Re: [Samba] Samba/LDAP appliance recommendation
On Mon, 17 Sep 2012 04:35:39 +0800, Jeffrey Chan wrote:

> Hi all, What's a good Samba+LDAP appliance these days for a small business?

not using it myself:

http://www.univention.de/
http://www.zentyal.org/

- Thomas

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

[Samba] Windows 8 Pro no domain logon possible
Hi

Some days ago I installed windows 8 pro from MSDN on one of my machines. I got a serious problem with it. I cannot logon as domain user.

I first tried joining my domain from win8 with an unchanged win8 installation. This did fail. Afterwards I applied the usual windows 7 registry patches to allow a samba domain join and rebooted. Afterwards I could join my domain with no trouble.

I rebooted and tried to log in as domain user. No chance. It fails. In the windows eventviewer I can find a message from Netlogon about a missing RPC server and that it cannot create a secure session with the domain controller (translated from german).

In the samba log I can find this:

[2012/09/20 10:03:56.934783, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DEVINTEL-2 machine account DEVINTEL-2$

My PDC is running samba 3.6.6 with smb2 enabled. My samba is ldap backed. The trust account looks as it should when I look into the information.

I already had the same problems with the release preview of windows 8 some weeks ago (at that time my pdc was still 3.6.3). All versions of windows 8 before the release preview did work without trouble.

Does anyone have the same problems? Has anyone already got a working windows 8 pro in a domain?

This is very annoying. Any help is greatly appreciated.

Roland

Re: [Samba] Samba 4 Smart card logon
I would really like to make Samba 4 work with smart card logon. Can anyone point me where to look for Samba 4 configuration options for PKINIT?

Kind Regards,
Charalampos

On 7/12/12 11:47 AM, Charalampos Anargyrou wrote:

> I have finally found out that my problems had to do with wrong certificates. The commands I used to generate the certificates were taken from http://k5wiki.kerberos.org/wiki/Pkinit_configuration
>
> I downloaded and built heimdal 1.5.2 (I couldn't find hxtool in samba 4, that's why I used the instructions for OpenSSL in MIT Kerberos Wiki for the certificates in the first place). Using the hxtool I created new certificates and ... Success!
>
> Now that Heimdal has been configured to accept PKINIT, it's time to configure Samba4 to know about the certificate. Can anyone point me where to look for Samba 4 configuration options for PKINIT?
>
> Kind Regards,
> Charalampos
>
> -------- Original Message --------
> Subject: Fwd: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
> Date: Thu, 05 Jul 2012 13:04:21 +0300
> From: Charalampos Anargyrou charalampos.anargy...@gmail.com
> To: samba@lists.samba.org
>
> Ok, I managed to solve some of my problems. I had typographic errors in my /etc/krb5.conf
>
> Specifically I had
>
>   [kdc]
>   enable_pkinit = yes
>   pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
>
> Changed to
>
>   [kdc]
>   enable-pkinit = yes
>   pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
>
> I have also enabled debugging by stopping the samba service and started samba with:
>
>   samba -i -M single -d3
>
> Tried again to test samba4kinit with certificate with:
>
>   /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
>
> which again produces
>
>   samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
> but I can at least see in the console this:
>
>   Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
>   Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
>   Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
>   Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
>   Kerberos: PKINIT: Couldn't find signers certificate
>   Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
>   Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
>   Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
>   Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
>   Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
>   Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
>   Kerberos: PKINIT: Couldn't find signers certificate
>   Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
>   Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
>
> -------- Original Message --------
> Subject: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
> Date: Thu, 05 Jul 2012 12:01:13 +0300
> From: Charalampos Anargyrou charalampos.anargy...@gmail.com
> To: samba@lists.samba.org
>
> I've checked the source code and found out the enctypes I can test
>
>   /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
>
> produces
>
>   samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
>
> For the rest enctypes
>
>   /opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
>   /opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
>   /opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
>   /opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
>
> I get
>
>   samba4kinit: krb5_get_init_creds: KDC has no support for encryption type
>
> Looking on the Internet, I found a suggestion to write allow_weak_crypto = true under [libdefaults] in /etc/krb5.conf, which I did, but I still get the same messages back
>
> Can anyone understand what could be my problem?
>
> -------- Original Message --------
> Subject: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
> Date: Wed, 04 Jul 2012 20:22:12 +0300
> From: Charalampos Anargyrou charalampos.anargy...@gmail.com

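The two misspelled [kdc] keys described in the message above (enable_pkinit, pkinit_identify) are near-misses that a small lint can flag before the KDC is started. This is an added example, not code from the thread or from Samba/Heimdal; the KNOWN_KDC_KEYS list is an assumption built from the two corrected keys in the post plus pkinit_anchors, and only near-misses are reported because that list is deliberately partial.

```python
"""Flag likely-misspelled keys in the [kdc] section of a krb5.conf."""
import difflib
import re

# Expected [kdc] keys. The first two are the corrected names from the post;
# pkinit_anchors is an assumption about what else such a setup would carry.
KNOWN_KDC_KEYS = ("enable-pkinit", "pkinit_identity", "pkinit_anchors")

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")

# The "before" configuration as quoted in the post, plus the [libdefaults]
# setting the poster mentions adding.
BEFORE = (
    "[libdefaults]\n"
    "    allow_weak_crypto = true\n"
    "\n"
    "[kdc]\n"
    "    enable_pkinit = yes\n"
    "    pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem\n"
)

# The corrected configuration from the post, with one unrelated key
# (constructed) to show that keys outside the partial list are not flagged.
AFTER = (
    "[kdc]\n"
    "    enable-pkinit = yes\n"
    "    pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem\n"
    "    ports = 88\n"
)


def parse_section(text, wanted):
    """Return [(line_no, key, value)] for the settings inside [wanted]."""
    settings, current = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group("name").strip()
            continue
        setting = SETTING_RE.match(line)
        if setting and current == wanted:
            settings.append((line_no, setting.group("key"), setting.group("value").strip()))
    return settings


def lint_kdc(text, known=KNOWN_KDC_KEYS, cutoff=0.8):
    """Return [(line_no, key_as_written, suggested_key)] for near-miss keys."""
    findings = []
    for line_no, key, _value in parse_section(text, "kdc"):
        if key in known:
            continue
        guess = difflib.get_close_matches(key, known, n=1, cutoff=cutoff)
        if guess:  # unknown keys with no close match are left alone
            findings.append((line_no, key, guess[0]))
    return findings


if __name__ == "__main__":
    for line_no, key, suggestion in lint_kdc(BEFORE):
        print(f"line {line_no}: '{key}' is not a known [kdc] key, did you mean '{suggestion}'?")
```
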
Re: [Samba] Windows 8 Pro no domain logon possible
By the way, the only success to join a windows 8 pro to a domain was to set up samba4 ads and join it successfully. I did not succeed in any way else.

Greetings
Daniel

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Roland Schwingel
Sent: Thursday, 20 September 2012 11:30
To: samba@lists.samba.org
Subject: [Samba] Windows 8 Pro no domain logon possible

Hi

Some days ago I installed windows 8 pro from MSDN on one of my machines. I got a serious problem with it. I cannot logon as domain user.

I first tried joining my domain from win8 with an unchanged win8 installation. This did fail. Afterwards I applied the usual windows 7 registry patches to allow a samba domain join and rebooted. Afterwards I could join my domain with no trouble.

I rebooted and tried to log in as domain user. No chance. It fails. In the windows eventviewer I can find a message from Netlogon about a missing RPC server and that it cannot create a secure session with the domain controller (translated from german).

In the samba log I can find this:

[2012/09/20 10:03:56.934783, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DEVINTEL-2 machine account DEVINTEL-2$

My PDC is running samba 3.6.6 with smb2 enabled. My samba is ldap backed. The trust account looks as it should when I look into the information.

I already had the same problems with the release preview of windows 8 some weeks ago (at that time my pdc was still 3.6.3). All versions of windows 8 before the release preview did work without trouble.

Does anyone have the same problems? Has anyone already got a working windows 8 pro in a domain?

This is very annoying. Any help is greatly appreciated.

Roland

Re: [Samba] Windows 8 Pro no domain logon possible
Hi Daniel,

Daniel Müller muel...@tropenklinik.de wrote on 20.09.2012 12:50:30:

> By the way, the only success to join a windows 8 pro to a domain was to set up samba4 ads and join it successfully. I did not succeed in any way else.

It is good to hear that there is at least a chance to join windows 8 to samba. The bad news is that samba 4 is still beta and not ready for production use. I am sitting here in a bigger installation with a big central LDAP for each and everything (not only samba). Migrating from samba3 to samba4 is a several months task.

So I hope there will be a samba 3 based solution for using windows 8 in a domain, too. What is the official plan here? Can the required portions for windows 8 be backported to samba 3?

BTW: Is it possible to use samba4 with another LDAP server/infrastructure not the samba4 supplied one?

Thanks in advance,
Roland

Re: [Samba] Windows 8 Pro no domain logon possible
Disclaimer: I am just a Samba user.

On 20 September 2012 13:11, Roland Schwingel roland.schwin...@onevision.com wrote:

> Hi Daniel,
>
> Daniel Müller muel...@tropenklinik.de wrote on 20.09.2012 12:50:30:
>
> > By the way, the only success to join a windows 8 pro to a domain was to set up samba4 ads and join it successfully. I did not succeed in any way else.
>
> It is good to hear that there is at least a chance to join windows 8 to samba. The bad news is that samba 4 is still beta and not ready for production use. I am sitting here in a bigger installation with a big central LDAP for each and everything (not only samba). Migrating from samba3 to samba4 is a several months task.

Well, the first release candidate has been released, and people are using it in production, but of course whether it's ready for you I cannot say.

> So I hope there will be a samba 3 based solution for using windows 8 in a domain, too. What is the official plan here? Can the required portions for windows 8 be backported to samba 3?

I doubt it. As far as I know recent versions of Windows will not work with an NT-style domain at all, unless the DC is a Samba server. i.e. you will not be able to join a Windows 8 (or 7 or maybe earlier) machine to a Windows NT-style domain controller. So I don't think there's some little bit of Samba 4 that could be backported to Samba 3 to allow you to join a Windows 8 machine to the domain. More likely there's something that needs to be fixed in Samba 3 or in Windows 8 to get this working again.

> BTW: Is it possible to use samba4 with another LDAP server/infrastructure not the samba4 supplied one?

No, it is not possible to use another LDAP server instead of Samba 4's built-in LDAP implementation. At one point there was support for this, but as far as I understand it, it is not technically possible to make it work properly and the support was removed/deprecated.

> Thanks in advance,
> Roland

--
Michael Wood esiot...@gmail.com

Re: [Samba] Windows 8 Pro no domain logon possible
On Thu, Sep 20, 2012 at 9:17 AM, Michael Wood esiot...@gmail.com wrote:

> > What is the official plan here? Can the required portions for windows 8 be backported to samba 3?
>
> I doubt it. As far as I know recent versions of Windows will not work with an NT-style domain at all, unless the DC is a Samba server. i.e. you will not be able to join a Windows 8 (or 7 or maybe earlier) machine to a Windows NT-style domain controller. So I don't think there's some little bit of Samba 4 that could be backported to Samba 3 to allow you to join a Windows 8 machine to the domain. More likely there's something that needs to be fixed in Samba 3 or in Windows 8 to get this working again.

Can a Samba-3 Standalone server [[http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/StandAloneServer.html]] be made a member of a Samba-4 AD-DC, and then Win7 and Win8 domain clients on the same network access shares on the Samba-3 Standalone?

Thank you for your help.

Best,
Mike

Re: [Samba] Windows 8 Pro no domain logon possible
Daniel Müller muel...@tropenklinik.de wrote on 20.09.2012 12:50:30:

> By the way, the only success to join a windows 8 pro to a domain was to set up samba4 ads and join it successfully. I did not succeed in any way else.

In my environment, Windows 8 Pro (32bit), can join to Samba 3.5.6 domain. I modified registries:

  HKLM\System\CCS\Services\LanmanWorkstation\Parameters
    DWORD DomainCompatibilityMode = 1
    DWORD DNSNameResolutionRequired = 0

You can download Samba environment I examined at

  http://wiki.samba.gr.jp/mediawiki/index.php?title=Samba_PDC_VM(squeeze)

Of course I examined that after rebooting some domain accounts can logon into Samba domain on Windows 8 box.

--
TAKAHASHI Motonobu mo...@monyo.com

Re: [Samba] Windows 8 Pro no domain logon possible
On Thu, Sep 20, 2012 at 9:47 AM, TAKAHASHI Motonobu mo...@monyo.com wrote:

> Daniel Müller muel...@tropenklinik.de wrote on 20.09.2012 12:50:30:
>
> > By the way, the only success to join a windows 8 pro to a domain was to set up samba4 ads and join it successfully. I did not succeed in any way else.
>
> In my environment, Windows 8 Pro (32bit), can join to Samba 3.5.6 domain. I modified registries:
>
>   HKLM\System\CCS\Services\LanmanWorkstation\Parameters
>     DWORD DomainCompatibilityMode = 1
>     DWORD DNSNameResolutionRequired = 0
>
> You can download Samba environment I examined at
>
>   http://wiki.samba.gr.jp/mediawiki/index.php?title=Samba_PDC_VM(squeeze)
>
> Of course I examined that after rebooting some domain accounts can logon into Samba domain on Windows 8 box.

This is good to know for me since I do not believe samba 4 will ever be an option for me since I am not permitted to connect my linux servers to the company internet. My current domain has the linux servers connected to a second private network and each client has 2 nics.

John

Re: [Samba] Windows 8 Pro no domain logon possible
Hi Michael...

> Disclaimer: I am just a Samba user.

Me too ... ;-)

> On 20 September 2012 13:11, Roland Schwingel
>
> > It is good to hear that there is at least a chance to join windows 8 to samba. The bad news is that samba 4 is still beta and not ready for production use. I am sitting here in a bigger installation with a big central LDAP for each and everything (not only samba). Migrating from samba3 to samba4 is a several months task.
>
> Well, the first release candidate has been released, and people are using it in production, but of course whether it's ready for you I cannot say.

A while ago I have studied the samba repos for changes in samba 4 and there was still heavy movement in code. So well... I personally here prefer having an official stable version of a software. When looking at my schedule I can't afford losing time with experiments. And moving from samba 3 to samba 4 is (as far as I understand it right now) a big move which has to be planned and cannot be done in an afternoon and has a (for me) too much experimental character in a core area of the infrastructure. So I will/have to wait until there is an official version of samba4 and some (best practice) experiences in moving from 3 to 4.

> > So I hope there will be a samba 3 based solution for using windows 8 in a domain, too. What is the official plan here? Can the required portions for windows 8 be backported to samba 3?
>
> I doubt it. As far as I know recent versions of Windows will not work with an NT-style domain at all, unless the DC is a Samba server. i.e. you will not be able to join a Windows 8 (or 7 or maybe earlier) machine to a Windows NT-style domain controller. So I don't think there's some little bit of Samba 4 that could be backported to Samba 3 to allow you to join a Windows 8 machine to the domain. More likely there's something that needs to be fixed in Samba 3 or in Windows 8 to get this working again.

Just 30 minutes ago I maybe found a solution to allow my win8 pro machine to log in with a samba3 domain account. At present I am logged in. But this has some tradeoff. I will outline it in a separate email after some more testing. Hopefully tomorrow.

There might be a lot of people outside using samba 3 right now happily. Microsoft is releasing a new OS version which cannot be joined to their existing domains out of the box. So they are yet stranded (like me) and can't use the shiny new OS. The clean solution (samba 4) is IMHO still some months away. In my eyes samba 3 must support windows 8 in some way to avoid some chaos because of too fast rushing to samba4 forcing users to use a samba which still might have too many bugs giving samba4 a bad reputation/start. Windows 8 comes some months too early for the new samba. If samba4 would be out now for eg. 6 months and behave well and windows 8 will reach the market now it would be a different situation.

> > BTW: Is it possible to use samba4 with another LDAP server/infrastructure not the samba4 supplied one?
>
> No, it is not possible to use another LDAP server instead of Samba 4's built-in LDAP implementation. At one point there was support for this, but as far as I understand it, it is not technically possible to make it work properly and the support was removed/deprecated.

This is bad. Is it really expected to migrate over all data which is most likely present in companies current LDAP solutions to the samba ldap? Can samba ldap fulfill all needs here (eg. rock solid life replication and general purpose usage?). I would very much appreciate the possibility of being able to not use the embedded ldap. This would very much reduce the effort of moving from samba3 to 4 in existing ldap environments.

Roland

Re: [Samba] Windows 8 Pro no domain logon possible
Hi Takahashi...

TAKAHASHI Motonobu mo...@monyo.com wrote on 20.09.2012 15:47:42:

> In my environment, Windows 8 Pro (32bit), can join to Samba 3.5.6 domain. I modified registries:
>
>   HKLM\System\CCS\Services\LanmanWorkstation\Parameters
>     DWORD DomainCompatibilityMode = 1
>     DWORD DNSNameResolutionRequired = 0
>
> You can download Samba environment I examined at
>
>   http://wiki.samba.gr.jp/mediawiki/index.php?title=Samba_PDC_VM(squeeze)
>
> Of course I examined that after rebooting some domain accounts can logon into Samba domain on Windows 8 box.

I also have these registry patches in place. They were already needed for windows 7. You are not using SMB2 which appears to be the key problem here. My current trick is based on disabling smb2 in windows 8. More after I have finished my tests.

Roland

[Samba] Samba4 new policy templates
Hi samba4 mates !

We work with a Samba4 in production (10 users) from a few months now, and we wonder about the new specific policy templates that can be created by Microsoft in their recent (or future releases, but we are not rushed) releases. How could we add them to the AD to be able to apply them to the hosts?

For example, with windows 7 there is a *new* policy in the Computer configuration that was available in previous releases under the User Configuration:

The XP one (which is available in SMB4 rc1):
  User Configuration\Policies\Administrative Templates\Control Panel\Printers Printers : Point and Print Restrictions

The Win 7 one (unavailable in SMB4):
  Computer Configuration - Policies - Administrative Templates - Printers : Point and Print Restrictions

Note that this policy permits some unprivileged user to download some printer drivers without administrative rights. We use it to deploy printers to user accounts.

Some posts talk about updating the ADMX files on the AD, but I would like to have your advice first.

Thanks in advance (and sorry for my english faults).

Cheers

--
*** Olivier BILHAUT
*** IT Department
*** Fondation de la Miséricorde
*** Email : o.bilh...@fondation-misericorde.fr
*** Tel : 02.31.38.50.50
*** Fax : 02.31.38.50.00

Re: [Samba] Cross Compile Samba4
On Sun, 2012-09-02 at 14:42 +0200, Sebastian Ulmer wrote:

> Hi,
>
> I try to port samba4beta8 to Optware which includes cross compiling it for various platforms. I already created makefiles for optware for samba versions 3.4 and 3.6. Creating a working makefile for samba4 I try to use the new build environment but it puzzles me. I don't get over part where the python version is being checked.
>
> From my findings it looks like the linker dislikes the argument -Bsymbolic-functions. I tried to find the part of the buildscript where this option is set, but didn't find it. Unfortunately I cannot switch to a newer compiler, which supports this argument. I tried to use option --nopyc, but that did not help.
>
> Further I did notice that the scripts do not find the correct python version of the target platform and use host python and I don't know how to change that.
>
> I would appreciate any help.

Sorry for not getting back to you sooner. The cross-compile support isn't tested very often, and it may need some work in various areas to improve it. It certainly seems likely that we assume the python version is the same (as of course the build system is built with python).

Sadly I can't really help much right now, you may find it less frustrating to switch to newer tools than to try and figure this out.

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

Re: [Samba] Windows 8 Pro no domain logon possible
On Thu, 2012-09-20 at 15:57 +0200, Roland Schwingel wrote:

> Hi Michael...
>
> > Disclaimer: I am just a Samba user.
>
> Me too ... ;-)
>
> > No, it is not possible to use another LDAP server instead of Samba 4's built-in LDAP implementation. At one point there was support for this, but as far as I understand it, it is not technically possible to make it work properly and the support was removed/deprecated.
>
> This is bad. Is it really expected to migrate over all data which is most likely present in companies current LDAP solutions to the samba ldap? Can samba ldap fulfill all needs here (eg. rock solid life replication and general purpose usage?). I would very much appreciate the possibility of being able to not use the embedded ldap. This would very much reduce the effort of moving from samba3 to 4 in existing ldap environments.

We spent considerable effort over a period of years in attempting to make this possible. It is not.

Even if it was, it would not involve 'simply' reading the companies LDAP server, it would be a very intrusive change no more acceptable than using our own built-in LDAP server.

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

Re: [Samba] Samba/LDAP appliance recommendation
On Mon, 2012-09-17 at 04:35 +0800, Jeffrey Chan wrote:

> Hi all,
>
> What's a good Samba+LDAP appliance these days for a small business? Currently I used a stock Ubuntu server and did all Samba/LDAP configuration manually. I'm looking for something that can allow my regular staff to use as well.
>
> 1. I tried most of the popular NAS distros, like FreeNAS, NAS4Free, OpenmediaVault, etc. Most of these NAS don't have an LDAP server built-in
> 2. I tried Openfiler, ClearOS and Zentyal which do have LDAP server built-in but I haven't gotten them to import my existing Samba/LDAP data yet. WIP.
> 3. I just discovered Artica NAS Appliance and Univention UCS, will be testing them this week. Do you guys know anything about these two distros?
>
> Sometimes I wonder if I even need LDAP, I migrated to LDAP before only to make it a little easier (though not by much) to edit samba account data (e.g. SID). I guess I'd like to have centralized authentication as well (clients include Windows, Mac OSX and Linux, maybe OpenVPN as well). Is there a simpler mode of centralized login operation? Or is LDAP the only viable solution?

Samba 4.0 as an AD DC would be a good choice.

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

[Samba] Samba4, DHCP, BIND DLZ
Hello,

I have recently compiled, installed and configured samba4 to run on a FreeBSD server. samba -V reports the version to be Version 4.1.0pre1-GIT-57990cb. The server has working BIND 9.9 and ISC-DHCP services running on it. I have provisioned samba 4 to use the BIND_DLZ DNS backend.

On the whole things seem to be working. local names are being resolved. phpLDAPAdmin shows the new AD. I need to resolve a couple of things though.

(1) log.samba has a lot of

[2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
[2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
[2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
[2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
[2012/09/20 15:41:09, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
[2012/09/20 15:41:09, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful

What does it mean and how do I fix it??

(2) I need to ensure that DHCP is playing nicely with samba4. How are DNS updates from the DHCP server propagated to samba4?? I've changed my BIND so that it no longer uses zone files for the local domain. Instead it uses the bind9 dlz driver that came with samba4. If I understand correctly, this means that bind will now pass queries about the local domain off to samba. So samba must be updated whenever a new DHCP lease is granted by the dhcp server. Does the DLZ driver handle this, or does the DHCP server need to be configured to cause these updates to go directly to samba??

Thanks,
Jeff

Re: [Samba] Samba4, DHCP, BIND DLZ
On 2012-09-21 01:55, Jeff wrote:

> Hello,
>
> I have recently compiled, installed and configured samba4 to run on a FreeBSD server. samba -V reports the version to be Version 4.1.0pre1-GIT-57990cb. The server has working BIND 9.9 and ISC-DHCP services running on it. I have provisioned samba 4 to use the BIND_DLZ DNS backend.
>
> On the whole things seem to be working. local names are being resolved. phpLDAPAdmin shows the new AD. I need to resolve a couple of things though.
>
> (1) log.samba has a lot of
>
> [2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
> [2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
> [2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
> [2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
> [2012/09/20 15:41:09, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
> [2012/09/20 15:41:09, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>
> What does it mean and how do I fix it??
>
> (2) I need to ensure that DHCP is playing nicely with samba4. How are DNS updates from the DHCP server propagated to samba4?? I've changed my BIND so that it no longer uses zone files for the local domain. Instead it uses the bind9 dlz driver that came with samba4. If I understand correctly, this means that bind will now pass queries about the local domain off to samba. So samba must be updated whenever a new DHCP lease is granted by the dhcp server. Does the DLZ driver handle this, or does the DHCP server need to be configured to cause these updates to go directly to samba??
>
> Thanks,
> Jeff

Hi,

The windows clients try to update their dns records themselves without the help of the dhcp server, for *nix clients I've seen some description how to configure isc-dhcp to update records on a Windows AD, which should apply to Samba as well, unfortunately I have no pointer to that document, but Google should find it. I have no personal experience with such setup, because I've decided to go with statically assigned addresses (based on MAC addresses).

Regards
Geza Gemes

[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d52d7ef s3-printing: Increase debug level for info that the db is empty. from bc77745 s3:smb2_server: fix usage of invalid memory in smb2_signing_check_pdu() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d52d7efba31e3f1e63ed365900aba0a8cb960930 Author: Andreas Schneider a...@samba.org Date: Thu Sep 20 10:20:31 2012 +0200 s3-printing: Increase debug level for info that the db is empty. Autobuild-User(master): Andreas Schneider a...@cryptomilk.org Autobuild-Date(master): Thu Sep 20 12:01:48 CEST 2012 on sn-devel-104 --- Summary of changes: source3/printing/printer_list.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c index 7079ddc..0afb84b 100644 --- a/source3/printing/printer_list.c +++ b/source3/printing/printer_list.c @@ -92,7 +92,8 @@ NTSTATUS printer_list_get_printer(TALLOC_CTX *mem_ctx, status = dbwrap_fetch_bystring_upper(db, key, key, data); if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, (Failed to fetch record!\n)); + DEBUG(6, (Failed to fetch record! + The printer database is empty?\n)); goto done; } -- Samba Shared Repository
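Review bot: The move from DEBUG(1, ...) to DEBUG(6, ...) in printer_list_get_printer() applies to every non-OK status returned by dbwrap_fetch_bystring_upper(), not only to the empty-database case the new message guesses at, so a genuine fetch failure now also drops below the default log level. Consider lowering the level only when the status indicates a missing record and keeping other failures at level 1, and include the status text in the message so the log says why the fetch failed instead of ending in a question.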
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 48e6da6 Correct command help message from d52d7ef s3-printing: Increase debug level for info that the db is empty. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 48e6da64fd6cdd055008c7d3e42e8245435f422e Author: Daniele Dario d.dari...@gmail.com Date: Thu Sep 20 15:05:13 2012 +0200 Correct command help message Autobuild-User(master): Volker Lendecke v...@samba.org Autobuild-Date(master): Thu Sep 20 16:55:17 CEST 2012 on sn-devel-104 --- Summary of changes: source4/scripting/python/samba/netcmd/ntacl.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/netcmd/ntacl.py b/source4/scripting/python/samba/netcmd/ntacl.py index 92239a7..e596ce9 100644 --- a/source4/scripting/python/samba/netcmd/ntacl.py +++ b/source4/scripting/python/samba/netcmd/ntacl.py @@ -94,7 +94,7 @@ class cmd_ntacl_set(Command): class cmd_ntacl_get(Command): -Set ACLs on a file +Get ACLs of a file synopsis = %prog file [options] takes_optiongroups = { -- Samba Shared Repository
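Review bot: The subject "Correct command help message" does not say which command is affected; the hunk changes the docstring of cmd_ntacl_get, which still read "Set ACLs on a file". Naming the command in the subject line would make the shortlog entry findable later.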
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree. The autobuild log of the failure is available here: http://git.samba.org/autobuild.flakey/2012-09-20-2027/flakey.log The samba3 build logs are available here: http://git.samba.org/autobuild.flakey/2012-09-20-2027/samba3.stderr http://git.samba.org/autobuild.flakey/2012-09-20-2027/samba3.stdout The source4 build logs are available here: http://git.samba.org/autobuild.flakey/2012-09-20-2027/samba.stderr http://git.samba.org/autobuild.flakey/2012-09-20-2027/samba.stdout The top commit at the time of the failure was: commit 48e6da64fd6cdd055008c7d3e42e8245435f422e Author: Daniele Dario d.dari...@gmail.com Date: Thu Sep 20 15:05:13 2012 +0200 Correct command help message Autobuild-User(master): Volker Lendecke v...@samba.org Autobuild-Date(master): Thu Sep 20 16:55:17 CEST 2012 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a125ea7 vfs: fix acl_blob_get* in vfs_full_audit via 47becf6 vfs: fix lock logging in vfs_full_audit from 48e6da6 Correct command help message http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a125ea7419142dfb86c4f32b1d46896f3bf40704 Author: David Disseldorp dd...@samba.org Date: Thu Sep 20 08:35:27 2012 +0200 vfs: fix acl_blob_get* in vfs_full_audit Plumb-in functions and use correct return types. Autobuild-User(master): David Disseldorp dd...@samba.org Autobuild-Date(master): Thu Sep 20 20:42:09 CEST 2012 on sn-devel-104 commit 47becf6e20a970d273afab8be176d8cbe5ab2b9c Author: David Disseldorp dd...@samba.org Date: Thu Sep 20 08:20:57 2012 +0200 vfs: fix lock logging in vfs_full_audit --- Summary of changes: source3/modules/vfs_full_audit.c | 28 +++- 1 files changed, 15 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c index 392baea..1a481ab 100644 --- a/source3/modules/vfs_full_audit.c +++ b/source3/modules/vfs_full_audit.c @@ -1649,7 +1649,7 @@ static NTSTATUS smb_full_audit_brl_lock_windows(struct vfs_handle_struct *handle do_log(SMB_VFS_OP_BRL_LOCK_WINDOWS, NT_STATUS_IS_OK(result), handle, %s:%llu-%llu. type=%d. blocking=%d, fsp_str_do_log(br_lck-fsp), - plock-start, plock-size, plock-lock_type, blocking_lock ); + plock-start, plock-size, plock-lock_type, blocking_lock); return result; } @@ -1682,7 +1682,7 @@ static bool smb_full_audit_brl_cancel_windows(struct vfs_handle_struct *handle, do_log(SMB_VFS_OP_BRL_CANCEL_WINDOWS, (result == 0), handle, %s:%llu-%llu:%d, fsp_str_do_log(br_lck-fsp), plock-start, - plock-size); + plock-size, plock-lock_type); return result; } 
@@ -1697,7 +1697,7 @@ static bool smb_full_audit_strict_lock(struct vfs_handle_struct *handle, do_log(SMB_VFS_OP_STRICT_LOCK, result, handle, %s:%llu-%llu:%d, fsp_str_do_log(fsp), plock-start, - plock-size); + plock-size, plock-lock_type); return result; } @@ -1710,7 +1710,7 @@ static void smb_full_audit_strict_unlock(struct vfs_handle_struct *handle, do_log(SMB_VFS_OP_STRICT_UNLOCK, true, handle, %s:%llu-%llu:%d, fsp_str_do_log(fsp), plock-start, - plock-size); + plock-size, plock-lock_type); } static NTSTATUS smb_full_audit_translate_name(struct vfs_handle_struct *handle, @@ -1827,32 +1827,32 @@ static SMB_ACL_T smb_full_audit_sys_acl_get_fd(vfs_handle_struct *handle, static int smb_full_audit_sys_acl_blob_get_file(vfs_handle_struct *handle, const char *path_p, - SMB_ACL_TYPE_T type, - TALLOC_CTX *mem_ctx, + SMB_ACL_TYPE_T type, + TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB *blob) { - SMB_ACL_T result; + int result; result = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FILE(handle, path_p, type, mem_ctx, blob_description, blob); - do_log(SMB_VFS_OP_SYS_ACL_BLOB_GET_FILE, (result = 0), handle, + do_log(SMB_VFS_OP_SYS_ACL_BLOB_GET_FILE, (result = 0), handle, %s, path_p); return result; } static int smb_full_audit_sys_acl_blob_get_fd(vfs_handle_struct *handle, - files_struct *fsp, - TALLOC_CTX *mem_ctx, + files_struct *fsp, + TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB *blob) { - SMB_ACL_T result; + int result; - result = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD(handle, fsp, mem_ctx, blob_description,blob); + result = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD(handle, fsp, mem_ctx, blob_description, blob); - do_log(SMB_VFS_OP_SYS_ACL_BLOB_GET_FD, (result = 0), handle, + do_log(SMB_VFS_OP_SYS_ACL_BLOB_GET_FD, (result = 0), handle, %s, fsp_str_do_log(fsp)); return result; 
@@ -2131,6 +2131,8 @@ static struct vfs_fn_pointers vfs_full_audit_fns = { .fchmod_acl_fn = smb_full_audit_fchmod_acl, .sys_acl_get_file_fn = smb_full_audit_sys_acl_get_file, .sys_acl_get_fd_fn = smb_full_audit_sys_acl_get_fd, +
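Review bot: In smb_full_audit_brl_cancel_windows(), smb_full_audit_strict_lock() and smb_full_audit_strict_unlock() the format string "%s:%llu-%llu:%d" had one more conversion than arguments until the lock_type argument was added, which is undefined behaviour in a logging path that runs on lock operations. If do_log() does not already carry a printf-style format attribute, adding one would let the compiler flag this class of mismatch; it is also worth confirming that the start and size fields passed to %llu are unsigned long long, or casting them.

Review bot: The sys_acl_blob_get_file and sys_acl_blob_get_fd hunks mix the functional fix (result changing from SMB_ACL_T to int) with re-indentation of the parameter lists and of the do_log() calls, which makes the type change easy to miss; the whitespace would be better in its own commit. The commit message also says "Plumb-in functions", but the vfs_full_audit_fns hunk that does so is cut off by the 500-line truncation, so that part cannot be reviewed from this mail.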
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0231575 waf: Make samba ok with directories for install being symlinks from a125ea7 vfs: fix acl_blob_get* in vfs_full_audit http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0231575709231eadd89761d966c1b8412950de00 Author: Ira Cooper i...@samba.org Date: Thu Sep 20 19:38:12 2012 + waf: Make samba ok with directories for install being symlinks stat - lstat conversion. This allows people for whom $PREFIX/var is a symlink to complete make install. Autobuild-User(master): Ira Cooper i...@samba.org Autobuild-Date(master): Thu Sep 20 23:26:26 CEST 2012 on sn-devel-104 --- Summary of changes: buildtools/wafadmin/Utils.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafadmin/Utils.py b/buildtools/wafadmin/Utils.py index 41dad57..91ded93 100644 --- a/buildtools/wafadmin/Utils.py +++ b/buildtools/wafadmin/Utils.py @@ -15,7 +15,7 @@ Utilities, the stable ones are the following: import stat def h_file(filename): - st = os.stat(filename) + st = os.lstat(filename) if stat.S_ISDIR(st[stat.ST_MODE]): raise IOError('not a file') m = Utils.md5() m.update(str(st.st_mtime)) @@ -419,7 +419,7 @@ def pprint(col, str, label='', sep='\n'): def check_dir(dir): If a folder doesn't exists, create it. try: - os.stat(dir) + os.lstat(dir) except OSError: try: os.makedirs(dir) -- Samba Shared Repository
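Review bot: Switching h_file() to os.lstat() means the S_ISDIR test and the st_mtime fed into the md5 now describe the symlink itself rather than its target, so a symlink to a directory is no longer rejected with 'not a file' and a change to the linked file no longer changes the value hashed here. The commit message only motivates the install-directory case, so consider leaving h_file() on os.stat() and limiting the change to check_dir(). In check_dir(), os.lstat(dir) also succeeds for a dangling symlink or a symlink to a regular file, in which case os.makedirs() is skipped and the problem surfaces later; a comment stating which of these cases is intended to be accepted would help.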
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree. The autobuild log of the failure is available here: http://git.samba.org/autobuild.flakey/2012-09-21-0245/flakey.log The samba3 build logs are available here: http://git.samba.org/autobuild.flakey/2012-09-21-0245/samba3.stderr http://git.samba.org/autobuild.flakey/2012-09-21-0245/samba3.stdout The source4 build logs are available here: http://git.samba.org/autobuild.flakey/2012-09-21-0245/samba.stderr http://git.samba.org/autobuild.flakey/2012-09-21-0245/samba.stdout The top commit at the time of the failure was: commit 0231575709231eadd89761d966c1b8412950de00 Author: Ira Cooper i...@samba.org Date: Thu Sep 20 19:38:12 2012 + waf: Make samba ok with directories for install being symlinks stat - lstat conversion. This allows people for whom $PREFIX/var is a symlink to complete make install. Autobuild-User(master): Ira Cooper i...@samba.org Autobuild-Date(master): Thu Sep 20 23:26:26 CEST 2012 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 914b02b libwbclient: bump ABI to 0.11 as wbcAuthenticateUserEx now provides PAC parsing via d9747b1 s4-torture: Complete test for winbindd PAC parsing via 05befd2 auth/kerberos: Adjust log level for failed PAC signature verification via 1bc2f28 winbind: Extend wbcAuthenticateUserEx to provide PAC via 8a6a13a auth: Fix some nonempty blank lines from 0231575 waf: Make samba ok with directories for install being symlinks http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 914b02be5a3e7805110f517e39ed9f6fe760c2bc Author: Andrew Bartlett abart...@samba.org Date: Thu Sep 20 19:46:31 2012 -0700 libwbclient: bump ABI to 0.11 as wbcAuthenticateUserEx now provides PAC parsing Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Fri Sep 21 06:37:15 CEST 2012 on sn-devel-104 commit d9747b15c4a737a1422d0156d92efed762bb672d Author: Christof Schmitt christof.schm...@us.ibm.com Date: Thu Sep 20 18:30:07 2012 -0700 s4-torture: Complete test for winbindd PAC parsing Decode the PAC through the wbcAuthenticateUserEx call, also decode it locally and compare the result. Signed-off-by: Andrew Bartlett abart...@samba.org commit 05befd2f734d3962619ebc0cc137bbe5cedfd81d Author: Christof Schmitt christof.schm...@us.ibm.com Date: Mon Jul 30 11:03:54 2012 -0700 auth/kerberos: Adjust log level for failed PAC signature verification With winbindd trying to verify the signature of an application provided PAC, this message can be easily triggered. Adjust the debug level to avoid filling up the logs. 
Signed-off-by: Andrew Bartlett abart...@samba.org commit 1bc2f28b9420829645ed571daf2a17e6688b2103 Author: Christof Schmitt christof.schm...@us.ibm.com Date: Wed Jul 18 14:38:47 2012 -0700 winbind: Extend wbcAuthenticateUserEx to provide PAC With this new interface, external applications that have authenticated to an ADS can pass the PAC from the Kerberos ticket to wbcAuthenticateUserEx. winbindd decodes and extracts the info3 information for the external application. If winbindd can verify the PAC signature, the info3 from the PAC is also added to the netsamlogon_cache. The info3 data can be used by the external application to get the uid and primary gid. The data in netsamlogon_cache allows to retrieve the complete group list through the NSS function getgrouplist. Signed-off-by: Andrew Bartlett abart...@samba.org commit 8a6a13ab51f404525ff18f65d5a22132c465898e Author: Volker Lendecke v...@samba.org Date: Tue Sep 18 10:34:48 2012 -0700 auth: Fix some nonempty blank lines Signed-off-by: Andrew Bartlett abart...@samba.org --- Summary of changes: auth/gensec/spnego.c | 120 +- auth/kerberos/kerberos_pac.c |2 +- .../ABI/{wbclient-0.10.sigs = wbclient-0.11.sigs} |0 nsswitch/libwbclient/wbc_pam.c | 16 +++- nsswitch/libwbclient/wbclient.h| 45 --- nsswitch/libwbclient/wscript |2 +- nsswitch/winbind_struct_protocol.h |1 + source3/winbindd/winbindd_pam.c| 128 +++- source3/winbindd/winbindd_pam_auth_crap.c | 23 source3/winbindd/winbindd_proto.h |8 ++ source4/torture/winbind/winbind.c | 92 +- 11 files changed, 340 insertions(+), 97 deletions(-) copy nsswitch/libwbclient/ABI/{wbclient-0.10.sigs = wbclient-0.11.sigs} (100%) Changeset truncated at 500 lines: diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 5923200..da1fc0e 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c 
@@ -2,7 +2,7 @@ Unix SMB/CIFS implementation. RFC2478 Compliant SPNEGO implementation - + Copyright (C) Jim McDonough j...@us.ibm.com 2003 Copyright (C) Andrew Bartlett abart...@samba.org 2004-2005 Copyright (C) Stefan Metzmacher me...@samba.org 2004-2008 @@ -11,13 +11,13 @@ it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ @@ -121,7 +121,7 @@ static NTSTATUS
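Review bot: Commit 05befd2 demotes the message for a failed PAC signature verification (kerberos_pac.c, 2 +- in the summary), and a bad signature on an application-supplied PAC is an event an administrator may want to see at the default level; a rate-limited or summarised message may serve better than lowering the level outright. Commit 1bc2f28 says info3 is added to netsamlogon_cache only when the signature verifies, which appears to mean info3 is still returned to the caller when it does not, and the wbclient.h documentation should say so explicitly so callers do not treat the returned uid and gid as verified. The spnego.c hunks visible before the truncation only strip whitespace from the header comment, so neither point can be checked from this mail and both need the full diff.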