Re: [Samba] Windows 8 printing to CUPS+Samba - will CreatePrinterIC RPC call stub be implemented?

2012-12-22 Thread Andrew Bartlett
On Thu, 2012-12-20 at 10:05 -0500, Alex Korobkin wrote:
 Hi All,
 
 I'm trying to make Windows 8 clients print to Samba 3.5 and CUPS
 1.5.4. Thanks to the patch from Frank Lascheit
 (https://lists.samba.org/archive/samba/2012-December/170322.html) it
 seems to work, except for one thing.
 
 By default, a Windows 8 client emits a CreatePrinterIC request, to which
 Samba replies with a Not Implemented answer. Instead of ignoring it, the
 Win8 client fails with a 0x06d1 error. As mentioned in the bug
 https://bugzilla.samba.org/show_bug.cgi?id=6559 , disabling Computer
 Configuration/Policies/Administrative Templates/Printers/Always render
 print jobs on the server helps to work around it, but one doesn't
 always have control over clients' computers.
 
 I know, it seems to be a bug on MS side, but is there a plan to
 implement some stub for CreatePrinterIC call, so that Win8 (and
 probably win2k8r2) clients could receive a harmless answer and proceed
 with printer connection?

File a bug, and hopefully the developers who work on Spoolss will get a
chance to look into what is required here.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba 4 join error to MS Server 2003 - WERR_GENERAL_FAILURE

2012-12-22 Thread Andrew Bartlett
On Wed, 2012-11-28 at 14:52 -0800, todd kman wrote:
 Hi all,
 I am just experimenting with Samba 4.
 I have an Ubuntu server 12.04 with samba 4 compiled successfully.  I have 
 webmin installed as well.
 I am trying to connect the Ubuntu/Samba server on system GIS30 to a web 
 domain called CODOMAIN. 
 CODOMAIN is administered by gis-server-2 a Microsoft Windows Server 2003 R2, 
 Standard x64 - Edition Version 5.2 (Build 3790 : Service Pack 2) (x64).
 Gis-server-2 is an Active Directory server, and Exchange server.  (Exchange 
 Server 2007 Microsoft Corporation Version: 08.01.0436.000)
 If I was to guess it looks like the Exchange server component is causing some 
 problem.
 
 I can see others referencing the error Failed to commit objects: 
 WERR_GENERAL_FAILURE 
 The following thread was from July 2012 and it appears some fix was put into 
 the main but I believe I have downloaded and compiled a more current release 
 of Samba 4 and yet I am still getting this error.
 http://samba.2283325.n4.nabble.com/Can-t-join-as-DC-on-Samba4-Beta4-5-td4634916.html
 
 Is there an update on this?

 Failed to apply
 records: attribute 'msExchOWATranscodingFileTypes': value #1 on
 'CN=owa (Default Web
 Site),CN=HTTP,CN=Protocols,CN=GIS-SERVER-2,CN=Servers,CN=Exchange
 Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
 Groups,CN=First Organization,CN=Microsoft
 Exchange,CN=Services,CN=Configuration,DC=CODomain,DC=local' provided
 more than once: Attribute or value exists
 Failed to commit
 objects: WERR_GENERAL_FAILURE
 Join failed -

As I said on IRC (but following up here so others might understand the
situation better, and so we can loop back to you about fixing this up
properly):

In short, your other DCs have sent you the same value twice in a
multi-valued attribute.  This isn't valid LDAP, and we are being
stricter than Microsoft is, or we consider two values to be equivalent
when Microsoft considers them distinct. The issue is that we haven't
tested much with importing exchange-enabled domains so we just haven't
seen this before, and so we need to work out how to handle this
particular 'violation'. 

Mostly, we have found that AD doesn't re-check schema syntax during
replication, so if somehow a duplicate does get into the system, it will
not cause replication to fail.  We are stricter, mostly due to the
layering of our databases.  We may have to turn that off.

Running this:
ldbsearch -Uadministrator -H ldap://ms-dc -s base \
  -b "CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=GIS-SERVER-2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CODomain,DC=local" \
  msExchOWATranscodingFileTypes

should give us more clues here, and help us solve this for the long
term.  Please file a bug with this info in the meantime, so we can track
this.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
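
An added example (not from the thread and not Samba code): one way to check ldbsearch output for the duplicate value described above. It parses LDIF (folded lines, base64 `::` values) and reports values of one attribute that repeat byte-for-byte and values that differ only by case; the sample values are constructed, and case-folding is an assumption standing in for whatever matching rule the schema actually applies.

```python
import base64
from collections import defaultdict

# Constructed sample in LDIF form; the four values are invented, not the reporter's.
SAMPLE_LDIF = """\
# record 1
dn: CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=GIS-SERVER-2,
 CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
 CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,
 CN=Services,CN=Configuration,DC=CODomain,DC=local
msExchOWATranscodingFileTypes: application/pdf
msExchOWATranscodingFileTypes: application/msword
msExchOWATranscodingFileTypes: application/PDF
msExchOWATranscodingFileTypes:: YXBwbGljYXRpb24vbXN3b3Jk
"""

def parse_ldif(text):
    """Return one {attribute_lowercased: [values]} dict per LDIF record."""
    records, current = [], defaultdict(list)
    # Unfold first: a newline followed by one space continues the previous line.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line ends a record
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, rest = line.partition(":")
        value = rest.lstrip(":").strip()
        if rest.startswith(":"):            # "attr:: value" is base64
            value = base64.b64decode(value).decode("utf-8", "replace")
        current[attr.lower()].append(value)
    return records

def collisions(values, key=lambda v: v):
    """Group values by key(value) and keep groups with more than one member."""
    groups = defaultdict(list)
    for v in values:
        groups[key(v)].append(v)
    return {k: vs for k, vs in groups.items() if len(vs) > 1}

def find_duplicates(ldif_text, attr):
    """Per record: values repeated exactly, and values equal when case is ignored."""
    return [{"dn": rec.get("dn", [""])[0],
             "exact": collisions(rec.get(attr.lower(), [])),
             "caseless": collisions(rec.get(attr.lower(), []), str.casefold)}
            for rec in parse_ldif(ldif_text)]

if __name__ == "__main__":
    for r in find_duplicates(SAMPLE_LDIF, "msExchOWATranscodingFileTypes"):
        print(r["dn"], r["exact"], r["caseless"], sep="\n  ")
```

A value that shows up only under "caseless" is the second case in the reply: two values one side treats as equivalent and the other as distinct.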




Re: [Samba] [PATCH] Re: Changing administrator password after Samba4 classic upgrade

2012-12-22 Thread Andrew Bartlett
On Sat, 2012-12-22 at 12:55 +1100, Andrew Bartlett wrote:
 On Thu, 2012-12-20 at 22:55 +1300, Mario Codeniera wrote:
  I used to upgrade samba3 to samba4 with almost successful with one problem,
  administrator can't access. As administrator, by default it is the only
  user account that is given full control over the system.
  
  My query is how to change the administrator password? we have one account
  which can join to the samba 4 AD based on the migrated data but the problem
  can't change the administrator or can't alter the domain.
 
  After that re-run the classic upgrade, and found out that the administrator
  SID was wrong and modified to xxx-500 where xxx domain SID and modified
  group Administrators because there are other domain SIDs.
  
  *- (remove the description, displaying only the last part)
  -
  Importing idmap database
  Importing groups
  Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
  groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
  Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
  groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
  Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
  groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
  Group already exists sid=S-1-5-32-544, groupname=Administrators
  existing_groupname=Administrators, Ignoring.
  Group already exists sid=S-1-5-32-545, groupname=Users
  existing_groupname=Users, Ignoring.
  Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
  groupname=Domain Users existing_groupname=Domain Users, Ignoring.
  Importing users
  User 'Administrator' in your existing directory has SID
  S-1-5-21-1511653421-423844657-761698953-20001, expected it to be
  S-1-5-21-1511653421-423844657-761698953-500
  ERROR(class 'samba.provision.ProvisioningError'): uncaught exception -
  ProvisioningError: User 'Administrator' in your existing directory does not
  have SID ending in -500
File
  /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py,
  line 175, in _run
  return self.run(*args, **kwargs)
File
  /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py,
  line 1318, in run
  useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py,
  line 889, in upgrade_from_samba3
  raise ProvisioningError(User 'Administrator' in your existing
  directory does not have SID ending in -500)*
  
  
  Finally got this with no errors, but again the administrator can't login
  even using the kinit. As mentioned above I used to login other user in
  Windows 7 and run the Windows Remote Administration Tools and able to check
  the data is successfully migrated including administrator (but the problem
  it was changed during upgrading) and I observed in the log see highlighted.
  And every time I run the samba-tool domain classicupgrade, the Admin
  password: (see other highlighted below) have different values (
  0ngHrG~IIMHZDhNIPYOUAKoN~+wPZ!Am *  * SXJ96re1=zYO* *respectively).
 
 This is interesting, as at one point we had logic to not show these
 unused passwords. 
 
 I've attached a patch that should do this, let me know if it makes the
 output (which I agree is very, very verbose) clearer. 

The attached corrected patch should work better.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

From fa70361d2bfcc511e277fda6030bbc30a460834d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Sat, 22 Dec 2012 09:28:05 +1100
Subject: [PATCH] samba-tool classicupgrade: Do not print the admin password
 during upgrade

This changes the code to only set and show a new password if no admin
user is found during the upgrade.

Andrew Bartlett
---
 source4/scripting/python/samba/upgrade.py | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index df9415e..88b7303 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -35,6 +35,7 @@ from samba.credentials import Credentials
 from samba import dsdb
 from samba.ndr import ndr_pack
 from samba import unix2nttime
+from samba import generate_random_password
 
 
 def import_sam_policy(samdb, policy, logger):
@@ -835,11 +836,19 @@ Please fix this account before attempting to upgrade again
 if not (serverrole == ROLE_DOMAIN_BDC or serverrole == ROLE_DOMAIN_PDC):
 dns_backend = NONE
 
+# If we found an admin user, set a fake pw that we will override. 
+# This avoids us printing out an admin password that we won't actually
+# set.
+if admin_user:
+adminpass = generate_random_password(12, 32)
+else:
+adminpass = None
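
Review bot: In the added `if admin_user:` block the two branches read as the reverse of the commit message, which says a new password is set and shown only when no admin user is found: here the found case gets `generate_random_password(12, 32)` and the not-found case gets `adminpass = None`. If `None` is what makes the later provision step generate and print a password, say so in a comment on the `else:` branch. The comment's "that we will override" also points at code outside the visible lines, and the diffstat's 10 insertions and 1 deletion are not all shown here, so where `adminpass` is consumed and where the placeholder is replaced cannot be checked from this hunk.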

Re: [Samba] (S4) Neither AXFR nor authoritative nameserving available?

2012-12-22 Thread Andrew Bartlett
On Tue, 2012-12-18 at 11:58 -0500, Michael B. Trausch wrote:
 Hello all,
 
 I'd like to have redundant DNS in our setup.  But it seems that Samba 4 
 does not yet support AXFR with its internal DNS server.  Alright, that's 
 fine, so I figured I'd configure the system such that at the very least, 
 a caching nameserver was sitting in front of it.  However, that doesn't 
 work; the caching nameserver (BIND 9) returns SERVFAIL, apparently 
 because Samba 4 isn't setting the authoritative bit on its DNS responses.

That's odd.  Please file a bug, so Kai can look into it. 

 Is this a known issue, a configuration error on my part, or something 
 entirely different altogether?

You could run another Samba DC to get the redundant DNS. 

Another option is to run the bind9 server and the dlz plugin.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba3 joining W2k3 as member server

2012-12-22 Thread Carlos R. Pena Evertsz

Hi Pieter,

I need to do the same, join an Ubuntu 12.04 samba server to an existing 
Win2k3.


Could you post an example of the shares configuration (users and group 
read and write permissions) to be used in your example of a samba server 
as a domain member?


Thanks.

Carlos Pena
Santo Domingo, Dominican Republic



On 12/21/2012 5:36 PM, Pieter De Wit wrote:

On 18/12/2012 10:47, Andrew Bartlett wrote:

On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:

Hi list,

I have tried with all my might to get a samba3 server (Ubuntu 
12.04.1 LTS) to join a Windows 2003 domain as a member server, 
without any luck. I have used, from memory, the official way of doing 
this (aka, from the samba.org website). No matter what settings I 
use in smb.conf, the server always joins as a domain controller. 
This doesn't seem to break the domain however. All I am after is 
that my users do not need to enter a username/password for access 
from a domain PC to shares on my Linux box.


Any pointers please or is this intended as the server does single sign?

If you can list exactly the steps you took, we might be able to help.

But to answer your question:  Yes, Samba will happily join Windows 2003
as a domain member.  The key command is 'net ads join'.

Andrew Bartlett


Hi Andrew,

Sorry for the delay in my reply, things have been hectic closing down 
for the holidays. In a nutshell, here is what I do/did:


1) apt-get install samba winbindd krb5-user
2) Configure smb.conf as per :

[global]

   workgroup = WORK
   realm = WORK.LOCAL
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
#   winbind enum users = Yes
#   winbind enum groups = Yes
#   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 2000-2
   idmap gid = 2000-2
   template shell = /bin/bash
   veto files = lost+found

3) Configure krb5.conf:
[libdefaults]
default_realm = WORK.LOCAL

[realms]
YPG.LOCAL={
kdc=DC.WORK.LOCAL
}
[domain_realm]
.kerberos.server=WORK.LOCAL

4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
5) Join the domain : net ads join -U my_admin_account
6) kinit my_admin_account

From then, users can connect to the shares on the server using Single 
Sign On. The issue is that if I look under my Active Directory, the 
server will state that it is a Domain Controller. Running the usual 
DC Info tools they seem to think the domain is ok. I would prefer to 
have the server say Member server, rather than DC :)


I would like to send you a screenshot of what Active Directory Users 
and Computers shows but this will be hard to do remotely.


Thanks,

Pieter

P.S. Good work on the AD integration btw, I am using the above for 
Squid as well and it's pretty neat ! :)




autobuild: intermittent test failure detected

2012-12-22 Thread autobuild
The autobuild test system has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2012-12-22-0930/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-12-22-0930/samba3.stderr
   http://git.samba.org/autobuild.flakey/2012-12-22-0930/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-12-22-0930/samba.stderr
   http://git.samba.org/autobuild.flakey/2012-12-22-0930/samba.stdout
  
The top commit at the time of the failure was:

commit c1fb37d7bec1dd720f3eccbd0b490b6a335ca288
Author: Jeremy Allison j...@samba.org
Date:   Fri Dec 21 15:16:10 2012 -0800

Recent coverity changes added directory_create_or_exist() checks to many 
directories.

These may not be needed, but in the meantime - ensure make test works 
again
by chmod'ing the created test directories from 0777 to 0755.

Reviewed-By: Andrew Bartlett abart...@samba.org
Signed-off-by: Jeremy Allison j...@samba.org

Autobuild-User(master): Jeremy Allison j...@samba.org
Autobuild-Date(master): Sat Dec 22 02:08:33 CET 2012 on sn-devel-104


autobuild: intermittent test failure detected

2012-12-22 Thread autobuild
The autobuild test system has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2012-12-22-1529/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-12-22-1529/samba3.stderr
   http://git.samba.org/autobuild.flakey/2012-12-22-1529/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-12-22-1529/samba.stderr
   http://git.samba.org/autobuild.flakey/2012-12-22-1529/samba.stdout
  
The top commit at the time of the failure was:

commit c1fb37d7bec1dd720f3eccbd0b490b6a335ca288
Author: Jeremy Allison j...@samba.org
Date:   Fri Dec 21 15:16:10 2012 -0800

Recent coverity changes added directory_create_or_exist() checks to many 
directories.

These may not be needed, but in the meantime - ensure make test works 
again
by chmod'ing the created test directories from 0777 to 0755.

Reviewed-By: Andrew Bartlett abart...@samba.org
Signed-off-by: Jeremy Allison j...@samba.org

Autobuild-User(master): Jeremy Allison j...@samba.org
Autobuild-Date(master): Sat Dec 22 02:08:33 CET 2012 on sn-devel-104


autobuild: intermittent test failure detected

2012-12-22 Thread autobuild
The autobuild test system has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2012-12-23-0528/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-12-23-0528/samba3.stderr
   http://git.samba.org/autobuild.flakey/2012-12-23-0528/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2012-12-23-0528/samba.stderr
   http://git.samba.org/autobuild.flakey/2012-12-23-0528/samba.stdout
  
The top commit at the time of the failure was:

commit c1fb37d7bec1dd720f3eccbd0b490b6a335ca288
Author: Jeremy Allison j...@samba.org
Date:   Fri Dec 21 15:16:10 2012 -0800

Recent coverity changes added directory_create_or_exist() checks to many 
directories.

These may not be needed, but in the meantime - ensure make test works 
again
by chmod'ing the created test directories from 0777 to 0755.

Reviewed-By: Andrew Bartlett abart...@samba.org
Signed-off-by: Jeremy Allison j...@samba.org

Autobuild-User(master): Jeremy Allison j...@samba.org
Autobuild-Date(master): Sat Dec 22 02:08:33 CET 2012 on sn-devel-104