP/Kerberos for Linux and Solaris clients. All users are stored centrally and no local users on the clients. I'd have to dig for more information on the setup though, as it's been a while since I implemented it.

http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401 has my notes on setting up the Solaris clients. Linux was mostly similar enough with further information on several other sites.

HTH,
Bernd
Re: [Samba] Linux SSO with samba4?
On 12/07/12 14:05, Quinn Plattel wrote:

while since I implemented it. http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401 has my notes on setting up the Solaris clients. Linux was mostly similar enough with further information on several other sites.

HTH,
Bernd

Hi Quinn, Bernd, everyone

We converted that same method into Linux. A Linux-windows SSO solution using S4. We called it s4bind. The details are here: http://linuxcostablanca.blogspot.com.es/p/s4bind.html

HTH
Steve
Re: [Samba] nslcd service - Client not found in Kerberos database
On 12/07/12 10:41, Quinn Plattel wrote:

Hi, I am trying to configure the nslcd service on an Ubuntu client for kerberos authentication against samba4. My /etc/nslcd.conf contains the following:

    uid nslcd
    gid nslcd
    uri ldapi:///cofil01.mydomain.net
    base dc=mydomain,dc=net
    sasl_mech GSSAPI
    krb5_ccname FILE:/tmp/host.tkt

Hi Quinn

It can't authenticate because it doesn't know which principal to use.

1. Include the realm after the GSSAPI line:

    sasl_realm MYDOMAIN.NET

2. Create an AD user e.g. nslcd-service

    samba-tool user add nslcd-service

3. Extract the keytab:

    samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service

4. Edit /etc/default/nslcd to contain:

    K5START_START=no

5. Start the service

    k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt service nslcd start

That's it.

HTH
Cheers,
Steve
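Added example, not part of the thread and not Samba code: a triage of the two log.samba failures quoted in this thread. "hdb" is the KDC's own principal database (in Samba 4 it is backed by the domain's directory database), so both errors mean the name has no account there; the KDC does not consult /etc/krb5.keytab for the lookup. The log lines are constructed from the ones posted above, and the names Finding, triage and missing_principals are made up for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the log.samba lines quoted in this thread
# (the padding the posters put around "@" is removed here).
SAMPLE_LOG = """\
Kerberos: AS-REQ host/ubuntu-test.mydomain.net@MYDOMAIN.NET from ipv4:10.45.1.55:34456 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: TGS-REQ user@MYDOMAIN.NET from ipv4:10.45.1.55:48879 for ldap/ubuntu-test.mydomain.net@MYDOMAIN.NET [renewable, proxiable, forwardable]
Kerberos: Server not found in database: ldap/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:10.45.1.55:48879
"""

REQUEST = re.compile(
    r"Kerberos: (AS-REQ|TGS-REQ) (\S+) from ipv4:\s*([\d.]+):\d+ for (\S+)")
CLIENT_UNKNOWN = re.compile(
    r"Kerberos: UNKNOWN -- (\S+): no such entry found in hdb")
SERVICE_UNKNOWN = re.compile(
    r"Kerberos: Server not found in database: (\S+): no such entry found in hdb")

# What each failure tells the admin. Both point at the KDC database,
# never at a keytab file: ktutil only edits keytabs, it registers nothing.
HINTS = {
    "client": "no account in the KDC database matches this client name; "
              "authenticate as an existing account with a keytab exported "
              "from the DC",
    "service": "no account in the KDC database carries this service "
               "principal; adding it to a keytab does not register it",
}


@dataclass
class Finding:
    kind: str          # "client" (AS-REQ side) or "service" (TGS-REQ side)
    principal: str     # the name the KDC could not find
    request: str       # "AS-REQ", "TGS-REQ", or "?" if no request line seen
    source_ip: str     # where the request came from, or "?"
    requested_by: str  # client principal of the request, or "?"
    hint: str


def normalise(line):
    """Undo list-archive padding such as 'user @ REALM'."""
    return re.sub(r"\s*@\s*", "@", line.strip())


def triage(log_text):
    """Pair each 'no such entry found in hdb' failure with its request."""
    pending = {}   # (role, principal) -> (request type, client, source ip)
    findings = []
    for raw in log_text.splitlines():
        line = normalise(raw)
        m = REQUEST.search(line)
        if m:
            req, client, ip, target = m.groups()
            pending[("client", client)] = (req, client, ip)
            pending[("service", target)] = (req, client, ip)
            continue
        for kind, pattern in (("client", CLIENT_UNKNOWN),
                              ("service", SERVICE_UNKNOWN)):
            m = pattern.search(line)
            if m:
                principal = m.group(1)
                req, client, ip = pending.get((kind, principal),
                                              ("?", "?", "?"))
                findings.append(
                    Finding(kind, principal, req, ip, client, HINTS[kind]))
    return findings


def missing_principals(findings):
    """Unique principals the KDC could not find, grouped by role."""
    out = {"client": [], "service": []}
    for f in findings:
        if f.principal not in out[f.kind]:
            out[f.kind].append(f.principal)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.request} from {f.source_ip}: {f.kind} principal "
              f"{f.principal} unknown to the KDC -> {f.hint}")
```
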
[Samba] samba virtual server x domain membership
Hi there,

I have a samba server (version 3.6) named 'lnbxservcid' which is already a member of a domain whose PDC is another samba server (version 3.4). I'm using the standard samba3 packages from centos and from servnet (as CentOS.4 comes with only samba 3.0.x, but later CentOS releases came with samba3-3.4.x packages).

I wish to create on the lnxservcid machine another samba server (a virtual server) so I don't need to change login scripts and windows client UNC paths that point to a server which will be retired. The idea is each virtual server will show its own set of shares.

I tried a test setup following instructions from: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/cfgsmarts.html

On restart, domain member clients (windows machines) can connect to lnxservcid normally. But trying to connect to lnxservteste shows a login prompt, and no domain user works. It looks like I have to add machine lnxservteste to the domain. But neither net join nor smbpasswd has options to tell the name of the machine (virtual server) to join, and lnxservcid is already joined. Any idea?

I changed lnxservcid /etc/samba/smb.conf adding netbios aliases, smb ports and include statements:

    [global]
    netbios name = lnxservcid
    security = domain
    netbios aliases = lnxservteste
    smb ports = 139
    include = /etc/samba/smb-%L.conf

    [work]
    path=/mnt/work

And then I created /etc/samba/smb-lnxservteste.conf

    [global]
    workgroup = IBP
    netbios name = lnxservteste

    [teste]
    path = /mnt/teste

Should I point net join or smbpasswd to smb-lnxservteste.conf file? Or should I change the local hostname to fool those utilities? Or isn't this setup supposed to work? No samba virtual server tutorial I found on google told about domain membership. :-(

And by the way, will the need to use smb ports = 139 prevent Windows 7 clients from using my servers? So far I tried with only Windows XP clients.

[]s,
Fernando Lozano
Re: [Samba] Samba help?
On Thursday 12 July 2012 1:31:06 am Gémes Géza wrote:

Hi Miklos,

Hello Geza,

I stand chastised and apologize. I didn't mean to hijack someone's thread. I also didn't plan to ask for help in Hungarian, and this is just a coincidence. However, if you can help me I'll take whatever I can get, so thank you.

My question/problem is that I have no windows background at all and am trying to configure Samba with Active Directory. I also have no access to any windows machines to test my configuration so I don't know if it works. I believe I'm almost there but how do I know if it's really working? SWAT works fine, but Winbindd won't start.

    infadmnq:/lssrc -g samba
    Subsystem   Group   PID        Status
    smbd        samba   14221530   active
    nmbd        samba   13893726   active
    winbindd    samba              inoperative

I ran testparm and it comes back clean.

    infadmnq:/testparm
    Load smb config files from /usr/lib/smb.conf
    Processing section [samba_infaQ]
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
    workgroup = HUMC
    security = DOMAIN
    auth methods = winbind
    password server = dchumc01, dchumc02
    client NTLMv2 auth = Yes
    syslog = 3
    log file = /var/log/samba
    ldap ssl = no
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = Yes
    winbind enum groups = Yes

    [samba_infaQ]
    comment = Share for DBA SAs
    path = /samba_infaQ

I run:

    smbclient -L '\\fileserver1\DECN_Shared\' -U INFAservice

and I get two pages of output starting like this:

    Sharename     Type   Comment
    ---------     ----   -------
    CHRT_Shared   Disk   CHRT Departmental Shared Files
    HEDU_Shared   Disk   HEDU Departmental Shared Files
    MREC_Shared   Disk   MREC Departmental Shared Files
    PHBL_Shared   Disk   PHBL Departmental Shared Files
    PHRM_Shared   Disk   PHRM Departmental Shared Files
    SLAB_Shared   Disk   SLAB Departmental Shared Files
    SPAS_Shared   Disk   SPAS Departmental Shared Files
    SPTY_Shared   Disk   SPTY Departmental Shared Files
    WomenChild    Disk

Thanks for all the help!!
Miklos

First question: What do wbinfo -p, wbinfo -u and wbinfo -g return? You wrote that you have to authenticate your users against an AD. Have you joined it (e.g. net ads join -U username_of_an_AD_user_with_the_priviledge_of_joining (for example an administrator))?

Regards
Geza

I'm reposting this, as I just resubscribed to the list using my new mail addy:

I've found that I need to do a few things to make Samba work with AD (and, it does for me. I must have 15 servers (Linux and *BSD) connected to our network via Win2008R2-based AD).

First, I believe you have to get kerberos set up properly on your Linux box. Next, configure nsswitch.conf to use winbind. Then, you must join the box to the domain, just as Geza mentioned. After that, start samba. Finally, you can run the commands that Geza suggested (wbinfo -p, wbinfo -u and wbinfo -g. I'd also suggest getent passwd).

These steps are all very well documented, and, are easy to find, but if you have a problem with anything, let us know.

Dimitri
Re: [Samba] Linux SSO with samba4?
yes, I found your windows/linux setup via google earlier, but the setup was based on OpenSuse which made it a little difficult in some areas when it comes to Ubuntu - particularly the nfs server setup section. But thanks for the info! :-)

br,
Quinn

On Thu, Jul 12, 2012 at 2:23 PM, steve st...@steve-ss.com wrote:

On 12/07/12 14:05, Quinn Plattel wrote:

while since I implemented it. http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401 has my notes on setting up the Solaris clients. Linux was mostly similar enough with further information on several other sites.

HTH,
Bernd

Hi Quinn, Bernd, everyone

We converted that same method into Linux. A Linux-windows SSO solution using S4. We called it s4bind. The details are here: http://linuxcostablanca.blogspot.com.es/p/s4bind.html

HTH
Steve

--
Best regards/Med venlig hilsen,
Quinn Plattel
Re: [Samba] Linux SSO with samba4?
On 12/07/12 17:07, Quinn Plattel wrote:

yes, i found your windows/linux setup via google earlier, but the setup was based on OpenSuse which made it a little difficult in some areas when it comes to Ubuntu - particularly the nfs server setup section. But thanks for the info! :-)

There's an Ubuntu howto on the same site which includes the NFS. http://linuxcostablanca.blogspot.com.es/2012/01/samba-4-ubuntu.html

Cheers,
Steve
Re: [Samba] compiling samba 3.4.8 on CentOS_6.2
I have been using them on servers, so there are no KDE/Gnome specific stuff there. They work fine, although I haven't tested them in GUI environment. Probably, samba packages could be uninstalled with `--nodeps` flag and then replaced with the SerNet ones. Anyway, rebuilding yourself from SRPMS and installing, or compiling from source you impact on your system the same way.

---
wbr, Denis.

On Thu, Jul 12, 2012 at 10:06 PM, Randy Rue r...@fhcrc.org wrote:

It looks like to install these rpm's I first need to use yum to remove all samba-related packages and a bunch of KDE and gnome stuff, is there a way to make this work without gutting too much of the rest of the OS?

Randy

From: Denis Fateyev [mailto:de...@fateyev.com]
Sent: Wednesday, July 11, 2012 8:47 PM
To: Randy Rue
Cc: samba@lists.samba.org
Subject: Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

Hello there,

In general, you may save efforts using precompiled binaries from the SerNet team. For example: http://ftp.sernet.de/pub/samba/3.6/rhel/6/x86_64/

---
wbr, Denis.
Re: [Samba] Fwd: Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 Smart card logon
On 2012-07-12 10:47, Charalampos Anargyrou wrote:
Re: [Samba] compiling samba 3.4.8 on CentOS_6.2
With help from members here I've successfully installed 3.6.6 to a test machine and reproduced the same problem as with 3.5. So now I'm back to trying to install 3.4.8 to see if the problem exists there.

Any guidance on a failure for the compiled binaries to launch with no clues in any log? Or a pointer toward rpms for 3.4.8 and CentOS_6?

Randy

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Randy Rue
Sent: Wednesday, July 11, 2012 2:38 PM
To: samba@lists.samba.org
Subject: [Samba] compiling samba 3.4.8 on CentOS_6.2

Too late to save grief, I've been grieving on this for weeks now. I'm rolling back to 3.4.8 because I heard from several sources that idmap against AD has broken at some point since then. I'd obviously prefer to install 3.4.8 from an RPM or (even better) a yum repository somewhere but can't seem to find any for this distro and/or version.

I haven't heard from anywhere that the idmap -- ad problem is fixed in 3.6. Is it? If so, I'd be happy to try that instead.

I confess I'm unfamiliar with how to use RPM's to install the source and then compile from there. Install the RPM and then from some newly created source folder I ./configure / make / make install / etc? From the github link below, how do I get an actual rpm file to install? Can anyone point me toward a howto?

Or I could get the plain source tarball from samba.org for some later version (that's where I'm getting 3.4.8). But it seems likely I'll have the same trouble with the daemon not starting.

Or can anyone answer my actual question? For example, how to get logging working so I can get some clues on why the binary fails to start?

Hope to hear from you.

Randy

-Original Message-
From: Nico Kadel-Garcia [mailto:nka...@gmail.com]
Sent: Tuesday, July 10, 2012 6:07 PM
To: Randy Rue
Cc: samba@lists.samba.org
Subject: Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

On Tue, Jul 10, 2012 at 7:32 PM, Randy Rue randy...@gmail.com wrote:

Hello All.

Been trying without avail to make idmap work with my AD so I can get real UID/GID for SSH logins on a CentOS_6 box. Have heard from several sources that idmap has seen some serious changes since 3.5 and decided to roll back from the stock 3.5 that comes with CentOS_6 to 3.4.8. I'd like to see if it has the same problems.

Save yourself some grief. Either go to www.samba.org for a more recent version, or look at: https://github.com/nkadel/samba-3.6.4-srpm for some useful and very buildable tools for a more recent release.

Installed a clean build of CentOS_6.2. Stopped the samba service, removed the package using yum and excluded samba* from yum updates in /etc/yum.conf. Downloaded and extracted the 3.4.8 tarball.

cd into samba-3.../source3 and ran:

    the autoconfig.sh script
    ./configure
    make
    make install

copied the smb.init script from the packaging/RHEL/setup folder to /etc/init.d and made it executable

    chkconfig --add smb
    chkconfig smb on
    service smb start

fails. Tries to start both smbd and nmbd and both fail.

First I get errors about libraries.
copied the libtalloc.so.1 file from /usr/local/samba/lib to /usr/lib64
fixed that one

Then I get errors about not finding the binaries
linked /usr/local/samba/sbin/smbd and nmbd to /sbin and fixed that one

This feels like a hack. I also tried adding /usr/local/samba/sbin to the path. Also a hack but made no difference.

Now if I try service smb start (or restart) I get failures from the init script. Or I can try smbd directly and I get no response (it appears to start) but ps shows that it didn't start. I've turned debug level and log level up to 3 in smb.conf (tried both arguments) but I get nothing in /var/log/syslog and nothing in any file in /var/log/samba when I try to start it.

Forgive the anecdotal tone of the above, I'm working mostly from memory and have probably garbled a path or file name. Then again, I've been through these steps six or more times now.

Am I missing something obvious?

Hope to hear from you,

Randy
Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND
I read the bugreport that Dale linked and ended up using the workaround listed there. Changes made to '/etc/samba/smb.conf' follow: @@ -28,9 +28,12 @@ winbind enum users = Yes winbind enum groups = Yes panic action = /usr/share/samba/panic-action %d -idmap config CBJ_NT:backend = rid -idmap config CBJ_NT:base_rid = 0 -idmap config CBJ_NT:range = 1-65533 +idmap config * : backend = rid +idmap config * : base_rid = 0 +idmap config * : range = 1-65533 idmap config LIBRARY:backend = rid idmap config LIBRARY:base_rid = 0 idmap config LIBRARY:range = 65535-7 Does anyone have any idea why not explicitly specifying the domain fixes this issue? -Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Tuesday, July 10, 2012 11:18
To: Kevin Elliott
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

On 07/10/2012 12:56 PM, Kevin Elliott wrote:

Hello all,

I recently upgraded from Samba 3.5.6 (the version contained in Debian Stable) to Samba 3.6.5 (the version from Debian Backports) in an effort to closer track the current development to try and chase some long standing bugs out. I think I've resolved one problem but introduced another. I'm getting the WBC_ERR_DOMAIN_NOT_FOUND when I try to perform a SID to UID lookup much like so:

    city-liza-lnx:/var/log/samba# wbinfo -t
    checking the trust secret for domain CBJ_NT via RPC calls succeeded
    city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
    S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
    city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
    CBJ_NT+kevin_elliott 1
    city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
    failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid

This looks like it has all the markings of following bugreport:
https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679

Before I follow this upstream can someone sanity check my configs for me? I understand that much has changed between 3.5 and 3.6 regarding the idmapping.

    [global]
    workgroup = CBJ_NT
    realm = CBJ.LOCAL
    netbios aliases = CITY-LIZA-L90, CITY-LIZA
    server string = External FTP Server
    interfaces = 199.58.55.87/22, lo
    bind interfaces only = Yes
    security = ADS
    obey pam restrictions = Yes
    passdb backend = tdbsam
    password server = 199.58.55.25, 199.58.55.50
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    client NTLMv2 auth = Yes
    log level = 10
    log file = /var/log/samba/log.%m
    max log size = 2500
    printcap name = cups
    os level = 5
    local master = No
    domain master = No
    wins server = 199.58.55.25
    ldap ssl = no
    winbind enum users = Yes
    winbind enum groups = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config CBJ_NT:backend = rid
    idmap config CBJ_NT:base_rid = 0
    idmap config CBJ_NT:range = 1-65533
    idmap config LIBRARY:backend = rid
    idmap config LIBRARY:base_rid = 0
    idmap config LIBRARY:range = 65535-7
    winbind separator = +
    winbind use default domain = Yes

    [ftp]
    comment = FTP directory
    path = /var/ftp/pub/
    valid users = @CBJ_NT+domain users
    read only = No
    create mask = 0775
    directory mask = 0775
    hide unreadable = Yes

Thank you for your consideration.

Kevin,

With idmap rid, it could also be this one: https://bugzilla.samba.org/show_bug.cgi?id=8676

This bug has been in every version of 3.6. For me, a reboot of the system usually will fix the problem until the next samba/winbind restart is required; others have not been so fortunate.

Dale
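Review bot: In the added lines of the smb.conf change quoted at the top of this message, `idmap config * : range = 1-65533` starts the default range at 1, so IDs produced by the rid backend with `base_rid = 0` can land in the low UID/GID space that local system accounts normally occupy, and the `*` default now carries the settings that used to be scoped to CBJ_NT. Consider keeping a per-domain `idmap config CBJ_NT` stanza and giving `*` its own range that starts above the local account range and does not touch the CBJ_NT or LIBRARY ranges; the LIBRARY range in the context lines (`65535-7`) also has a lower bound above its upper bound as shown and is worth re-checking in the real file.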
Re: [Samba] nslcd service - Client not found in Kerberos database
Hi Steve,

Thanks for the info - that helps a lot! I can see that the /etc/init.d/nslcd script in Ubuntu needs modifying in order for k5start to work. It uses -u to specify an alternate principal which you don't use in your example. The script uses host/client.example.com as an alternate principal - can you not use that principal format instead of just a user name?

br, Quinn

On Thu, Jul 12, 2012 at 3:08 PM, steve st...@steve-ss.com wrote:

On 12/07/12 10:41, Quinn Plattel wrote:

Hi, I am trying to configure the nslcd service on an Ubuntu client for kerberos authentication against samba4. My /etc/nslcd.conf contains the following:

    uid nslcd
    gid nslcd
    uri ldapi:///cofil01.mydomain.net
    base dc=mydomain,dc=net
    sasl_mech GSSAPI
    krb5_ccname FILE:/tmp/host.tkt

Hi Quinn

It can't authenticate because it doesn't know which principal to use.

1. Include the realm after the GSSAPI line:
    sasl_realm MYDOMAIN.NET

2. Create an AD user e.g. nslcd-service
    samba-tool user add nslcd-service

3. extract the keytab:
    samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service

4. edit /etc/default/nslcd to contain:
    K5START_START=no

5. start the service
    k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt service nslcd start

That's it. HTH

Cheers, Steve

-- Best regards/Med venlig hilsen, Quinn Plattel
Re: [Samba] compiling samba 3.4.8 on CentOS_6.2
You had better consult the Samba Core Team about this particular issue. Maybe that feature is broken in recent releases.

--- wbr, Denis.

On Thu, Jul 12, 2012 at 11:40 PM, Randy Rue randy...@gmail.com wrote:

With help from members here I've successfully installed 3.6.6 to a test machine and reproduced the same problem as with 3.5. So now I'm back to trying to install 3.4.8 to see if the problem exists there. Any guidance on a failure for the compiled binaries to launch with no clues in any log? Or a pointer toward rpms for 3.4.8 and CentOS_6?

Randy
Re: [Samba] nslcd service - Client not found in Kerberos database
On 12/07/12 20:30, Quinn Plattel wrote:

Hi Steve, Thanks for the info - that helps a lot! I can see that the /etc/init.d/nslcd script in Ubuntu needs modifying in order for k5start to work. It uses -u to specify an alternate principal which you don't use in your example. The script uses host/client.example.com as an alternate principal - can you not use that principal format instead of just a user name?

Hi Quinn

It's one of the annoyances with Ubuntu. Just disable the automatic starting of k5start with nslcd as in my item:

4. edit /etc/default/nslcd to contain:
    K5START_START=no

Make sure k5start is active before nslcd

HTH
Steve
Re: [Samba] compiling samba 3.4.8 on CentOS_6.2
From the same source as the 3.6 rpms I've installed 3.4.17. It works, almost.

I can log in using an AD account, and the user has a UID matching the AD Unix Attribute UID and a GID matching that of the Unix Attributes Primary Group. The only weird part is that on login I get an error id: cannot find name for group ID , that is, the GID doesn't resolve to the AD name of the Primary Group.

If I enter id my uid (same as my emplid) and my ad alias, and the numerical gid but no matching name. Then when it lists my group memberships, it lists the primary group first (by gid only) and then the rest of my AD groups including gid and ad name.

Progress. And this would seem to support that idmap backend = ad is broken.

Any guidance on resolving the group name?

Randy

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Denis Fateyev
Sent: Thursday, July 12, 2012 11:32 AM
To: samba@lists.samba.org
Subject: Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

You had better consult the Samba Core Team about this particular issue. Maybe that feature is broken in recent releases.

--- wbr, Denis.

On Thu, Jul 12, 2012 at 11:40 PM, Randy Rue randy...@gmail.com wrote:

With help from members here I've successfully installed 3.6.6 to a test machine and reproduced the same problem as with 3.5. So now I'm back to trying to install 3.4.8 to see if the problem exists there. Any guidance on a failure for the compiled binaries to launch with no clues in any log? Or a pointer toward rpms for 3.4.8 and CentOS_6?

Randy
[Samba] Exchange setup failure
I am trying to install Exchange 2010 with Samba. I am able to install the Management tools but setup of the Mailbox role fails. Is this known to work with Samba 4.0 beta 3? The release notes mention that Samba beta 3 is able to handle installation of exchange but some issues prevent run-time operation.

Error reported by Exchange setup:

The following error was generated when

$error.Clear(); if ($RoleIsDatacenter -ne $true) { if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue) { # upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4. get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName; $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName; $mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 ); if ( $mbxs.length -eq 0) { $dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController); if($dbs.Length -ne 0) { $mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1); if ($mbxUser.Length -ne 0) { enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity; } } } } else { write-exchangesetuplog -info Skipping creating Discovery Search Mailbox because of insufficient permission. } }

was run:

Active Directory operation failed on ip-10-252-67-22.testdm2.alinuxsrv.com. This error is not retriable. Additional information: The attribute syntax specified to the directory service is invalid.
Active directory response: 200B: objectclass_attrs: attribute 'authOrig' on entry 'CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=testdm2,DC=alinuxsrv,DC=com' contains at least one invalid value!.

Active Directory operation failed on ip-10-252-67-22.testdm2.alinuxsrv.com. This error is not retriable. Additional information: The attribute syntax specified to the directory service is invalid.
Active directory response: 200B: objectclass_attrs: attribute 'authOrig' on entry 'CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=testdm2,DC=alinuxsrv,DC=com' contains at least one invalid value!

The syntax is invalid.

Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11e=ms.exch.err.Ex88D115l=0cl=cp

Thanks, Harsh
Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND
I think you might be missing some stuff in the prior config you had. The following works for me with Samba 3.6.6:

    idmap config * : backend = tdb
    idmap config * : range = 100-199
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 1000-99
    idmap config MYDOMAIN : base_rid= 0

You need the * entry in there because you need a range for defaults. I only have a single domain (and yes it's not called MYDOMAIN:-) ). For instance, I have log files named:

    log.wb-BUILTIN
    log.wb-MYDOMAIN
    log.wb-HOSTNAME

I do not have the winbind enum groups or users defined in my config file. The default is no for both. Also, winbind refused to function properly when I attempted setting the backend for my domain as tdb.

Everywhere I've read, rid is safe for multiple domains and multiple winbind enabled systems, so long as those ranges are consistent throughout your winbind systems' config settings, and they have completely separate ranges. They must not overlap!

Sample output:

    [hchoi@HOSTNAME hchoi](30)# wbinfo -i hchoi
    hchoi:*:2601:1513::/home/hchoi:/bin/bash
    [hchoi@HOSTNAME hchoi](31)# id hchoi
    uid=2601(hchoi) gid=1513(domain users) groups=1513(domain users),...,101(BUILTIN\users)
    [hchoi@HOSTNAME hchoi](34)# wbinfo -i administrator
    administrator:*:1500:1513::/home/administrator:/bin/bash
    [hchoi@HOSTNAME hchoi](32)# id administrator
    uid=1500(administrator) gid=1513(domain users) groups=1513(domain users),1520(group policy creator owners),1512(domain admins),2106(organization management),1519(enterprise admins),1518(schema admins),101(BUILTIN\users),100(BUILTIN\administrators)

My remaining smb.conf:

    [global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.NET
    server string = Linux Server
    security = ADS
    ntlm auth = No
    kerberos method = secrets and keytab
    log file = /var/log/samba/log.%m
    max log size = 1000
    max protocol = SMB2
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    wins server = 192.168.10.10, 192.168.10.11
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind offline logon = Yes

    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    ...

krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = MYDOMAIN.NET
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    [domain_realm]
    .mydomain.net = MYDOMAIN.NET
    mydomain.net = MYDOMAIN.NET

Hope this helps..

On 07/12/2012 01:06 PM, Kevin Elliott wrote:

I read the bugreport that Dale linked and ended up using the workaround listed there. Changes made to '/etc/samba/smb.conf' follow:

@@ -28,9 +28,12 @@ winbind enum users = Yes winbind enum groups = Yes panic action = /usr/share/samba/panic-action %d -idmap config CBJ_NT:backend = rid -idmap config CBJ_NT:base_rid = 0 -idmap config CBJ_NT:range = 1-65533 +idmap config * : backend = rid +idmap config * : base_rid = 0 +idmap config * : range = 1-65533 idmap config LIBRARY:backend = rid idmap config LIBRARY:base_rid = 0 idmap config LIBRARY:range = 65535-7

Does anyone have any idea why not explicitly specifying the domain fixes this issue?

-----Original Message-----
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Tuesday, July 10, 2012 11:18
To: Kevin Elliott
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

On 07/10/2012 12:56 PM, Kevin Elliott wrote:

Hello all,

I recently upgraded from Samba 3.5.6 (the version contained in Debian Stable) to Samba 3.6.5 (the version from Debian Backports) in an effort to closer track the current development to try and chase some long standing bugs out. I think I've resolved one problem but introduced another. I'm getting the WBC_ERR_DOMAIN_NOT_FOUND when I try to perform a SID to UID lookup much like so:

    city-liza-lnx:/var/log/samba# wbinfo -t
    checking the trust secret for domain CBJ_NT via RPC calls succeeded
    city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
    S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
    city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
    CBJ_NT+kevin_elliott 1
    city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
    failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid

This looks like it has all the markings of following
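The two rules stated in the reply above (a default `*` range has to exist, and the per-domain ranges must not overlap) can be checked mechanically before winbind is restarted. The following Python check is an added example, not part of the original post or of Samba: the function names, the constructed smb.conf sample and the `local_id_max=999` ceiling for local accounts are assumptions, and the malformed-range and low-ID checks go beyond what the thread states.

```python
import re
from itertools import combinations

# Constructed sample, in the style of the smb.conf fragments quoted in this thread.
SAMPLE_CONF = """\
[global]
    workgroup = CBJ_NT
    security = ADS
    ; default range for BUILTIN and unknown domains
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999
    idmap config CBJ_NT : backend = rid
    idmap config CBJ_NT : base_rid = 0
    idmap config CBJ_NT : range = 1-65533
    idmap config LIBRARY:backend = rid
    idmap config LIBRARY:range = 60000-70000
"""

# Matches "idmap config DOMAIN : option = value", with or without spaces around ':'.
IDMAP_LINE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:]+?)\s*:\s*(?P<option>[^=]+?)\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def parse_idmap(text):
    """Collect the idmap config options of each domain from smb.conf text."""
    domains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = IDMAP_LINE.match(line)
        if m:
            dom = m.group("domain").strip().upper()
            opt = " ".join(m.group("option").lower().split())
            domains.setdefault(dom, {})[opt] = m.group("value")
    return domains


def parse_range(value):
    """Return (low, high), or None when the value is not an ascending range."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def check_idmap(text, local_id_max=999):
    """Return a list of (code, domain, detail) findings for the idmap settings.

    local_id_max is an assumed upper bound for IDs used by local accounts.
    """
    findings = []
    ranges = {}
    for dom, opts in sorted(parse_idmap(text).items()):
        if "range" not in opts:
            findings.append(("no-range", dom, "options set without a range"))
            continue
        rng = parse_range(opts["range"])
        if rng is None:
            findings.append(("bad-range", dom, opts["range"]))
            continue
        ranges[dom] = rng
        if rng[0] <= local_id_max:
            findings.append(("low-ids", dom, "%d-%d" % rng))
    if "*" not in ranges:
        findings.append(("no-default", "*", "no usable default range"))
    # Two closed intervals overlap when each one starts before the other ends.
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append(("overlap", a + "," + b, "%d-%d vs %d-%d" % (ra + rb)))
    return findings


if __name__ == "__main__":
    for code, domain, detail in check_idmap(SAMPLE_CONF):
        print("%-10s %-16s %s" % (code, domain, detail))
```

A range written with its bounds reversed, such as the `65535-7` that appears in the quoted configuration, is reported as `bad-range` and left out of the overlap comparison.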
Re: [Samba] compiling samba 3.4.8 on CentOS_6.2
How is Samba 3.6 against ADS broken? I have Samba 3.6.6 on SL6.2 with ADS and it's running great... In fact on my Windows 7 laptop, with my SSH client, I can SSH in with kerberos, no password entering is needed. :-) Same with Linux to Linux.

If you really have to install Samba 3.4 against CentOS 6.2, install these: http://ftp.sernet.de/pub/samba/3.4/rhel/6/x86_64/

But you really should at least try to stick with Samba 3.6, and get your configuration file correct.

On 07/11/2012 10:46 PM, Denis Fateyev wrote:

Hello there, In general, you may save efforts using precompiled binaries from the SerNet team. For example: http://ftp.sernet.de/pub/samba/3.6/rhel/6/x86_64/

--- wbr, Denis.
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
If you configure PAM and kerberos properly, you do not need to do a kinit first. I get them automatically when I login. They automatically renew when I type my password into the GNOME screensaver. Btw, I am also using Samba 3, not Samba4.

On 07/11/2012 03:07 AM, Quinn Plattel wrote:

Btw, forgot to mention, when testing, make sure on the client you do a kinit user to get a valid ticket before doing your ssh login. You can check if you have a valid ticket with the klist command.

br, Quinn

On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel qie...@gmail.com wrote:

Hi Marcel,

On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l) :

    ii krb5-config 2.2 Configuration files for Kerberos Version 5
    ii krb5-locales 1.10+dfsg~beta1-2ubuntu0.1 Internationalization support for MIT Kerberos
    ii krb5-user 1.10+dfsg~beta1-2ubuntu0.1 Basic programs to authenticate using MIT Kerberos
    ii libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
    ii libkrb5-26-heimdal 1.6~git20120311.dfsg.1-2 Heimdal Kerberos - libraries
    ii libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries
    ii libkrb5support0 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries - Support library
    ii libpam-krb5 4.5-3 PAM module for MIT Kerberos
    ii openssh-client 1:5.9p1-5ubuntu1 secure shell (SSH) client, for secure access to remote machines

On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):

    ii krb5-config 2.2 Configuration files for Kerberos Version 5
    ii krb5-locales 1.10+dfsg~beta1-2ubuntu0.1 Internationalization support for MIT Kerberos
    ii krb5-user 1.10+dfsg~beta1-2ubuntu0.1 Basic programs to authenticate using MIT Kerberos
    ii libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
    ii libkrb5-26-heimdal 1.6~git20120311.dfsg.1-2 Heimdal Kerberos - libraries
    ii libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries
    ii libkrb5support0 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries - Support library
    ii openssh-client 1:5.9p1-5ubuntu1 secure shell (SSH) client, for secure access to remote machines
    ii openssh-server 1:5.9p1-5ubuntu1 secure shell (SSH) server, for secure access from remote machines
    samba Version 4.0.0beta3-GIT-UNKNOWN

Without GSSAPIStrictAcceptorCheck no you need an fqdn in the client's /etc/hosts file and have all the principals needed added to the server's keytab file, but this is not necessary if you use the parameter. With the parameter, the only thing you need is to make sure is that on the server /var/lib/samba/secrets.keytab is copied or linked to /etc/krb5.keytab (sshd looks for it). You can use the keytab file as it is without copying any extra principals into it. You can have a very simple /etc/hosts on the client such as:

    127.0.0.1 localhost
    127.0.1.1 ubuntu-test

This setup probably only works for ssh kerberos. nfsv4, pam logins, and other kerberos aware services may need strict checking. That is my next research project.

For ssh debugging, on the server I used -ddd for sshd and looked at both syslog and auth.log under /var/log. On the client, I used ssh -vvvl user server

For kerberos samba4 debugging, start samba with -d 5 parameter and then tail -f /var/log/samba/log.samba|grep Kerberos:

br, Quinn

On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE marcel.rit...@rrze.fau.de wrote:

Hi Quinn,

I just tried your solution (my machine is also multi-homed). However it doesn't work for me. The man-page of sshd_config also states, that the behavior of GSSAPIStrictAcceptorCheck may depend on the used krb5 libraries. Could you please have a look at the krb5 and openssh versions you're using (and perhaps the linux distribution/version)?

BTW: I'm running:

    Ubuntu 12.04 LTS
    openssh-server 5.9p1-5ubuntu1
    libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1

auth.log mentions (during failed login):

    Unspecified GSS failure. Minor code may provide more information: Wrong principal in request

Thanks, Marcel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Quinn Plattel
Sent: Tuesday, 10 July 2012 16:08
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Hi, I solved my ssh GSSAPI problem. There were a lot of solutions on google referring to a proper fqdn in the /etc/hosts file and having the fqdn's/principals in the kerberos server's keytab file but I found out that my problem was that the samba4/kerberos server was running on a multi-homed
Re: [Samba] Samba with Active directory integration problem
What is the lwopen idmap backend? First I've heard of that one:-) Also, why are you setting your homedir template as /dev/null, and yet shell as /bin/true? That's pretty goofy..=-O

On 07/10/2012 07:20 AM, velusamy Krishnan wrote:

Hi, I have followed all the steps given in https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto to integrate the samba with active directory. I have the following configuration file,

    [global]
    workgroup = ASSURANCE
    security = ads
    realm = ASSURANCE.LOCAL
    encrypt passwords = yes
    winbind separator = +
    idmap backend = lwopen
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /dev/null
    template shell = /bin/true

    [adshare]
    path = */home/velusamy/Pictures/*
    writable = yes
    valid users = ASSURANCE+velu
    browseable = yes

Now, executed the smb-client.

    smbclient //192.168.5.136/adshare -U velu

It asked password, given, it connected to the share. But, I was unable to access the share from different machine which is connected in the same network. It said the following error.

    smbclient //192.168.5.136/adshare -U velu
    Enter velu's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

Kindly anyone please help me out from this problem.. I could not solve this issue for last two days. Please help me out.

Thanks, Velusamy.
Re: [Samba] Yet another Win7 failing to join the domain...
I'm pretty sure that would be samba3x, not samba3 for RHEL/CentOS 5.

On 06/06/2012 09:07 AM, John Doe wrote:

From: Hoover, Tony hoo...@sal.ksu.edu

CentOS 5 does have a newer samba available. To get it:

    yum remove samba
    yum install samba3

or to get really fresh samba, use the SerNet repos.

Ah, thx for the info! JD
[Samba] waf workaround?
Is it possible to build samba without waf? It has slowed down my local samba builds by a factor of 5-10x -- it seems to lack any parallelism, and on a 12 core machine, that really sucks. When going through its tests, it's noticeably slower than the configure shell tests that do the same... But then the build/make parts all go by like molasses...

What is wrong with standard make tools that proprietary - going back a generation or two, stuff had to be used? What did it solve that wasn't solvable in a standard make? Maybe waf can be configured to create a standard makefile to handle the more complex configuration parts, and then let make do what it does best?
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 19e8002 s3/torture: adjust dependency to fix build when no winbind was build before via b865cdd s3: make log message of FSCTL_IS_VOLUME_DIRTY more clear via a93f56a test: fix compile warning on test summary from 2cc38ac mkversion: Remove quotes around SAMBA_VERSION_VENDOR_PATCH string http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 19e80027b4fe946d2e96d770b92415c8bdc185c5 Author: Björn Jacke b...@sernet.de Date: Thu Jul 12 12:41:55 2012 +0200 s3/torture: adjust dependency to fix build when no winbind was build before Autobuild-User(master): Björn Jacke b...@sernet.de Autobuild-Date(master): Thu Jul 12 14:44:14 CEST 2012 on sn-devel-104 commit b865cddee7690bc61d76348b295edded96ae4d58 Author: Björn Jacke b...@sernet.de Date: Tue Jul 10 12:26:50 2012 +0200 s3: make log message of FSCTL_IS_VOLUME_DIRTY more clear commit a93f56a0699e32243efd8829db159ae947808530 Author: Björn Jacke b...@sernet.de Date: Fri Jul 6 07:01:09 2012 +0200 test: fix compile warning on test summary --- Summary of changes: source3/Makefile.in |2 +- source3/modules/vfs_default.c |2 +- tests/summary.c |2 +- 3 files changed, 3 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/Makefile.in b/source3/Makefile.in index 3b59a28..39efd99 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -2007,7 +2007,7 @@ bin/nmblookup: $(BINARY_PREREQS) $(NMBLOOKUP_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LI @$(CC) -o $@ $(NMBLOOKUP_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \ $(POPT_LIBS) $(LDAP_LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) -bin/smbtorture: $(BINARY_PREREQS) $(SMBTORTURE_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) +bin/smbtorture: $(BINARY_PREREQS) $(SMBTORTURE_OBJ) @BUILD_POPT@ $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) $(IDMAP_UTIL_OBJ) @echo Linking $@ @$(CC) -o $@ $(SMBTORTURE_OBJ) $(IDMAP_UTIL_OBJ) $(LDFLAGS) $(DYNEXP) \ $(LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) \ 
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index eb3e343..8485495 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c @@ -1084,7 +1084,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle, case FSCTL_IS_VOLUME_DIRTY: { DEBUG(10,(FSCTL_IS_VOLUME_DIRTY: called on %s - (but not implemented)\n, fsp_fnum_dbg(fsp))); + (but remotely not supported)\n, fsp_fnum_dbg(fsp))); /* * http://msdn.microsoft.com/en-us/library/cc232128%28PROT.10%29.aspx * says we have to respond with NT_STATUS_INVALID_PARAMETER diff --git a/tests/summary.c b/tests/summary.c index bd0c162..27f7d4d 100644 --- a/tests/summary.c +++ b/tests/summary.c @@ -2,7 +2,7 @@ void exit(int); -main() +int main() { #if !defined(HAVE_FCNTL_LOCK) printf(ERROR: No locking available. Running Samba would be unsafe\n); -- Samba Shared Repository
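Review bot: In the bin/smbtorture rule of source3/Makefile.in, $(IDMAP_UTIL_OBJ) is appended after the library prerequisites, while the unchanged link command lists it directly after $(SMBTORTURE_OBJ). Placing it next to $(SMBTORTURE_OBJ) in the prerequisite list would keep the two lists in step, and the commit message could state that the object was already on the link line but missing from the prerequisites, since that is what the build failure without a prior winbind build comes down to.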
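Review bot: The new DEBUG text "(but remotely not supported)" in the FSCTL_IS_VOLUME_DIRTY case of source3/modules/vfs_default.c is harder to read than the wording it replaces. The comment directly below says the response has to be NT_STATUS_INVALID_PARAMETER, so if that is what this case returns, naming the status in the message would tell someone reading a level 10 log what the client actually received.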
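Review bot: `int main()` in tests/summary.c still leaves the parameter list unspecified; `int main(void)` is the prototype form and also stays quiet under stricter warning settings, which is the stated purpose of the change.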
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1ee95e4 s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam() via c43505b s3: rename sid_check_is_domain() to sid_check_is_our_sam() via ac2644b s3:passdb: remove commented out pdb_lookup_names code from 19e8002 s3/torture: adjust dependency to fix build when no winbind was build before http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1ee95e4cb14b0f9c7bbaba0c994f0a511822cff8 Author: Michael Adam ob...@samba.org Date: Thu Jul 12 16:00:59 2012 +0200 s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam() This does not check whether the given sid is in our domain, but whether it belongs to the local sam, which is a different thing on a domain member server. Autobuild-User(master): Michael Adam ob...@samba.org Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104 commit c43505b621725c9a754f0ee98318d451b093f2ed Author: Michael Adam ob...@samba.org Date: Thu Jul 12 15:55:21 2012 +0200 s3: rename sid_check_is_domain() to sid_check_is_our_sam() This does not check whether the given sid is the domain sid, but whether it is the sid of the local sam, which is different for a domain member server. commit ac2644b7766e41858d53ead9d0c023a26265789a Author: Michael Adam ob...@samba.org Date: Thu Jul 12 15:51:21 2012 +0200 s3:passdb: remove commented out pdb_lookup_names code This code is lying there unused since more than five years now. 
--- Summary of changes: source3/auth/token_util.c |2 +- source3/passdb/lookup_sid.c |8 ++-- source3/passdb/machine_sid.c |8 ++-- source3/passdb/machine_sid.h |4 +- source3/passdb/passdb.c |4 +- source3/passdb/pdb_interface.c| 86 + source3/passdb/pdb_ldap.c | 12 ++-- source3/rpc_server/samr/srv_samr_nt.c | 24 +- source3/utils/net_groupmap.c |2 +- source3/winbindd/idmap.c |2 +- source3/winbindd/wb_lookupsids.c |4 +- source3/winbindd/wb_next_grent.c |4 +- source3/winbindd/wb_next_pwent.c |4 +- source3/winbindd/winbindd_cache.c |4 +- source3/winbindd/winbindd_cm.c|2 +- source3/winbindd/winbindd_samr.c |6 +- source3/winbindd/winbindd_util.c |4 +- 17 files changed, 49 insertions(+), 131 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 4a88a6b..59295fd 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -583,7 +583,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - if (sid_check_is_in_our_domain(user_sid)) { + if (sid_check_is_in_our_sam(user_sid)) { bool ret; uint32_t pdb_num_group_sids; /* This is a passdb user, so ask passdb */ diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index 3f8b06d..8e14cec 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -497,7 +497,7 @@ static bool lookup_rids(TALLOC_CTX *mem_ctx, const struct dom_sid *domain_sid, *types = NULL; } - if (sid_check_is_domain(domain_sid)) { + if (sid_check_is_our_sam(domain_sid)) { NTSTATUS result; if (*domain_name == NULL) { @@ -613,7 +613,7 @@ static bool lookup_as_domain(const struct dom_sid *sid, TALLOC_CTX *mem_ctx, const char *tmp; enum lsa_SidType type; - if (sid_check_is_domain(sid)) { + if (sid_check_is_our_sam(sid)) { *name = talloc_strdup(mem_ctx, get_global_sam_name()); return true; } 
@@ -710,7 +710,7 @@ static bool check_dom_sid_to_level(const struct dom_sid *sid, int level) case 3: case 4: case 6: - ret = sid_check_is_domain(sid); + ret = sid_check_is_our_sam(sid); break; case 5: ret = false; @@ -1081,7 +1081,7 @@ static void legacy_gid_to_sid(struct dom_sid *psid, gid_t gid) static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id) { GROUP_MAP *map; - if (sid_check_is_in_our_domain(psid)) { + if (sid_check_is_in_our_sam(psid)) { bool ret; become_root(); diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c index bc663f0..56edb17 100644 --- a/source3/passdb/machine_sid.c +++ b/source3/passdb/machine_sid.c @@ -229,10 +229,10 @@ void reset_global_sam_sid(void) }
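Review bot: In source3/passdb/lookup_sid.c the callers keep their old names: lookup_as_domain() and check_dom_sid_to_level() now call sid_check_is_our_sam(), so the "domain" wording that the commit message calls misleading survives one level up. A short comment at those call sites, or on the renamed declarations in machine_sid.h, saying that the check is against the local SAM SID and differs from the domain SID on a member server would keep the distinction visible, in particular for create_token_from_username() in token_util.c, where the result selects the passdb path.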
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 622eb59 s3: Make us survive base-delaywrite with aio enabled via 67e7e14 s3: Factor out mark_file_modified from 1ee95e4 s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 622eb59eb472bbdb9fd985c4d8880d3a1c098cd7 Author: Volker Lendecke v...@samba.org Date: Thu Jul 12 18:47:42 2012 +0200 s3: Make us survive base-delaywrite with aio enabled Signed-off-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Thu Jul 12 21:28:19 CEST 2012 on sn-devel-104 commit 67e7e14e6231b420d34b9782cfac7901c2e28663 Author: Volker Lendecke v...@samba.org Date: Thu Jul 12 16:28:11 2012 +0200 s3: Factor out mark_file_modified This is in preparation of making us survive base-delaywrite with async I/O activated Signed-off-by: Jeremy Allison j...@samba.org --- Summary of changes: source3/smbd/aio.c|4 +++ source3/smbd/fileio.c | 67 ++-- source3/smbd/proto.h |1 + 3 files changed, 47 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/aio.c b/source3/smbd/aio.c index ec68b90..0ea5274 100644 --- a/source3/smbd/aio.c +++ b/source3/smbd/aio.c @@ -733,6 +733,8 @@ static int handle_aio_write_complete(struct aio_extra *aio_ex, int errcode) } aio_ex-fsp-fh-pos = aio_ex-acb.aio_offset + nwritten; + + mark_file_modified(aio_ex-fsp); } show_msg(outbuf); @@ -821,6 +823,8 @@ static int handle_aio_smb2_write_complete(struct aio_extra *aio_ex, int errcode) return errcode; } + mark_file_modified(fsp); + tevent_req_done(subreq); return errcode; } diff --git a/source3/smbd/fileio.c b/source3/smbd/fileio.c index a14be78..631a9a1 100644 --- a/source3/smbd/fileio.c +++ b/source3/smbd/fileio.c 
@@ -269,6 +269,37 @@ void trigger_write_time_update_immediate(struct files_struct *fsp) (void)smb_set_file_time(fsp-conn, fsp, fsp-fsp_name, ft, false); } +void mark_file_modified(files_struct *fsp) +{ + int dosmode; + + if (fsp-modified) { + return; + } + + fsp-modified = true; + + if (SMB_VFS_FSTAT(fsp, fsp-fsp_name-st) != 0) { + return; + } + trigger_write_time_update(fsp); + + if (fsp-posix_open) { + return; + } + if (!(lp_store_dos_attributes(SNUM(fsp-conn)) || + MAP_ARCHIVE(fsp-conn))) { + return; + } + + dosmode = dos_mode(fsp-conn, fsp-fsp_name); + if (IS_DOS_ARCHIVE(dosmode)) { + return; + } + file_set_dosmode(fsp-conn, fsp-fsp_name, +dosmode | FILE_ATTRIBUTE_ARCHIVE, NULL, false); +} + / Write to a file. / @@ -300,34 +331,20 @@ ssize_t write_file(struct smb_request *req, return -1; } - if (!fsp-modified) { - fsp-modified = True; - - if (SMB_VFS_FSTAT(fsp, fsp-fsp_name-st) == 0) { - trigger_write_time_update(fsp); - if (!fsp-posix_open - (lp_store_dos_attributes(SNUM(fsp-conn)) || - MAP_ARCHIVE(fsp-conn))) { - int dosmode = dos_mode(fsp-conn, fsp-fsp_name); - if (!IS_DOS_ARCHIVE(dosmode)) { - file_set_dosmode(fsp-conn, fsp-fsp_name, -dosmode | FILE_ATTRIBUTE_ARCHIVE, NULL, false); - } - } - - /* -* If this is the first write and we have an exclusive oplock then setup -* the write cache. -*/ + /* +* If this is the first write and we have an exclusive oplock +* then setup the write cache. +*/ - if (EXCLUSIVE_OPLOCK_TYPE(fsp-oplock_type) !wcp) { - setup_write_cache(fsp, -fsp-fsp_name-st.st_ex_size); - wcp = fsp-wcp; - } - } + if (!fsp-modified + EXCLUSIVE_OPLOCK_TYPE(fsp-oplock_type) + (wcp == NULL)) { + setup_write_cache(fsp, fsp-fsp_name-st.st_ex_size); + wcp =
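Review bot: in write_file() the rewritten block calls `setup_write_cache(fsp, fsp->fsp_name->st.st_ex_size)` under `!fsp->modified`, that is, before mark_file_modified() has run its SMB_VFS_FSTAT() for this handle, whereas the removed code reached setup_write_cache() only after that fstat had succeeded. Please confirm the cached st_ex_size is fresh at this point on the first write, or keep the stat ahead of the cache setup, and add a comment that mark_file_modified() must be called after this block because the condition depends on fsp->modified still being false.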
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e454681 Linux-specific optimization in aio_open code. via a7c63ac Set fsp-initial_allocation_size before calling open_file_ntcreate(). via 775014b Make sure we reset fsp-initial_allocation_size to zero if we didn't create the file. via cb40594 Add an optimization to pthread aio writes to also do fsync if requested. from 622eb59 s3: Make us survive base-delaywrite with aio enabled http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e454681276ffa34984dda56e74d2fda05a24636c Author: Jeremy Allison j...@samba.org Date: Thu Jul 12 10:10:32 2012 -0700 Linux-specific optimization in aio_open code. Use initial_allocation_size to allocate on disk if sent. Ignore failures (upper level will cope). Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Fri Jul 13 00:35:48 CEST 2012 on sn-devel-104 commit a7c63ac1b7bc3f9c9a0e8786046644194e270f10 Author: Jeremy Allison j...@samba.org Date: Thu Jul 12 10:09:37 2012 -0700 Set fsp-initial_allocation_size before calling open_file_ntcreate(). Allows an SMB_VFS_OPEN() vfs module to do something interesting with the request. commit 775014bd9cc8717ad5bb2651ca1078833d149610 Author: Jeremy Allison j...@samba.org Date: Wed Jul 11 16:35:32 2012 -0700 Make sure we reset fsp-initial_allocation_size to zero if we didn't create the file. This will become important as we set fsp-initial_allocation_size before create. commit cb405947caa9f4bdb962483860a9093a364ecbf2 Author: Jeremy Allison j...@samba.org Date: Thu Jul 12 10:57:47 2012 -0700 Add an optimization to pthread aio writes to also do fsync if requested. Should help by ensuring complete writes done in sub-thread, not in the main thread. --- Summary of changes: source3/modules/vfs_aio_pthread.c | 37 + source3/smbd/aio.c|9 + source3/smbd/open.c |7 +++ source3/smbd/proto.h |1 + 4 files changed, 54 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: 
diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c index d62af57..2c6121d 100644 --- a/source3/modules/vfs_aio_pthread.c +++ b/source3/modules/vfs_aio_pthread.c @@ -27,6 +27,9 @@ #include smbd/smbd.h #include smbd/globals.h #include lib/pthreadpool/pthreadpool.h +#ifdef HAVE_LINUX_FALLOC_H +#include linux/falloc.h +#endif struct aio_extra; static struct pthreadpool *pool; @@ -40,6 +43,7 @@ struct aio_private_data { int ret_errno; bool cancelled; bool write_command; + bool flush_write; }; /* List of outstanding requests we have. */ @@ -115,6 +119,14 @@ static void aio_worker(void *private_data) (const void *)pd-aiocb-aio_buf, pd-aiocb-aio_nbytes); } + if (pd-ret_size != -1 pd-flush_write) { + /* +* Optimization - flush if requested. +* Ignore error as upper layer will +* also do this. +*/ + (void)fsync(pd-aiocb-aio_fildes); + } } else { pd-ret_size = sys_pread(pd-aiocb-aio_fildes, (void *)pd-aiocb-aio_buf, @@ -229,6 +241,12 @@ static int aio_pthread_write(struct vfs_handle_struct *handle, } pd-write_command = true; + if (lp_strict_sync(SNUM(fsp-conn)) + (lp_syncalways(SNUM(fsp-conn)) || + aio_write_through_requested(aio_ex))) { + pd-flush_write = true; + } + ret = pthreadpool_add_job(pool, pd-jobid, aio_worker, (void *)pd); if (ret) { @@ -620,6 +638,7 @@ struct aio_open_private_data { char *dname; struct smbd_server_connection *sconn; const struct security_unix_token *ux_tok; + uint64_t initial_allocation_size; /* Returns. */ int ret_fd; int ret_errno; @@ -754,6 +773,23 @@ static void aio_open_worker(void *private_data) } else { /* Create was successful. */ opd-ret_errno = 0; + +#if defined(HAVE_LINUX_FALLOCATE) + /* +* See if we can set the initial +* allocation size. We don't record +* the return for this as it's an +* optimization - the upper layer +* will also do this for us once +* the open returns. +*/ + if (opd-initial_allocation_size) { +
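Review bot: the new include is guarded by `#ifdef HAVE_LINUX_FALLOC_H` while the allocation block in aio_open_worker() is guarded by `#if defined(HAVE_LINUX_FALLOCATE)`, so a build that defines the second macro without the first compiles that block without linux/falloc.h. Use one macro for both, or make the code block require both.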
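Review bot: in aio_worker() the added `(void)fsync(pd->aiocb->aio_fildes);` has no HAVE_FSYNC guard, and its result is discarded on exactly the writes for which aio_pthread_write() set flush_write (strict sync together with sync always or a write-through request). Guard the call the same way other fsync users are guarded, and consider logging a failure at debug level so a failed flush in the worker thread leaves a trace even though the upper layer repeats it.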
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bf650a1 s4:registry:regdiff: use existing talloc context for the event context via 342ab97 s4:registry:regdiff: add TALLOC_CTX * argument to open_backend() via 6ee16ce s4:registry: add a TALLOC_CTX argument to reg_open_remote() from e454681 Linux-specific optimization in aio_open code. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bf650a1b59f84f93f79d753a6dc99940772fb020 Author: Michael Adam ob...@samba.org Date: Fri Jul 13 00:29:14 2012 +0200 s4:registry:regdiff: use existing talloc context for the event context Autobuild-User(master): Michael Adam ob...@samba.org Autobuild-Date(master): Fri Jul 13 02:51:44 CEST 2012 on sn-devel-104 commit 342ab9750657bd34d7212f7121d47a06b6b12aa5 Author: Michael Adam ob...@samba.org Date: Fri Jul 13 00:20:03 2012 +0200 s4:registry:regdiff: add TALLOC_CTX * argument to open_backend() commit 6ee16cefc98c8a033664be476be4446599450d23 Author: Michael Adam ob...@samba.org Date: Fri Jul 13 00:16:09 2012 +0200 s4:registry: add a TALLOC_CTX argument to reg_open_remote() --- Summary of changes: source4/lib/registry/registry.h |3 ++- source4/lib/registry/rpc.c |5 +++-- source4/lib/registry/tools/common.c |2 +- source4/lib/registry/tools/regdiff.c | 15 --- 4 files changed, 14 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/registry/registry.h b/source4/lib/registry/registry.h index 8a8271e..c22038c 100644 --- a/source4/lib/registry/registry.h +++ b/source4/lib/registry/registry.h @@ -379,7 +379,8 @@ WERROR reg_open_samba(TALLOC_CTX *mem_ctx, /** * Open the registry on a remote machine. */ -WERROR reg_open_remote(struct registry_context **ctx, +WERROR reg_open_remote(TALLOC_CTX *mem_ctx, + struct registry_context **ctx, struct auth_session_info *session_info, struct cli_credentials *credentials, struct loadparm_context *lp_ctx, diff --git a/source4/lib/registry/rpc.c b/source4/lib/registry/rpc.c index 42b7374..a8f8382 100644 
--- a/source4/lib/registry/rpc.c +++ b/source4/lib/registry/rpc.c @@ -475,7 +475,8 @@ static struct registry_operations reg_backend_rpc = { .get_key_info = rpc_get_info, }; -_PUBLIC_ WERROR reg_open_remote(struct registry_context **ctx, +_PUBLIC_ WERROR reg_open_remote(TALLOC_CTX *mem_ctx, + struct registry_context **ctx, struct auth_session_info *session_info, struct cli_credentials *credentials, struct loadparm_context *lp_ctx, @@ -487,7 +488,7 @@ _PUBLIC_ WERROR reg_open_remote(struct registry_context **ctx, dcerpc_init(); - rctx = talloc(NULL, struct rpc_registry_context); + rctx = talloc(mem_ctx, struct rpc_registry_context); W_ERROR_HAVE_NO_MEMORY(rctx); /* Default to local smbd if no connection is specified */ diff --git a/source4/lib/registry/tools/common.c b/source4/lib/registry/tools/common.c index d997cb0..a2fda8d 100644 --- a/source4/lib/registry/tools/common.c +++ b/source4/lib/registry/tools/common.c @@ -31,7 +31,7 @@ struct registry_context *reg_common_open_remote(const char *remote, struct registry_context *h = NULL; WERROR error; - error = reg_open_remote(h, NULL, creds, lp_ctx, remote, ev_ctx); + error = reg_open_remote(NULL, h, NULL, creds, lp_ctx, remote, ev_ctx); if (!W_ERROR_IS_OK(error)) { fprintf(stderr, Unable to open remote registry at %s:%s \n, diff --git a/source4/lib/registry/tools/regdiff.c b/source4/lib/registry/tools/regdiff.c index bd58f77..cf65de3 100644 --- a/source4/lib/registry/tools/regdiff.c +++ b/source4/lib/registry/tools/regdiff.c @@ -28,7 +28,8 @@ enum reg_backend { REG_UNKNOWN, REG_LOCAL, REG_REMOTE, REG_NULL }; -static struct registry_context *open_backend(poptContext pc, +static struct registry_context *open_backend(TALLOC_CTX *mem_ctx, +poptContext pc, struct tevent_context *ev_ctx, struct loadparm_context *lp_ctx, enum reg_backend backend, 
@@ -42,14 +43,14 @@ static struct registry_context *open_backend(poptContext pc, poptPrintUsage(pc, stderr, 0); return NULL; case REG_LOCAL: - error = reg_open_samba(NULL, ctx, ev_ctx, lp_ctx, NULL, cmdline_credentials); + error = reg_open_samba(mem_ctx, ctx, ev_ctx, lp_ctx, NULL, cmdline_credentials); break; case
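Review bot: in reg_common_open_remote() (tools/common.c) the updated call still passes NULL for the new mem_ctx argument, `reg_open_remote(NULL, h, NULL, creds, lp_ctx, remote, ev_ctx)`, so the rpc_registry_context allocated by `talloc(mem_ctx, struct rpc_registry_context)` stays parented to the NULL context for this caller exactly as before. Either give reg_common_open_remote() a TALLOC_CTX parameter to hand down, or say in the commit message that this caller is deliberately left unparented; the doc comment in registry.h should also describe the new argument.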
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5a9ce8b Use HAVE_FSYNC, we bothered to test for it. from bf650a1 s4:registry:regdiff: use existing talloc context for the event context http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5a9ce8b94acf201ddb3d8e34dd962955284f1c5f Author: Jeremy Allison j...@samba.org Date: Thu Jul 12 17:20:51 2012 -0700 Use HAVE_FSYNC, we bothered to test for it. Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Fri Jul 13 04:44:42 CEST 2012 on sn-devel-104 --- Summary of changes: source3/modules/vfs_aio_pthread.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c index 2c6121d..ae5963b 100644 --- a/source3/modules/vfs_aio_pthread.c +++ b/source3/modules/vfs_aio_pthread.c @@ -119,6 +119,7 @@ static void aio_worker(void *private_data) (const void *)pd-aiocb-aio_buf, pd-aiocb-aio_nbytes); } +#if defined(HAVE_FSYNC) if (pd-ret_size != -1 pd-flush_write) { /* * Optimization - flush if requested. @@ -127,6 +128,7 @@ static void aio_worker(void *private_data) */ (void)fsync(pd-aiocb-aio_fildes); } +#endif } else { pd-ret_size = sys_pread(pd-aiocb-aio_fildes, (void *)pd-aiocb-aio_buf, -- Samba Shared Repository
[SCM] CTDB repository - branch master updated - ctdb-1.13-210-gd29e188
The branch, master has been updated via d29e1880c8ce7219e065d31b47b0e8ad9e83146d (commit) from a0a0f5588445aeabe07b0e4d65087db454dc09da (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit d29e1880c8ce7219e065d31b47b0e8ad9e83146d Author: Amitay Isaacs ami...@gmail.com Date: Fri Jun 15 15:07:04 2012 +1000 Fix compiler warnings. Signed-off-by: Amitay Isaacs ami...@gmail.com --- Summary of changes: libctdb/control.c |2 +- server/ctdb_takeover.c |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/libctdb/control.c b/libctdb/control.c index f927e08..e8a5cd7 100644 --- a/libctdb/control.c +++ b/libctdb/control.c @@ -137,7 +137,7 @@ bool ctdb_getdbstat_recv(struct ctdb_connection *ctdb, return false; } - wire = reply-data; + wire = (struct ctdb_db_statistics_wire *)reply-data; s = malloc(offsetof(struct ctdb_db_statistics, hot_keys) + sizeof(struct ctdb_db_hot_key) * wire-num_hot_keys); if (!s) { diff --git a/server/ctdb_takeover.c b/server/ctdb_takeover.c index cb6aa83..99d765e 100644 --- a/server/ctdb_takeover.c +++ b/server/ctdb_takeover.c @@ -3763,7 +3763,7 @@ static int ctdb_reloadips_child(struct ctdb_context *ctdb) } if (i == ips-num) { struct ctdb_control_ip_iface pub; - char *ifaces = NULL; + const char *ifaces = NULL; int iface = 0; DEBUG(DEBUG_NOTICE,(RELOADIPS: New ip:%s found, adding it.\n, ctdb_addr_to_str(vnn-public_address))); -- CTDB repository
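Review bot: in ctdb_getdbstat_recv() the added cast `(struct ctdb_db_statistics_wire *)reply->data` silences the warning, but the next statement sizes a malloc() from `wire->num_hot_keys` taken straight from the reply, and the visible context shows neither a check that reply->data is large enough to hold the wire struct nor a bound on num_hot_keys before the multiplication. Please confirm both are validated above this hunk, or add the checks here before the allocation.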
[SCM] CTDB repository - tag 1.2.40 created - ctdb-1.9.1-535-g0a9484c
The tag, 1.2.40 has been created at 0a9484c20cb0d3cd58c0ffeabca81c7b9aeca12d (commit) - Log - commit 0a9484c20cb0d3cd58c0ffeabca81c7b9aeca12d Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Mon Feb 6 09:22:37 2012 +1100 New version 1.2.40 --- -- CTDB repository
[SCM] CTDB repository - tag ctdb-1.0.112 created - ctdb-1.0.111-7-g64ae8b0
The tag, ctdb-1.0.112 has been created at 64ae8b0702cfdc44a778e0cc3705dd685f9f6ab0 (commit) - Log - commit 64ae8b0702cfdc44a778e0cc3705dd685f9f6ab0 Author: Martin Schwenke mar...@meltin.net Date: Tue Jan 12 21:07:45 2010 +1100 New version 1.0.112. Signed-off-by: Martin Schwenke mar...@meltin.net --- -- CTDB repository
[SCM] CTDB repository - tag ctdb-1.2.40 created - ctdb-1.9.1-535-g0a9484c
The tag, ctdb-1.2.40 has been created at 0a9484c20cb0d3cd58c0ffeabca81c7b9aeca12d (commit) - Log - commit 0a9484c20cb0d3cd58c0ffeabca81c7b9aeca12d Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Mon Feb 6 09:22:37 2012 +1100 New version 1.2.40 --- -- CTDB repository
[SCM] CTDB repository - annotated tag ctdb-1.2.45 created - ctdb-1.2.45
The annotated tag, ctdb-1.2.45 has been created at 0f0cec3f3b87917f13ffe79b7c95b1f3e4ad5f56 (tag) tagging 95efb0cffb19a4311d706b2fd7031834a2711022 (commit) replaces ctdb-1.9.1 tagged by Martin Schwenke on Thu Jul 12 14:06:47 2012 +1000 - Log - CTDB release 1.2.45 Andrew Tridgell (1): tdb: added TDB_NO_FSYNC env variable Chandra Seetharaman (1): make changes to ctdb event scripts to support NFS-Ganesha. Christian Ambach (1): improve timing issue detections David Disseldorp (1): io: Make queue_io_read() safe for reentry Evan Kinney (1): ctdb: Fixed use of reserved word private in typedefs Gregor Beck (4): ctdb catdb: fix escaping of '' and '\' add ltdbtool - a standalone ltdb tool ltdbtool: add manpage ltdbtool: add manpage html + roff Günther Deschner (1): lib/tdb: fix c++ build warning in tdb_header_hash(). Harald Klatte (1): AIX bind wants the correct addrsize Jelmer Vernooij (3): pytdb: Make filename argument optional. pytdb: Include Python.h first to prevent warning. pytdb: Add __version__ attribute. Kirill Smelkov (9): pytdb: Add support for tdb_add_flags() tdb_remove_flags() pytdb: Fix repr segfault for internal db pytdb: Update open flags to match those for tdb_open() in tdb.h pytdb: Add support for tdb_enable_seqnum, tdb_get_seqnum and tdb_increment_seqnum_nonblock pytdb: Add support for tdb_transaction_prepare_commit() pytdb: Add support for tdb_freelist_size() pytdb: Add TDB_INCOMPATIBLE_HASH open flag pytdb: Add support for tdb_repack() pytdb: Check errors after PyObject_New() calls Martin Schwenke (103): Test suite: handle change to disconnected node error message. Test suite: handle extra lines in statistics output. Optimise 61.nfstickle to write the tickles more efficiently. Testing: Add Python IP allocation simulation. Test suite: handle change to disconnected node error message. Test suite: handle extra lines in statistics output. Optimise 61.nfstickle to write the tickles more efficiently. Testing: Add Python IP allocation simulation. 
Merge branch 'master' of git://git.samba.org/sahlberg/ctdb Testing: Add imbalance information to IP allocation simulation. Testing: In IP allocation simulation count total number of events. Testing: IP allocation simulation prints final imbalance in statistics. Testing: IP allocation simulation - save some warnings for verbose mode. Testing: IP allocation simulation - add command line option for random seed. Testing: IP allocation simulation - update copyright message. Testing: IP allocation simulation - Tweak options handling and Cluster.diff(). Testing: IP allocation simulation - fix nondeterminism in do_something_random(). Testing: IP allocation simulation - Update README. Testing: IP allocation simulation - update options processing in examples. Testing: IP allocation simulation - add general node group example. Testing: IP allocation simulation - rename an example to node_group_simple.py. Testing: IP allocation simulation - rename an example to node_group_extra.py. Testing: IP allocation simulation - make usage/failure more obvious. Testing: IP allocation simulation - improve help for options. Testing: IP allocation simulation - print maximum number of unhealthy nodes. Testing: IP allocation simulation - clean up usage message. Testing: IP allocation simulation - add option to change odds of a failure. Test suite - try to make addip test more reliable and add some debugging. Merge remote branch 'martins/master' Test suite - fix addip test. Test suite: remove thaw/freeze tests. Test suite - make the ctdb_fetch test cope with Reqid wrap! messages. initscript: wait until we can ping ctdbd before setting tunables. Test suite: weaken ctdb continue/enable tests for non-deterministic IPs. Test suite: Fix typo in continue test. Test suite: remove unnecessary verbosity from enable/continue tests. Add some command-line options to ctdb_diagnostics. Test suite: make addip test use $CTDB rather than ctdb in debug code. 
Test suite: improve wait_until_node_has_status() Test suite: use $CTDB rather than ctdb everywhere in ctdb_test_functions.sh. Test suite: strengthen function _cluster_is_healthy(). Test suite: print date/time at test completion. Test suite: Add more timestamping of debugging information. Test suite: loosen the getmonmode test. Move NAT gateway firewall rules to recovered|updatenatgw events. Merge branch 'master' of git://git.samba.org/sahlberg/ctdb Merge branch 'master' of git://git.samba.org/sahlberg/ctdb Test suite: in
[SCM] CTDB repository - branch 1.2.40 updated - ctdb-1.2.45
The branch, 1.2.40 has been updated via 95efb0cffb19a4311d706b2fd7031834a2711022 (commit) via 32d6d39626df46a1c0bb21554497685279ead88a (commit) via 0c6d9b84b12d32cb8f563f441377eaf2c9648b99 (commit) via e609b63bc3dd2eb838fbf11997a49730c89a6a5e (commit) from 8c3aed36615e083e0b91efd70380b7711f9f9f7e (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.2.40 - Log - commit 95efb0cffb19a4311d706b2fd7031834a2711022 Author: Martin Schwenke mar...@meltin.net Date: Thu Jul 12 14:03:58 2012 +1000 New version 1.2.45 Signed-off-by: Martin Schwenke mar...@meltin.net commit 32d6d39626df46a1c0bb21554497685279ead88a Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Jun 20 15:10:05 2012 +1000 When we find an ip we shouldn't host, just release it Don't call a full blown clusterwide ipreallocation, just release it locally commit 0c6d9b84b12d32cb8f563f441377eaf2c9648b99 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Jun 20 10:08:11 2012 +1000 When we release an ip, get the interface name from the kernel instead of using the interface where ctdb thinks the ip is hosted at. The difference is that this now allows us to handle cases where we want to release an ip but ctdbd does not know which interface the ip is assigned on. (user has used 'ip addr add...' and manually assigned an ip to the wrong interface) commit e609b63bc3dd2eb838fbf11997a49730c89a6a5e Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Wed Jun 20 13:32:02 2012 +1000 Add new command to find which interface is located on --- Summary of changes: common/system_common.c | 84 include/ctdb_private.h |1 + packaging/RPM/ctdb.spec.in |4 ++- server/ctdb_recoverd.c |8 +++- server/ctdb_takeover.c | 15 tools/ctdb.c | 22 +++ 6 files changed, 124 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/common/system_common.c b/common/system_common.c index f28045f..6ee615f 100644 --- a/common/system_common.c +++ b/common/system_common.c 
@@ -73,3 +73,87 @@ bool ctdb_sys_have_ip(ctdb_sock_addr *_addr) close(s); return ret == 0; } + + +/* find which interface an ip address is currently assigned to */ +char *ctdb_sys_find_ifname(ctdb_sock_addr *addr) +{ + int s; + int size; + struct ifconf ifc; + char *ptr; + + s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW)); + if (s == -1) { + DEBUG(DEBUG_CRIT,(__location__ failed to open raw socket (%s)\n, +strerror(errno))); + return NULL; + } + + + size = sizeof(struct ifreq); + ifc.ifc_buf = NULL; + ifc.ifc_len = size; + + while(ifc.ifc_len (size - sizeof(struct ifreq))) { + size *= 2; + + free(ifc.ifc_buf); + ifc.ifc_len = size; + ifc.ifc_buf = malloc(size); + memset(ifc.ifc_buf, 0, size); + if (ioctl(s, SIOCGIFCONF, (caddr_t)ifc) 0) { + DEBUG(DEBUG_CRIT,(Failed to read ifc buffer from socket\n)); + free(ifc.ifc_buf); + close(s); + return NULL; + } + } + + for (ptr =(char *)ifc.ifc_buf; ptr ((char *)ifc.ifc_buf) + ifc.ifc_len; ) { + char *ifname; + struct ifreq *ifr; + + ifr = (struct ifreq *)ptr; + +#ifdef HAVE_SOCKADDR_LEN + if (ifr-ifr_addr.sa_len sizeof(struct sockaddr)) { + ptr += sizeof(ifr-ifr_name) + ifr-ifr_addr.sa_len; + } else { + ptr += sizeof(ifr-ifr_name) + sizeof(struct sockaddr); + } +#else + ptr += sizeof(struct ifreq); +#endif + + if (ifr-ifr_addr.sa_family != addr-sa.sa_family) { + continue; + } + + switch (addr-sa.sa_family) { + case AF_INET: + + + if (memcmp(addr-ip.sin_addr, ((struct sockaddr_in *)ifr-ifr_addr)-sin_addr, sizeof(addr-ip.sin_addr))) { + continue; + } + break; + case AF_INET6: + if (memcmp(addr-ip6.sin6_addr, ((struct sockaddr_in6 *)ifr-ifr_addr)-sin6_addr, sizeof(addr-ip6.sin6_addr))) { + continue; + } + break; + } + + ifname = strdup(ifr-ifr_name); + free(ifc.ifc_buf); + close(s); + return ifname; + } + + + free(ifc.ifc_buf); +
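Review bot: in ctdb_sys_find_ifname() the resize loop does `ifc.ifc_buf = malloc(size);` followed directly by `memset(ifc.ifc_buf, 0, size);` with no NULL check, so an allocation failure is dereferenced. Check the result and take the same exit as the ioctl failure path (close(s), return NULL). The one-line comment above the function should also say that the caller owns the strdup()ed name and must free() it.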
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 15fedb3 s3-auth Remove unused global_machine_account_needs_changing via d55cde1 s3-auth Remove confusing reference to global_machine_password_needs_changing via 70de501 s4-provision: Provide YP/NIS subtree to allow ADUC to see and set rfc2307 attrs from 5a9ce8b Use HAVE_FSYNC, we bothered to test for it. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 15fedb3c6855751678e93e3f4a7e443b0495b1c3 Author: Andrew Bartlett abart...@samba.org Date: Fri Jul 13 11:01:47 2012 +1000 s3-auth Remove unused global_machine_account_needs_changing This boolean was only set if the old machine account store (with an MD4 hash in it) was returned. We have not set that password type for years. If this call ever worked, it would store a plaintext password, so we could only ever be here if we had set a password using a version of Samba so old as not to store plaintext, and then never honored the flag anyway. Andrew Bartlett Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Fri Jul 13 07:52:40 CEST 2012 on sn-devel-104 commit d55cde19d31484079d69182fcaa9dfa889fd7fed Author: Andrew Bartlett abart...@samba.org Date: Fri Jul 13 10:01:44 2012 +1000 s3-auth Remove confusing reference to global_machine_password_needs_changing This is in the trusted domain codepath, not the primary domain code path. Andrew Bartlett commit 70de501d6a628e8b08a93134753e25e9f037c995 Author: Geza Gemes g...@kzsdabas.hu Date: Thu Jul 12 16:05:04 2012 +0200 s4-provision: Provide YP/NIS subtree to allow ADUC to see and set rfc2307 attrs When provisioning with --use_rfc2307=yes populate the subtree: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN} This makes it possible to manipulate the posix attributes via ADUC (commit message adjusted by abartlet) 
Signed-off-by: Andrew Bartlett abart...@samba.org --- Summary of changes: source3/auth/auth_domain.c | 74 --- source3/passdb/machine_account_secrets.c | 11 - source3/smbd/process.c |5 - .../scripting/python/samba/provision/__init__.py | 27 +- source4/setup/provision|4 +- source4/setup/ypServ30.ldif| 507 6 files changed, 536 insertions(+), 92 deletions(-) create mode 100644 source4/setup/ypServ30.ldif Changeset truncated at 500 lines: diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 696b18b..286c75c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -31,74 +31,8 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern bool global_machine_password_needs_changing; static struct named_mutex *mutex; -/* - * Change machine password (called from main loop - * idle timeout. Must be done as root. - */ - -void attempt_machine_password_change(void) -{ - unsigned char trust_passwd_hash[16]; - time_t lct; - void *lock; - - if (!global_machine_password_needs_changing) { - return; - } - - if (lp_security() != SEC_DOMAIN) { - return; - } - - /* -* We're in domain level security, and the code that -* read the machine password flagged that the machine -* password needs changing. -*/ - - /* -* First, open the machine password file with an exclusive lock. -*/ - - lock = secrets_get_trust_account_lock(NULL, lp_workgroup()); - - if (lock == NULL) { - DEBUG(0,(attempt_machine_password_change: unable to lock - the machine account password for machine %s in - domain %s.\n, - lp_netbios_name(), lp_workgroup() )); - return; - } - - if(!secrets_fetch_trust_account_password(lp_workgroup(), - trust_passwd_hash, lct, NULL)) { - DEBUG(0,(attempt_machine_password_change: unable to read the - machine account password for %s in domain %s.\n, - lp_netbios_name(), lp_workgroup())); - TALLOC_FREE(lock); - return; - } - - /* -* Make sure someone else hasn't already done this. -*/ - - if(time(NULL) lct + lp_machine_password_timeout()) { - global_machine_password_needs_changing = false; - TALLOC_FREE(lock); - return; - } - - /* always just contact the PDC here */ - - change_trust_account_password( lp_workgroup(), NULL); - global_machine_password_needs_changing = false; - TALLOC_FREE(lock); -} -
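Review bot: the removed attempt_machine_password_change() is the only code in this hunk that compared the stored last-change time against lp_machine_password_timeout() and called change_trust_account_password() for `lp_security() == SEC_DOMAIN`; the commit message explains why the flag was never set, but not whether the machine password timeout is still honoured anywhere after the removal. Please name the remaining code path in the commit message, or note the parameter's status in its documentation, so a reader auditing machine-account password rotation knows where to look.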