Re: [Samba] SAMBA 4 acting as Domain Server- Is Exchange 2010 capable of being installed?
I think you would be better with SOGo/Openchange as substitute of Exchange.

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Matthew Gear
Sent: Friday, 11 January 2013 05:03
To: samba@lists.samba.org
Subject: [Samba] SAMBA 4 acting as Domain Server- Is Exchange 2010 capable of being installed?

Hello All,

SAMBA 4 is a great advancement, and I have it up and running in a lab environment authenticating Cisco UCM LDAP queries... I am attempting to install an Exchange 2010 deployment for integrated UM testing.

As I attempted to extend the schema of the SAMBA 4 AD (setup /ps), the setup program came back and reported the following:

    The Domain Controller 'smb4.homelab.int' is running the 4.0.0 version of the operating system. Minimal requested version is 5.2 (3790) Service Pack 1.

Is it possible to install Exchange 2010 in a Samba4 Active Directory environment ? Is Exchange supported?

Many Thanks,
Re: [Samba] SAMBA 4 acting as Domain Server- Is Exchange 2010 capable of being installed?
Thank you for the reply Daniel!

Unfortunately, in my test scenario, Openchange does not have UM (Voicemail) capabilities, and hence the reason I am attempting to install Exchange (with UM). This is a Call Manager Cluster integrated with SAMBA4, and hence I am trying to set up a VM system with this cluster. Asterisk will not work for this integration either. I would like to use SAMBA4 as my DC userbase resource, but if I cannot, I might have to go back to the windows DC :(

On Fri, Jan 11, 2013 at 3:03 AM, Daniel Müller muel...@tropenklinik.de wrote:
> I think you would be better with SOGo/Openchange as substitute of Exchange.
Re: [Samba] SAMBA 4 acting as Domain Server- Is Exchange 2010 capable of being installed?
On 11 January 2013 05:02, Matthew Gear matthewj.g...@gmail.com wrote:
> I am attempting to install an Exchange 2010 deployment for integrated UM testing.
>
> As I attempted to extend the schema of the SAMBA 4 AD (setup /ps), the setup program came back and reported the following:
>
>     The Domain Controller 'smb4.homelab.int' is running the 4.0.0 version of the operating system. Minimal requested version is 5.2 (3790) Service Pack 1.
>
> Is it possible to install Exchange 2010 in a Samba4 Active Directory environment ?

Hmm. You could experiment with setting the 'server string' variable in smb.conf to something like Windows Server 2003 R2 5.2 and seeing if the Exchange deployment is parsing server string or some other attribute in the samba publication.

I don't believe there are currently any other options in smb.conf for masquerading Samba server type from UNIX to an arbitrary Windows.
Re: [Samba] SAMBA 4 acting as Domain Server- Is Exchange 2010 capable of being installed?
If it is only for authentication this may work

IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de

From: Matthew Gear [mailto:matthewj.g...@gmail.com]
Sent: Friday, 11 January 2013 09:15
To: muel...@tropenklinik.de
Cc: samba@lists.samba.org
Subject: Re: [Samba] SAMBA 4 acting as Domain Server- Is Exchange 2010 capable of being installed?

> Thank you for the reply Daniel!
>
> Unfortunately, in my test scenario, Openchange does not have UM (Voicemail) capabilities, and hence the reason I am attempting to install Exchange (with UM). This is a Call Manager Cluster integrated with SAMBA4, and hence I am trying to set up a VM system with this cluster. Asterisk will not work for this integration either. I would like to use SAMBA4 as my DC userbase resource, but if I cannot, I might have to go back to the windows DC :(
Re: [Samba] samba-tool dbcheck produces wrong instancetype errors
On Thu, 2013-01-10 at 16:50 +, Chris Lewis wrote:
> Hi All,
>
> I have joined a samba4 instance to an existing W2k8 AD domain as an additional domain controller. When I do samba-tool dbcheck I get (example) :
>
>     ERROR: wrong instanceType 4 on CN=INVIEW-DC2,OU=Domain Controllers,DC=inview,DC=local, should be 0
>     Not changing instanceType from 4 to 0 on CN=INVIEW-DC2,OU=Domain Controllers,DC=inview,DC=local
>
> This happens for 644 out of 655 of the objects in directory. I have attempted to fix one or two less important objects and the error does not appear again. Before I go ahead and fix them all, I want to find out whether doing this would have any unwanted ramifications? Can anyone explain what causes these errors and if fixing them might break something?

That's a very interesting question. 0 seems the wrong value, if you are a read-write DC.

I suspect we are getting the domain join stuff wrong, so we then trigger this incorrectly in dbcheck.

Andrew Bartlett

--
Andrew Bartlett                         http://samba.org/~abartlet/
Authentication Developer, Samba Team    http://samba.org
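Added example, not part of the thread and not Samba project code: a small Python triage script that reads saved `samba-tool dbcheck` output, decodes the instanceType bit flags (as defined for Active Directory in MS-ADTS) and marks every proposed change that would clear the WRITE bit, so the list can be reviewed before anything is fixed. The first two sample lines are taken from the post above; the second pair and all function names are constructed for illustration.

```python
import re
from collections import Counter

# instanceType bit flags as defined for Active Directory (MS-ADTS).
INSTANCE_TYPE_FLAGS = {
    0x01: "IS_NC_HEAD",   # object is the head of a naming context
    0x02: "UNINSTANT",    # replica is not instantiated
    0x04: "WRITE",        # object is writable on this DC
    0x08: "NC_ABOVE",     # this DC holds the naming context above
    0x10: "NC_COMING",    # naming context is being constructed
    0x20: "NC_GOING",     # naming context is being removed
}
WRITE = 0x04

# Matches the error line format shown in the post; the DN itself contains commas.
ERROR_RE = re.compile(
    r"ERROR: wrong instanceType (?P<found>\d+) on (?P<dn>.+?), "
    r"should be (?P<expected>\d+)\s*$"
)


def decode_instance_type(value):
    """Return the names of the flags set in an instanceType value."""
    names = [name for bit, name in sorted(INSTANCE_TYPE_FLAGS.items()) if value & bit]
    unknown = value & ~sum(INSTANCE_TYPE_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names


def parse_dbcheck(text):
    """Extract one finding per 'wrong instanceType' error line."""
    findings = []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue  # e.g. the 'Not changing instanceType ...' lines
        found, expected = int(m["found"]), int(m["expected"])
        findings.append({
            "dn": m["dn"],
            "found": found,
            "expected": expected,
            "found_flags": decode_instance_type(found),
            "expected_flags": decode_instance_type(expected),
            # True when applying the proposed value would drop the WRITE bit.
            "clears_write": bool(found & WRITE) and not (expected & WRITE),
        })
    return findings


def summarize(findings):
    """Count findings per (found, expected) pair."""
    return Counter((f["found"], f["expected"]) for f in findings)


# Sample input: first pair from the post, second pair constructed.
SAMPLE = """\
ERROR: wrong instanceType 4 on CN=INVIEW-DC2,OU=Domain Controllers,DC=inview,DC=local, should be 0
Not changing instanceType from 4 to 0 on CN=INVIEW-DC2,OU=Domain Controllers,DC=inview,DC=local
ERROR: wrong instanceType 4 on CN=Example User,CN=Users,DC=inview,DC=local, should be 0
Not changing instanceType from 4 to 0 on CN=Example User,CN=Users,DC=inview,DC=local
"""

if __name__ == "__main__":
    results = parse_dbcheck(SAMPLE)
    for (found, expected), count in summarize(results).items():
        print("%d object(s): %s -> %s" % (
            count, decode_instance_type(found) or ["(none)"],
            decode_instance_type(expected) or ["(none)"]))
    for f in results:
        if f["clears_write"]:
            print("would clear WRITE:", f["dn"])
```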
[Samba] Samba 4 TSIG Error NOTIMP
Hi!

I've got troubles with dynamic dns updates.

Ubuntu: 12.04 / Samba 4.0.0 / followed off. howto
Winsrv: Server 2k8R2

    root@tuxsrv:/home/schau# samba -V
    Version 4.1.0pre1-GIT-94f11e9
    root@tuxsrv:/home/schau# kinit administrator@SCHAU.LOCAL
    Password for administrator@SCHAU.LOCAL:
    root@tuxsrv:/home/schau# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@SCHAU.LOCAL

    Valid starting     Expires            Service principal
    11/01/13 14:24:08  12/01/13 00:24:10  krbtgt/SCHAU.LOCAL@SCHAU.LOCAL
            renew until 12/01/13 00:24:08

My configs:

/etc/ntp.conf

    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
    server 0.pool.ntp.org iburst prefer
    server 1.pool.ntp.org iburst prefer
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp
    ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
    restrict default kod nomodify notrap nopeer mssntp
    restrict 127.0.0.1
    restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

/etc/krb5.conf

    [libdefaults]
        default_realm = SCHAU.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
    ~

/usr/local/samba/etc/smb.conf

        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

    [test]
        path = /data/test
        comment = Test Share
        read only = No

    [printers]
        comment = All Printers
        path = /usr/local/samba/var/spool
        browsable = Yes
        read only = No
        printable = Yes

    [print$]
        comment = Point and Print Printer Drivers
        path = /usr/local/samba/var/print
        read only = No

/etc/network/interfaces

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet static
        address 10.0.0.20
        netmask 255.0.0.0
        network 10.0.0.0
        broadcast 10.255.255.255
        gateway 10.0.0.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 10.0.0.20
        dns-search schau.local
        dns-domain schau.local

/etc/resolv.conf

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 10.0.0.20
    search schau.local

When I test it with:

    # /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names

I get the following error:

    root@tuxsrv:/home/schau# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
    IPs: ['fe80::a00:27ff:fe3b:4013%eth0', '10.0.0.20']
    Calling nsupdate for A schau.local 10.0.0.20
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    schau.local. 900 IN A 10.0.0.20

    Calling nsupdate for A tuxsrv.schau.local 10.0.0.20
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    tuxsrv.schau.local. 900 IN A 10.0.0.20

    Calling nsupdate for A gc._msdcs.schau.local 10.0.0.20
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    gc._msdcs.schau.local. 900 IN A 10.0.0.20

    ; TSIG error with server: tsig verify failure
    update failed: NOTIMP
    Failed nsupdate: 2
    Calling nsupdate for CNAME e22551f7-0de8-4773-a526-435b44971594._msdcs.schau.local tuxsrv.schau.local
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    e22551f7-0de8-4773-a526-435b44971594._msdcs.schau.local. 900 IN CNAME tuxsrv.schau.local.

    ; TSIG error with server: tsig verify failure
    update failed: NOTIMP
    Failed nsupdate: 2
    Calling nsupdate for SRV _kpasswd._tcp.schau.local tuxsrv.schau.local 464
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    _kpasswd._tcp.schau.local. 900 IN SRV 0 100 464 tuxsrv.schau.local.

    Calling nsupdate for SRV _kpasswd._udp.schau.local tuxsrv.schau.local 464
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    _kpasswd._udp.schau.local. 900 IN SRV 0 100 464 tuxsrv.schau.local.

    Calling nsupdate for SRV _kerberos._tcp.schau.local tuxsrv.schau.local 88
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    _kerberos._tcp.schau.local. 900 IN SRV 0 100 88 tuxsrv.schau.local.

    Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.schau.local tuxsrv.schau.local 88
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
    ;;
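Added example, not part of the original post and not Samba project code: a Python helper that pairs each "Calling nsupdate for ..." line of `samba_dnsupdate --verbose` output with any TSIG error or failure code that follows it, then groups the outcomes by parent name so it is easy to see which part of the namespace rejects signed updates. The sample is abridged from the output in the post above; function names are constructed for illustration.

```python
import re
from collections import defaultdict

CALL_RE = re.compile(r"^Calling nsupdate for (?P<rtype>\S+) (?P<name>\S+)(?: (?P<rest>.*))?$")
TSIG_RE = re.compile(r"^; TSIG error with server: (?P<reason>.+)$")
FAIL_RE = re.compile(r"^update failed: (?P<rcode>\S+)")


def parse_dnsupdate(text):
    """Return one record per update attempt, with any error attached to it."""
    attempts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            current = {"rtype": m["rtype"], "name": m["name"],
                       "tsig_error": None, "rcode": None}
            attempts.append(current)
            continue
        if current is None:
            continue  # preamble before the first attempt
        m = TSIG_RE.match(line)
        if m:
            current["tsig_error"] = m["reason"]
            continue
        m = FAIL_RE.match(line)
        if m:
            current["rcode"] = m["rcode"]
    return attempts


def failed(attempts):
    """Attempts that were followed by a TSIG error or a failure code."""
    return [a for a in attempts if a["tsig_error"] or a["rcode"]]


def outcomes_by_parent(attempts):
    """Count ok/failed attempts per parent name (record name minus first label)."""
    table = defaultdict(lambda: {"ok": 0, "failed": 0})
    for a in attempts:
        parent = a["name"].split(".", 1)[1] if "." in a["name"] else ""
        key = "failed" if (a["tsig_error"] or a["rcode"]) else "ok"
        table[parent][key] += 1
    return dict(table)


# Sample input, abridged from the post above (header lines omitted).
SAMPLE = """\
IPs: ['fe80::a00:27ff:fe3b:4013%eth0', '10.0.0.20']
Calling nsupdate for A schau.local 10.0.0.20
schau.local. 900 IN A 10.0.0.20
Calling nsupdate for A tuxsrv.schau.local 10.0.0.20
tuxsrv.schau.local. 900 IN A 10.0.0.20
Calling nsupdate for A gc._msdcs.schau.local 10.0.0.20
gc._msdcs.schau.local. 900 IN A 10.0.0.20
; TSIG error with server: tsig verify failure
update failed: NOTIMP
Failed nsupdate: 2
Calling nsupdate for CNAME e22551f7-0de8-4773-a526-435b44971594._msdcs.schau.local tuxsrv.schau.local
; TSIG error with server: tsig verify failure
update failed: NOTIMP
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.schau.local tuxsrv.schau.local 464
_kpasswd._tcp.schau.local. 900 IN SRV 0 100 464 tuxsrv.schau.local.
"""

if __name__ == "__main__":
    parsed = parse_dnsupdate(SAMPLE)
    for a in failed(parsed):
        print("FAILED %-5s %s (%s, %s)" % (a["rtype"], a["name"], a["tsig_error"], a["rcode"]))
    for parent, counts in sorted(outcomes_by_parent(parsed).items()):
        print("%-25s ok=%d failed=%d" % (parent, counts["ok"], counts["failed"]))
```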
Re: [Samba] Move from roaming to local profiles
On Wednesday, January 9, 2013 04:23 PM CST, Donny Brooks dbro...@mdah.state.ms.us wrote:
> On Wednesday, January 9, 2013 04:13 PM CST, Norberto Bensa nbensa+sa...@gmail.com wrote:
>> On Wed, Jan 9, 2013 at 6:57 PM, Donny Brooks dbro...@mdah.state.ms.us wrote:
>>> Ok, I tested this on a couple of our windows 7 machines. I did as you said and changed the profile to a local one, removed it from the existing domain, added it to the new domain, and logged in as the user again. It gave me a new profile. Looking in C:\Users I see the username folder and username.NEWDOMAIN. It is creating a new profile for the same user on the new domain. Is there a way to do this? I have searched but only see directions for doing local profiles to roaming. Figures I would be going against the grain here.
>>
>> Add the machine to the new domain. Change permissions on the username folder. Also, you'll need to load the user's registry and change permissions. I really can't remember if you also need to change something else in the user's registry. I'll ask our technicians tomorrow and I'll let you know.
>>
>> BTW, the same username in two domains is a different user (different SID). That's why you see username.NEWDOMAIN.
>>
>> Regards,
>> Norberto
>
> Thanks for that. I tried changing the permissions on the folder but totally forgot about the registry. Also I tried the program reprofiler as it is supposed to automate a lot of this but I couldn't get it just right either.
>
> -- Donny B.

I spent all day yesterday on this and never got anywhere until just before I left work. I tried everything I could think of and every way of doing it. Here is just one way of what I tried:

1. Log in as user on old domain, verify stuff works
2. Log out and in as local administrator
3. Change from olddomain to newdomain, reboot
4. Log in as user on newdomain, creates new profile (obviously since it is a new user)
5. Reboot to make sure profile is not locked and log in as local administrator
6. Copy contents of olddomain profile over to newdomain folder
7. Change permissions recursively on newdomain profile folder and NTUSER.DAT to allow newdomain user full control
8. Reboot
9. Log in as user, profile is there but no file on desktop is able to be opened. Also could not open Windows Explorer.

Finally what worked for me was after step 4 I would navigate to C:\Users\oldprofile as the user on the newdomain, with administrator escalation of course, and copy over only the contents of the specific folders I wanted. For instance the contents of Desktop, certain folders out of AppData/Roaming, etc. This seems to have worked so far. The only issue is that they lose their customizations to windows. But that is not a huge deal.

This is just so if anyone else has these problems in the future.

-- Donny B.
Re: [Samba] Move from roaming to local profiles
Hello,

first, I'm sorry for making you wait for so long. I had some personal problems that required my attention.

On Fri, Jan 11, 2013 at 12:32 PM, Donny Brooks dbro...@mdah.state.ms.us wrote:
> 1. Log in as user on old domain, verify stuff works
> 2. Log out and in as local administrator
> 3. Change from olddomain to newdomain, reboot

Ok

> 4. Log in as user on newdomain, creates new profile (obviously since it is a new user)

Nope. You should remain logged as administrator, change permissions on the user folder to the user of the newdomain. Then, from regedit, load the user registry and change its permissions.

> 5. Reboot to make sure profile is not locked and log in as local administrator

Yes. Everything else is unnecessary, just login as the user in the new domain and it should work.

HTH,
Norberto
[Samba] /home with Samba4 and Windows Server 2012
Hi,

we have installed Samba4 to work with a Windows 2012 server. By now users may log on (remotely) to the Windows Server using domain authentication. Now we were trying to include /home for the users. I understand this is now working in a different fashion than with Samba3, but makes use of the RSAT tools. As far as I have found out the server administration console in Win2012 server does the job of RSAT, but I am not able to administrate the Samba server.

Does anyone know how to add the Samba server to the server console under Win Server 2012? And how do I use /home correctly then?

Best regards,
Felix
[Samba] [SAMBA] Samba 4: Workstations unable to join, The specified network name is no longer available
Hi,

first of all, sorry for my poor English. I have installed Samba4 (stable tarball) on a fresh Centos 6.3 x64 server, with the classicupgrade command. With great difficulty I managed to correctly configure the DNS server (bind). kinit, smbclient and samba_dnsupdate --verbose --all-names give the desired output.

Starting samba daemon, this is the output:

    lpcfg_load: refreshing parameters from /etc/samba/smb.conf
    params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
    samba version 4.0.0 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2012
    GENSEC backend 'gssapi_spnego' registered
    GENSEC backend 'gssapi_krb5' registered
    GENSEC backend 'gssapi_krb5_sasl' registered
    GENSEC backend 'sasl-DIGEST-MD5' registered
    GENSEC backend 'schannel' registered
    GENSEC backend 'spnego' registered
    GENSEC backend 'ntlmssp' registered
    GENSEC backend 'krb5' registered
    GENSEC backend 'fake_gssapi_krb5' registered
    NTPTR backend 'simple_ldb'
    NTVFS backend 'default' for type 1 registered
    NTVFS backend 'posix' for type 1 registered
    NTVFS backend 'unixuid' for type 1 registered
    NTVFS backend 'unixuid' for type 3 registered
    NTVFS backend 'unixuid' for type 2 registered
    NTVFS backend 'cifs' for type 1 registered
    NTVFS backend 'smb2' for type 1 registered
    NTVFS backend 'simple' for type 1 registered
    NTVFS backend 'cifsposix' for type 1 registered
    NTVFS backend 'default' for type 3 registered
    NTVFS backend 'default' for type 2 registered
    NTVFS backend 'nbench' for type 1 registered
    PROCESS_MODEL 'single' registered
    PROCESS_MODEL 'onefork' registered
    PROCESS_MODEL 'prefork' registered
    PROCESS_MODEL 'standard' registered
    AUTH backend 'sam' registered
    AUTH backend 'sam_ignoredomain' registered
    AUTH backend 'anonymous' registered
    AUTH backend 'winbind' registered
    AUTH backend 'winbind_wbclient' registered
    AUTH backend 'name_to_ntstatus' registered
    AUTH backend 'unix' registered
    SHARE backend [classic] registered.
    SHARE backend [ldb] registered.
    ldb_wrap open of privilege.ldb
    samba: using 'standard' process model
    DCERPC endpoint server 'rpcecho' registered
    DCERPC endpoint server 'epmapper' registered
    DCERPC endpoint server 'remote' registered
    DCERPC endpoint server 'srvsvc' registered
    DCERPC endpoint server 'wkssvc' registered
    DCERPC endpoint server 'unixinfo' registered
    DCERPC endpoint server 'samr' registered
    DCERPC endpoint server 'winreg' registered
    DCERPC endpoint server 'netlogon' registered
    DCERPC endpoint server 'dssetup' registered
    DCERPC endpoint server 'lsarpc' registered
    DCERPC endpoint server 'backupkey' registered
    DCERPC endpoint server 'spoolss' registered
    DCERPC endpoint server 'drsuapi' registered
    DCERPC endpoint server 'browser' registered
    DCERPC endpoint server 'eventlog6' registered
    DCERPC endpoint server 'dnsserver' registered
    ldb_wrap open of secrets.ldb
    ldb_wrap open of idmap.ldb
    dreplsrv_partition[CN=Configuration,DC=sede,DC=i-node,DC=it] loaded
    dreplsrv_partition[CN=Schema,CN=Configuration,DC=sede,DC=i-node,DC=it] loaded
    dreplsrv_partition[DC=sede,DC=i-node,DC=it] loaded
    dreplsrv_partition[DC=DomainDnsZones,DC=sede,DC=i-node,DC=it] loaded
    dreplsrv_partition[DC=ForestDnsZones,DC=sede,DC=i-node,DC=it] loaded
    kccsrv_partition[DC=sede,DC=i-node,DC=it] loaded
    kccsrv_partition[CN=Configuration,DC=sede,DC=i-node,DC=it] loaded
    kccsrv_partition[CN=Schema,CN=Configuration,DC=sede,DC=i-node,DC=it] loaded
    kccsrv_partition[DC=DomainDnsZones,DC=sede,DC=i-node,DC=it] loaded
    kccsrv_partition[DC=ForestDnsZones,DC=sede,DC=i-node,DC=it] loaded
    Calling DNS name update script
    Calling SPN name update script
    /usr/sbin/smbd: smbd version 4.0.0 started.
    /usr/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2012
    /usr/sbin/smbd: standard input is not a socket, assuming -D option
    Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
    Completed SPN update check OK
    Completed DNS update check OK

These two lines

    Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

are very suspicious, and reappear every time I try to connect a PC to the server, with a slightly different text:

    Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

After a minute, I see this message on the Windows Computer:

    The specified network name is no longer available

These errors appear even if I try a different samba 4 version, by compiling it from GIT or by installing a beta RPM from a repo. I've tried also with a fresh samba setup (no import from samba 3), still with the same errors.

There's something I'm missing, does anyone know how to resolve
[Samba] werr_access_denied when running setdriver for a printer
Hi all,

I'm getting WERR_ACCESS_DENIED error for some of the printers when running setdriver printer_name printer_driver as part of the cupsaddsmb step. Weirdly, it works for some printers, and never works for others, while all the printers have the same settings. Samba 3.5.20 with CUPS 1.5.4.

Does this part of log give any clue of why could this happen? function print_access_check() -- where does it take its data to check for printer access?

    [2013/01/11 15:57:10.794623, 10] smbd/share_access.c:238(user_ok_token)
      user_ok_token: share myprinter1 is ok for unix user korobkin
    [2013/01/11 15:57:10.794666, 10] lib/util_seaccess.c:58(se_map_generic)
      se_map_generic(): mapped mask 0x20020008 to 0x00020008
    [2013/01/11 15:57:10.794701, 10] lib/util_seaccess.c:58(se_map_generic)
      se_map_generic(): mapped mask 0x100f000c to 0x000f000c
    [2013/01/11 15:57:10.794722, 10] lib/util_seaccess.c:58(se_map_generic)
      se_map_generic(): mapped mask 0x100f000c to 0x000f000c
    [2013/01/11 15:57:10.794743, 10] lib/util_seaccess.c:58(se_map_generic)
      se_map_generic(): mapped mask 0x100f000c to 0x000f000c
    [2013/01/11 15:57:10.794763, 10] lib/util_seaccess.c:58(se_map_generic)
      se_map_generic(): mapped mask 0x100f000c to 0x000f000c
    [2013/01/11 15:57:10.794785, 4] printing/nt_printing.c:5722(print_access_check)
      access check was FAILURE
    [2013/01/11 15:57:10.794937, 3] rpc_server/srv_spoolss_nt.c:1772(_spoolss_OpenPrinterEx)
      access DENIED for printer open
    [2013/01/11 15:57:10.794965, 4] rpc_server/srv_lsa_hnd.c:219(find_policy_by_hnd_internal)
      Found policy hnd[0]
      [] 00 00 00 00 02 00 00 00 00 00 00 00 F0 50 56 36 .PV6
      [0010] 55 7F 00 00 U...
    [2013/01/11 15:57:10.795008, 4] rpc_server/srv_lsa_hnd.c:219(find_policy_by_hnd_internal)
      Found policy hnd[0]
      [] 00 00 00 00 02 00 00 00 00 00 00 00 F0 50 56 36 .PV6
      [0010] 55 7F 00 00 U...
    [2013/01/11 15:57:10.795049, 3] rpc_server/srv_lsa_hnd.c:258(close_policy_hnd)
      Closed policy
    [2013/01/11 15:57:10.795070, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
      spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
        out: struct spoolss_OpenPrinterEx
          handle : *
            handle: struct policy_handle
              handle_type : 0x (0)
              uuid : ----
          result : WERR_ACCESS_DENIED

Thanks in advance.

-Alex
Re: [Samba] Samba 4 on AIX with XLC
Sorry to be an annoyance, but I'm at a loss here and begging for help...

The Python-based build says it completes successfully, and the make install also says it completes successfully. Yet it doesn't copy all the required shared libraries, and the resultant binaries don't run. I copied the missing shared objects by hand, which may or may not be a very good solution. I put them all in /opt/samba-4.0.0/lib, but I suspect some of them were intended to live in different subdirectories thereof.

Once the named libraries were copied, it then tells me it can't find the following symbols:

    aixacl_to_smbacl
    aixacl_smb_to_aixacl

Don't know what to do next...

So, my questions are:

1. What can be done about the libraries not getting copied? Is this a bug in my build, or in the build system?
2. Do I need to move certain ones of them to other subdirectories in the lib directory?
3. If I tracked down the ones below and copied them by hand, might there be others still that I missed?
4. With all the subdirectories under lib, am I going to have to define a pretty complicated LD_LIBRARY_PATH to get this to run?
5. Is there a way I can build the whole thing static from the Python-based build system? I didn't see an option for that with ./configure --help.

Anyway, I think we're crazy close, but I'm still missing that last little hurdle.

Many thanks in advance!!

-Ben

From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of Benjamin Huntsman [bhunts...@mail2.cu-portland.edu]
Sent: Wednesday, January 09, 2013 3:18 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Samba 4 on AIX with XLC

Just FYI, here are at least some of the shared objects that don't get copied to the destination when running make install:

    libtalloc.so
    libgssapi-samba4.so
    libtdb.so
    libtevent.so
    libkrb5-samba4.so
    libroken-samba4.so
    libasn1-samba4.so
    libhcrypto-samba4.so
    libcom_err-samba4.so
    libwind-samba4.so
    libldb.so
    libheimbase-samba4.so
    libhx509-samba4.so
    libpyldb-util.so

There may be others, but by copying those into /opt/samba-4.0.0/lib, I was able to get my compiled smbd to at least spit out the following message:

    bash-3.2# /opt/samba-4.0.0/sbin/smbd -b
    exec(): 0509-036 Cannot load program /opt/samba-4.0.0/sbin/smbd because of the following errors:
    rtld: 0712-001 Symbol aixacl_to_smbacl was referenced from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a runtime definition of the symbol was not found.
    rtld: 0712-001 Symbol aixacl_smb_to_aixacl was referenced from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a runtime definition of the symbol was not found.
    bash-3.2#

So looks like I'm still missing aixacl_to_smbacl and aixacl_smb_to_aixacl. Any idea where I'd get those, and why they're not being found?

Thanks!

-Ben
Re: [Samba] cannot join an existing AD as either a RODC or DC w/ samba4
I'm stuck trying to figure out what the next step should be. Any hints on what I could try?

On Thu, Jan 10, 2013 at 04:53:59PM -0500, Mike Edwards babbled thus:
> I'm unable to have samba4 join an existing AD domain as either an RODC (preferable) or merely a DC. AD domain is Win2k3, but we recently added a pair of Win2k8 DCs to it. Domain functional level is Win2k3.
>
> ### Adding samba4 as an RODC ###

*chomp*

> ### Adding samba4 as a DC ###

*chomp*

--
Mike Edwards                    | If this email address disappears,
Unsolicited advertisments to    | assume it was spammed to death. To
this address are not welcome.   | reach me in that case, s/-.*@/@/

Our progress as a nation can be no swifter than our progress in education. The human mind is our fundamental resource.
  -- John F. Kennedy
Re: [Samba] Move from roaming to local profiles
On Friday, January 11, 2013 10:21 AM CST, Norberto Bensa nbensa+sa...@gmail.com wrote:
> Hello, first, I'm sorry for making you wait for so long. I had some personal problems that required my attention.
>
> On Fri, Jan 11, 2013 at 12:32 PM, Donny Brooks dbro...@mdah.state.ms.us wrote:
>> 1. Log in as user on old domain, verify stuff works
>> 2. Log out and in as local administrator
>> 3. Change from olddomain to newdomain, reboot
>
> Ok
>
>> 4. Log in as user on newdomain, creates new profile (obviously since it is a new user)
>
> Nope. You should remain logged as administrator, change permissions on the user folder to the user of the newdomain. Then, from regedit, load the user registry and change its permissions.

I did as you said and changed permissions on the files and registry. Still when I logged in as the user on the new domain it created a username.NEWDOMAIN folder. It's not a big deal if I have to do it the way I was able to make it work. Kind of cuts down on the user profile garbage.

>> 5. Reboot to make sure profile is not locked and log in as local administrator
>
> Yes. Everything else is unnecessary, just login as the user in the new domain and it should work.
>
> HTH,
> Norberto

-- Donny B.
Re: [Samba] SAMBA 4 acting as Domain Server- Is Exchange 2010 capable of being installed?
Thank you Dominic, I will try this and see how it goes. I will update and let you know FYI. Thank you for the interjection!

On Fri, Jan 11, 2013 at 5:14 AM, Dominic Evans oldma...@gmail.com wrote:
> Hmm. You could experiment with setting the 'server string' variable in smb.conf to something like Windows Server 2003 R2 5.2 and seeing if the Exchange deployment is parsing server string or some other attribute in the samba publication.
>
> I don't believe there are currently any other options in smb.conf for masquerading Samba server type from UNIX to an arbitrary Windows.
[Samba] Switching between
My organization is in the position of having to support full Windows ACLs on CIFS shares. We've been successfully utilizing Samba 3.5.10-125 and vfs_acl_tdb to accomplish that. However, the size of the resulting /var/lib/samba/state/file_ntacls.tdb[.unique-extension] file(s) has introduced some new problems for me to solve.

In our environment, it seems on average each stored ACL causes file_ntacls.tdb to grow by almost 1000 bytes. That's what I've observed with my customers - YMMV. We have to support millions of files per server, and we've seen TDB files larger than 2 GB.

Is there any server change I can make to reduce the storage demands of the acl_tdb module?

Separately, we're considering switching from the acl_tdb module to the acl_xattr module. Do you know of any way to migrate or transfer the NTFS ACL data for each file from the TDB to an extended attribute?

I'm trying to find a server-side solution to the migration problem. A client-side solution might be to rewrite each file (and resend the ACL data) after switching the Samba server configuration, but that puts a lot on the customers.
Re: [Samba] Switching between
That Subject line should read "Switching between vfs_acl_tdb and vfs_acl_attr"

I'm guessing double quotes are a no-no in the Subject field.
Re: [Samba] Samba 4 on AIX with XLC
On 01/10/2013 12:18 AM, Benjamin Huntsman wrote:

> There may be others, but by copying those into /opt/samba-4.0.0/lib, I was able to get my compiled smbd to at least spit out the following message:
>
> bash-3.2# /opt/samba-4.0.0/sbin/smbd -b
> exec(): 0509-036 Cannot load program /opt/samba-4.0.0/sbin/smbd because of the following errors:
> rtld: 0712-001 Symbol aixacl_to_smbacl was referenced from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a runtime definition of the symbol was not found.
> rtld: 0712-001 Symbol aixacl_smb_to_aixacl was referenced from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a runtime definition of the symbol was not found.
> bash-3.2#
>
> So looks like I'm still missing aixacl_to_smbacl and aixacl_smb_to_aixacl. Any idea where I'd get those, and why they're not being found?

Those should have been linked into smbd directly as configure on AIX adds vfs_aixacl to the list of modules to be compiled statically.

Would you mind opening a bug on https://bugzilla.samba.org for tracking?

Cheers, Christian
Re: [Samba] Samba 4 on AIX with XLC
On 01/11/2013 06:04 PM, Benjamin Huntsman wrote:

> 1. What can be done about the libraries not getting copied? Is this a bug in my build, or in the build system?

I can see this as well on my AIX6.1 system. So it's probably an issue with the build system.

> 2. Do I need to move certain ones of them to other subdirectories in the lib directory?

No, the buildsystem should have copied them there as well.

> 3. If I tracked down the ones below and copied them by hand, might there be others still that I missed?

Once the problem with the buildsystem gets sorted out, you wouldn't have to care. Please open a bug so we can track this problem.

> 4. With all the subdirectories under lib, am I going to have to define a pretty complicated LD_LIBRARY_PATH to get this to run?

No, the binaries should be linked against those libraries with absolute paths. You might only need to set LD_LIBRARY_PATH for libs like libtalloc and libtdb that are supposed to be installed under a standard library path like /usr/lib/. The private libs will be installed somewhere else, but still be found due to the absolute linking.

> 5. Is there a way I can build the whole thing static from the Python-based build system? I didn't see an option for that with ./configure --help.

Not with the waf buildsystem. If you are only interested in the file/print serving part, you can give the old buildsystem in source3 a try instead.

Cheers, Christian
Re: [Samba] Switching between
On Fri, Jan 11, 2013 at 07:07:26PM +, Steve Tice wrote:

> My organization is in the position of having to support full Windows ACLs on CIFS shares. We've been successfully utilizing Samba 3.5.10-125 and vfs_acl_tdb to accomplish that. However, the size of the resulting /var/lib/samba/state/file_ntacls.tdb[.unique-extension] file(s) has introduced some new problems for me to solve.
>
> In our environment, it seems on average each stored ACL causes file_ntacls.tdb to grow by almost 1000 bytes. That's what I've observed with my customers - YMMV. We have to support millions of files per server, and we've seen TDB files larger than 2 GB.
>
> Is there any server change I can make to reduce the storage demands of the acl_tdb module?
>
> Separately, we're considering switching from the acl_tdb module to the acl_xattr module. Do you know of any way to migrate or transfer the NTFS ACL data for each file from the TDB to an extended attribute?
>
> I'm trying to find a server-side solution to the migration problem. A client-side solution might be to rewrite each file (and resend the ACL data) after switching the Samba server configuration, but that puts a lot on the customers.

There's no code in Samba to do this unless you're doing it via a client. You could write custom code to pull the data out of the tdb and re-store as EA's on the files, but that's outside the scope of the tools we provide.

Jeremy.
Re: [Samba] Switching between
Jeremy Allison jra at samba.org writes:

> There's no code in Samba to do this unless you're doing it via a client. You could write custom code to pull the data out of the tdb and re-store as EA's on the files, but that's outside the scope of the tools we provide.
>
> Jeremy.

Thanks Jeremy for confirming what I expected. I imagine the best documentation for writing such a migration would be the source for the VFS modules. Are there any other places to look for such info? For example, something that shows how to fetch a record from a TDB, and something that shows how to store ACL data in an EA.
Re: [Samba] Switching between
On Fri, Jan 11, 2013 at 08:31:57PM +, Steve Tice wrote:

> Jeremy Allison jra at samba.org writes:
>> There's no code in Samba to do this unless you're doing it via a client. You could write custom code to pull the data out of the tdb and re-store as EA's on the files, but that's outside the scope of the tools we provide.
>>
>> Jeremy.
>
> Thanks Jeremy for confirming what I expected. I imagine the best documentation for writing such a migration would be the source for the VFS modules. Are there any other places to look for such info? For example, something that shows how to fetch a record from a TDB, and something that shows how to store ACL data in an EA.

No, this is all in the source code and that's where you'll have to look I'm afraid. The tdb library documentation will tell you how to fetch the tdb records - the tdb key will be hashed device/inode number.

Jeremy.
Re: [Samba] Switching between
On Fri, Jan 11, 2013 at 12:59:08PM -0800, Jeremy Allison wrote:

> On Fri, Jan 11, 2013 at 08:31:57PM +, Steve Tice wrote:
>> Jeremy Allison jra at samba.org writes:
>>> There's no code in Samba to do this unless you're doing it via a client. You could write custom code to pull the data out of the tdb and re-store as EA's on the files, but that's outside the scope of the tools we provide.
>>>
>>> Jeremy.
>>
>> Thanks Jeremy for confirming what I expected. I imagine the best documentation for writing such a migration would be the source for the VFS modules. Are there any other places to look for such info? For example, something that shows how to fetch a record from a TDB, and something that shows how to store ACL data in an EA.
>
> No, this is all in the source code and that's where you'll have to look I'm afraid. The tdb library documentation will tell you how to fetch the tdb records - the tdb key will be hashed device/inode number.

As a side note, just wildly brainstorming: I would guess that there's a lot of duplicate acls in the tdb. Might a bit more complex scheme with refcounted acls and pointers be possible? Maybe with an offline dedup tool or some scheme based on a hash value of the secdesc blob? The inode just points at the hash value of the secdesc blob, behind the hash we have the refcounted secdesc itself.

Volker

-- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.sernet.de, mailto:kont...@sernet.de
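The scheme brainstormed in the message above (inode points at a hash of the secdesc blob, the hash points at a refcounted blob), as an added Python sketch that is not Samba code and not from the thread. The key layout, the use of SHA-256 and the sample descriptors are assumptions made for the illustration.

```python
import hashlib
import struct


class DedupAclStore:
    """Two tables: inode -> digest of secdesc blob, digest -> [refcount, blob]."""

    def __init__(self):
        self.by_inode = {}   # packed (dev, ino) -> digest
        self.by_digest = {}  # digest -> [refcount, secdesc blob]

    @staticmethod
    def file_key(dev, ino):
        # Assumption: fixed-width (device, inode) key; Samba's real tdb key may differ.
        return struct.pack("<QQ", dev, ino)

    def set_acl(self, dev, ino, blob):
        key = self.file_key(dev, ino)
        digest = hashlib.sha256(blob).digest()
        if self.by_inode.get(key) == digest:
            return  # same ACL stored again, refcount unchanged
        entry = self.by_digest.setdefault(digest, [0, blob])
        if entry[1] != blob:
            # A colliding digest would silently hand a file another file's ACL,
            # which is why a cryptographic hash is used and the blob is compared.
            raise ValueError("digest collision between different descriptors")
        entry[0] += 1          # take the new reference before dropping the old one
        self._unref(key)
        self.by_inode[key] = digest

    def get_acl(self, dev, ino):
        digest = self.by_inode.get(self.file_key(dev, ino))
        return None if digest is None else self.by_digest[digest][1]

    def delete(self, dev, ino):
        self._unref(self.file_key(dev, ino))

    def _unref(self, key):
        digest = self.by_inode.pop(key, None)
        if digest is None:
            return
        entry = self.by_digest[digest]
        entry[0] -= 1
        if entry[0] == 0:
            del self.by_digest[digest]  # last reference gone, free the blob

    def stored_bytes(self):
        # Pointer records plus one copy of each distinct blob (8 bytes per refcount).
        pointers = sum(len(k) + len(d) for k, d in self.by_inode.items())
        blobs = sum(len(d) + 8 + len(e[1]) for d, e in self.by_digest.items())
        return pointers + blobs

    def check(self):
        """Offline consistency check: refcounts match references, digests match blobs."""
        counts = {}
        for digest in self.by_inode.values():
            counts[digest] = counts.get(digest, 0) + 1
        refs_ok = counts == {d: e[0] for d, e in self.by_digest.items()}
        blobs_ok = all(hashlib.sha256(e[1]).digest() == d
                       for d, e in self.by_digest.items())
        return refs_ok and blobs_ok


def demo():
    """1000 files sharing two constructed ~1000-byte descriptors (not real secdescs)."""
    acl_a, acl_b = b"A" * 1000, b"B" * 1000
    store = DedupAclStore()
    for ino in range(1, 1001):
        store.set_acl(64768, ino, acl_a if ino % 10 else acl_b)
    naive = 1000 * (16 + 1000)  # one key plus one full blob per file
    return naive, store.stored_bytes(), store


if __name__ == "__main__":
    naive, dedup, _ = demo()
    print("per-file blobs: %d bytes, deduplicated: %d bytes" % (naive, dedup))
```

The `check()` pass is the part an offline dedup tool would need most: a refcount that drifts from the real number of references either leaks blobs or frees an ACL that files still point at.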
Re: [Samba] Switching between
Jeremy Allison jra at samba.org writes:

> No, this is all in the source code and that's where you'll have to look I'm afraid. The tdb library documentation will tell you how to fetch the tdb records - the tdb key will be hashed device/inode number.
>
> Jeremy.

Thanks again Jeremy. I'm sure the source files will be adequate. Had to ask if anything else (that might help get it done faster) existed, but it's all good.
Re: [Samba] Switching between
On Fri, 2013-01-11 at 12:13 -0800, Jeremy Allison wrote:

> On Fri, Jan 11, 2013 at 07:07:26PM +, Steve Tice wrote:
>> My organization is in the position of having to support full Windows ACLs on CIFS shares. We've been successfully utilizing Samba 3.5.10-125 and vfs_acl_tdb to accomplish that. However, the size of the resulting /var/lib/samba/state/file_ntacls.tdb[.unique-extension] file(s) has introduced some new problems for me to solve.
>>
>> In our environment, it seems on average each stored ACL causes file_ntacls.tdb to grow by almost 1000 bytes. That's what I've observed with my customers - YMMV. We have to support millions of files per server, and we've seen TDB files larger than 2 GB.
>>
>> Is there any server change I can make to reduce the storage demands of the acl_tdb module?
>>
>> Separately, we're considering switching from the acl_tdb module to the acl_xattr module. Do you know of any way to migrate or transfer the NTFS ACL data for each file from the TDB to an extended attribute?
>>
>> I'm trying to find a server-side solution to the migration problem. A client-side solution might be to rewrite each file (and resend the ACL data) after switching the Samba server configuration, but that puts a lot on the customers.
>
> There's no code in Samba to do this unless you're doing it via a client. You could write custom code to pull the data out of the tdb and re-store as EA's on the files, but that's outside the scope of the tools we provide.

Using Samba 4.0.0, the python bindings or even samba-tool ntacl get/set would be quite a good choice here. We can read directly the NT ACL from the tdb and then set it using the xattr code.

At a shell level, try something (untested) like:

  samba-tool ntacl get file

then change the smb.conf setting and set it with

  samba-tool ntacl set file

This should be enough, perhaps pointing at two different smb.conf files.

Some other options that you shouldn't need, but I will describe are:

  --xattr-backend=tdb
  --use-ntvfs

This combination might be handy, allowing you to directly read the NT ACL in the tdb, even when the smb.conf is configured to use the xattr. (Be warned, the comparison with the posix permissions to see which was set last will not be performed in this case).

Also see the python API in samba.ntacls, which may allow you to implement a 'samba-tool ntacl migrate file' command.

I'm very happy to help out if you have any more questions here, as we certainly do have a good range of tools that should be able to help you out.

Jeremy will need to confirm (and your testing will be important) that the resulting database from 4.0.0 will be compatible with Samba 3.5. That said, we haven't deliberately changed anything about the on-disk format here, as far as I'm aware.

Andrew Bartlett

-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
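The get-then-set procedure suggested in the message above, wrapped in a per-file loop with a read-back check, as an added Python example that is not from the thread and not Samba project code. It assumes that `samba-tool ntacl get` accepts `--as-sddl`, that `ntacl set` takes the SDDL string followed by the file, and that `-s` selects the smb.conf; confirm all three against the installed samba-tool before use.

```python
import os
import subprocess
import sys


def samba_tool(args):
    """Run samba-tool with an argument list (no shell) and return its stdout."""
    done = subprocess.run(["samba-tool"] + args, check=True,
                          capture_output=True, text=True)
    return done.stdout.strip()


def get_cmd(path, conf, from_tdb):
    """Arguments to read a file's NT ACL as SDDL, optionally straight from the tdb."""
    args = ["ntacl", "get", "--as-sddl", "-s", conf]
    if from_tdb:
        # The two options named in the message for reading the tdb directly.
        args += ["--xattr-backend=tdb", "--use-ntvfs"]
    return args + [path]


def set_cmd(sddl, path, conf):
    """Arguments to store an SDDL string through the backend that conf selects."""
    return ["ntacl", "set", "-s", conf, sddl, path]


def migrate(paths, old_conf, new_conf, run=samba_tool):
    """Copy each file's NT ACL from the tdb to the backend configured in new_conf.

    old_conf and new_conf are two smb.conf files (hypothetical names chosen by
    the caller).  Returns (migrated, failed); failed holds (path, reason) pairs
    so that no file ends up silently without its ACL.
    """
    migrated, failed = [], []
    for path in paths:
        # Absolute paths cannot be mistaken for options (a name such as "-s").
        path = os.path.abspath(path)
        try:
            sddl = run(get_cmd(path, old_conf, from_tdb=True))
            if not sddl:
                raise ValueError("no NT ACL returned from the tdb")
            run(set_cmd(sddl, path, new_conf))
            readback = run(get_cmd(path, new_conf, from_tdb=False))
        except (subprocess.CalledProcessError, OSError, ValueError) as exc:
            failed.append((path, str(exc)))
            continue
        if readback == sddl:
            migrated.append(path)
        else:
            # The stored ACL is not what was read from the tdb: review by hand.
            failed.append((path, "read-back SDDL differs from the tdb copy"))
    return migrated, failed


if __name__ == "__main__":
    # Usage: script OLD_SMB_CONF NEW_SMB_CONF < list-of-paths (one per line)
    todo = [line.rstrip("\n") for line in sys.stdin if line.strip()]
    ok, bad = migrate(todo, sys.argv[1], sys.argv[2])
    for path, why in bad:
        print("FAILED %s: %s" % (path, why), file=sys.stderr)
    print("%d migrated, %d failed" % (len(ok), len(bad)))
    sys.exit(1 if bad else 0)
```

Keep the tdb file until every path is in the migrated list, since the read-back comparison is the only evidence that the new backend returns the same descriptor.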
[Samba] Solaris 11.1 Samba 3.6.6 oddity: wbinfo is good, but getent is not.
Hi all.

I've been searching various archives and lists to see if I can track down what I'm doing wrong – but I suspect something is getting in my way (bug perhaps)? I thought I'd ask on the list to see if others have any experience here.

Situation is as follows:

1. Solaris 11.1 box, successfully bound to active directory domain using traditional net join ads syntax.
2. Can kinit just fine. I have a krb5.conf and krb5.keytab in place in /etc/krb5/
3. Can wbinfo -u and wbinfo -g just fine to list all the groups in the organisation and in the users, too.
4. I configured my /etc/nsswitch.conf to look like so:

   passwd: files winbind
   group: files winbind

I am guessing my winbind is kind of working, on the basis that wbinfo is querying correctly and returns values from -u and -g.

My very thin smb.conf looks like this:

   [global]
   wins server = some.fqdn.goes.here, some.fqdn.goes.here
   security = ADS
   workgroup = SOMEWORKGROUP
   realm = SOME.BIG.PLACE
   machine password timeout = 0
   server string = FILESERVER_TEST
   log file = /var/samba/log/log.%m
   log level = 1
   debug pid = true
   dns proxy = no
   domain master = no
   local master = no
   preferred master = no
   strict locking = no
   # All the weird ID mapping strategy bits
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /expor/home/%U
   template shell = /bin/bash
   idmap config * : default = yes
   idmap config * : backend = tdb
   idmap config * : range = 100-199
   idmap cache time = 604800

NB: These are default Solaris 11.1 support packages. Samba version is 3.6.6

   Root@sol11-ads:/var/samba/log# smbd -V
   Version 3.6.6

It is compiled with all the right modules to the best of my understanding.

   root@sol11-ads:/var/samba/log# smbd -b | grep -i win/ads/ldap
   WITH_WINBIND
   WITH_WINBIND
   WITH_ADS
   WITH_ADS
   HAVE_LDAP_H
   HAVE_HAVE_LDAP_MOZ
   HAVE_LDAP
   HAVE_LDAP_ADD_RESULT_ENTRY
   HAVE_LDAP_INIT
   HAVE_LDAP_OPEN
   HAVE_LDAP_SET_REBIND_PROC
   HAVE_LIBLDAP
   LDAP_SET_REBIND_PROC_ARGS
   idmap_ldap_init
   pdb_ldap
   pdb_smbpasswd
   pdb_tdbsam
   pdb_wbc_sam
   idmap_tdb
   idmap_passdb
   idmap_nss
   nss_info_template
   auth_sam
   auth_unix
   auth_winbind
   auth_wbc
   auth_server
   auth_domain
   auth_builtin
   vfs_default
   vfs_solarisacl

So, no matter what I do, I just can't convince getent to return anything other than local groups and users. It hangs for quite a while waiting to complete, but never finds anything outside of local users and groups.

I had some heart, because wbinfo was working so well, and I'd actually managed to get Solaris 11.1 to join to a domain at all – but it seems I've come unstuck.

My apologies in advance for what is probably an easily remedied issue and a silly question. I'm only just getting back into Samba after not having to touch it for about 5 years. I just get the feeling something else might be wrong (as in, a functional issue with 3.6.6, perhaps?).

Thank you for your time and assistance.

--JC
Re: [Samba] Samba 4 on AIX with XLC
> Those should have been linked into smbd directly as configure on AIX adds vfs_aixacl to the list of modules to be compiled statically.
>
> Would you mind opening a bug on https://bugzilla.samba.org for tracking?
>
> Cheers, Christian

Hi there! Thanks for the reply!

I have added Bug 9557: https://bugzilla.samba.org/show_bug.cgi?id=9557

Any chance it'll be patched by the end of next week? :) har har.

In the mean time, I think I'm going to revert to trying to build the most recent stable version of Samba 3.6.x. I'll happily provide whatever data I can and assist with testing to get Samba 4 building and running on AIX... Just let me know.

Thanks again!

-Ben
[Samba] Samba4 Domain Account Lockout
First off, I apologize if this is a duplicate - I had some issues with the first email I tried to join this list with!

I'm currently using samba4 as an AD DC (domain and forest are both configured with the samba-tool command to be at the 2008_R2 functional level) for both Windows and Linux systems. I've got the default password settings set using the samba-tool domain passwordsettings command and I have all the GPOs configured as I need them for clients. However, I would like to configure how the account lockout functions for the domain accounts. I read in the archive for this list that there isn't currently support for server side GPOs, so I'm not certain how to configure this, or if it's even possible.

To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which has a pre-built zentyal-samba package installed but from what I can tell it's just samba4.0 (that's what it tells me when I use samba --version)

What I've tried thus far:

1. Use testparm -v to get a complete list of all possible smb.conf values - didn't see much in there that looked like account lockout
2. Manually edit the account_policy.tdb database within the samba folder identified in the current smb.conf file with tdbtool - it looks like there ARE settings here that might apply, but for some reason changes aren't being reflected. For example, when I use the samba-tool domain passwordsettings set --min-pwd-age=5 command the account_policy.tdb key corresponding to pass min age does NOT get updated, but I have validated that the changes DO take immediate effect. Maybe the account_policy.tdb file is legacy and not used when the active role is DC with a 2008_R2 functional level? The password policy, and I'm presuming all account related policy, is clearly being stored and enforced somewhere - I just haven't figured out what all it includes and where it is...

My question with respect to samba is two fold: is it even POSSIBLE to have samba detect multiple failed login attempts to a domain account (e.g., the default domain administrator) and lock the account once a certain threshold has been reached and if so how is that configured?

Thanks so much for any information you can provide!

-Chris Stoneburner
[SCM] Samba Shared Repository - branch v4-0-test updated
The branch, v4-0-test has been updated
   via e663d18 smb.conf(5): update list of available protocols (bug #9552)
   via 6817ae1 samba_dnsupdate: set KRB5_CONFIG for nsupdate command (bug #9517)
   via 0843231 s4:drsuapi: try to behave more like windows for usn order (bug #9508)
   via 4a876d3 s4:drsuapi: make use of LDB_TYPESAFE_QSORT() and pass getnc_state
   via 807f319 s4:drsuapi: make sure we report the meta data from the cycle start (bug #9508)
   via de07dfc s4:drsuapi: check the source_dsa_invocation_id (bug #9508)
   via 6a0fe0a s4:drsuapi: make sure we never return the same highwatermark twice in a replication cycle (bug #9508)
   via 5ea3a3d s4:drsuapi: add drsuapi_DsReplicaHighWaterMark_cmp()
   via 5da4cb2 s4:drsuapi: always use the current uptodateness_vector
   via c6cbf63 s4:drsuapi: avoid a ldb_dn_copy() and use talloc_move() instead
   via 9061634 s4:drsuapi: remove unused 'highest_usn' from drsuapi_getncchanges_state
   via 3a40d61 s4:drsuapi: move struct drsuapi_getncchanges_state to the top of getncchanges.c
   via b308c26 s4:dsdb/drepl: update the source_dsa_obj/invocation_id in repsFrom
   via 29cffea s4:dsdb/common: use 01.01.1970 as last_sync_success for our entry in the uptodatevector
   via d2b0b9c s4:dsdb/common: use LDB_SEQ_HIGHEST_SEQ for our entry in the uptodatevector
   via b7f3b06 s4:dsdb/repl_meta_data: don't merge highwatermark and uptodatevector (bug #9508)
   via 9274d76 s4:dsdb/repl_meta_data: also update the last_sync_success in replUpToDateVector
   via 834b597 s4:dsdb/repl_meta_data: store the last results and timestamps in the repsFrom
   via a749a74 s4:dsdb/repl_meta_data: always treat the highwatermark as opaque (bug #9508)
   via 36b44b5 s4:scripting/python: always treat the highwatermark as opaque (bug #9508)
   from 4659595 s4:lib/messaging: terminate the irpc_servers_byname() result with server_id_set_disconnected() (bug #9540)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test

- Log -

commit e663d1848e4e3d264dfe4a452980eb367f00a2ee
Author: Björn Baumbach b...@sernet.de
Date: Tue Dec 11 13:39:11 2012 +0100

    smb.conf(5): update list of available protocols (bug #9552)

    Update protocol listing in variable substitution list.

    Signed-off-by: Bjoern Baumbach b...@sernet.de
    Reviewed by: Jeremy Allison j...@samba.org
    Autobuild-User(master): Jeremy Allison j...@samba.org
    Autobuild-Date(master): Wed Jan 9 21:22:18 CET 2013 on sn-devel-104
    (cherry picked from commit 313da9dc7d8cb16f943ea7bde1c1d7bf8f02c0f0)
    Autobuild-User(v4-0-test): Karolin Seeger ksee...@samba.org
    Autobuild-Date(v4-0-test): Fri Jan 11 12:26:50 CET 2013 on sn-devel-104

commit 6817ae1125f11f5dad38cab187d405879346fb5d
Author: Björn Baumbach b...@sernet.de
Date: Thu Dec 20 15:57:43 2012 +0100

    samba_dnsupdate: set KRB5_CONFIG for nsupdate command (bug #9517)

    Let nslookup use krb5.conf, which is set in our KRB5_CONFIG.

    Signed-off-by: Björn Baumbach b...@sernet.de
    Reviewed-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org
    (cherry picked from commit 4d1fd0b7daa089bd8863f0efcaf258bf30192c29)

commit 084323168ef89d04eda01d3bf41e18cb28c4e327
Author: Stefan Metzmacher me...@samba.org
Date: Sat Dec 15 10:18:08 2012 +0100

    s4:drsuapi: try to behave more like windows for usn order (bug #9508)

    We don't behave completely like a Windows server, but it's much more identical than before. The partition head is always the first object followed by the rest sorted by uSNChanged.

    Signed-off-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org
    Autobuild-User(master): Stefan Metzmacher me...@samba.org
    Autobuild-Date(master): Tue Jan 1 21:09:42 CET 2013 on sn-devel-104
    (cherry picked from commit f77bfed088b93f3ed0f00d0c172ad495c6c2b09b)

commit 4a876d3a0f030f2ebaa527d3b182b6bdb78de79f
Author: Stefan Metzmacher me...@samba.org
Date: Tue Dec 18 15:16:28 2012 +0100

    s4:drsuapi: make use of LDB_TYPESAFE_QSORT() and pass getnc_state

    Signed-off-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org
    (cherry picked from commit 16aef75c4f83c114206aa7637fedc9c2c2486877)

commit 807f319c13c17faad82454cf0adfee3bccb7425c
Author: Stefan Metzmacher me...@samba.org
Date: Tue Dec 18 14:59:20 2012 +0100

    s4:drsuapi: make sure we report the meta data from the cycle start (bug #9508)

    We should build the final highwatermark and uptodatevector of a replication cycle at the start of the cycle. Before we search for the currently missing objects. Otherwise we risk that some objects get lost.

    Signed-off-by: Stefan Metzmacher
[SCM] Samba Shared Repository - branch v4-0-test updated
The branch, v4-0-test has been updated via 46d52b3 s3:smb2_negprot: set the 'remote_proto' value (bug #9499) from e663d18 smb.conf(5): update list of available protocols (bug #9552) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log - commit 46d52b396ffd01c5d8a53b8c13b8c5641fa642ba Author: Stefan Metzmacher me...@samba.org Date: Thu Dec 13 10:44:07 2012 +0100 s3:smb2_negprot: set the 'remote_proto' value (bug #9499) Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org (cherry picked from commit 5d721de7fdc250c6cb423c553134dd687590c1a0) Autobuild-User(v4-0-test): Karolin Seeger ksee...@samba.org Autobuild-Date(v4-0-test): Fri Jan 11 18:01:07 CET 2013 on sn-devel-104 --- Summary of changes: source3/smbd/smb2_negprot.c |8 1 files changed, 8 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c index 11ec2a5..2c1d7a1 100644 --- a/source3/smbd/smb2_negprot.c +++ b/source3/smbd/smb2_negprot.c @@ -25,6 +25,8 @@ #include ../lib/tsocket/tsocket.h #include ../librpc/ndr/libndr.h +extern fstring remote_proto; + /* * this is the entry point if SMB2 is selected via * the SMB negprot and the given dialect. @@ -234,6 +236,12 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) set_remote_arch(RA_VISTA); } + fstr_sprintf(remote_proto, SMB%X_%02X, +(dialect 8) 0xFF, dialect 0xFF); + + reload_services(req-sconn, conn_snum_used, true); + DEBUG(3,(Selected protocol %s\n, remote_proto)); + /* negprot_spnego() returns a the server guid in the first 16 bytes */ negprot_spnego_blob = negprot_spnego(req, req-sconn); if (negprot_spnego_blob.data == NULL) { -- Samba Shared Repository
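Review bot: in the second hunk (@@ -234,6 +236,12 @@, smbd_smb2_request_process_negprot), the new reload_services() call that follows the fstr_sprintf() into remote_proto has no comment saying why services are reloaded at this point, and the commit message is only the subject line. If the reload is there so that smb.conf settings which depend on the negotiated protocol string are re-evaluated, a one-line comment above the call should say so; the outcome of the call is also not looked at before the "Selected protocol" DEBUG is printed, so that message appears whether or not the reload worked.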
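Review bot: the first hunk (@@ -25,6 +25,8 @@) declares the global with a file-local "extern fstring remote_proto;" at the top of smb2_negprot.c. A declaration taken from a shared header would let the compiler check it against the definition; if such a header declaration exists, include it instead of repeating the extern here.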
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8ae1c46 winbind: Fix some missing NULL checks via 54e01f6 winbind: Fix error check in unpack_tdc_domains via aea49ed dbwrap: Use INCOMPATIBLE_HASH for dbwrap_watchers.tdb from edbc26b scripting/samba_upgradedns: Only look for IPv4/IPv6 addresses if we actually them http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8ae1c4636ebfbdb8d77a04dbad6edb52dfb671fc Author: Volker Lendecke v...@samba.org Date: Fri Jan 11 14:51:42 2013 +0100 winbind: Fix some missing NULL checks Reviewed-by: Stefan Metzmacher me...@samba.org Autobuild-User(master): Stefan Metzmacher me...@samba.org Autobuild-Date(master): Fri Jan 11 18:55:41 CET 2013 on sn-devel-104 commit 54e01f68e7a6869a203bfdbdcc6c0294835b841f Author: Volker Lendecke v...@samba.org Date: Fri Jan 11 14:02:52 2013 +0100 winbind: Fix error check in unpack_tdc_domains Reviewed-by: Stefan Metzmacher me...@samba.org commit aea49ed37afe49d12fbb6303f6ea5e7f984b2fda Author: Volker Lendecke v...@samba.org Date: Fri Jan 11 17:04:39 2013 +0100 dbwrap: Use INCOMPATIBLE_HASH for dbwrap_watchers.tdb Reviewed-by: Stefan Metzmacher me...@samba.org --- Summary of changes: source3/lib/dbwrap/dbwrap_watch.c |7 ++-- source3/winbindd/winbindd_cache.c | 60 + 2 files changed, 38 insertions(+), 29 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/dbwrap/dbwrap_watch.c b/source3/lib/dbwrap/dbwrap_watch.c index d7392a3..d8f1b74 100644 --- a/source3/lib/dbwrap/dbwrap_watch.c +++ b/source3/lib/dbwrap/dbwrap_watch.c @@ -31,9 +31,10 @@ static struct db_context *dbwrap_record_watchers_db(void) static struct db_context *watchers_db; if (watchers_db == NULL) { - watchers_db = db_open(NULL, lock_path(dbwrap_watchers.tdb), - 0, TDB_CLEAR_IF_FIRST, O_RDWR|O_CREAT, - 0600, DBWRAP_LOCK_ORDER_3); + watchers_db = db_open( + NULL, lock_path(dbwrap_watchers.tdb), 0, + TDB_CLEAR_IF_FIRST | TDB_INCOMPATIBLE_HASH, + O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3); } return watchers_db; } 
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 76970d6..252cf4a 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -4455,7 +4455,9 @@ static size_t unpack_tdc_domains( unsigned char *buf, int buflen, } for ( i=0; inum_domains; i++ ) { - len += tdb_unpack( buf+len, buflen-len, fffddd, + int this_len; + + this_len = tdb_unpack( buf+len, buflen-len, fffddd, domain_name, dns_name, sid_string, @@ -4463,11 +4465,12 @@ static size_t unpack_tdc_domains( unsigned char *buf, int buflen, attribs, type ); - if ( len == -1 ) { + if ( this_len == -1 ) { DEBUG(5,(unpack_tdc_domains: Failed to unpack domain array\n)); TALLOC_FREE( list ); return 0; } + len += this_len; DEBUG(11,(unpack_tdc_domains: Unpacking domain %s (%s) SID %s, flags = 0x%x, attribs = 0x%x, type = 0x%x\n, @@ -4602,6 +4605,33 @@ bool wcache_tdc_add_domain( struct winbindd_domain *domain ) return ret; } +static struct winbindd_tdc_domain *wcache_tdc_dup_domain( + TALLOC_CTX *mem_ctx, const struct winbindd_tdc_domain *src) +{ + struct winbindd_tdc_domain *dst; + + dst = talloc(mem_ctx, struct winbindd_tdc_domain); + if (dst == NULL) { + goto fail; + } + dst-domain_name = talloc_strdup(dst, src-domain_name); + if (dst-domain_name == NULL) { + goto fail; + } + dst-dns_name = talloc_strdup(dst, src-dns_name); + if (dst-dns_name == NULL) { + goto fail; + } + sid_copy(dst-sid, src-sid); + dst-trust_flags = src-trust_flags; + dst-trust_type = src-trust_type; + dst-trust_attribs = src-trust_attribs; + return dst; +fail: + TALLOC_FREE(dst); + return NULL; +} + /* / @@ -4629,17 +4659,7 @@ struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const cha
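Review bot: in the dbwrap_watch.c hunk (dbwrap_record_watchers_db), TDB_INCOMPATIBLE_HASH is added next to TDB_CLEAR_IF_FIRST with no reason given in a comment or in the commit message. Please state why this database wants the other hash, and note that a file created with this flag cannot be opened by tdb library versions that predate the flag, so anyone inspecting dbwrap_watchers.tdb with older tools knows what to expect.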
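Review bot: in the unpack_tdc_domains() loop hunk (@@ -4455,7 +4455,9 @@ and its continuation), the new failure test compares this_len with exactly -1. Testing for this_len < 0 would reject any negative return before it is added to len and used in the next buf+len, buflen-len computation, which is the safer form for a parser of cached trusted-domain data.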
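Review bot: in the new wcache_tdc_dup_domain() helper (@@ -4602,6 +4605,33 @@), both talloc_strdup() results are treated as allocation failures when NULL, but talloc_strdup() also returns NULL for a NULL source string. If a cached entry can carry a NULL dns_name, the duplicate will fail for a valid entry; either document that both strings are required to be non-NULL or copy a NULL through unchanged. The helper would also benefit from a short comment stating that the returned copy is owned by mem_ctx and that NULL means failure.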