Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Kai Blin

On 2012-10-31 22:25, Dmitry Khromov wrote:

 Samba 4 rc 3. I had noticed a strange behavior. If host creates a 
 record, it won't be further updated until the record gets deleted 
 manually. What could cause this?

What updates are you expecting?

 Another question: how could the dynamically added record's TTL be 
 enforced? For example, we have a user-based VLAN assignment in our 
 networks. When Windows host boots, it authenticates with machine 
 account and goes to the one of parking VLANs. Later, when user
 logs in, he gets a different VLAN and different IP address. So, we
 really want other DNS servers to not cache this records for too
 long. Normally, this is done by modifying SOA record (and, as I
 recall, Samba's internal DNS respects TTLs in SOA). But samba-tool
 can't edit SOA records, MMC DNS snap-in fails to do it too.

The TTL only affects caching decisions on the resolver side, so the
internal DNS actually doesn't do anything with the TTLs apart from
serving them out with the record.

Now, if your clients register their DNS records, they get to pick the
TTL of the entry themselves. This can probably be affected with a GPO
somehow, but I don't know the AD stuff enough to know where to look.

I don't think the TTL of the SOA record should affect anything apart
from how long resolvers cache the SOA record.

Cheers,
Kai
-- 
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Dmitry Khromov
Hello!
  Samba 4 rc 3. I had noticed a strange behavior. If host creates a 
  record, it won't be further updated until the record gets deleted 
  manually. What could cause this?
 
 What updates are you expecting?

When a Windows DHCP client receives a lease, or when you manually issue the
ipconfig /renew command, Windows sends out DNS messages (unsigned, then signed
if needed) with the UPDATE opcode towards the NS specified in the NS field of
the SOA, carrying the new IP address for the record. I expected Samba to behave
like the MS DNS server and replace the old record with the new one.

  Another question: how could the dynamically added record's TTL be 
  enforced? For example, we have a user-based VLAN assignment in our 
  networks. When Windows host boots, it authenticates with machine 
  account and goes to the one of parking VLANs. Later, when user
  logs in, he gets a different VLAN and different IP address. So, we
  really want other DNS servers to not cache this records for too
  long. Normally, this is done by modifying SOA record (and, as I
  recall, Samba's internal DNS respects TTLs in SOA). But samba-tool
  can't edit SOA records, MMC DNS snap-in fails to do it too.
 
 The TTL only affects caching decisions on the resolver side so the
 internal DNS actually doesn't do anything with the TTLs apart from
 serving them out with the record.

That's true. But you may specify an expire value for the whole zone in the SOA to
force other DNS servers that provide clients with cached recursion to query the
upstream NS again after the zone has expired, no matter what the TTL for
individual records is - that is what I need.

 Now, if your clients register their DNS records, they get to pick the
 TTL of the entry themselves. This can probably be affected with a GPO
 somehow, but I don't know the AD stuff enough to know where to look.

When I googled last time, I had seen some Microsoft guys saying it's hardcoded.
Not sure if that's true, but it looks like it, given the fact that Windows just
creates a record with a TTL of 1200 seconds, even if the DHCP server gives a
10-second lease.

 I don't think the TTL of the SOA record should affect anything apart
 from how long resolvers cache the SOA record.

And that is what I need.


As a last resort one could modify the SOA record directly via LDAP (e.g. using
ldbmodify). This is the method we currently use. One needs to change the
dnsRecord attribute of DC=@ for the domain in question. add: in the LDIF should
appear before delete:, or Samba may become inoperable. Or just pkill samba and
use ldbmodify on the .ldb directly.
http://msdn.microsoft.com/en-us/library/ee898781(prot.20).aspx describes the
dnsRecord attribute data format.
http://msdn.microsoft.com/en-us/library/cc448905(v=prot.20).aspx describes the SOA
record format.


Thank you!

-- 
Best regards,
Dmitry Khromov


Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Dmitry Khromov
By the way, maybe an option should be added to the Samba internal DNS server that
allows forcing the TTL of individual records, since it's not tunable in Windows?
This is a feature I missed much in the MS DNS server. In my opinion the network
administrator, not the MS DNS client alone, should have control of record TTLs.

P.S. 
 When Windows DHCP client receives a lease or when you manually issue ipconfig 
 /renew command
Sorry, not /renew, I meant /registerdns.

Thanks.
-- 
Best regards,
Dmitry Khromov

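As an added example, not code from the Samba project or from anyone in this thread, the following Python 3 (stdlib only) builds the RFC 2136 UPDATE message a client sends on registration, as Dmitry describes above (zone section, "delete all A" then "add A" with the client-chosen 1200 s TTL), and applies the server-side TTL ceiling his later post asks for to the update section. Names and addresses are constructed; the message is unsigned.

```python
import struct

OPCODE_UPDATE = 5                 # RFC 2136 opcode value
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    """Decode a name, following RFC 1035 compression pointers; return (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                       # 11xxxxxx: pointer to an earlier name
            if not jumped:
                end = off + 2                      # the pointer is the last thing read here
            off, jumped = struct.unpack_from("!H", buf, off)[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(bytes(buf[off:off + n]).decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if jumped else off)


def build_update(zone, name, ipv4, ttl, msg_id=0x1234):
    """UPDATE message: zone section, then 'delete all A RRs for name' and 'add A'."""
    # ID, flags (QR=0, opcode=UPDATE), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0
    header = struct.pack("!6H", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # class ANY + TTL 0 + RDLENGTH 0 means "delete all RRs of this type" (RFC 2136 2.5.2)
    delete_rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = bytes(int(o) for o in ipv4.split("."))
    add_rr = (encode_name(name)
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_sec + delete_rr + add_rr


def parse_update(msg):
    """Return (zones, records): records of the prerequisite and update sections."""
    _, flags, zocount, prcount, upcount, _ = struct.unpack_from("!6H", msg, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    off, zones, records = 12, [], []
    for _ in range(zocount):
        zname, off = decode_name(msg, off)
        off += 4                                   # skip ZTYPE and ZCLASS
        zones.append(zname)
    for section, count in (("prereq", prcount), ("update", upcount)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            records.append({"section": section, "name": name, "type": rtype,
                            "class": rclass, "ttl": ttl, "ttl_off": off + 4,
                            "rdata": bytes(msg[off + 10:off + 10 + rdlen])})
            off += 10 + rdlen
    return zones, records


def enforce_ttl(msg, max_ttl):
    """Clamp the TTL of every RR the client wants added; return (new_msg, changes).

    Deletions (class ANY/NONE) carry TTL 0 and are left alone, so only the
    records that will actually be stored get the administrator's ceiling.
    """
    buf, changes = bytearray(msg), []
    for rr in parse_update(buf)[1]:
        if rr["section"] == "update" and rr["class"] == CLASS_IN and rr["ttl"] > max_ttl:
            struct.pack_into("!I", buf, rr["ttl_off"], max_ttl)
            changes.append((rr["name"], rr["ttl"], max_ttl))
    return bytes(buf), changes


if __name__ == "__main__":
    # Constructed sample (not from the thread): a workstation registering its
    # lease with the 1200 s TTL the thread says Windows uses, while the admin
    # wants nothing cached longer than 300 s.
    original = build_update("example.internal.", "ws01.example.internal.", "192.0.2.10", 1200)
    clamped, changes = enforce_ttl(original, 300)
    print(changes)                                 # [('ws01.example.internal.', 1200, 300)]
```

A server applying such a policy must do so after verifying the TKEY/TSIG signature, since rewriting the TTL bytes invalidates the client's signature over the message; the ceiling belongs at storage time, not on the wire.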

Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Kai Blin

On 2012-11-01 09:40, Dmitry Khromov wrote:

Hi,

 When a Windows DHCP client receives a lease or when you manually
 issue the ipconfig /renew command, Windows sends out DNS messages
 (unsigned, then signed if needed) with the UPDATE opcode towards the
 NS specified in the NS field of the SOA with the new IP address for
 the record. I expected Samba to behave like the MS DNS server and
 replace the old record with the new one.

Yes, that should work. If it doesn't work for you, you need to tell us
some more details about your smb.conf and maybe provide a network
capture of the failing DNS update.

 That's true. But you may specify expire for the whole zone in SOA
 to force other DNS servers that provide clients with cached
 recursion to query upstream NS again after the zone is expired, no
 matter what the TTL for individual records is - that is what I
 need.

Fair enough. Again, we probably need a network capture to see what's
going on with the DNS MMC failing to update the SOA record.

Cheers,
Kai

-- 
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/


Re: [Samba] Windows 7 8 + HomeGroup support

2012-11-01 Thread Emmanuel Florac
On Wed, 31 Oct 2012 22:11:36 -0700, you wrote:

 As windows 8 is continuing the tradition of using HomeGroup instead
 of traditional sharing, I'd like to re-request that some
 consideration be given to implementing HomeGroup support in Samba.

From my understanding of HomeGroup (admittedly incomplete), it uses
different protocols, sharing and authentication mechanisms, etc than
SMB. Therefore it belongs to an entirely different package than samba
(maybe under the samba.org umbrella, but another program nonetheless).

-- 

Emmanuel Florac |   Direction technique
|   Intellique
|   eflo...@intellique.com
|   +33 1 78 94 84 02


Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Dmitry Khromov
  I expected Samba to behave like MS DNS server and replace the old
  record with a new one.
 
 Yes, that should work. If it doesn't work for you, you need to tell us
 some more details about your smb.conf and maybe provide a network
 capture of the failing DNS update.

# cat etc/smb.conf
# Global parameters
[global]
workgroup = MK_KLIN
realm = klin.kifato-mk.com
netbios name = DC1
interfaces = 192.168.1.24, 127.0.0.1
bind interfaces only = Yes
server role = active directory domain controller
idmap_ldb:use rfc2307  = yes
debug level = 1
wins server = 192.168.1.31
allow dns updates = secure only

[netlogon]
path = /usr/local/samba/var/locks/sysvol/klin.kifato-mk.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

A PCAP-formatted dump is attached. According to the dump, Windows just doesn't 
try to send a signed update after receiving the TKEY. However, this host had 
succeeded at least once today. I rebooted it; now no updates happen, but Samba 
started to say:
[2012/11/01 14:32:30,  1] 
../source4/dns_server/dns_server.c:150(dns_process_send)
  Failed to verify TSIG!
Some background: we already had the same symptoms this week for most of our 
Windows hosts (and some Samba 3 based ones, too). Yesterday we had to delete the 
zone (it was somewhat dirty after years on Windows; e.g. MMC DNS said "Server 
couldn't load the zone" when you opened it on the Samba server) and rebuild it 
from scratch. As a side effect those TSIG-related messages were gone and records 
had started to update (one time, until deletion). Now it looks like nothing had 
actually changed.

 Again, we probably need a network capture to see what's
 going on with the DNS MMC failing to update the SOA record.

Attached (PCAP-formatted).

Thanks in advance.
-- 
Best regards,
Dmitry Khromov

Re: [Samba] [samba] printer cups

2012-11-01 Thread Moray Henderson
 From: root [mailto:r...@server-ready.aghezzi.it]
 Sent: 30 October 2012 17:47
 
 my samba is working good, only a problem with the classic pdf printer
 
 I get this message from testparm
 
 Warning: Service pdf-printer defines a print command, but print command
 parameter is ignored when using CUPS libraries.
 Server role: ROLE_STANDALONE
 Press enter to see a dump of your service definitions
 
 
 and this is my .conf
 
 [global]
 workgroup = RSA
 netbios name = RSA-INTRANET
 server string = RSA-INTRANET
 map to guest = Bad User
 passdb backend = tdbsam
 log file = /var/log/samba/log.%m
 dns proxy = No
 
 [pubblico]
 comment = condivisione pubblica
 path = /var/pubblico
 read only = No
 
 [pdf-printer]
 path = /var/pubblico/
 create mask = 0700
 guest ok = Yes
 printable = Yes
 print command = /usr/bin/printpdf.sh %s
 printer name = lp
 
 everything works ok, but the print command isn't executed although the
 printer is shared and visible on the lan.
 
 thanks for any help

We had printing = bsd when we had a PDF printer script like yours.
Because we are running SELinux, we also had to label our script
samba_unconfined_script_exec_t to allow Samba to run it.

However, we found that Samba was not really happy with both real CUPS
printer shares and a virtual PDF printing script, so we have moved to
PDFCreator (www.pdfforge.org) on the clients instead.  It lets you use more
features than the server-side script too.

[It's better English to say working well than working good]



Moray.
To err is human; to purr, feline.







[Samba] sambar4: user creation with ldap and initial password

2012-11-01 Thread Thomas Mueller
hi

I'm trying to create a user via LDAP from a remote server. The user is 
created successfully. I'm failing to set the initial password.

Setting the unicodePwd with kerberos administrator credentials with 
ldbmodify and the ldif below results in 2035: setup_io: it's not 
allowed to set the NT hash password directly. 

Searching the web I've found s4 mailing list entries saying not to set 
unicodePwd via LDAP. This KB article says that in AD it's possible to set 
it: http://support.microsoft.com/kb/263991/en-us 

Is there a supported method to supply the initial user password with s4 
and ldap?

- Thomas

LDIF:
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK



[Samba] force user not working

2012-11-01 Thread L . P . H . van Belle
Hai, 
 
Small question. 
 
I'm running Debian squeeze, samba 3.6.6-2~bpo60+1, in a domain with LDAP. 
 
I joined my domain with a new server as a domain member; so far so good. 
 
I'm having problems with the force user parameter. 
It's not working.  ;-) 
The force group is working fine. 
 
The strange thing is, the share is a copy of the one on another server (the settings), and on the 
other server it's working ok. 
 
This is the share: 
 
[dbspool]
    comment = Aftermath Database Spooling
    path = /home/dbspool
    browseable = yes
    writeable = yes
    read list = @DOMAINNAME\groupname
    write list = @DOMAINNAME\groupname
    force user = username
    force group = groupname 
    create mode = 666
    directory mode = 777
    wide links = yes
    follow symlinks = yes

Everything I copy to the share has user root (and this is correct since my user 
is also in the Domain Admins group), 
but with force user it should be username and not root. 
 
I'm missing something, but can't see what. 
The logs are error free. 
 
Best regards, 
 
Louis
 


[Samba] Samba/WinBind Trusted domain

2012-11-01 Thread Stevenson, Ryan
Our AD forest has user accounts in one domain and resources in a trusted domain. 
 I have gotten Samba3x to join the domain and authenticate user accounts in both 
domains.  The question I have is: is there a way to set the default domain, for 
when people are not putting in a domain+userid, so that it defaults to the 
account domain rather than the resource domain the Samba server is joined to?



Diagram:

Account.local (User Account domain) Limited admin privileges, but where all 
the user accounts live
|
|
|--  Resource.account.local (Resource domain) Full admin privileges



[Samba] Group membership lost unpredictably

2012-11-01 Thread Ian Frisbie
Hi,

I have a very bizarre problem linking to my Active Directory from my Ubuntu
11.10 system.  I have three AD users set up, with them belonging to a
specific AD group.  When I first log a user in on my Ubuntu system, that
user is shown to be a member of the group:

wbinfo -r user

And if I show the group members, it also lists my user:

wbinfo --gid-info gid

However - after a while (sometimes minutes, sometimes up to 10 minutes)
wbinfo -r no longer indicates the user is part of that group anymore (even
though wbinfo --gid-info still does).  Rebooting the linux box makes no
difference - group membership is lost.  There doesn't seem to be an obvious
trigger for this behavior either - the timing is inconsistent, I'm not
executing any special commands - but it only happens once the user has
logged in.  Not all AD group memberships are lost though, it is still part
of the domain users and domain admin groups (the built-in groups).

Can anyone explain why the two commands would say different things that
seem to be in direct conflict?  Also, is there a way to manually change
it?  Or force a refresh of the information?

Specs:

Windows Server 2003
Ubuntu 11.10
Samba 3.5.11

I know you are up to 3.6.8 now.  Is it possible this was related to a bug
fix and I need to upgrade?  I'm on an isolated system and upgrading isn't
an easy process - so I figured I'd ask before I wasted my time.

Ian

-- 
Ian D. Frisbie
609 Colchester Ct.
Middletown, DE 19709
(302) 648-6378 (Google Voice)
(302) 437-6378 (Cell)
(302) 378-7664 (Home)
ifris...@gmail.com


Re: [Samba] SYSVOL ACLs and GPOs

2012-11-01 Thread Alex Matthews

On 30/10/2012 00:08, Jeremy Allison wrote:

On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:

be a particular trigger - but it shouldn't be able to make a
modification that doesn't go via vfs_acl_xattr.

For Alex, before running the Group Policy tools on WinXP, he gets (at
level 10 on samba-tool ntacl sysvolcheck):

get_nt_acl_internal: blob hash matches for
file 
/root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}

then after, he gets:

get_nt_acl_internal: blob hash does not match for
file 
/root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
 - returning file system SD mapping.

Is this message from smbd, or from samba-tool ?

That's what vfs_acl_common is printing, being run from samba-tool ntacl
sysvolcheck.  It links to the VFS layer.

So this looks like it's running the Group Policy tools on WinXP
that causes the problem ?

Can we get a debug level 10 log of that activity going on
against smbd ?

Jeremy.

Ok I have some additional info.

Using the GPMC I cannot create new GPOs. I get the message: This 
security ID may not be assigned as the owner of this object


If I use samba-tool gpo create I get the following:

# bin/samba-tool gpo create SMC Students
ERROR(ldb): uncaught exception - LDAP error 50 
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  dsdb_access: Access check failed on 
CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk 
  File 
/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py, 
line 175, in _run

return self.run(*args, **kwargs)
  File 
/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py, 
line 952, in run

self.samdb.add(m)

If I supply administrator as username I get:

# bin/samba-tool gpo create SMC Students -U administrator
Password for [SMC\administrator]:
ERROR(runtime): uncaught exception - (-1073741734, 
'NT_STATUS_INVALID_OWNER')
  File 
/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py, 
line 175, in _run

return self.run(*args, **kwargs)
  File 
/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py, 
line 987, in run

conn.set_acl(sharepath, fs_sd, sio)

However this time it has successfully created the GPO. (GPMC still 
throws the same warnings about inconsistent ACLs).


bin/samba-tool gpo create SMC Students -d 10: http://pastebin.com/tjutA68u
bin/samba-tool gpo create SMC Students -U administrator -d 10: 
http://pastebin.com/8kkVEy7V


I would hazard a guess and say the GPMC error (when creating a GPO) is 
the same error as the samba-tool error.


Thanks,

Alex


[Samba] Samba Active Directory w/ Kerberos Trust

2012-11-01 Thread Rafferty, Joseph
Hello,

I'm having some difficulty understanding the best approach to setting up a 
samba fileserver in our environment. We have an active directory domain (2008) 
that has account stubs that we use for security and authorization (the 
passwords are unknown/random). This domain has a one-way Kerberos trust to an 
MIT Kerberos realm that we use for authentication. The user accounts are 
name-mapped to the corresponding principal name in the kerberos/authentication 
realm. I had planned to net join the server to the active directory realm for 
user and group resolution, but configure PAM to use pam_krb5 for authentication 
instead of winbind. However, it appears to me that, by design, Samba is not 
able to authenticate and authorize in two different realms this way for the 
following reason:

Samba always ignores PAM for authentication in the case of encrypt passwords = 
yes: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

Setting encrypt passwords = no results in the following testparm error:
ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always 
be set to 'true'.

Anyone successfully authenticating this way?

Thanks for the help!
-Joseph



smb.conf:

[global]
log file = /var/log/samba/log.%m
log level = auth:3
max log size = 50
security = ads
netbios name = SERVERNAME
realm = AD.DOMAIN.EDU
password server = dc.ad.domain.edu
workgroup = AD
idmap uid = 1-500
idmap gid = 1-500
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
obey pam restrictions = yes




[Samba] libkdc-policy.so: cannot open shared object file: No such file or directory?

2012-11-01 Thread samba . to . anomalyst
Built from tar. Same result from git pull as of 01NOV install

sudo samba-tool domain provision --realm=hen.us.mentats.us
--domain=NEWDOM --dns-backend=BIND9_DLZ --adminpass=badpass
--server-role='domain controller'

libkdc-policy.so: cannot open shared object file: No such file or directory

How do I find/build this module?



[Samba] smbd daemon crash when connect to shared folder

2012-11-01 Thread Le, Anh
Hi All,

I've installed and configured Samba 3.5.11 on a Solaris 8 machine. I was able 
to join it to the 2008 R2 AD. However, its smbd daemon crashes every time I 
connect to its shared folder from the Windows machine, so I'm not able to 
connect to its shared folders. Below is its log from the smb.log file. Does 
anyone have any idea what causes the problem? I would appreciate it very much.

Regards,

Anh

[2012/11/01 14:38:29.737077,  0] lib/util.c:1468(smb_panic)
  PANIC (pid 1515): sys_setgroups failed
[2012/11/01 14:38:29.737982,  0] lib/util.c:1622(log_stack_trace)
  unable to produce a stack trace on this platform
[2012/11/01 14:38:29.738879,  0] lib/fault.c:326(dump_core)
  dumping core in /usr/local/samba/var/cores/smbd
[2012/11/01 14:38:29.907709,  0] lib/util.c:1468(smb_panic)
  PANIC (pid 1516): sys_setgroups failed
[2012/11/01 14:38:29.908671,  0] lib/util.c:1622(log_stack_trace)
  unable to produce a stack trace on this platform
[2012/11/01 14:38:29.909428,  0] lib/fault.c:326(dump_core)
  dumping core in /usr/local/samba/var/cores/smbd

Here is my krb5.conf file

# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident @(#)krb5.conf  1.4 07/11/14 SMI
#

# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __name__ placeholders
# with appropriate values for your network and uncomment the
# appropriate entries.
#
[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 
des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 
des3-hmac-sha1
#   dns_lookup_kdc = true
#   verify_ap_req_nofail = false
clockskew = 300

[realms]
DOMAIN.COM = {
kdc = kdc1.domain.com
 kdc = kdc2.domain.com
  kdc = kdc3.domain.com
admin_server = kdc1.domain.com
default_domain = domain.com
}


[domain_realm]
   .kerberos.server = DOMAIN.COM
   domain.com = DOMAIN.COM
   .domain.com = DOMAIN.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/log/kdc.log
kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

versions = 10
}

[appdefaults]
#   kinit = {
#   renewable = true
#   forwardable= true
kinit = {
debug = false
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 500
try_first_pass = true
}
gkadmin = {
help_url = 
http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195

Here is my smb.conf file

# Samba config file created using SWAT
# Date: 2005/03/19 12:43:32

# Global parameters
[global]
workgroup = DOMAIN.COM
realm = DOMAIN.COM
preferred master = no
server string = Samba %v - %h
security = ADS
encrypt passwords = yes

inherit acls = Yes
debug level = 0
log file = /var/log/smb.log

winbind enum users = yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
;template primary group = Domain Users

#   idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:readonly = yes
idmap config DOMAIN:range = 8000-5
idmap config DOMAIN:schema = rfc2307
idmap alloc backend = tdb
idmap alloc config:range = 2000-3000

load printers = No
disable spoolss = Yes
printcap name = /dev/null

[mu]
comment = Mu lock views
path = /home/mu
   read only = No
create mask = 0775
directory mask = 0775

[vbstor]
comment = Mu lock vob
path = /vobstor
read only = No
create mask = 0775
directory mask = 0775


Re: [Samba] Internal DNS - TTL enforcement for dynamic updates

2012-11-01 Thread Dmitry Khromov
 According to the dump, Windows just doesn't try to send a signed update after 
 receiving the TKEY. However, this host had succeeded at least once today. I rebooted 
 it; now no updates happen, but Samba started to say:
 [2012/11/01 14:32:30,  1] 
 ../source4/dns_server/dns_server.c:150(dns_process_send)
   Failed to verify TSIG!

Things get even more interesting. It looks like there are in fact two problems.
I have another two dumps, illustrating the original issue I was talking about. 
In dump 1 the host has just booted and the record from the previous boot exists. 
As you can see, Samba says SERVFAIL. debug level = 1 says:
[2012/11/01 23:59:44,  1] ../source4/dns_server/dns_query.c:501(handle_tkey)
  Tkey handshake completed
[2012/11/01 23:59:48,  1] ../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3
[2012/11/01 23:59:48,  1] ../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3
[2012/11/01 23:59:48,  1] ../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3
[2012/11/01 23:59:48,  1] ../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3

In dump 2 I have just deleted the record. As you can see, only the first update 
succeeds, then - SERVFAIL again.

P.S. Just in case you're surprised by the update frequency - it's what we 
really have in production on parking subnets, as a workaround for the Windows 
7 DHCPINFORM on non-authoritative subnets problem.

-- 
Best regards,
Dmitry Khromov

Re: [Samba] Windows 7 8 + HomeGroup support

2012-11-01 Thread Christ Schlacta
My understanding was that it was purely a new authentication method on 
top of existing CIFS/AD protocols.


Either way, I believe home-group integration is important, and samba is 
where it belongs.


On 11/01/12 02:26, Emmanuel Florac wrote:

On Wed, 31 Oct 2012 22:11:36 -0700, you wrote:


As windows 8 is continuing the tradition of using HomeGroup instead
of traditional sharing, I'd like to re-request that some
consideration be given to implementing HomeGroup support in Samba.

 From my understanding of HomeGroup (admittedly incomplete), it uses
different protocols, sharing and authentication mechanisms, etc than
SMB. Therefore it belongs to an entirely different package than samba
(maybe under the samba.org umbrella, but another program nonetheless).




Re: [Samba] Windows 7 8 + HomeGroup support

2012-11-01 Thread Jeremy Allison
On Thu, Nov 01, 2012 at 01:17:10PM -0700, Christ Schlacta wrote:
 My understanding was that it was purely a new authentication method
 on top of existing CIFS/AD protocols.

H.

http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-HGRP].pdf

Looks like a web service, that then might use SMB/CIFS underneath.

 Either way, I believe home-group integration is important, and samba
 is where it belongs.

Get me a wireshark trace of homegroup sharing and we'll see
(yes I know I could do it, but I'm busy with Samba4.0.0 work
right now :-).

Jeremy.


Re: [Samba] smbd daemon crash when connect to shared folder

2012-11-01 Thread Jeremy Allison
On Thu, Nov 01, 2012 at 03:40:52PM -0400, Le, Anh wrote:
 Hi All,
 
 I've installed and configured Samba 3.5.11 on a Solaris 8 machine. I was able 
 to join it to the 2008 R2 AD. However, its smbd daemon crashes every time I 
 connect to its shared folder from the Windows machine, so I'm not able to 
 connect to its shared folders. Below is its log from the smb.log file. Does 
 anyone have any idea what causes the problem? I would appreciate it very much.
 
 Regards,
 
 Anh
 
 [2012/11/01 14:38:29.737077,  0] lib/util.c:1468(smb_panic)
   PANIC (pid 1515): sys_setgroups failed
 [2012/11/01 14:38:29.737982,  0] lib/util.c:1622(log_stack_trace)
   unable to produce a stack trace on this platform
 [2012/11/01 14:38:29.738879,  0] lib/fault.c:326(dump_core)
   dumping core in /usr/local/samba/var/cores/smbd
 [2012/11/01 14:38:29.907709,  0] lib/util.c:1468(smb_panic)
   PANIC (pid 1516): sys_setgroups failed
 [2012/11/01 14:38:29.908671,  0] lib/util.c:1622(log_stack_trace)
   unable to produce a stack trace on this platform
 [2012/11/01 14:38:29.909428,  0] lib/fault.c:326(dump_core)
   dumping core in /usr/local/samba/var/cores/smbd

Almost certainly too many groups for your poor Solaris 8 machine
(which has a limit of 16 groups per process I believe).

Jeremy.


Re: [Samba] Restricting DC Roles?

2012-11-01 Thread Andrew Bartlett
On Thu, 2012-11-01 at 19:26 +, Bethel, Zach wrote:
 I went ahead and updated to samba-master, and the error is replaced by a new 
 one that is rather strange:
 
 Windows was unable to determine whether new Group Policy settings defined by 
 a network administrator should be enforced for this user or computer because 
 this computer's clock is not synchronized with the clock of one of the domain 
 controllers for the domain. Because of this issue, this computer system may 
 not be in compliance with the network administrator’s requirements, and users 
 of this system may not be able to use some functionality on the network. 
 Windows will periodically attempt to retry this operation, and it is possible 
 that either this system or the domain controller will correct the time 
 settings without intervention by an administrator, so the problem will be 
 corrected.
 
 If this issue persists for more than an hour, checking the local system's 
 clock settings to ensure they are accurate and are synchronized with the 
 clocks on the network's domain controllers is one way to resolve this 
 problem. A network administrator may be required to resolve the issue if 
 correcting the local time settings does not address the problem.
 
 So it's obviously complaining about clock skew. Once again, I checked the 
 event log and it's trying to update from the samba machine. The odd thing is 
 that the samba DC time is perfectly in sync with the two Windows DCs. I set up 
 NTP on it, and lsof reveals that the signed socket is indeed being read by 
 samba. I am not having any other authentication issues with kerberos.
 
 Is this a known issue by chance?
 Thanks!

No, it is not, sorry.

Please file a bug with network captures etc.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Joining domain without password?

2012-11-01 Thread Jakov Sosic

On 10/30/2012 06:53 AM, Andrew Bartlett wrote:

By some means, we need to securely establish a shared secret between the
machine and the DC.

You could forward a kerberos ticket to the host, if that's easier to
automate and use -k.

The old (NT4) style of setting up the account first, which implicitly
set the password to machinename, isn't exactly secure, so doesn't help
much.  (that was what smbpasswd -j used long ago).

You can delegate the privilege of joining machines to the domain, which
may lessen the impact of the password or kerberos ticket/keytab you
forward, but the shared secret needs to be securely set up somehow.


I've decided to create a user with the sole privilege of joining machines to 
the domain, and automation works OK.



Thank you.



--
Jakov Sosic
www.srce.unizg.hr


[Samba] Samba 3.5 - user authentication issues

2012-11-01 Thread Jakov Sosic

Hi.

I'm using CentOS 5 with samba3x packages (Samba 3.5.10) and Solaris 10 
(Samba 3.5.8) for achieving AD integration. Samba hosts are added as 
domain members.


Now, I've tried to add CentOS 6, which also uses 3.5.10, but have 
encountered a problem - users cannot authenticate for some reason. 
Configurations are pretty much the same across the board, and they look 
like this:


# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [www]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = www2 (Samba ver. %v)
security = ADS
allow trusted domains = No
password server = server.domain.local
log level = 10
syslog = 0
log file = /var/log/samba/log.%m
load printers = No
local master = No
domain master = No
idmap backend = rid:DOMAIN=1-4
idmap uid = 1-4
idmap gid = 1-4
winbind use default domain = Yes
cups options = raw

[share]
comment = something
path = /home/share/www
force user = share
force group = share
read only = No
force create mode = 0660
force security mode = 0660
force directory mode = 0770
delete readonly = Yes


Testparm is ok (exit: 0).

# net ads testjoin
Join is OK
# net ads testjoin -k
Join is OK
# net rpc testjoin -k
saf_store: refusing to store 0 length domain or servername!
Join to 'DOMAIN' is OK

# net ads info
LDAP server: 192.168.xx.yy
LDAP server name: server.Domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: Wed, 31 Oct 2012 17:46:46 CET
KDC server: 192.168.xx.yy
Server time offset: 0





wbinfo -u, wbinfo -g, wbinfo -i username all work OK... so mapping is ok.


But when I try to access share from other computer, credentials are 
refused...


# smbclient www2\\www -U jakov.sosic
Enter jakov.sosic's password:
session setup failed: NT_STATUS_LOGON_FAILURE


If I take a look at the log, I see this:

[2012/10/31 17:39:41.443043,  6] param/loadparm.c:7158(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf - /etc/samba/smb.conf  last mod_time: Wed Oct 31 17:35:47 2012


[2012/10/31 17:39:41.443102,  5] auth/auth_util.c:211(make_user_info_map)
  Mapping user [DOMAIN]\[jakov.sosic] from workstation [WS101]
[2012/10/31 17:39:41.443592,  5] auth/auth_util.c:122(make_user_info)
  attempting to make a user_info for jakov.sosic (jakov.sosic)
[2012/10/31 17:39:41.443616,  5] auth/auth_util.c:132(make_user_info)
  making strings for jakov.sosic's user_info struct
[2012/10/31 17:39:41.443632,  5] auth/auth_util.c:164(make_user_info)
  making blobs for jakov.sosic's user_info struct
[2012/10/31 17:39:41.443651, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for jakov.sosic (jakov.sosic)
[2012/10/31 17:39:41.443671,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[jakov.sosic]@[WS101] with the new password interface
[2012/10/31 17:39:41.443695,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[jakov.sosic]@[WS101]
[2012/10/31 17:39:41.443714, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
[2012/10/31 17:39:41.443733, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2012/10/31 17:39:41.443763,  5] ../lib/util/util.c:278(_dump_data)
  [] C5 DA F3 11 9A 67 11 50.g.P
[2012/10/31 17:39:41.443795, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2012/10/31 17:39:41.443817,  8] lib/util.c:1894(is_myname)
  is_myname(DOMAIN) returns 0
[2012/10/31 17:39:41.443837,  6] auth/auth_sam.c:556(check_samstrict_security)
  check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
[2012/10/31 17:39:41.443860, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2012/10/31 17:39:41.443882,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/10/31 17:39:41.443904,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/10/31 17:39:41.443923,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/10/31 17:39:41.443959,  5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2012/10/31 17:39:41.443977,  5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/10/31 17:39:41.452516,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 
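
An added example (not from the post): a Python parser for the smbd debug-log format shown above, which rejoins mail-wrapped headers and message lines and then summarises the authentication attempt: who was mapped from where, which auth modules reported "had nothing to say", and the final status. The log lines below are constructed from the post's excerpt; the closing FAILED line and the "guest, sam, winbind" member chain are assumptions, not taken from the post.

```python
import re
from dataclasses import dataclass, field

# smbd debug log header: "[YYYY/MM/DD hh:mm:ss.ffffff, level] file:line(function)".
# Mail clients wrap long lines, so the location may land on the line after the header.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<loc>.*)$"
)
LOC_RE = re.compile(r"^(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")

MAP_RE = re.compile(r"Mapping user \[([^\]]*)\]\\\[([^\]]*)\] from workstation \[([^\]]*)\]")
NOTHING_RE = re.compile(r"check_ntlm_password: (\w+) had nothing to say")
RESULT_RE = re.compile(
    r"Authentication for user \[[^\]]*\] -> \[[^\]]*\] (\w+)(?: with error (NT_STATUS_\w+))?"
)
# Auth modules assumed to be consulted, in order, for a domain member (assumption, not from the post).
MEMBER_CHAIN = ("guest", "sam", "winbind")


@dataclass
class LogEntry:
    ts: str
    level: int
    file: str = ""
    line: int = 0
    func: str = ""
    msg: list = field(default_factory=list)


def parse_samba_log(text):
    """Group each header with its (possibly wrapped) location and message lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            entry = LogEntry(m["ts"], int(m["level"]))
            loc = LOC_RE.match(m["loc"].strip())
            if loc:
                entry.file, entry.line, entry.func = loc["file"], int(loc["line"]), loc["func"]
            entries.append(entry)
            continue
        if not entries:
            continue                      # text before the first header
        entry = entries[-1]
        loc = LOC_RE.match(line) if not entry.file else None
        if loc:                           # header and location were split by mail wrapping
            entry.file, entry.line, entry.func = loc["file"], int(loc["line"]), loc["func"]
        else:
            entry.msg.append(line)
    return entries


def summarize_auth(entries):
    """Pull the facts an admin wants out of one check_ntlm_password() run."""
    s = {"domain": None, "user": None, "workstation": None,
         "consulted": [], "result": None, "status": None}
    for e in entries:
        text = " ".join(e.msg)
        m = MAP_RE.search(text)
        if m:
            s["domain"], s["user"], s["workstation"] = m.groups()
            continue
        m = NOTHING_RE.search(text)
        if m:
            s["consulted"].append(m.group(1))
            continue
        m = RESULT_RE.search(text)
        if m:
            s["result"], s["status"] = m.group(1), m.group(2)
    s["not_consulted"] = [mod for mod in MEMBER_CHAIN if mod not in s["consulted"]]
    return s


# Constructed sample based on the post's excerpt; the final outcome line (and its
# line number 999) is assumed, since the post's log is cut off before that point.
SAMPLE_LOG = r"""
[2012/10/31 17:39:41.443102,  5] auth/auth_util.c:211(make_user_info_map)
  Mapping user [DOMAIN]\[jakov.sosic] from workstation [WS101]
[2012/10/31 17:39:41.443671,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[DOMAIN]\[jakov.sosic]@[WS101] with the new password interface

[2012/10/31 17:39:41.443795, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2012/10/31 17:39:41.443837,  6]
auth/auth_sam.c:556(check_samstrict_security)
  check_samstrict_security: DOMAIN is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2012/10/31 17:39:41.443860, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2012/10/31 17:39:41.460000,  2] auth/auth.c:999(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jakov.sosic] -> [jakov.sosic] FAILED with error NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    summary = summarize_auth(parse_samba_log(SAMPLE_LOG))
    print(f"{summary['domain']}\\{summary['user']} from {summary['workstation']}: "
          f"{summary['result']} ({summary['status']}); consulted {summary['consulted']}, "
          f"never heard from {summary['not_consulted']}")
```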

[Samba] ldbsearch returning NT_STATUS_INVALID_PARAMETER

2012-11-01 Thread Bethel, Zach
I have a Samba DC connected to two Windows 2008 R2 DC's. On the Samba machine, 
if I run `ldbsearch -H ldaps://*SAMBA-DC-IP* -U administrator`

It asks for my password and then works great. I can use any domain user and 
this works. However, if I instead run:

`ldbsearch -H ldaps://10.120.160.12 -k1 --krb5-ccache=/tmp/krb5cc_0`

I get this:

Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to '...' with backend 'ldaps': (null)
Failed to connect to ... - (null)

This happens regardless of whether or not the ticket exists at /tmp/krb5cc_0 (I 
can run kinit to create it and kdestroy to remove it). It's not the most useful 
error message...and strace isn't turning up anything interesting.

Any ideas?


The information in this communication is intended solely for the individual or 
entity to whom it is addressed. It may contain confidential or legally 
privileged information. If you are not the intended recipient, any disclosure, 
copying, distribution or reliance on the contents of this information is 
strictly prohibited, and may be unlawful. If you have received this 
communication in error, please notify us immediately by responding to the 
sender of this email, and then delete it from your system. Taylor University is 
not liable for the inaccurate or improper transmission of the information 
contained in this communication or for any delay in its receipt.


Re: [Samba] Restricting DC Roles?

2012-11-01 Thread Bethel, Zach
I went ahead and updated to samba-master, and the error is replaced by a new 
one that is rather strange:

Windows was unable to determine whether new Group Policy settings defined by a 
network administrator should be enforced for this user or computer because this 
computer's clock is not synchronized with the clock of one of the domain 
controllers for the domain. Because of this issue, this computer system may not 
be in compliance with the network administrator’s requirements, and users of 
this system may not be able to use some functionality on the network. Windows 
will periodically attempt to retry this operation, and it is possible that 
either this system or the domain controller will correct the time settings 
without intervention by an administrator, so the problem will be corrected.

If this issue persists for more than an hour, checking the local system's clock 
settings to ensure they are accurate and are synchronized with the clocks on 
the network's domain controllers is one way to resolve this problem. A network 
administrator may be required to resolve the issue if correcting the local time 
settings does not address the problem.

So it's obviously complaining about clock skew. Once again, I checked the event 
log and it's trying to update from the samba machine. The odd thing is that the 
samba DC time is perfectly in sync with the two Windows DCs. I set up NTP on it, 
and lsof reveals that the signed socket is indeed being read by samba. I am not 
having any other authentication issues with kerberos.

Is this a known issue by chance?
Thanks!


From: Andrew Bartlett [abart...@samba.org]
Sent: Friday, October 26, 2012 5:53 PM
To: Bethel, Zach
Cc: samba@lists.samba.org
Subject: Re: [Samba] Restricting DC Roles?

On Fri, 2012-10-26 at 16:56 +, Bethel, Zach wrote:
 Okay, I copied the files over and ran those two commands. Both of them 
 returned nothing (which I assume is a good thing?) and the file permissions 
 appear to have extended ACLs in the sysvol folder. So I'm assuming that 
 worked.

 However, when my Windows client attempts to `gpupdate /force` (as the domain 
 admin) from the samba machine, I get the following error message for the 
 computer policy:

 The processing of Group Policy failed. Windows attempted to read the file 
 \\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from a 
 domain controller and was not successful. Group Policy settings may not be 
 applied until this event is resolved. This issue may be transient and could 
 be caused by one or more of the following:

 a) Name Resolution/Network Connectivity to the current domain controller.
 b) File Replication Service Latency (a file created on another domain 
 controller has not replicated to the current domain controller).
 c) The Distributed File System (DFS) client has been disabled.

 The user policy gets applied just fine.
 When I look in the event viewer, I get error code 5 with Access is Denied 
 as the description. The same event has a DCName field which points at the 
 samba machine, so I know that it's trying to talk to samba. I can mount the 
 sysvol share manually as the domain administrator and see all the files just 
 fine.

 Any idea what might be going on?

This fix I just put in master is almost certainly for this problem.

If it doesn't apply, then just run 'sh -c 'umask 0 && samba-tool ntacl
sysvolreset'' to remove the umask for the duration of this operation.

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org





[SCM] Samba Shared Repository - branch master updated

2012-11-01 Thread Andrew Tridgell
The branch, master has been updated
   via  dd60dcf test-chgdcpass: test the ldap case for server password 
change
   via  0e6c5c0 s4-ldapclient: cope with logon failure retry in LDAP
   via  b0cc0d5 s4-librpc: set error code to LOGON_FAILURE on RPC fault 
with access denied
   via  538dd04 samba-tool: drs options does not need a samdb connection
   via  5d6ae34 s4-librpc: try a 2nd logon for more error cases
   via  30ffdda ldb: fixed callers for ldb_pack_data() and ldb_unpack_data()
   via  fc47b0d ldb: move ldb_pack.c into common
   via  e480995 test_chgdpass: use drs bind to test password change on RPC
   via  ed2e69f s4-librpc: use cli_credentials_failed_kerberos_login to 
cope with stale tickets
   via  fce66b2 test_chgdpass: added test for kerberos retry
   via  d4ea637 libcli: use cli_credentials_failed_kerberos_login() to cope 
with server changes
   via  994696c auth: added cli_credentials_failed_kerberos_login()
  from  ffb608b util: remove accidently committed hunk

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dd60dcf343bfb8286951d3109055693634574d8b
Author: Andrew Tridgell tri...@samba.org
Date:   Thu Nov 1 14:11:02 2012 +1100

test-chgdcpass: test the ldap case for server password change

use samba-tool drs options which does both RPC and LDAP connections

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

Autobuild-User(master): Andrew Tridgell tri...@samba.org
Autobuild-Date(master): Thu Nov  1 07:21:17 CET 2012 on sn-devel-104

commit 0e6c5c036f8faddcc6ca65c26453ffaf248ed2b5
Author: Andrew Tridgell tri...@samba.org
Date:   Thu Nov 1 14:10:14 2012 +1100

s4-ldapclient: cope with logon failure retry in LDAP

similar to what was done for rpc and cifs, we now retry once on logon
failure for ldap, allowing for a new ticket to be fetched when a
server password changes while we have a valid ticket for the old
password

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit b0cc0d5698d34aa7956b22faa8b79bd9b338286d
Author: Andrew Tridgell tri...@samba.org
Date:   Thu Nov 1 13:42:52 2012 +1100

s4-librpc: set error code to LOGON_FAILURE on RPC fault with access denied

this allows the client code to trigger a retry with a new password
callback for NTLM connections

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 538dd046f1efefbeb8660ef1ff5afd594a003341
Author: Andrew Tridgell tri...@samba.org
Date:   Thu Nov 1 13:31:47 2012 +1100

samba-tool: drs options does not need a samdb connection

this gives us a handy pure RPC client test for use in blackbox testing

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 5d6ae3498ad77ccdb7a8b3a316d7aa86c2f0c56a
Author: Andrew Tridgell tri...@samba.org
Date:   Thu Nov 1 13:30:47 2012 +1100

s4-librpc: try a 2nd logon for more error cases

not all servers give LOGON_FAILURE on authentication failures, so we
need to do the retry with a new ticket on a wider range of error types

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 30ffdda45bd3ae602b453c9c1bbdb77ea3de8a8d
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Oct 31 16:06:03 2012 +1100

ldb: fixed callers for ldb_pack_data() and ldb_unpack_data()

with ltdb_pack_data() and ltdb_unpack_data() now moved into common, we
need to increase the minor version and fixup callers of the API

Note that this relies on struct ldb_val being the same shape as
TDB_DATA, in much the same way as we rely on ldb_val and DATA_BLOB
being the same shape.

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit fc47b0d03c577730ce0ef9e09092f80c0712d5d0
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Oct 31 15:39:09 2012 +1100

ldb: move ldb_pack.c into common

this code should not be tied to the ldb_tdb backend, both because it
could be used for any record oriented backend, and because it should
be exposed for use by diagnosis/repair tools such as the recently
added ldbdump tool

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit e48099516e4975cb69c7e2850d3b13b25bab7c44
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Oct 31 18:45:25 2012 +1100

test_chgdpass: use drs bind to test password change on RPC

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit ed2e69fe91fee642392803a17d42d64adc36e41d
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Oct 31 18:44:23 2012 +1100

s4-librpc: use cli_credentials_failed_kerberos_login to cope with stale 
tickets

This allows our RPC client code to cope with a kerberos server
changing password while we have a valid service ticket

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 

[SCM] Samba Shared Repository - branch v3-5-test updated

2012-11-01 Thread Karolin Seeger
The branch, v3-5-test has been updated
   via  4067d19 WHATSNEW: Prepare release notes for Samba 3.5.19.
  from  92bd768 Revert Fix bug #7781 (Samba transforms ShareName to 
lowercase when adding new share via MMC)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -
commit 4067d192f62d6fc20e1cdf8820656b03aa9f5931
Author: Karolin Seeger ksee...@samba.org
Date:   Thu Nov 1 09:30:00 2012 +0100

WHATSNEW: Prepare release notes for Samba 3.5.19.

Karolin

---

Summary of changes:
 WHATSNEW.txt |   27 ++-
 1 files changed, 26 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 1551865..5bf1c53 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -8,12 +8,37 @@ This is the latest stable release of Samba 3.5.
 
 Major enhancements in Samba 3.5.19 include:
 
-o 
+o  Connection to outbound trusted domain goes offline (bug #9016).
+o  ACL masks incorrectly applied when setting ACLs (bug #9236).
+o  Samba panics if a user specifies an invalid port number (bug #9218).
+
 
 Changes since 3.5.17:
 -
 
 o   Jeremy Allison j...@samba.org
+* BUG 9016: Connection to outbound trusted domain goes offline.
+* BUG 9117: smbclient can't connect to a Windows 7 server using NTLMv2.
+* BUG 9213: Bad ASN.1 NegTokenInit packet can cause invalid free.
+* BUG 9236: ACL masks incorrectly applied when setting ACLs.
+
+
+o   Andrew Bartlett abart...@samba.org
+* BUG 8788: libsmb: Initialise ticket to ensure we do not free invalid 
memory.
+
+
+o   Björn Jacke b...@sernet.de
+* BUG 8344: autoconf: Fix --with(out)-sendfile-support option handling.
+* BUG 8732: Fix compile of krb5 locator on Solaris.
+* BUG 9172: Add quota support for gfs2.
+
+
+o   Matthieu Patou m...@matws.net
+* BUG 9259: lib-addns: Ensure that allocated buffer are pre set to 0.
+
+
+o   Andreas Schneider a...@samba.org
+* BUG 9218: Samba panics if a user specifies an invalid port number.
 
 
 ##
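Review bot: the "Major enhancements" list at the top of this hunk leaves out BUG 9213 (Bad ASN.1 NegTokenInit packet can cause invalid free), which the same hunk records under Jeremy Allison's changes. An invalid free triggered by a malformed packet on the SPNEGO path is at least as relevant to an administrator deciding whether to upgrade as the invalid-port panic (bug #9218) that is listed; suggest adding "+o  Bad ASN.1 NegTokenInit packet can cause invalid free (bug #9213)." to that list.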


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2012-11-01 Thread Michael Adam
The branch, master has been updated
   via  75c51d6 s3-param: Move the options needed for running smbd in the 
AD DC to loadparm
   via  fc5caff file_server: put set create mask and directory mask in 
fileserver.conf
  from  dd60dcf test-chgdcpass: test the ldap case for server password 
change

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 75c51d6561f6f39dd02fd942709039b871957f44
Author: Andrew Bartlett abart...@samba.org
Date:   Thu Nov 1 11:26:16 2012 +1100

s3-param: Move the options needed for running smbd in the AD DC to loadparm

This avoids the whole fileserver.conf thing, and simply handles everything 
in C.

The main challenge is that if s3fs is enabled in a member server
configuration (unlikely) then these options will not be set, and it
overrides any other attempt to set these as globals.  (The previous
approach essentially just changed defaults, because the include =
of smb.conf was after the values were set in fileserver.conf).

Andrew Bartlett

Signed-off-by: Andrew Bartlett abart...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

Autobuild-User(master): Michael Adam ob...@samba.org
Autobuild-Date(master): Thu Nov  1 11:47:22 CET 2012 on sn-devel-104

commit fc5caffbc139d63cab1ec105884863f73772586f
Author: Andrew Bartlett abart...@samba.org
Date:   Thu Nov 1 11:24:00 2012 +1100

file_server: put set create mask and directory mask in fileserver.conf

This allows any ACL to be set from the client, without restriction
from the Samba side.

Based on advice from Jeremy at 
https://lists.samba.org/archive/samba-technical/2012-October/088414.html

Andrew Bartlett

Signed-off-by: Andrew Bartlett abart...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

---

Summary of changes:
 file_server/file_server.c |   51 +---
 source3/param/loadparm.c  |   17 +++
 2 files changed, 19 insertions(+), 49 deletions(-)


Changeset truncated at 500 lines:

diff --git a/file_server/file_server.c b/file_server/file_server.c
index 0777de5..430782c 100644
--- a/file_server/file_server.c
+++ b/file_server/file_server.c
@@ -30,49 +30,6 @@
 #include dynconfig.h
 
 /*
-  generate a smbd config file for the file server
- */
-static const char *generate_smb_conf(struct task_server *task)
-{
-   int fd;
-   struct loadparm_context *lp_ctx = task-lp_ctx;
-   const char *path = smbd_tmp_path(task, lp_ctx, fileserver.conf);
-
-   if (path == NULL) {
-   return NULL;
-   }
-
-   fd = open(path, O_WRONLY|O_CREAT|O_TRUNC, 0644);
-   if (fd == -1) {
-   DEBUG(0,(Failed to create %s, path));
-   return NULL;
-   }
-
-   fdprintf(fd, [globals]\n);
-   fdprintf(fd, # auto-generated config for fileserver\n);
-   fdprintf(fd, server role check:inhibit=yes\n);
-fdprintf(fd, rpc_server:default = external\n);
-   fdprintf(fd, rpc_server:svcctl = embedded\n);
-   fdprintf(fd, rpc_server:srvsvc = embedded\n);
-   fdprintf(fd, rpc_server:eventlog = embedded\n);
-   fdprintf(fd, rpc_server:ntsvcs = embedded\n);
-   fdprintf(fd, rpc_server:winreg = embedded\n);
-   fdprintf(fd, rpc_server:spoolss = embedded\n);
-   fdprintf(fd, rpc_daemon:spoolssd = embedded\n);
-   fdprintf(fd, rpc_server:tcpip = no\n);
-
-   fdprintf(fd, map hidden = no\n);
-   fdprintf(fd, map system = no\n);
-   fdprintf(fd, map readonly = no\n);
-   fdprintf(fd, store dos attributes = yes\n);
-
-   fdprintf(fd, include = %s\n, lpcfg_configfile(lp_ctx));
-
-   close(fd);
-   return path;
-}
-
-/*
   called if smbd exits
  */
 static void file_server_smbd_done(struct tevent_req *subreq)
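Review bot: the generator deleted here set more than the server role check: the rpc_server:* embedded/external split, rpc_server:tcpip = no, map hidden/system/readonly = no and store dos attributes = yes all came from this file. The replacement in the next hunk only passes --option=server role check:inhibit=yes, so each of those values now has to be supplied by the source3/param/loadparm.c part of this commit, which the 500-line truncation cut from this message; please verify there that rpc_server:tcpip = no in particular survives, as it decides whether the smbd started under the AD DC opens its own RPC-over-TCP listeners. Removing the generated, mode-0644 fileserver.conf from the tmp path is a welcome side effect.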
@@ -98,23 +55,19 @@ static void file_server_smbd_done(struct tevent_req *subreq)
 */
 static void s3fs_task_init(struct task_server *task)
 {
-   const char *fileserver_conf;
struct tevent_req *subreq;
const char *smbd_path;
const char *smbd_cmd[2] = { NULL, NULL };
 
task_server_set_title(task, task[s3fs_parent]);
 
-   /* create a smb.conf for smbd to use */
-   fileserver_conf = generate_smb_conf(task);
-
smbd_path = talloc_asprintf(task, %s/smbd, dyn_SBINDIR);
smbd_cmd[0] = smbd_path;
 
/* start it as a child process */
subreq = samba_runcmd_send(task, task-event_ctx, timeval_zero(), 1, 0,
smbd_cmd,
-   --configfile, fileserver_conf,
+   --option=server role check:inhibit=yes,
--foreground,

debug_get_output_is_stdout()?--log-stdout:NULL,
NULL);
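Review bot: dropping --configfile also drops the "include = <lpcfg_configfile(lp_ctx)>" line the deleted generator wrote, which is what made the child smbd read the same smb.conf the samba process was started with. With only --option=server role check:inhibit=yes on the command line, smbd falls back to its compiled-in config path, so a DC started with a non-default -s/--configfile would run a file server reading a different smb.conf; consider passing --configfile=<lpcfg_configfile(lp_ctx)> alongside the --option. The single argv element with embedded spaces is fine as long as samba_runcmd_send() execs the binary directly rather than through a shell.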
@@ 

autobuild: intermittent test failure detected

2012-11-01 Thread autobuild
The autobuild test system has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2012-11-01-1221/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-11-01-1221/samba3.stderr
   http://git.samba.org/autobuild.flakey/2012-11-01-1221/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-11-01-1221/samba.stderr
   http://git.samba.org/autobuild.flakey/2012-11-01-1221/samba.stdout
  
The top commit at the time of the failure was:

commit 75c51d6561f6f39dd02fd942709039b871957f44
Author: Andrew Bartlett abart...@samba.org
Date:   Thu Nov 1 11:26:16 2012 +1100

s3-param: Move the options needed for running smbd in the AD DC to loadparm

This avoids the whole fileserver.conf thing, and simply handles everything 
in C.

The main challenge is that if s3fs is enabled in a member server
configuration (unlikely) then these options will not be set, and it
overrides any other attempt to set these as globals.  (The previous
approach essentially just changed defaults, because the include =
of smb.conf was after the values were set in fileserver.conf).

Andrew Bartlett

Signed-off-by: Andrew Bartlett abart...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

Autobuild-User(master): Michael Adam ob...@samba.org
Autobuild-Date(master): Thu Nov  1 11:47:22 CET 2012 on sn-devel-104


[SCM] Samba Shared Repository - branch master updated

2012-11-01 Thread Michael Adam
The branch, master has been updated
   via  2a3eb64 s3:winbindd: use PROTOCOL_LATEST instead of 
PROTOCOL_SMB2_02 (bug #9175)
   via  45105af s3:winbindd: disconnection after getting 
NETWORK_SESSION_EXPIRED (bug #9175)
   via  c5cd22b libcli/smb: add smbXcli_session_set_disconnect_expired() 
(bug #9175)
   via  24f3f87 lib/krb5_wrap: request enc_types in the correct order (bug 
#9272)
   via  f853c17 s3:winbindd:cache: fix offline logons with cached 
credentials (bug #9321)
  from  75c51d6 s3-param: Move the options needed for running smbd in the 
AD DC to loadparm

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2a3eb641fe34fb95bf713f0e7184581847af1357
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Oct 22 14:35:41 2012 +0200

s3:winbindd: use PROTOCOL_LATEST instead of PROTOCOL_SMB2_02 (bug #9175)

We should use the latest supported dialect.

Signed-off-by: Stefan Metzmacher me...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

Autobuild-User(master): Michael Adam ob...@samba.org
Autobuild-Date(master): Thu Nov  1 18:11:27 CET 2012 on sn-devel-104

commit 45105afffc5678082b23165ff74610d67e57a82a
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Oct 22 14:31:20 2012 +0200

s3:winbindd: disconnection after getting NETWORK_SESSION_EXPIRED (bug #9175)

Signed-off-by: Stefan Metzmacher me...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit c5cd22b5bbce724dcd68fe94320382b3f772cabf
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Oct 22 14:18:20 2012 +0200

libcli/smb: add smbXcli_session_set_disconnect_expired() (bug #9175)

This should be a short term hack until the upper layers have implemented
re-authentication.

Signed-off-by: Stefan Metzmacher me...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit 24f3f87706329e6e280dc6be6d025e997d46c910
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Oct 22 13:47:48 2012 +0200

lib/krb5_wrap: request enc_types in the correct order (bug #9272)

aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
should have a higher priority than arcfour-hmac-md5,
otherwise the KDC still gives us arcfour-hmac-md5 session keys.

Signed-off-by: Stefan Metzmacher me...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit f853c1792967332c4aff52c0fb35f653f614f86d
Author: Michael Adam ob...@samba.org
Date:   Thu Nov 1 14:41:56 2012 +0100

s3:winbindd:cache: fix offline logons with cached credentials (bug #9321)

The removal of consumption of the time field from the centry
as removal of unused variable in 21528da9cd12a4f5c3792a482a5d18fe946a6f7a
had the side effect of changing the offset for reading the following
nt password hash, so the read password hash was wrong.

This patch re-installs the consumption of the time,
thereby fixing the bug without changing the disk format of the cache.

Signed-off-by: Michael Adam ob...@samba.org
Reviewed-by: Stefan Metzmacher me...@samba.org

---

Summary of changes:
 lib/krb5_wrap/krb5_samba.c|   12 ++--
 libcli/smb/smbXcli_base.c |   34 ++
 libcli/smb/smbXcli_base.h |1 +
 source3/winbindd/winbindd_cache.c |7 +++
 source3/winbindd/winbindd_cm.c|   13 -
 5 files changed, 60 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 8037337..f04f6e1 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -685,15 +685,15 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
krb5_ccache ccdef = NULL;
krb5_auth_context auth_context = NULL;
krb5_enctype enc_types[] = {
-   ENCTYPE_ARCFOUR_HMAC,
-   ENCTYPE_DES_CBC_MD5,
-   ENCTYPE_DES_CBC_CRC,
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-   ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
 #endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+   ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+   ENCTYPE_ARCFOUR_HMAC,
+   ENCTYPE_DES_CBC_MD5,
+   ENCTYPE_DES_CBC_CRC,
ENCTYPE_NULL};
 
initialize_krb5_error_table();
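Review bot: the reorder matches the commit message (AES256 and AES128 ahead of arcfour-hmac-md5), but ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC are still in the list, so a KDC that only offers single DES will still get a DES session key from this client. Single DES is deprecated for Kerberos (RFC 6649); consider removing those two entries or guarding them behind a build or smb.conf option rather than keeping them as silent fallbacks. Worth a comment too: when neither HAVE_ENCTYPE_AES* macro is defined the list degrades to the pre-patch arcfour-first order.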
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 02d0227..c547515 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -157,6 +157,13 @@ struct smbXcli_session {
struct {
DATA_BLOB signing_key;
} smb2_channel;
+
+   /*
+* this should be a short term hack
+* until the upper layers have implemented
+*
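
The offset regression described in the message of commit f853c17 above, illustrated as an added Python example (not Samba's code; the record layout is a constructed simplification of a cache entry, not winbindd's real centry format):

```python
import hmac
import struct

# Constructed, simplified cache record (NOT winbindd's real centry layout):
#   uint32 sequence | uint32 timeout | uint32 time | 16-byte NT hash | uint32 flags
# As in winbindd's centry_* helpers, fields are consumed in order from a cursor,
# so every read depends on all the reads before it.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed value
RECORD_FMT = "<III16sI"


class Cursor:
    def __init__(self, data):
        self.data, self.ofs = data, 0

    def uint32(self):
        (v,) = struct.unpack_from("<I", self.data, self.ofs)
        self.ofs += 4
        return v

    def raw(self, n):
        v = self.data[self.ofs:self.ofs + n]
        if len(v) != n:
            raise ValueError("record truncated")
        self.ofs += n
        return v


def pack_record(sequence, timeout, time_field, nt_hash, flags):
    return struct.pack(RECORD_FMT, sequence, timeout, time_field, nt_hash, flags)


def parse_record(blob, consume_time=True):
    """consume_time=False reproduces the regression: the read of the unused time
    field was removed together with the variable, so the hash is taken from
    4 bytes too early. The fix keeps the read and discards the value, which is
    why the on-disk format did not have to change."""
    c = Cursor(blob)
    rec = {"sequence": c.uint32(), "timeout": c.uint32()}
    if consume_time:
        c.uint32()                      # value unused, but the bytes are still on disk
    rec["nt_hash"] = c.raw(16)
    rec["flags"] = c.uint32()
    rec["unread"] = len(blob) - c.ofs   # non-zero: reader and on-disk layout disagree
    return rec


def offline_logon_ok(blob, candidate_nt_hash, consume_time=True):
    """What a cached-credentials logon boils down to: compare the hash of the
    password typed now with the hash read from the cache entry."""
    rec = parse_record(blob, consume_time)
    return hmac.compare_digest(rec["nt_hash"], candidate_nt_hash)


if __name__ == "__main__":
    blob = pack_record(7, 300, 1351779681, NT_HASH, 1)
    for consume in (False, True):
        rec = parse_record(blob, consume)
        print(f"consume_time={consume}: hash={rec['nt_hash'].hex()} flags={rec['flags']} "
              f"unread={rec['unread']} logon_ok={offline_logon_ok(blob, NT_HASH, consume)}")
```

A reader that checks `unread == 0` at the end of every record would have flagged the regression at the first cache read instead of as a failed offline logon.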