Re: [Samba] NIS to SAMBA4 Migration
I am also struggling to find up to date information on using Samba 4 with linux clients. I have managed to get the RFC 2307 fields by installing the 'NIS tools' feature on a W2k8 DC, and creating a 'NIS domain'. Previously I could see the fields, but could not select a NIS domain in the ADUC tool to make the RFC 2307 fields enabled.

I'm also trying to find out the correct way to add the autohome nis map. I have tried:

    ldbmodify -H /usr/local/samba/private/sam.ldb automount_template.ldif --option="dsdb:schema update allowed"=true

But this seemed to fail. I have thought I might need to use the Microsoft schema management tool to add the automount schema.

On Sat, Nov 24, 2012 at 4:01 PM, Gémes Géza g...@kzsdabas.hu wrote:

> Hi,
>
> Hello Steve,
>
> The only way I have found to enable those options is to provision with --use-rfc2307. We are performing an upgrade from Samba3 and I noticed that the options were not grayed out after performing a classicupgrade, but were grayed out after a clean provision. I finally figured out that the classicupgrade always uses the --use-rfc2307 flag. This flag will add the option idmap_ldb:use rfc2307 = yes to your smb.conf, however, it has been my experience that adding that to smb.conf post-provision does not enable the UNIX Attributes options, so the provision option must do something else. I would like to know if there is a way to enable this after the fact, but I've not come up with anything yet.
>
> I need to complete further testing on the actual authentication of Linux clients, Apache, RADIUS and OpenVPN, but have run into a show-stopper with DNS replication and have moved all my efforts to this for the time being. I was able to get Linux clients authenticating via winbind, but this was before I found out about the --use-rfc2307 option and winbind was using auto-generated UIDs and GIDs. Any notes you come up with would be greatly appreciated.
>
> Thanks,
> Thomas.
>
> Provisioning with --use-rfc2307 also loads the NIS schema into AD and thus allows you to set those attributes via ADUC. To do the same after provision you would need to import the schema after provision. The skeleton of it is in /usr/local/samba/share/setup/ypServ30.ldif on a default install.
>
> Regards
> Geza Gemes
>
> On Fri, Nov 23, 2012 at 10:38 AM, Steve van Maanen st...@starsphere.jp wrote:
>
> Hello everyone,
>
> I am trying to figure out a way to migrate NIS maps to SAMBA4 (I want to replace NIS with SAMBA4 for a Linux domain). I have researched a fair bit on the web but have not found out any solutions and was hoping I could find some help here. What I have found so far pertains to Windows implementations of Active Directory. Here are my questions.
>
> 1) Is it possible with a default install of SAMBA4 or do I need to extend the schema?
> 2) I notice there is a Unix attributes tab for users, when using Active Directory users and groups to administer the Samba4 AD, but I am unable to change the properties. Is there any way I can enable this?
> 3) Has anyone done this and if so, can you offer me some pointers?
>
> Many thanks!
> Steve
[Samba] How to prevent /var/log/samba/log.[sn]mbd creation?
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311300

I agree with comment #48, with syslog only = Yes early log messages should go to stderr.

As the current behavior is by design, I ask if there is some way to prevent these files from being created.

log file = /dev/null did not work (Fedora 18, Samba 4.0.0rc5).

Regards,
Marcos
Re: [Samba] samba4 as PDC: tsig verify failure
On 2012-11-23 21:22, krzysztof.zajac wrote:

> I've configured samba4 as PDC according to the official HOWTO. Nearly everything went well, except that executing command samba_dnsupdate results with:
>
>     ; TSIG error with server: tsig verify failure
>     Failed nsupdate: 2
>     Failed update of 21 entries
>
> The whole output is available at: http://pastebin.com/xrG2KZwZ
>
> It's weird, because domain seems working properly: I can login as domain admin, join computers running both windows XP and 7, manage them by GPO etc.
>
> I don't know whether it's combined with this issue, but I also noticed that files
>
>     /usr/local/samba/private/dns.keytab
>     /usr/local/samba/private/dns
>     /usr/local/samba/private/dns/${MYREALM}.zone
>
> are missing. I'm using samba's internal DNS server. My version of samba is 4.0rc5
>
> Thanks beforehand,
> Krzysiek

Same problem here. Test passed ok, but now I can find it in logs. Only two hosts are updated correctly.

Szymon Życiński
[Samba] (Samba4) Normal users unable to login
This is a freshly provisioned Samba 4.0.0-rc5 installation. I provisioned the domain and created shares in the configuration file to match an existing Samba 3.5.x installation that we're moving away from (or at least, that's the plan...) for various reasons.

I then moved all the contents of the shares over from the old server to the new server via rsync, including home directories and user profiles. I then changed the permissions on the profiles and home directories to match the POSIX IDs which were created by Samba 4 when I created the users using the Active Directory Users and Computers management tool from a workstation that I bound to the domain.

I then created a Group Policy, which applied itself successfully to the workstation. So far, so good.

However, I can only login as DOMAIN\Administrator or DOMAIN\{$USER} where $USER is a user account that has membership in the Domain Admins group. I am completely unable to login as any user that is not in Domain Admins. When I attempt to do so, the workstation returns the error message "The Group Policy Client service failed the logon. Access is denied."

There is nothing in the Windows Event Log indicating an access denied message, and there is nothing in the Windows Event Log indicating any other problems at the time that the error message is displayed or within the time that the login process is pending. There are no messages in the Samba 4 log, either, with the debug level set to 9.

The best that I can come up with is that this is a permissions problem of _some_ sort, but I cannot determine what it is. The system running Samba has no MAC security systems in the way (e.g., no SELinux or anything like that, just simple UNIX DAC). The permissions on SYSVOL and NETLOGON are completely unmodified by me.

Can someone give me an idea of where to start looking? I tried to figure out perhaps what the ID numbers in the ACLs are for the SYSVOL share, but wbinfo doesn't seem to know anything about ID numbers 300-303, which are the IDs on the share itself. The lowest ID number that I have which appears in user or group lists as returned by wbinfo is 304.

Any help would be appreciated, as I have been banging my head against this brick wall for hours now, to no avail.

Thanks,
Mike
Re: [Samba] (Samba4) Normal users unable to login
On 11/24/2012 03:35 PM, Michael Trausch wrote:

> This is a freshly provisioned Samba 4.0.0-rc5 installation. I provisioned the domain and created shares in the configuration file to match an existing Samba 3.5.x installation that we're moving away from (or at least, that's the plan...) for various reasons.
>
> I then moved all the contents of the shares over from the old server to the new server via rsync, including home directories and user profiles. I then changed the permissions on the profiles and home directories to match the POSIX IDs which were created by Samba 4 when I created the users using the Active Directory Users and Computers management tool from a workstation that I bound to the domain.
>
> I then created a Group Policy, which applied itself successfully to the workstation. So far, so good.
>
> However, I can only login as DOMAIN\Administrator or DOMAIN\{$USER} where $USER is a user account that has membership in the Domain Admins group. I am completely unable to login as any user that is not in Domain Admins. When I attempt to do so, the workstation returns the error message "The Group Policy Client service failed the logon. Access is denied."
>
> There is nothing in the Windows Event Log indicating an access denied message, and there is nothing in the Windows Event Log indicating any other problems at the time that the error message is displayed or within the time that the login process is pending. There are no messages in the Samba 4 log, either, with the debug level set to 9.
>
> The best that I can come up with is that this is a permissions problem of _some_ sort, but I cannot determine what it is. The system running Samba has no MAC security systems in the way (e.g., no SELinux or anything like that, just simple UNIX DAC). The permissions on SYSVOL and NETLOGON are completely unmodified by me.
>
> Can someone give me an idea of where to start looking? I tried to figure out perhaps what the ID numbers in the ACLs are for the SYSVOL share, but wbinfo doesn't seem to know anything about ID numbers 300-303, which are the IDs on the share itself. The lowest ID number that I have which appears in user or group lists as returned by wbinfo is 304.

Try to do kinit simple_u...@mydomain.tld try also to disable the GPO.

Try to trace and see if there is any kind of denied message (in netlogon, smb, smb2 messages).

--
Matthieu Patou
Samba Team
http://samba.org
Re: [Samba] (Samba4) Normal users unable to login
On 11/24/2012 07:35 PM, Matthieu Patou wrote:

> Try to do kinit simple_u...@mydomain.tld try also to disable the GPO.

When I attempt login as a normal user, there are success messages for Kerberos login. On the Samba 4 server itself, kinit works just fine. When I login to the joined workstation as Administrator and then attempt to run kinit, I am told that the command does not exist.

> Try to trace and see if there is any kind of denied message (in netlogon, smb, smb2 messages).

I assume that you mean to run samba -i -M single -d 99 --debug-stderr?

I did so and redirected the output to a file. I then attempted to login as a normal user, which of course failed with the Group Policy Client error message.

I found no occurrences of the words access, denied, fail, or deny. I found several lines saying error: 0, but when I then eliminated those lines there were no remaining lines with the word error.

--- Mike
Re: [Samba] Failure demoting 2008_R2 DC (S4rc5)
Hello Matthieu,

I am working with VMs, so it's very easy to deploy and test systems. I shutdown the Samba server and provisioned a 2008R2 server using the same domain name testdom.com. When I join another 2008R2 server to this domain, it correctly detects one authoritative DNS server.

Please let me know if you have any advice. I am surprised that no one has reported this before - I would assume most AD root domains are not provisioned as subdomain. We will be using a subdomain and I only stumbled on this issue trying to resolve the demotion issue, however I am happy to help with further testing.

I have opened a bug regarding the problem I am seeing when demoting a Windows Server.

https://bugzilla.samba.org/show_bug.cgi?id=9429

On Sat, Nov 24, 2012 at 12:42 AM, Matthieu Patou m...@samba.org wrote:

> On 11/23/2012 02:31 PM, Thomas Simmons wrote:
>
>> Thank you Matthieu! Do you know if there is a known issue that is causing me to receive the message that Windows (Server 2008R2) cannot determine the number of authoritative DNS servers during dcpromo when my domain is testdom.com or testdom.local but when I provision as internal.testdom.com Windows correctly reports finding one authoritative DNS server? Thanks again!
>
> No I don't know but what if you try to use dcpromo on a new domain testdom2.corp ? (that is to say without a samba DC) does it give the same error ?
>
> Matthieu
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
Re: [Samba] (Samba4) Normal users unable to login
On 11/24/2012 07:35 PM, Matthieu Patou wrote:

> Try to do kinit simple_u...@mydomain.tld try also to disable the GPO.
>
> Try to trace and see if there is any kind of denied message (in netlogon, smb, smb2 messages).

I tried again under strace and got no EACCES error messages of any sort.

--- Mike
Re: [Samba] (Samba4) Normal users unable to login
On 11/24/2012 07:35 PM, Matthieu Patou wrote:

> Try to do kinit simple_u...@mydomain.tld try also to disable the GPO.

Disabling the GPO also had no effect.

--- Mike
Re: [Samba] (Samba4) Normal users unable to login
On 11/24/2012 07:35 PM, Matthieu Patou wrote:

> Try to do kinit simple_u...@mydomain.tld try also to disable the GPO.
>
> Try to trace and see if there is any kind of denied message (in netlogon, smb, smb2 messages).

The only thing I found in a tcpdump was a STATUS_ACCESS_DENIED in response to a Create request for the user's \ntuser.ini. After that point, there are open requests which succeed, so I am assuming that the access denied is in response to the fact that the file already exists.

I'm out of ideas for tracing things, though, so I'm waiting on y'all for more ideas...

--- Mike
Re: [Samba] (Samba4) Normal users unable to login
On 11/24/2012 04:47 PM, Michael Trausch wrote:

> On 11/24/2012 07:35 PM, Matthieu Patou wrote:
>
>> Try to do kinit simple_u...@mydomain.tld try also to disable the GPO.
>
> When I attempt login as a normal user, there are success messages for Kerberos login. On the Samba 4 server itself, kinit works just fine. When I login to the joined workstation as Administrator and then attempt to run kinit, I am told that the command does not exist.
>
>> Try to trace and see if there is any kind of denied message (in netlogon, smb, smb2 messages).
>
> I assume that you mean to run samba -i -M single -d 99 --debug-stderr?
>
> I did so and redirected the output to a file. I then attempted to login as a normal user, which of course failed with the Group Policy Client error message.

No I meant use wireshark to do trace (https://wiki.samba.org/index.php/Capture_Packets)

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org
Re: [Samba] (Samba4) Normal users unable to login
On 11/24/2012 07:36 PM, Michael Trausch wrote:

> On 11/24/2012 10:01 PM, Matthieu Patou wrote:
>
>> No I meant use wireshark to do trace (https://wiki.samba.org/index.php/Capture_Packets)
>
> Yeah, I did that; I posted a little bit ago about that. Nothing interesting was found.
>
> The group policy thing is a red herring it turns out. Here's what I know at the moment:
>
> * My user account and profile work just fine. They were rsync'd over from the Samba 3.5 server.
> * All other user accounts and profiles _do not_ work, giving the Group Policy Client failed the logon error message.
>
> Color me confused as to why.
>
> I tried this: I created a new user account, testuser, and that logged in successfully. It is not a member of Domain Admins, so it seems that only the users from the old Samba server (excluding myself, which I have no clue why) are somehow not compatible with the new setup.
>
> I thought maybe it was a permissions problem on the profile directory, so I checked the ACLs against the ACLs for the newly created profile. Identical, except for the user account, which was to be expected. Nothing useful learned there.

Maybe you were using the old policy system (poledit ?) and it conflicts with the new one ? Try to clean one user home if you can.

Matthieu

--
Matthieu Patou
Samba Team
http://samba.org
Re: [Samba] NIS to SAMBA4 Migration
Hi,

> I am also struggling to find up to date information on using Samba 4 with linux clients. I have managed to get the RFC 2307 fields by installing the 'NIS tools' feature on a W2k8 DC, and creating a 'NIS domain'. Previously I could see the fields, but could not select a NIS domain in the ADUC tool to make the RFC 2307 fields enabled.

I was successful in using Samba4 AD with Ubuntu 12.04 (precise) clients using winbind (in nsswitch and pam) and kerberos (pam-krb5). The relevant changes (to the default config) are:

/etc/krb5.conf

    proxiable = false

/etc/samba/smb.conf

    workgroup = YOUR_WORKGROUP
    realm = YOUR_REALM
    kerberos method = system keytab
    security = ads
    winbind enum groups = yes
    winbind enum users = yes
    idmap config *:backend = tdb
    idmap config *:range = 201-300
    idmap config YOUR_WORKGROUP:default = yes
    idmap config YOUR_WORKGROUP:backend = ad
    idmap config YOUR_WORKGROUP:range = 0-200
    idmap config YOUR_WORKGROUP:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    winbind use default domain = yes

/etc/nsswitch.conf

    passwd: files winbind
    group: files winbind

pam-auth-update took care of pam configuration (I had to do only afs homedirs related changes, irrelevant if you don't use afs)

winbind pulls correctly all the information for the users and group which have been posixified. However with the same config on debian squeeze or wheezy I receive only a part of the group memberships, and other nastiness (e.g. getent group and id for a group member give different results)

> I'm also trying to find out the correct way to add the autohome nis map. I have tried:
>
>     ldbmodify -H /usr/local/samba/private/sam.ldb automount_template.ldif

You shouldn't modify the sam.ldb directly while samba is running, instead I would suggest to use

    ldbmodify -H ldap://your-ad.server

>     --option="dsdb:schema update allowed"=true
>
> But this seemed to fail. I have thought I might need to use the Microsoft schema management tool to add the automount schema.

Regards
Geza Gemes

> Hi,
>
> Hello Steve,
>
> The only way I have found to enable those options is to provision with --use-rfc2307. We are performing an upgrade from Samba3 and I noticed that the options were not grayed out after performing a classicupgrade, but were grayed out after a clean provision. I finally figured out that the classicupgrade always uses the --use-rfc2307 flag. This flag will add the option idmap_ldb:use rfc2307 = yes to your smb.conf, however, it has been my experience that adding that to smb.conf post-provision does not enable the UNIX Attributes options, so the provision option must do something else. I would like to know if there is a way to enable this after the fact, but I've not come up with anything yet.
>
> I need to complete further testing on the actual authentication of Linux clients, Apache, RADIUS and OpenVPN, but have run into a show-stopper with DNS replication and have moved all my efforts to this for the time being. I was able to get Linux clients authenticating via winbind, but this was before I found out about the --use-rfc2307 option and winbind was using auto-generated UIDs and GIDs. Any notes you come up with would be greatly appreciated.
>
> Thanks,
> Thomas.
>
> Provisioning with --use-rfc2307 also loads the NIS schema into AD and thus allows you to set those attributes via ADUC. To do the same after provision you would need to import the schema after provision. The skeleton of it is in /usr/local/samba/share/setup/ypServ30.ldif on a default install.
>
> Regards
> Geza Gemes
>
> On Fri, Nov 23, 2012 at 10:38 AM, Steve van Maanen st...@starsphere.jp wrote:
>
> Hello everyone,
>
> I am trying to figure out a way to migrate NIS maps to SAMBA4 (I want to replace NIS with SAMBA4 for a Linux domain). I have researched a fair bit on the web but have not found out any solutions and was hoping I could find some help here. What I have found so far pertains to Windows implementations of Active Directory. Here are my questions.
>
> 1) Is it possible with a default install of SAMBA4 or do I need to extend the schema?
> 2) I notice there is a Unix attributes tab for users, when using Active Directory users and groups to administer the Samba4 AD, but I am unable to change the properties. Is there any way I can enable this?
> 3) Has anyone done this and if so, can you offer me some pointers?
>
> Many thanks!
> Steve
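
A check for the idmap settings in the winbind configuration posted above, as an added example that is not part of the thread or of Samba: it parses the idmap config lines of an smb.conf and reports ranges that overlap each other, ranges that reach into the local account ID space, and an ad backend that is not in rfc2307 schema mode. The names lint_idmap and parse_idmap and the LOCAL_ID_CEILING value of 1000 are assumptions; the sample is constructed from the lines in the message.

```python
import re

# Constructed sample: the idmap-related lines of the smb.conf quoted above.
SAMPLE = """\
[global]
security = ads
idmap config *:backend = tdb
idmap config *:range = 201-300
idmap config YOUR_WORKGROUP:backend = ad
idmap config YOUR_WORKGROUP:range = 0-200
idmap config YOUR_WORKGROUP:schema_mode = rfc2307
winbind nss info = rfc2307
"""

# Assumption: IDs below this value are reserved for local accounts.
LOCAL_ID_CEILING = 1000

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower().replace(" ", "_")] = val
    return domains


def lint_idmap(text):
    """Return sorted findings for the idmap settings in an smb.conf."""
    findings, ranges = [], {}
    for dom, opts in parse_idmap(text).items():
        if "range" not in opts:
            findings.append(f"{dom}: no range set")
            continue
        low, high = (int(p) for p in opts["range"].split("-", 1))
        ranges[dom] = (low, high)
        if low < LOCAL_ID_CEILING:
            findings.append(
                f"{dom}: range {low}-{high} reaches below {LOCAL_ID_CEILING}")
        # RFC 2307 attributes are only read by idmap_ad in rfc2307 schema mode.
        if opts.get("backend") == "ad" and opts.get("schema_mode") != "rfc2307":
            findings.append(f"{dom}: ad backend without schema_mode = rfc2307")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: ranges overlap")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_idmap(SAMPLE):
        print(finding)
```
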