[Samba] Starting S4 in production

2013-02-11 Thread Hervé Hénoch

Hello,

I would try to migrate S3 to S4 in production, but these messages (in 
bold) block me from doing this. I can authenticate users and computers, though! 
So what do they mean?


Regards


root@vspdc:~# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/smb3/varlib --dns-backend=BIND9_DLZ --use-xattrs=yes --realm=sc.isc84.org /root/smb3/etc/smb.conf

Reading smb.conf
Provisioning
Exporting account policy
Exporting groups
*Severe DB error, sambaSamAccount can't miss the samba SIDattribute*
Ignoring group 'Domain Users' S-1-5-21-1031258178-388409940-3248586695-513 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
*Ignoring group 'Administrators' S-1-5-32-544 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Account Operators' S-1-5-32-548 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Print Operators' S-1-5-32-550 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Backup Operators' S-1-5-32-551 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Replicators' S-1-5-32-552 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)*

Exporting users
Could not convert  S-1-5-21-1031258178-388409940-3248586695-5444 to SID
  Skipping wellknown rid=500 (for username=root)
Ignoring group memberships of 'nobody' S-1-5-21-1031258178-388409940-3248586695-2998: Unable to enumerate group memberships, *(-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)*



--

Hervé Hénoch
Responsable informatique
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005 --- 84918 AVIGNON cedex 9
Téléphone : 04.90.27.57.44
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] file server

2013-02-11 Thread Ali Bendriss
Hello,

I am using samba4 as AD DC and file sharing.
I would like to setup a dedicated file server cluster on 2 nodes using ctdb to 
separate the role (authentication/file sharing), and join the cluster to the 
domain.

I am not clear on which version of samba I should use for the file server 
cluster: latest samba 3 + krb5 or latest samba 4 (using smbd and winbindd)?
Both accept the clustering option --with-cluster-support.

thanks

--
Ali 


[Samba] S3 as domain member with S4

2013-02-11 Thread Hervé Hénoch

Hello

How to set a S3 file server as a domain member with a S4 PDC server ?

Regards

--

Hervé Hénoch
Responsable informatique
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005 — 84918 AVIGNON cedex 9
Téléphone : 04.90.27.57.44


Re: [Samba] S3 as domain member with S4

2013-02-11 Thread Dewayne Geraghty
 -Original Message-
 From: samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Hervé Hénoch
 Sent: Monday, 11 February 2013 9:00 PM
 To: samba-liste
 Subject: [Samba] S3 as domain member with S4
 
 Hello
 
 How to set a S3 file server as a domain member with a S4 PDC server ?
 
 Regards
 
 -- 
 
 Hervé Hénoch
 Responsable informatique
 Institut Sainte Catherine
 250 chemin de Baigne-Pieds
 CS 80005 — 84918 AVIGNON cedex 9
 Téléphone : 04.90.27.57.44
 

Treat it in a manner similar to a Windows AD DC. I'm doing the same because the 
Samba3 smbd is less than 1/10 the memory footprint of the samba4 smbd. You will 
need to include --with-ads when you build your samba3 fileserver, and change 
smb.conf to use
 security = ADS

I think it's also important to keep in mind the different language.  Samba4 
provides a much more sophisticated, feature-full Active Directory Domain 
Controller (AD DC), whilst Samba3 provided a Primary Domain Controller (PDC).

Ref: 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

Regards, Dewayne.



Re: [Samba] Starting S4 in production

2013-02-11 Thread Andrew Bartlett
On Mon, 2013-02-11 at 09:54 +0100, Hervé Hénoch wrote:
 Hello,
 
 I would try to migrate S3 to S4 in production but these messages (in 
 bold) blocks me to do this. I can authenticate users et computers yet !, 
 So what does they mean ?
 
 Regards
 
 
 root@vspdc:~# /usr/local/samba/bin/samba-tool domain classicupgrade 
 --dbdir=/root/smb3/varlib  --dns-backend=BIND9_DLZ --use-xattrs=yes  
 --realm=sc.isc84.org /root/smb3/etc/smb.conf
 Reading smb.conf
 Provisioning
 Exporting account policy
 Exporting groups
 *Severe DB error, sambaSamAccount can't miss the samba SIDattribute*
 Ignoring group 'Domain Users' 
 S-1-5-21-1031258178-388409940-3248586695-513 listed but then not found: 
 Unable to enumerate group members, 
 (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
 *Ignoring group 'Administrators' S-1-5-32-544 listed but then not found: 
 Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
 Ignoring group 'Account Operators' S-1-5-32-548 listed but then not 
 found: Unable to enumerate members for alias, 
 (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
 Ignoring group 'Print Operators' S-1-5-32-550 listed but then not found: 
 Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
 Ignoring group 'Backup Operators' S-1-5-32-551 listed but then not 
 found: Unable to enumerate members for alias, 
 (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
 Ignoring group 'Replicators' S-1-5-32-552 listed but then not found: 
 Unable to enumerate members for alias, 
 (-1073741487,NT_STATUS_NO_SUCH_ALIAS)*
 Exporting users
 Could not convert  S-1-5-21-1031258178-388409940-3248586695-5444 to SID
Skipping wellknown rid=500 (for username=root)
 Ignoring group memberships of 'nobody' 
 S-1-5-21-1031258178-388409940-3248586695-2998: Unable to enumerate group 
 memberships, *(-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)*

None of these errors are fatal - they are just invalid aspects of your
passdb database that we were able to skip over harmlessly.  For example,
it does not matter that we could not list members of domain users as
users are members of that group via their primary group ID.   Similarly,
as we already recreate the administrator account, the domain
administrators group and the administrators alias, these being incorrect
in your passdb is harmless.

We skipped importing 'root' as we created a new 'administrator' account
instead, and used the 'root' password.

Even the 'missing sambaSID attribute' error can't be too much of a
problem, as this cannot have been a working part of your existing domain
anyway.

If you have problems with your upgraded DC, diagnose them from what
errors are directly produced - as the upgrade appears to have progressed
fine!

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
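
The skipped entries discussed in this reply can be collected into a list to review on the upgraded DC. This is an added example, not part of the original thread and not Samba code: it re-joins mail-wrapped classicupgrade output, converts the signed status values to the usual 32-bit NTSTATUS form, and lists the groups and accounts whose memberships were not imported. The function names and the embedded sample (lines copied from the output quoted above) are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the classicupgrade output quoted in
# this thread, still wrapped the way the mail was wrapped.
SAMPLE = """\
Exporting groups
Severe DB error, sambaSamAccount can't miss the samba SIDattribute
Ignoring group 'Domain Users'
S-1-5-21-1031258178-388409940-3248586695-513 listed but then not found:
Unable to enumerate group members,
(-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
*Ignoring group 'Administrators' S-1-5-32-544 listed but then not found:
Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Backup Operators' S-1-5-32-551 listed but then not
found: Unable to enumerate members for alias,
(-1073741487,NT_STATUS_NO_SUCH_ALIAS)*
Exporting users
Could not convert  S-1-5-21-1031258178-388409940-3248586695-5444 to SID
  Skipping wellknown rid=500 (for username=root)
Ignoring group memberships of 'nobody'
S-1-5-21-1031258178-388409940-3248586695-2998: Unable to enumerate group
memberships, *(-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)*
"""

# "Ignoring group '<name>' <SID> ...: <reason>, (<signed code>,<NT_STATUS name>)"
SKIPPED = re.compile(
    r"Ignoring (group memberships of|group) '([^']+)' (S-1-[\d-]+)"
    r"[^(]*\((-?\d+),(NT_STATUS_\w+)\)")
BAD_SID = re.compile(r"Could not convert (S-1-[\d-]+) to SID")
WELLKNOWN = re.compile(r"Skipping wellknown rid=(\d+) \(for username=([^)]+)\)")


def ntstatus_hex(signed_code):
    """Render the signed 32-bit value from the log in the usual 0xC... form."""
    return "0x%08X" % (signed_code & 0xFFFFFFFF)


def triage(output):
    """Return the entries the upgrade skipped, grouped by kind."""
    # Undo mail line-wrapping and drop the '*' bold markers from the post.
    flat = " ".join(output.replace("*", " ").split())
    skipped = []
    for kind, name, sid, code, status in SKIPPED.findall(flat):
        skipped.append({
            "what": "user" if kind.endswith("of") else "group",
            "name": name,
            "sid": sid,
            # S-1-5-32-* SIDs are BUILTIN aliases, not domain groups.
            "builtin": sid.startswith("S-1-5-32-"),
            "rid": int(sid.rsplit("-", 1)[1]),
            "status": status,
            "code": ntstatus_hex(int(code)),
        })
    return {
        "memberships_not_imported": skipped,
        "unconvertible_sids": BAD_SID.findall(flat),
        "skipped_wellknown": [(int(r), u) for r, u in WELLKNOWN.findall(flat)],
    }


def review_lines(result):
    """One line per skipped entry, for checking memberships after the upgrade."""
    lines = []
    for f in result["memberships_not_imported"]:
        scope = "builtin alias" if f["builtin"] else "domain"
        lines.append("%-5s %-18s rid=%-5d %-13s %s %s" % (
            f["what"], f["name"], f["rid"], scope, f["code"], f["status"]))
    for sid in result["unconvertible_sids"]:
        lines.append("sid   %s could not be converted" % sid)
    for rid, user in result["skipped_wellknown"]:
        lines.append("user  %s skipped (well-known rid=%d)" % (user, rid))
    return lines


if __name__ == "__main__":
    print("\n".join(review_lines(triage(SAMPLE))))
```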



Re: [Samba] file server

2013-02-11 Thread Andrew Bartlett
On Mon, 2013-02-11 at 10:53 +0100, Ali Bendriss wrote:
 Hello,
 
 I am using samba4 as AD DC and file sharing.
 I would like to setup a dedicated file server cluster on 2 nodes using ctdb 
 to 
 separate the role (authentication/file sharing), and join the cluster to the 
 domain.
 
 I am not clear on which version of samba I sould use for the file server 
 cluster : latest samba 3 + krb5 or latest samba 4 (using smbd and winbindd) ?
 both accept the clustering option --with-cluster-support.

You may use whichever you feel comfortable with.  The Samba 4.0 release
is our latest production release of Samba, and all features found in
Samba 3.6 are present, except for the very few that we announced as
deprecated.  This includes CTDB support. 

I'm glad to hear you wish to separate your file server from your DC.
This is a good choice, and allows you to choose the version of Samba to
use on both independently. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] S3 as domain member with S4

2013-02-11 Thread Andrew Bartlett
On Mon, 2013-02-11 at 11:00 +0100, Hervé Hénoch wrote:
 Hello
 
 How to set a S3 file server as a domain member with a S4 PDC server ?

You can join Samba 3.x or Samba 4.0 as a domain member of a Samba 4.0 AD
DC in the same way you would join any other AD domain, e.g. 'net ads
join'.

See
https://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Strange winbindd messages

2013-02-11 Thread Andrew Bartlett
On Fri, 2013-02-08 at 11:50 -0500, John Center wrote:
 Hi Andrew,
 
 Thanks for getting back to me.
 
 On 02/07/2013 04:52 PM, Andrew Bartlett wrote:
  On Fri, 2013-02-08 at 08:43 +1100, Andrew Bartlett wrote:
  On Wed, 2013-01-23 at 11:59 -0500, John Center wrote:
  Hi,
 
  We are running samba v3.6.3 on Ubuntu 12.04 server.  This is being used
  with FreeRADIUS for wireless authentication with AD.  We just logged a
  set of messages from winbindd that I don't understand:
 
  Jan 23 10:35:28 as3 winbindd[25371]: [2013/01/23 10:35:28.056846,  0]
  rpc_client/cli_netlogon.c:677(rpccli_netlogon_set_trust_password)
  Jan 23 10:35:28 as3 winbindd[25371]:   dcerpc_netr_ServerPasswordSet{2}
  failed: NT code 0xc2a5
  Jan 23 10:35:28 as3 winbindd[26636]: [2013/01/23 10:35:28.105143,  0]
  rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
  Jan 23 10:35:28 as3 winbindd[26636]:   credentials chain check failed
  Jan 23 10:35:28 as3 winbindd[25518]: [2013/01/23 10:35:28.310288,  0]
  rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
  Jan 23 10:35:28 as3 winbindd[25518]:   credentials chain check failed
  Jan 23 10:36:28 as3 winbindd[25371]: [2013/01/23 10:36:28.121861,  0]
  rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
  Jan 23 10:36:28 as3 winbindd[25371]:   credentials chain check failed
 
  Authentications went through ok at 10:35:23 & again at 10:35:29.  We
  haven't seen them before,  searching, I couldn't find much info.  What
  do these messages mean?  What would have caused them?  Do we need to be
  concerned?  Any help would be greatly appreciated.
 
  What is happening here is that we are trying and failing to change our
  machine account password.  Can you try Samba 3.6.12 and see if the
  changes in the meantime have fixed this?
 
 Can winbindd change the machine account password?  This isn't being done 
 by us manually.

Yes, it will do that every now and then.  (I don't recall the frequency
exactly). 

  Looking into this some more these links suggest a server-side error:
  http://www.tek-tips.com/viewthread.cfm?qid=1487092
  http://support.microsoft.com/kb/306091/en-us
 
 Looking at these links, are you suggesting that the DC database is being 
 locked at this point in time, so when an auth request is being made, it 
 fails?

I don't really know what is going on, but it suggests a plausible reason
why this might fail.  The issue seems to me to be related to machine
account changes, not authentication. 

  Is there anything in the server event log to match this error?
 
 I'm trying to get access to the DC event logs to look into this.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] NTLM autentication problems

2013-02-11 Thread Andrew Bartlett
On Fri, 2013-02-08 at 11:30 -0200, Natália Vaz wrote:
 I'm trying to configure Squid ntlm authentication on Samba4 DC. I followed
 Squid and Samba's documentation and I got success when I login with user
 natalia.silva, but if I log with natalia.vaz I get the error

We would need much more detail than that.  Do you mean to say that you
can only log in as the user's samAccountName, but not as a
userPrincipalName?

Currently, for NTLM authentication, we only accept samAccountName
values.  This may be a bug - if Windows behaves differently, I'm very
happy to fix it.  If so, please file a bug in bugzilla.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] Classicupgrade not work

2013-02-11 Thread Jonis Maurin Ceará
I'm trying to convert my samba3 domain to samba4 AD with samba-tool,
but I'm getting an error and I can't find anything about it on
Google.

I've enabled log level 4 in smb.conf and here's what I got:

Home server: PANDORA
init_sam_from_ldap: Entry found for user: DIRET-ESTAG$
Home server: PANDORA
init_sam_from_ldap: Entry found for user: dsegato
Home server: PANDORA
init_sam_from_ldap: Entry found for user: lesley
Home server: PANDORA
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'passdb.Samu' object has no attribute 'acct_flags'
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 722, in upgrade_from_samba3
    % (user.acct_flags, username,
[


I've copied my .tdb files to a new test server. Also, I'm using the
ldap backend on s3.


Re: [Samba] S3 as domain member with S4

2013-02-11 Thread Hervé Hénoch

Thanks

I've followed the document and I can see the server included in the AD. 
But I have the following error:


net  join -Uadministrateur
Using short domain name -- SC
Joined 'SSC011' to realm 'sc.isc84.org'
*DNS Update for ssc011.sc.isc84.org failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!*

Moreover, I can't access my server from a Windows box with \\ssc011 
(the name of my server).


Regards


--

Hervé Hénoch
Responsable informatique
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005 --- 84918 AVIGNON cedex 9
Téléphone : 04.90.27.57.44


Re: [Samba] Classicupgrade not work

2013-02-11 Thread Thomas Simmons
Have you tried deleting the 'lesley' user before performing the upgrade?
The error says that user has no acct_flags. You could try locking and
unlocking this account before the upgrade. Maybe that will create the
acct_flags attribute if it really doesn't exist? I had to delete one
computer from my S3 domain before performing the upgrade because the
upgrade kept failing while processing that specific entry.

Thanks,
Thomas




Re: [Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-11 Thread Kinglok, Fong
Dear all,

I have created another test case for the problem.

Rather than testing in domU, running Debian Wheezy, I have constructed another 
machine without running xen and installed with Debian squeeze.

I have successfully set up samba 4.0.3 and created a folder called 
$BCf9AL7=b(B in share named test.  And I have used convmv to make sure 
the name is in UTF-8

root@file:/home/test# convmv * -t utf8
Your Perl version has fleas #37757 #49830 
Starting a dry run without changes...
Skipping, already UTF-8: ./$BCf9AL7=b(B
No changes to your files done. Use --notest to finally rename the files.



When I issue a command:
/usr/local/samba/bin/smbclient //localhost/test 
-UAdministrator%'verysecurepassword' -c 'ls'

The log.smbd with log level = 3 is as follows: (the same conversion error!)
=
[2013/02/11 22:19:15.472365,  3] ../source3/smbd/vfs.c:1118(check_reduced_name)
  check_reduced_name [*] [/home/test]
[2013/02/11 22:19:15.472461,  3] ../source3/smbd/vfs.c:1248(check_reduced_name)
  check_reduced_name: * reduced to /home/test/*
[2013/02/11 22:19:15.472597,  3] ../source3/smbd/dir.c:663(dptr_create)
  creating new dirptr 256 for path ., expect_close = 1
[2013/02/11 22:19:15.472886,  3] 
../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
  Could not fetch share entry
[2013/02/11 22:19:15.472956,  3] 
../source3/smbd/dir.c:1136(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found ./. fname=. (.)
[2013/02/11 22:19:15.473110,  3] 
../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
  Could not fetch share entry
[2013/02/11 22:19:15.473173,  3] 
../source3/smbd/dir.c:1136(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found ./.. fname=.. (..)
[2013/02/11 22:19:15.473285,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+#1$(C!)$(D)A14+.(B9f9b$(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473347,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D1$(C!)$(D)A14+.(B9f9b$(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473404,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(C!)$(D)A14+.(B9f9b$(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473462,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D)A14+.(B9f9b$(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473535,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D14+.(B9f9b$(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473592,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D4+.(B9f9b$(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473649,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+.(B9f9b$(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473705,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(9f9b$(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473762,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(9b$(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473819,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+.(B9b$(C(z(B)
[2013/02/11 22:19:15.473875,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(9b$(C(z(B)
[2013/02/11 22:19:15.473964,  3] 
../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
  Could not fetch share entry
==

the smb.conf
==
# Global parameters
[global]
workgroup = PLKLSP2
realm = SAMBA4.PLKLSP.EDU.HK
netbios name = FILE
server role = active directory domain controller
dns forwarder = 192.168.107.1
log level = 3

[netlogon]
path = /usr/local/samba/var/locks/sysvol/samba4.plklsp.edu.hk/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[test]
path = /home/test
read only = No



As far as I know, I think the conversion error is not caused by Xen or the 
Debian version.

How can I offer more help for testing / debugging this 

Re: [Samba] S3 as domain member with S4

2013-02-11 Thread Hervé Hénoch

Thanks

I've followed the document and I can see the server included in the AD. 
But I have the following error when running the following command:


 net  join -Uadministrateur
Using short domain name -- SC
Joined 'SSC011' to realm 'sc.isc84.org'
*DNS Update for ssc011.sc.isc84.org failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!*

Moreover, I can't access my server from a Windows box with \\ssc011 
(the name of my server).


My /etc/hosts

127.0.0.1       ssc011.sc.isc84.org ssc011 localhost
192.168.77.4    ssc011.sc.isc84.org ssc011
192.168.77.1    vspdc.sc.isc84.org vspdc

sc is the samba3 domain
192.168.77.1 - is the samba4 PDC
192.168.77.4 - is the samba 3.6 file server which has the name ssc011


Regards



--

Hervé Hénoch
Responsable informatique
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005 — 84918 AVIGNON cedex 9
Téléphone : 04.90.27.57.44

Re: [Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-11 Thread TAKAHASHI Motonobu
From: Kinglok, Fong busywa...@gmail.com
Date: Sun, 10 Feb 2013 09:40:49 +0800

 Thank you for your help but…
 
 I execute some commands to make sure the locale is in UTF-8 by
 dpkg-reconfigure locales and even adding setting in /etc/environment
 
 and using utility like convmv to turn all file and folder into UTF-8 (in 
 fact, they were in UTF-8 already.)
 
 I add option in smb.conf
 unix charset = UTF8
 dos charset is omitted as default (dos charset = CP850)
 
 However, when I run
 /usr/local/samba/bin/smbclient //localhost/Public 
 -UAdministrator%'verysecurepasswd' -c 'ls'
 
 The same error in my log floods……

No, you have to set 'dos charset' parameter correctly. In my Japanese
environment, same errors occur unless I set dos charset = CP932, which
means Japanese. It seems that you use Chinese.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo 
   facebook.com/takahashi.motonobu



[Samba] DNS problem

2013-02-11 Thread felix

A records added manually get the answer: unknown host.

No matter how they are added. I tried using MMC and samba-tool. I can see
them in MMC and with samba-tool, but when I do tests against my samba server
using ping or nslookup the answer is unknown host.

It has happened since I moved my samba container (I'm using proxmox) from one
server to another, both HP ProLiant.

I guess it has something to do with keys.

I'm using:
samba Version 4.1.0pre1-GIT-UNKNOWN
bind9.9.1-P1
ntp-4.2.6p5

Any help will be really appreciated!

Felix.



[Samba] Samba 4 : File server

2013-02-11 Thread BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI

Hi !

I have installed a DC with samba-tool command and it works perfectly !

Control AD with the 2003 tools is very amazing, thanks for the job !

So, my next step is to install a file server as a member of the AD and 
not as a DC


I read this one carefully: 
https://wiki.samba.org/index.php/Samba4/Domain_Member


Compiling samba :

  * ./configure --with-ads --with-shared-modules=idmap_ad --enable-debug --enable-selftest --prefix=/samba


First of all, why --with-ads? Is it not the default feature?

  * make
  * make install

The krb5.conf was filled with this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DDCS67.INTRA
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

What is appsection? It is not necessary in a DC which shares a 
directory. But why not.


After that, the smb.conf

I was wondering that the smb.conf must be filled in by hand. For the DC, 
running the samba-tool command will generate a smb.conf. Before doing this I 
searched the options of samba-tool and I found this:


samba-tool domain join DDCS67  --realm=DDCS67.intra -U Administrator
Password for [WORKGROUP\Administrator]:
Joined domain DDCS67 (S-1-5-21-1814795784-576591386-2449700327)

Fine, the domain is joined!! And the server appears as a Computer in the 
MMC. Good!


Let's run /samba/sbin/samba

The logs are:
At this time the 'samba' binary should only be used for either: 'server 
role = active directory domain controller' or to access the ntvfs file 
server with 'server services = +smb' or the rpc proxy with 'dcerpc 
endpoint servers = remote'
You should start smbd/nmbd/winbindd instead for domain member and 
standalone file server tasks


Is it me, or did I read that the ntvfs is deprecated?

So I run the /samba/sbin/smbd, but with no smb.conf the server does not start

Testparm gives me:
Load smb config files from /samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:OpenConfFile() - Unable to open configuration file 
/samba/etc/smb.conf:


Can I generate a valid smb.conf for a member with samba-tool?

Regards

Franck Botz


Re: [Samba] Unable to re-connect to roaming profile in samba4

2013-02-11 Thread Nick Semenkovich
In case this helps anyone else with this issue:

Both these problems were resolved by switching from the Ubuntu/Debian
package (4.0.0+dfsg1-1) to the current git head (c932b139c8).

- Nick

On Fri, Feb 8, 2013 at 7:22 PM, Nick Semenkovich seme...@syndetics.net wrote:
 Still can't figure this out.

 The client-side logs show two entries:

 1. The error in the first message The processing of Group Policy failed.

 2. A DNS processing failure:
 The system failed to register host (A or ) resource records
 (RRs) for network adapter with settings ...

 At debug level 5, Samba4 shows no DNS problems, and says Got a dns
 update request. All updates allowed. http://pastebin.com/fYrd9F1W


 - Nick


 On Thu, Feb 7, 2013 at 8:59 PM, Nick Semenkovich seme...@syndetics.net 
 wrote:
 I've just configured Samba4 on Ubuntu (4.0.0+dfsg1-1), and can't seem
 to get roaming profiles working (I followed the guide at
 https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO )

 1. Logons work just fine.
 2. DNS is configured and working, running through SAMBA_INTERNAL
 3. Clients can talk to the server and see/access shares at
 \\server.corp.domain.com
 4. Clients are all Windows 8 and NTP time synced
 5. Permissions seem OK (the profiles directory is currently chmod
 777 -- without that, only the Administrator seemed to be able to
 create their own profile ...)
 6. General users can log in/out (which creates a profile, if profiles
 is chmod 777) but a subsequent login can't access it, with a generic
 Windows 8 roaming profile error.

 Not really sure where to go from here. I've tried:
 - Rebuilding the domain & re-joining machines
 - Ultra-lax permissions
 - Adding users via the samba-tool versus AD tools in Windows

 At client logon, the samba4 logs (with a debug level of 4) show a collection 
 of:

 Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
 single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]

 and a few

 Terminating connection - 'kdc_tcp_call_loop:
 tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
 single_terminate: reason[kdc_tcp_call_loop:
 tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

 (Not sure if they're related)


 Notably, the client machines (all on Win 8) show nearly nothing in the
 Event Log, except a Group Policy failure:
 
 The processing of Group Policy failed. Windows attempted to read the
 file 
 \\corp.domain.com\sysvol\corp.domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
 from a domain controller and was not successful. Group Policy settings
 may not be applied until this event is resolved. This issue may be
 transient and could be caused by one or more of the following:
 a) Name Resolution/Network Connectivity to the current domain controller.
 b) File Replication Service Latency (a file created on another domain
 controller has not replicated to the current domain controller).
 c) The Distributed File System (DFS) client has been disabled.
 

 (Manually connecting to that gpt.ini file works perfectly)



 Not really sure what's going on here. The only oddities I see are:
 * I can't get the old add user script function to work.
 As a result, client usernames seem to just have a UID on the linux
 side (their profiles show up as: drwxr-xr-x 14 315 users 4.0K Feb
 7 20:34 test.V2)
 Any way around that?
 * When profiles are created, they're appended with .V2 -- Do I need
 to add .V2 to the profile path setting, e.g. %USERNAME%.V2? (I can't
 imagine that's the case ...)


 I've pasted my smb.conf to: http://pastebin.com/DQDkGxsv

 Any advice?


 Thanks!
 Nick
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] BDC Rejecting auth request from client + Windows 7

2013-02-11 Thread David Noriega
We are at a university and have no control over the network, thus I made
the BDC use a dynamic ip so it's on the same subnet as the clients.

The PDC is running Samba v 3.5.10-125(Centos 6.3) and the BDC is
3.5.19-44(Centos 5.8)

Both servers use the same LDAP server.

pdbedit does show the same accounts on both servers.

Here is my smb.conf for the PDC:
[global]
workgroup = 
netbios name = 
server string = PDC %v
encrypt passwords = yes
#enable privileges = yes
passdb backend = ldapsam:ldap://x.x.x.x
ldapsam:trusted = yes
domain master = yes
preferred master = yes
local master = yes
os level = 255
dns proxy = yes
wins support = yes
name resolve order = host wins lmhosts bcast
domain logons = yes
client ntlmv2 auth = yes
loglevel = 3
log file = /var/log/samba/log.%m
syslog = 0
time server = yes
ldap suffix = dc=x,dc=x,dc=x
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
logon path = \\%L\profiles\%U
logon script = netlogon.bat
time server = Yes
deadtime = 10
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   add machine script = /usr/sbin/smbldap-useradd -w %u
   case sensitive = No
   dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
   printcap name = /etc/printcap
   load printers = no
   interfaces = eth0
   bind interfaces only = yes

And for the BDC:
[global]
workgroup = 
netbios name = BDC
server string = BDC %v
encrypt passwords = yes
enable privileges = yes
passdb backend = ldapsam:ldap://pavlov.cbi.utsa.edu
ldapsam:trusted = yes
domain master = no
client ntlmv2 auth = yes
local master = yes
preferred master = yes
os level = 50
dns proxy = no
wins server = x.x.x.x
domain logons = yes
loglevel = 3
log file = /var/log/samba/log.%m
syslog = 0
time server = yes
ldap suffix = dc=x,dc=x,dc=x
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
logon path = 
logon script = netlogon.bat
remote announce = x.x.x.x/
remote browse sync = x.x.x.x
printcap name = /etc/printcap
load printers = no
interfaces = eth2
bind interfaces only = yes
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u


On Fri, Feb 8, 2013 at 2:34 PM, Gaiseric Vandal
gaiseric.van...@gmail.com wrote:

 I don't quite understand - why does the BDC have a dynamic IP address?  Or
 have I misunderstood?   The DHCP server can provide the IP of the WINS
 servers to DHCP clients.  Are the XP and Win 7 workstations on a separate
 subnet than the servers?

 What version are the samba servers?  Do both samba servers point to a
 single LDAP server or do they each have their own LDAP server in
 replication?  Does pdbedit -Lv show the same accounts on each DC?
 Is it possible that the Windows 7 machine accounts have not replicated to
 the BDC?

 Have you specified the ports in the smb.conf file - by default samba uses
 ports 137, 138, and 445.  In theory you can disable port 445 (it reduces
 some of the transport warnings) but I find that causes problems with name
 resolution when a router or vpn is involved.   So better off just sticking
 with the defaults.


 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 On Behalf Of David Noriega
 Sent: Friday, February 08, 2013 1:56 PM
 To: samba@lists.samba.org
 Subject: [Samba] BDC Rejecting auth request from client + Windows 7

 Just some background: In our environment, 

[Samba] Windows 7 against Samba+LDAP does not work with some passwords

2013-02-11 Thread Ivan Strohner
Dear all,

I have installed Samba (3.6.6) on Debian wheezy and configured it to
authenticate against LDAP (encrypted passwords, no lanman). I want
simple shares with user security. I have configured PAM/NSS from the
same LDAP and it works fine.

WinXP works fine, smbclient works fine, but Windows 7 only works for
SOME passwords. Some work, some do not.

Samba is configured with restricted LDAP bind dn, but should see all
attributes (except for the userPassword attribute, which is not used by
samba afaik). During setup I have provided it with administrator LDAP
access to populate some basic data and to see exactly how users are
defined, but I have removed the populated samba groups from LDAP, since
we do not use Samba as domain server.

I set the password in sambaNTPassword attribute in LDAP. I have tried
with the following password examples:

ist (password matching login name): it works
  hash stored in LDAP: 96AF2AA9537DCF6C6DF9E4D347BF5E12
other primitive passwords, such as IST, ist123, istist work as well
but password such as:
T8h0KmJ3 does not work
  hash: EB2EF7BFBA2396D001A4774D21C936C5

In Windows XP or by smbclient every password works.

I have done a few tweaks of Windows 7:
 * Local Policies - Security Options - Network Security: LAN Manager
   authentication level - Send LM & NTLM - use NTLMv2 session security if
   negotiated
 * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters:
   DomainCompatibilityMode (1), DNSNameResolutionRequired (0)
 * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters:
   RequireSignOrSeal (1), RequireStrongKey (1)

If needed I can provide some packet dumps.

Thanks in advance for any help,
Ivan


I am including:

My samba configuration:

--- 8 ---
[global]

   workgroup = DIGITALSYSTEMS
   netbios name = FILE1
   server string = File Server
   domain logons = no
   domain master = no
   wins support = no

   dns proxy = no
   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   pam password change = yes

   unix password sync = no
   ldap password sync = no

   load printers = no
   printing = cups
   printcap name = cups

   passdb backend = ldapsam:ldaps://ldap.isvc.dsnet:636/
   ldap ssl = no
   ldap suffix = o=digitalsystems
   ldap admin dn = cn=file,ou=systems,o=digitalsystems

   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=idmap

   add user script = /usr/sbin/smbldap-useradd -m '%u'
   delete user script = /usr/sbin/smbldap-userdel %u
   add group script = /usr/sbin/smbldap-groupadd -p '%g'
   delete group script = /usr/sbin/smbldap-groupdel '%g'
   add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
   delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
   set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
   add machine script = /usr/sbin/smbldap-useradd -w '%u'

   security = user
   lanman auth = no
   ntlm auth = Yes
   encrypt passwords = true
--- 8 ---

Negative authentication log (the point seems to be NT MD4 password
check failed for user).

--- 8 ---
[2013/02/11 18:11:45.199144,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[coruscant]\[ist]@[CORUSCANT] with the new password interface
[2013/02/11 18:11:45.199179,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [FILE1]\[ist]@[CORUSCANT]
[2013/02/11 18:11:45.199835,  2] lib/smbldap.c:1018(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2013/02/11 18:11:45.205532,  3] lib/smbldap.c:1240(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2013/02/11 18:11:45.206169,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: ist
[2013/02/11 18:11:45.207028,  2]
passdb/pdb_ldap.c:2427(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1012
[2013/02/11 18:11:45.208209,  2]
passdb/pdb_ldap.c:2427(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1012
[2013/02/11 18:11:45.208358,  3]
../libcli/auth/ntlm_check.c:413(ntlm_password_check)
  ntlm_password_check: NT MD4 password check failed for user ist
[2013/02/11 18:11:45.208765,  2] passdb/pdb_ldap.c:1180(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: ist
[2013/02/11 18:11:45.208813,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [ist] - [ist] FAILED
with error NT_STATUS_WRONG_PASSWORD
[2013/02/11 18:11:45.208849,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2013/02/11 18:11:45.212611,  3] smbd/process.c:1662(process_smb)
  Transaction 3 of length 142 (0 toread)
[2013/02/11 18:11:45.212644,  3] smbd/process.c:1467(switch_message)
  switch message 

Re: [Samba] DNS problem

2013-02-11 Thread Thomas Simmons
Have you checked the samba log for errors? Did you create the necessary
firewall exceptions on the new server? Have you ensured there is nothing
conflicting with the ports required for BIND? Can you install dig on the
server and see what it reports?


On Mon, Feb 11, 2013 at 10:56 AM, fe...@epepm.cupet.cu wrote:


 A records added manually get the answer: unknown host.

 No matter how they are added. I tried using MMC and samba-tool. I can see
 them in MMC and with samba-tool, but when I do tests again my samba server
 using ping or nslookup the answer is unknown host.

 It happens since I moved my samba container (I'm using proxmox) from a
 server to another. both hp proliant.

 I guess it has something to do with keys.

 I´m using:
 samba Version 4.1.0pre1-GIT-UNKNOWN
 bind9.9.1-P1
 ntp-4.2.6p5

 Any help will be really appreciated!

 Felix.



[Samba] Samba4: Extending the Schema

2013-02-11 Thread Varoujan Avanessians
Hi

We are thinking of Developing a corporate Directory application that would
pull user information from Samba4 AD. However for our needs we need some
additional User attributes that don't seem to be available as part of the
AD-schema, such as Hire Date or Emergency contact information, so it
seems to me that I would need to Extend the Schema to make these user
attributes available. My question is: Can this be done? and if so has
anyone done something similar and can direct me to the right place for
information? Any help is greatly appreciated.

-- 
Varouj (V.J.) Avanessians | Sr. Linux Sys Administrator | ACCO Engineered
Systems
6265 San Fernando Rd | Glendale, California | 91201-2214
(818)-730-5846 Mobile | (818)-244-6571 Main


Re: [Samba] Samba4: Extending the Schema

2013-02-11 Thread Gémes Géza

On 2013-02-11 at 20:04, Varoujan Avanessians wrote:

Hi

We are thinking of Developing a corporate Directory application that would
pull user information from Samba4 AD. However for our needs we need some
additional User attributes that don't seem to be available as part of the
AD-schema, such as Hire Date or Emergency contact information, so it
seems to me that I would need to Extend the Schema to make these user
attributes available. My question is: Can this be done? and if so has
anyone done something similar and can direct me to the right place for
information? Any help is greatly appreciated.


Hi,

As a jump-start: https://wiki.samba.org/index.php/Samba4/Schema_extenstions

Regards

Geza Gemes


Re: [Samba] Samba4: Extending the Schema

2013-02-11 Thread Bob Miller

On Mon, 2013-02-11 at 20:11 +0100, Gémes Géza wrote:
 On 2013-02-11 at 20:04, Varoujan Avanessians wrote:
  Hi
 
  We are thinking of Developing a corporate Directory application that would
  pull user information from Samba4 AD. However for our needs we need some
  additional User attributes that don't seem to be available as part of the
  AD-schema, such as Hire Date or Emergency contact information, so it
  seems to me that I would need to Extend the Schema to make these user
  attributes available. My question is: Can this be done? and if so has
  anyone done something similar and can direct me to the right place for
  information? Any help is greatly appreciated.
 
 Hi,
 
 As a jump-start: https://wiki.samba.org/index.php/Samba4/Schema_extenstions
 
 Regards
 
 Geza Gemes

One thing that is not on that page that I found useful was the schema
snap in.  Google will show you how to enable it.  It is very labour
intensive if you are going to be adding tens or hundreds of attributes,
but for adding two or three attributes, I found it much faster and
easier to use than ldifs.



Re: [Samba] Samba 4 : File server

2013-02-11 Thread Andrew Bartlett
On Mon, 2013-02-11 at 16:54 +0100, BOTZ Franck (Informaticien) - DDT
67/SG/MGI/CI wrote:
 Hi !
 
 I have installed a DC with samba-tool command and it works perfectly !
 
 Control AD with the 2003 tools is very amazing, thanks for the job !
 
 So, my next step is to install a file server as a member of the AD and 
 not as a DC
 
 I read this one carefully:
 https://wiki.samba.org/index.php/Samba4/Domain_Member
 
 Compiling samba :
 
* ./configure --with-ads --with-shared-modules=idmap_ad 
 --enable-debug --enable-selftest --prefix=/samba
 
 First of all why --with-ads ? It is not the default feature ?

It is, but what this changes is that the compile will fail (prompting
you to install some development headers, typically) if the right things
are not found.  This is very helpful, and long ago I promised to make
that the default behaviour.  Sadly I never got around to it. 

* make
* make install
 
 The krb5.conf was filled with this:
 
 [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log
 
 [libdefaults]
   default_realm = DDCS67.INTRA
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   forwardable = yes
 
 [appdefaults]
   pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
   }
 
 What is appsection? It is not necessary in a DC which is sharing a 
 directory. But why not.
 
 After that, the smb.conf
 
 I was wondering whether the smb.conf must be filled in by hand. For the DC, 
 running the samba-tool command will generate a smb.conf. Before doing this I 
 searched the options of samba-tool and I found this:
 
 samba-tool domain join DDCS67  --realm=DDCS67.intra -U Administrator
 Password for [WORKGROUP\Administrator]:
 Joined domain DDCS67 (S-1-5-21-1814795784-576591386-2449700327)
 
 Fine, the domain is joined!! And the server appears as a Computer in the 
 MMC. Good!
 
 Let's run /samba/sbin/samba
 
 The log are :
 At this time the 'samba' binary should only be used for either: 'server 
 role = active directory domain controller' or to access the ntvfs file 
 server with 'server services = +smb' or the rpc proxy with 'dcerpc 
 endpoint servers = remote'
 You should start smbd/nmbd/winbindd instead for domain member and 
 standalone file server tasks
 
 Is it me, or did I read that ntvfs is deprecated?
 
 So I run /samba/sbin/smbd, but with no smb.conf the server does not start
 
 Testparm gives me:
 Load smb config files from /samba/etc/smb.conf
 rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
 params.c:OpenConfFile() - Unable to open configuration file 
 /samba/etc/smb.conf:
 
 Can I generate a valid smb.conf for a member with samba-tool?

I do apologise for this not being as integrated as you would expect.
I'm very proud of the new level of ease of use found in 'samba-tool' and
in the AD DC configuration.  Sadly while this command will successfully
join you to the domain, it does not currently generate the smb.conf.

You don't need much, just set:

[global]
 server role = domain member
 workgroup = DDCS67
 realm = DDCS67.intra

BTW, while I've hooked up 'samba-tool' to work, the advertised command
for joining a domain member is 'net ads join'.  We are working to
consolidate the code, but currently it is a different codebase.  From my
understanding however, it also will not generate the smb.conf.

I hope this helps, and feel free to file a bug as fixing this should not
be difficult. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] S3 as domain member with S4

2013-02-11 Thread Dewayne Geraghty
 -Original Message-
 From: samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Hervé Hénoch
 Sent: Tuesday, 12 February 2013 1:31 AM
 To: Andrew Bartlett; samba-liste
 Subject: Re: [Samba] S3 as domain member with S4
 
 Thanks
 
 I've followed the document and i can see in the AD the server 
 included. 
 But I've the following error when doing the following command :
 
   net  join -Uadministrateur
 Using short domain name -- SC
 Joined 'SSC011' to realm 'sc.isc84.org'
 *DNS Update for ssc011.sc.isc84.org failed: 
 ERROR_DNS_INVALID_MESSAGE DNS update failed!*
 
 Moreover I can't access from a Windows box to my server with 
 \\ssc011 (the name of my server).
 
 My /etc/hosts
 
 127.0.0.1       ssc011.sc.isc84.org ssc011 localhost
 192.168.77.4    ssc011.sc.isc84.org ssc011
 192.168.77.1    vspdc.sc.isc84.org vspdc
 
 sc is the samba3 domain
 192.168.77.1 - is the samba4 PDC
 192.168.77.4 - is the samba 3.6 file server which has the 
 name ssc011
 
 
 Regards
 
 On 11/02/2013 12:02, Andrew Bartlett wrote:
  On Mon, 2013-02-11 at 11:00 +0100, Hervé Hénoch wrote:
 
  Hello
 
  How to set a S3 file server as a domain member with a S4 
 PDC server ?
   
  You can join Samba 3.x or Samba 4.0 as a domain member of a 
 Samba 4.0 
  AD DC in the same way you would join any other AD domain.  
 eg 'net ads 
  join.
 
  See
  https://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm
 
 
 
 -- 
 
 Hervé Hénoch
 IT Manager
 Institut Sainte Catherine
 250 chemin de Baigne-Pieds
 CS 80005 — 84918 AVIGNON cedex 9
 Telephone: 04.90.27.57.44


Herve, 
Samba4 provides a lot of features though it does have some prerequisites; 
please review the HowTo, and particularly
https://wiki.samba.org/index.php/Samba4/HOWTO#Step_7:_Configure_DNS noting the 
first line "A working DNS setup is essential to the
correct operation of Samba."

It's a hard road (if you're not familiar with being a Windows Admin) but well 
worth the effort.
Regards, Dewayne.
 



Re: [Samba] Classicupgrade not work

2013-02-11 Thread Jonis Maurin Ceará
I will try this.

Ps. Sorry for sending the same message more than once. I thought my message
was not sending correctly.
On 11/02/2013 11:11, Thomas Simmons twsn...@gmail.com wrote:

 Have you tried deleting the 'lesley' user before performing the upgrade?
 The error says that user has no acct_flags. You could try locking and
 unlocking this account before the upgrade. Maybe that will create the
 acct_flags attribute if it really doesn't exist? I had to delete one
 computer from my S3 domain before performing the upgrade because the
 upgrade kept failing while processing that specific entry.

 Thanks,
 Thomas


 On Mon, Feb 11, 2013 at 7:33 AM, Jonis Maurin Ceará jmce...@gmail.com wrote:

 I'm trying to convert my samba3 domain to samba4 AD with samba-tool,
 but I'm getting an error and I can't find anything about it on
 Google.

 I've enabled the log level 4 on smb.conf and here's what i got:

 Home server: PANDORA
 init_sam_from_ldap: Entry found for user: DIRET-ESTAG$
 Home server: PANDORA
 init_sam_from_ldap: Entry found for user: dsegato
 Home server: PANDORA
 init_sam_from_ldap: Entry found for user: lesley
 Home server: PANDORA
 ERROR(type 'exceptions.AttributeError'): uncaught exception -
 'passdb.Samu' object has no attribute 'acct_flags'
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py,
 line 175, in _run
 return self.run(*args, **kwargs)
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py,
 line 1318, in run
 useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
   File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py,
 line 722, in upgrade_from_samba3
 % (user.acct_flags, username,
 [


 I've copied my .tdb files to a new test server. Also, I'm using
 ldap backend on s3.


Re: [Samba] DNS problem (Solved)

2013-02-11 Thread felix
 Have you checked the samba log for errors? Did you create the necessary
 firewall exceptions on the new server? Have you ensured there is nothing
 conflicting with the ports required for BIND? Can you install dig on the
 server and see what it reports?


 On Mon, Feb 11, 2013 at 10:56 AM, fe...@epepm.cupet.cu wrote:


 A records added manually get the answer: unknown host.

 No matter how they are added. I tried using MMC and samba-tool. I can
 see
 them in MMC and with samba-tool, but when I do tests again my samba
 server
 using ping or nslookup the answer is unknown host.

 It happens since I moved my samba container (I'm using proxmox) from a
 server to another. both hp proliant.

 I guess it has something to do with keys.

 I´m using:
 samba Version 4.1.0pre1-GIT-UNKNOWN
 bind9.9.1-P1
 ntp-4.2.6p5

 Any help will be really appreciated!


Thanks for answering.

Everything is OK after:

/usr/local/samba/sbin/samba_upgradedns --dns-backend=BIND9_DLZ

Felix



[Samba] [PATCH] Fix classicupgrade error message (was Re: Classicupgrade not work)

2013-02-11 Thread Andrew Bartlett
On Mon, 2013-02-11 at 10:33 -0200, Jonis Maurin Ceará wrote:
 I'm trying to convert my samba3 domain to samba4 AD with samba-tool,
 but I'm getting an error and I can't find anything about it on
 Google.
 
 I've enabled the log level 4 on smb.conf and here's what i got:
 
 Home server: PANDORA
 init_sam_from_ldap: Entry found for user: DIRET-ESTAG$
 Home server: PANDORA
 init_sam_from_ldap: Entry found for user: dsegato
 Home server: PANDORA
 init_sam_from_ldap: Entry found for user: lesley
 Home server: PANDORA
 ERROR(type 'exceptions.AttributeError'): uncaught exception -
 'passdb.Samu' object has no attribute 'acct_flags'
   File 
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py,
 line 175, in _run
 return self.run(*args, **kwargs)
   File 
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py,
 line 1318, in run
 useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
   File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py,
 line 722, in upgrade_from_samba3
 % (user.acct_flags, username,
 [
 
 
 I've copied my .tdb files to a new test server. Also, I'm using
 ldap backend on s3.

I do apologise, there is an error in the classicupgrade script which
means that instead of printing an informative error, we print this
backtrace.  

I also attach another fix I've had in my local tree for a while, to fix
the error when we can't find the LDAP secrets. 

Please check this improves the error, and then if someone could review
and/or push this to master I would appreciate it.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

From bc6e7aaa73f52c449006b061c370e6c759c7620a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Tue, 12 Feb 2013 09:20:03 +1100
Subject: [PATCH] samba-tool domain classicupgrade: Fix typo in error path for
 multiple account flags

---
 source4/scripting/python/samba/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index e013d2c..02734cc 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -722,7 +722,7 @@ ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_D
 
 Please fix this account before attempting to upgrade again
 
-% (user.acct_flags, username,
+% (user.acct_ctrl, username,
samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))
 
 userdata[username] = user
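
Review bot: the corrected line `% (user.acct_ctrl, username,` sits in an error branch that has no visible test coverage, and the old `user.acct_flags` name only surfaced as an AttributeError once a real account reached it; please add a test that feeds the upgrade an account which triggers this message so the format arguments are exercised. The message text visible in the hunk header also punctuates the flag letters inconsistently, `(N, 0x%08X)` against `(W 0x%08X)` and `(S 0x%08X)`, which is worth making uniform in the same change.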
-- 
1.7.11.7

From 3d6aaf2b8c8fe15deb400020e4b084071ea98094 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Tue, 15 Jan 2013 21:53:30 +1100
Subject: [PATCH 1/6] samba-tool domain classicupgrade: Print a better error
 when the ldap backend PW was not found

---
 source4/scripting/python/samba/upgrade.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index d680a7c..e013d2c 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -598,7 +598,10 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None,
 if samba3.lp.get(passdb backend).split(:)[0].strip() == ldapsam:
 base_dn =  samba3.lp.get(ldap suffix)
 ldapuser = samba3.lp.get(ldap admin dn)
-ldappass = (secrets_db.get_ldap_bind_pw(ldapuser)).strip('\x00')
+ldappass = secrets_db.get_ldap_bind_pw(ldapuser)
+if ldappass is None:
+raise ProvisioningError(ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s.  Please point this tool at the secrets.tdb that was used by the previous installation.)
+ldappass = ldappass.strip('\x00')
 ldap = True
 else:
 ldapuser = None
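
Review bot: the new ProvisioningError message contains a `%s` placeholder for the user, but the added raise line never applies `% ldapuser`, so the error would print a literal %s instead of the bind DN; append the format argument to the message string. The message line is also far wider than the surrounding code and could be split across adjacent string literals.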
-- 
1.7.11.7


[Samba] S4 Cannot Unlock Account

2013-02-11 Thread Thomas Simmons
I have come across a few accounts (out of 300+) that seem to be locked that
will not unlock. These accounts were migrated from S3. Can someone advise -
what am I missing here?

I've reset the password several times via RSAT, checking the Unlock
Account checkbox, which has not helped. Resetting the user's password via
smbpasswd gives me:

pdb_try_account_unlock: Account dmscott administratively locked out with no
bad password time. Leaving locked out.

When attempting to login to WinXP, Windows states the account is locked out
and log.samba shows:

  Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using
arcfour-hmac-md5
[2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
[2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
  authsam_account_ok: Account for user dmscott@DOMAIN was locked out.

Here is an ldapsearch output. I'm not seeing where/why this account is
locked.

# extended LDIF
#
# LDAPv3
# base cn=Users,dc=internal,dc=domain,dc=com with scope subtree
# filter: sAMAccountName=dmscott
# requesting: ALL
#

# Duser M. Scott, Users, internal.domain.com
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
instanceType: 4
whenCreated: 20121229150147.0Z
uSNCreated: 4317
objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAUVL/+1+4rRK5lRjK88/Q4AAA==
logonCount: 0
sAMAccountName: dmscott
sAMAccountType: 805306368
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
 =com
logonHours:: 
uidNumber: 1436
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/dmscott
gidNumber: 513
msSFU30NisDomain: domain
memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
mail: duser.m.sc...@domain.com
userPrincipalName: dmsc...@internal.domain.com
givenName: Duser
initials: M
sn: Scott
displayName: Duser M. Scott
cn: Duser M. Scott
name: Duser M. Scott
scriptPath: GCS.cmd
lockoutTime: 0
loginShell: /bin/bash
msDS-SupportedEncryptionTypes: 0
userAccountControl: 528
accountExpires: 0
pwdLastSet: 13005098906000
userParameters:
IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
 AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
 BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
 YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
 HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
whenChanged: 20130211233014.0Z
uSNChanged: 8816
distinguishedName: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
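
Decoding the userAccountControl value from the ldapsearch output above shows which flag bits are set on the entry. This is an added example, not part of the original post: the flag table holds the standard Active Directory userAccountControl bit values, while the function names and the trimmed LDIF excerpt (lockout-related attributes only, with objectCategory shown using normal LDIF line folding) are this example's own.

```python
import base64
import re

# Standard Active Directory userAccountControl bit values.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Excerpt of the entry from the post, trimmed to the lockout-related attributes.
SAMPLE_LDIF = """\
# Duser M. Scott, Users, internal.domain.com
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
badPwdCount: 0
badPasswordTime: 0
sAMAccountName: dmscott
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
 =com
lockoutTime: 0
userAccountControl: 528
"""

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?)[ \t]*(.*)$")


def unfold_ldif(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entry(text):
    """Parse one LDIF entry into {lower-cased attribute: [values]}."""
    entry = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        match = ATTR_RE.match(line)
        if not match:
            continue
        name, sep, value = match.groups()
        if sep == "::":  # "attr:: value" means the value is base64-encoded
            value = base64.b64decode(value)
        entry.setdefault(name.lower(), []).append(value)
    return entry


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def lock_report(entry):
    """Collect the attributes that describe an account's lockout state."""
    flags = decode_uac(int(entry["useraccountcontrol"][0]))
    return {
        "account": entry["samaccountname"][0],
        "uac_flags": flags,
        "lockout_bit_set": "LOCKOUT" in flags,
        "lockout_time": int(entry.get("lockouttime", ["0"])[0]),
        "bad_pwd_count": int(entry.get("badpwdcount", ["0"])[0]),
    }


if __name__ == "__main__":
    for key, value in lock_report(parse_entry(SAMPLE_LDIF)).items():
        print("%-16s %s" % (key, value))
```

For the entry in the post, 528 is 0x210: NORMAL_ACCOUNT (0x200) plus LOCKOUT (0x10), while lockoutTime and badPwdCount are both 0.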


[Samba] Wiki link / Attn:samba dev team, web maint..

2013-02-11 Thread Gregory Sloop
The Wiki page has been SSL-only for a few days to a week or so.
[perhaps this is by design, I don't know - but it is different than it
was a week or more ago.]

But the link to it from the main samba.org page is wrong and the suggested
link doesn't get you to the wiki either. [It goes to CIFS.ORG.]

Most of us can find our way - but it probably needs addressing
sometime soon.

-Greg



Re: [Samba] [PATCH] Fix classicupgrade error message (was Re: Classicupgrade not work)

2013-02-11 Thread Jonis Maurin Ceará
Tks Andrew!!
Changes that you've made worked for that problem, but now I got a new
one... and in this one I'm really stuck! Not even a field name.

This is my log (log level 12):

element 32 - now SET
element 33 - now SET
ldapsam_get_account_policy: got valid value from cache
element 19 - now SET
element 15 - now SET
element 16 - now SET
attribute sambaBadPasswordCount does not exist
attribute sambaBadPasswordTime does not exist
attribute sambaLogonHours does not exist
Adding cache entry with key =
IDMAP/SID2XID/S-1-5-21-511255529-1355219746-1726288727-3659 and
timeout = Mon Feb 18 22:58:35 2013
 (604800 seconds ahead)
Adding cache entry with key = IDMAP/UID2SID/1341 and timeout = Mon Feb
18 22:58:35 2013
 (604800 seconds ahead)
gid 1003 - sid S-1-5-21-511255529-1355219746-1726288727-3007
gid 1003 - sid S-1-5-21-511255529-1355219746-1726288727-3007
do lookup_sid(S-1-5-21-511255529-1355219746-1726288727-3007) for group
of user lesley
lookup_sid called for SID 'S-1-5-21-511255529-1355219746-1726288727-3007'
Accepting SID S-1-5-21-511255529-1355219746-1726288727 in level 1
lookup_rids called for domain sid 'S-1-5-21-511255529-1355219746-1726288727'
smbldap_search_ext: base = [ou=Users,dc=fearp,dc=usp,dc=br], filter
= 
[((objectClass=sambaSamAccount)(|(sambaSid=S-1-5-21-511255529-1355219746-1726288727-3007)))],
scope = [2]
smbldap_open: already connected to the LDAP server
smbldap_search_ext: base = [dc=fearp,dc=usp,dc=br], filter =
[((objectClass=sambaGroupMapping)(|(sambaSid=S-1-5-21-511255529-1355219746-1726288727-3007)))],
scope = [2]
smbldap_open: already connected to the LDAP server
Sid S-1-5-21-511255529-1355219746-1726288727-3007 - FEARP\pgrd(2)
Did not store value for
IDMAP/SID2XID/S-1-5-21-511255529-1355219746-1726288727-3007, we
already got it
Did not store value for IDMAP/GID2SID/1003, we already got it
Looking up login cache for user lesley
No cache entry found
No cache entry, bad count = 0, bad time = 0
element 35 - now CHANGED
ERROR(type 'exceptions.TypeError'): uncaught exception - %X format:
a number is required, not str
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py,
line 175, in _run
return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py,
line 1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py,
line 723, in upgrade_from_samba3
samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))
The connection to the LDAP server was closed


2013/2/11 Andrew Bartlett abart...@samba.org:
 On Mon, 2013-02-11 at 10:33 -0200, Jonis Maurin Ceará wrote:
 I'm trying to convert my samba3 domain to samba4 AD with samba-tool,
 but I'm getting an error and I can't find anything about it on
 Google.

 I've enabled the log level 4 on smb.conf and here's what i got:

 Home server: PANDORA
 init_sam_from_ldap: Entry found for user: DIRET-ESTAG$
 Home server: PANDORA
 init_sam_from_ldap: Entry found for user: dsegato
 Home server: PANDORA
 init_sam_from_ldap: Entry found for user: lesley
 Home server: PANDORA
 ERROR(type 'exceptions.AttributeError'): uncaught exception -
 'passdb.Samu' object has no attribute 'acct_flags'
   File 
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py,
 line 175, in _run
 return self.run(*args, **kwargs)
   File 
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py,
 line 1318, in run
 useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
   File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py,
 line 722, in upgrade_from_samba3
 % (user.acct_flags, username,
 [


 I've copied my .tdb files to a new test server. Also, I'm using
 ldap backend on s3.

 I do apologise, there is an error in the classicupgrade script which
 means that instead of printing an informative error, we print this
 backtrace.

 I also attach another fix I've had in my local tree for a while, to fix
 the error when we can't find the LDAP secrets.

 Please check this improves the error, and then if someone could review
 and/or push this to master I would appreciate it.

 Thanks,

 Andrew Bartlett

 --
 Andrew Bartlett                                http://samba.org/~abartlet/
 Authentication Developer, Samba Team           http://samba.org



Re: [Samba] [PATCH] Fix classicupgrade error message (was Re: Classicupgrade not work)

2013-02-11 Thread Andrew Bartlett
On Tue, 2013-02-12 at 00:01 -0200, Jonis Maurin Ceará wrote:
 Tks Andrew!!
 Changes that you've made worked for that problem, but now I got a new
 one... and in this one I'm really stuck! Not even a field name.

Sorry for the noise.  I've fixed it up in this new patch, I hope. 

Revert the previous patch, and then apply this one. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

From 22a1661a8312cbad99eb9fe016db4deefc11a9d1 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Tue, 12 Feb 2013 09:20:03 +1100
Subject: [PATCH] samba-tool domain classicupgrade: Fix typo in error path for
 multiple account flags

---
 source4/scripting/python/samba/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index e013d2c..8371224 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -722,7 +722,7 @@ ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_D
 
 Please fix this account before attempting to upgrade again
 
-% (user.acct_flags, username,
+% (username, user.acct_ctrl,
samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))
 
 userdata[username] = user
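Review bot: the argument tuple on the changed line now starts with username followed by user.acct_ctrl, but the head of the format string lies outside this hunk, so the patch context does not show that its first two placeholders are a %s and then a hex conversion, in that order. The previous revision of this line failed at runtime with "%X format: a number is required, not str", which is exactly that mismatch, so please extend the context to show the whole format string or add a test that drives this error path with an account carrying two type flags. The subject calls this a typo fix, yet the line changes both the attribute name (acct_flags to acct_ctrl) and the argument order; the commit message should say so.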
-- 
1.7.11.7
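
The error path fixed in this thread rejects accounts whose account-control word does not carry exactly one account-type flag. The following is an added example, not Samba's upgrade.py and not part of the posted patch, of running that check over all accounts before an upgrade; the bit values are the SAMR ACB_* flags, while the function names and the account list are constructed for illustration.

```python
# Added example (not Samba's upgrade.py). Bit values are the SAMR ACB_*
# account-control flags; everything else here is constructed for illustration.
ACB_DISABLED = 0x0001
ACB_NORMAL = 0x0010
ACB_DOMTRUST = 0x0040
ACB_WSTRUST = 0x0080
ACB_SVRTRUST = 0x0100
ACB_PWNOEXP = 0x0200

ACCOUNT_TYPES = {
    "ACB_NORMAL": ACB_NORMAL,
    "ACB_WSTRUST": ACB_WSTRUST,
    "ACB_SVRTRUST": ACB_SVRTRUST,
    "ACB_DOMTRUST": ACB_DOMTRUST,
}

# Constructed sample data: (username, account-control word).
SAMPLE_ACCOUNTS = [
    ("alice", ACB_NORMAL | ACB_PWNOEXP),   # ordinary user: accepted
    ("WKSTN01$", ACB_WSTRUST),             # machine account: accepted
    ("bob", ACB_NORMAL | ACB_WSTRUST),     # two account types: rejected
    ("carol", ACB_DISABLED),               # no account type: rejected
]


def describe_problem(username, acct_ctrl):
    """Return None if exactly one account-type bit is set, else a message."""
    if not isinstance(acct_ctrl, int):
        # Report instead of letting a %X conversion raise TypeError later.
        return "%s: account control %r is not an integer" % (username, acct_ctrl)
    found = [name for name, bit in ACCOUNT_TYPES.items() if acct_ctrl & bit]
    if len(found) == 1:
        return None
    # Argument order must follow the placeholders: %s gets the name and
    # %08X gets the integer. Swapping them raises TypeError on the %X.
    return "%s: account control 0x%08X has %s; expected exactly one of %s" % (
        username, acct_ctrl,
        " + ".join(found) if found else "no account type",
        ", ".join(sorted(ACCOUNT_TYPES)))


def preflight(accounts):
    """Collect every problem so all accounts can be fixed in one pass."""
    return [msg for user, ctrl in accounts
            for msg in [describe_problem(user, ctrl)] if msg]


if __name__ == "__main__":
    for line in preflight(SAMPLE_ACCOUNTS):
        print(line)
```

Reporting every offending account in one run avoids the fix-one-rerun-hit-the-next cycle seen in this thread.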


Re: [Samba] homes share

2013-02-11 Thread Linda W

[homes] is a special name:

from smb.conf manpage:
The [homes] section
  If a section called [homes] is included in the configuration file,
  services connecting clients to their home directories can be created on
  the fly by the server.

  When the connection request is made, the existing sections are scanned.
  If a match is found, it is used. If no match is found, the requested
  section name is treated as a username and looked up in the local
  password file. If the name exists and the correct password has been
  given, a share is created by cloning the [homes] section.

  Some modifications are then made to the newly created share:
  ·   The share name is changed from homes to the located username.
  ·   If no path was given, the path is set to the user's home directory.

  If you decide to use a path = line in your [homes] section, it may be
  useful to use the %S macro. For example:

  path = /data/pchome/%S

  is useful if you have different home directories for your PCs than for
  UNIX access.

  This is a fast and simple way to give a large number of clients access
  to their home directories with a minimum of fuss.

Hope this explains why...
Linda


Ufficiotecnico Acknow wrote:

I made a test changing [homes] to [home].
I configured letter and path from user profile in Active Directory snap-in.
Works, each user gets a folder named when he logs into domain,
subdirectories with username are created correctly.





[SCM] Samba Shared Repository - branch master updated

2013-02-11 Thread David Disseldorp
The branch, master has been updated
   via  f25debf Fix bug #9642 - vfs_afsacl.c won't build.
  from  c932b13 Improve the configure tests for aio_suspend to get rid of 
warnings. Timur provided the wscript method, I added the configure.in 
correction.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f25debf2fbf988c7b3415b86ccc5880319517bdd
Author: Jeremy Allison j...@samba.org
Date:   Fri Feb 8 17:08:28 2013 -0800

Fix bug #9642 - vfs_afsacl.c won't build.

Add missing mem_ctx argument.

Signed-off-by: Jeremy Allison j...@samba.org
Reviewed-by: David Disseldorp dd...@samba.org

Autobuild-User(master): David Disseldorp dd...@samba.org
Autobuild-Date(master): Mon Feb 11 20:24:00 CET 2013 on sn-devel-104

---

Summary of changes:
 source3/modules/vfs_afsacl.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index 7d1895f..66e256c 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -700,7 +700,8 @@ static size_t afs_fto_nt_acl(struct afs_acl *afs_acl,
return 0;
}
 
-   return afs_to_nt_acl_common(afs_acl, sbuf, security_info, ppdesc);
+   return afs_to_nt_acl_common(afs_acl, sbuf, security_info,
+   mem_ctx, ppdesc);
 }
 
 static bool mappable_sid(const struct dom_sid *sid)
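Review bot: the mem_ctx argument added to the afs_to_nt_acl_common() call is not declared anywhere in the visible context, and the hunk header cuts the afs_fto_nt_acl() signature off after its first parameter, so the hunk alone does not show that this function receives mem_ctx. Please confirm that any other caller of afs_to_nt_acl_common() passes the argument in the same position. Since the commit message says the file did not build, it is also worth checking that some autobuild configuration compiles vfs_afsacl.c, so that a signature drift like this is caught before it lands.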


-- 
Samba Shared Repository


autobuild: intermittent test failure detected

2013-02-11 Thread autobuild
The autobuild test system has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2013-02-12-0415/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2013-02-12-0415/samba3.stderr
   http://git.samba.org/autobuild.flakey/2013-02-12-0415/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2013-02-12-0415/samba.stderr
   http://git.samba.org/autobuild.flakey/2013-02-12-0415/samba.stdout
  
The top commit at the time of the failure was:

commit f25debf2fbf988c7b3415b86ccc5880319517bdd
Author: Jeremy Allison j...@samba.org
Date:   Fri Feb 8 17:08:28 2013 -0800

Fix bug #9642 - vfs_afsacl.c won't build.

Add missing mem_ctx argument.

Signed-off-by: Jeremy Allison j...@samba.org
Reviewed-by: David Disseldorp dd...@samba.org

Autobuild-User(master): David Disseldorp dd...@samba.org
Autobuild-Date(master): Mon Feb 11 20:24:00 CET 2013 on sn-devel-104


[SCM] Samba Shared Repository - branch master updated

2013-02-11 Thread Andrew Bartlett
The branch, master has been updated
   via  efd60ae Fix some cut-and-paste and spelling in debug messages
  from  f25debf Fix bug #9642 - vfs_afsacl.c won't build.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit efd60aeff7aac308d85b767cdf394dd866cce078
Author: Guenter Kukkukk ku...@samba.org
Date:   Tue Feb 12 05:37:09 2013 +0100

Fix some cut-and-paste and spelling in debug messages

Signed-off-by: Guenter Kukkukk ku...@samba.org

Reviewed-by: Andrew Bartlett abart...@samba.org

Autobuild-User(master): Andrew Bartlett abart...@samba.org
Autobuild-Date(master): Tue Feb 12 07:28:27 CET 2013 on sn-devel-104

---

Summary of changes:
 source4/auth/gensec/gensec_gssapi.c |   16 
 1 files changed, 8 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/gensec_gssapi.c 
b/source4/auth/gensec/gensec_gssapi.c
index 2b09665..e3bafe2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -182,7 +182,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security 
*gensec_security)
gensec_security-settings-lp_ctx,
gensec_gssapi_state-smb_krb5_context);
if (ret) {
-   DEBUG(1,(gensec_krb5_start: krb5_init_context failed (%s)\n,
+   DEBUG(1,(gensec_gssapi_start: smb_krb5_init_context failed 
(%s)\n,
 error_message(ret)));
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
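Review bot: the corrected DEBUG prefix on the smb_krb5_init_context failure still hard-codes the function name, which is how the stale gensec_krb5_start text ended up in this file. Printing the name through __func__ with a leading "%s: " would keep the prefix right if this block is copied or moved again.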
@@ -211,7 +211,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security 
*gensec_security)
if (realm != NULL) {
ret = gsskrb5_set_default_realm(realm);
if (ret) {
-   DEBUG(1,(gensec_krb5_start: gsskrb5_set_default_realm 
failed\n));
+   DEBUG(1,(gensec_gssapi_start: 
gsskrb5_set_default_realm failed\n));
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
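Review bot: the gsskrb5_set_default_realm failure message gets the right prefix but still drops ret, while the context-init failure in the hunk above logs error_message(ret). Including the return value here would make this level-1 message usable without raising the log level.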
@@ -220,7 +220,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security 
*gensec_security)
/* don't do DNS lookups of any kind, it might/will fail for a netbios 
name */
ret = 
gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security-settings, 
krb5, set_dns_canonicalize, false));
if (ret) {
-   DEBUG(1,(gensec_krb5_start: gsskrb5_set_dns_canonicalize 
failed\n));
+   DEBUG(1,(gensec_gssapi_start: gsskrb5_set_dns_canonicalize 
failed\n));
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
@@ -457,7 +457,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security 
*gensec_security,
 
min_stat = gsskrb5_set_send_to_kdc(send_to_kdc);
if (min_stat) {
-   DEBUG(1,(gensec_krb5_start: 
gsskrb5_set_send_to_kdc failed\n));
+   DEBUG(1,(gensec_gssapi_update: 
gsskrb5_set_send_to_kdc failed\n));
return NT_STATUS_INTERNAL_ERROR;
}
 #endif
@@ -484,7 +484,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security 
*gensec_security,
 
ret = gsskrb5_set_send_to_kdc(send_to_kdc);
if (ret) {
-   DEBUG(1,(gensec_krb5_start: 
gsskrb5_set_send_to_kdc failed\n));
+   DEBUG(1,(gensec_gssapi_update: 
gsskrb5_set_send_to_kdc failed\n));
return NT_STATUS_INTERNAL_ERROR;
}
 #endif
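Review bot: after this change the failure branch here logs exactly the same text as the one in the hunk at line 457, "gensec_gssapi_update: gsskrb5_set_send_to_kdc failed", although one tests min_stat and the other tests ret. A log line cannot be traced back to a single call site; consider adding the status value or a short distinguishing word to each message.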
@@ -999,7 +999,7 @@ static size_t gensec_gssapi_max_input_size(struct 
gensec_security *gensec_securi
   max_input_size);
if (GSS_ERROR(maj_stat)) {
TALLOC_CTX *mem_ctx = talloc_new(NULL); 
-   DEBUG(1, (gensec_gssapi_max_input_size: determinaing signature 
size with gss_wrap_size_limit failed: %s\n, 
+   DEBUG(1, (gensec_gssapi_max_input_size: determining signature 
size with gss_wrap_size_limit failed: %s\n,
  gssapi_error_string(mem_ctx, maj_stat, min_stat, 
gensec_gssapi_state-gss_oid)));
talloc_free(mem_ctx);
return 0;
@@ -1152,7 +1152,7 @@ static NTSTATUS gensec_gssapi_sign_packet(struct 
gensec_security *gensec_securit
 
*sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, 
output_token.length);
 
-   dump_data_pw(gensec_gssapi_seal_packet: sig\n, sig-data, 
sig-length);
+   dump_data_pw(gensec_gssapi_sign_packet: sig\n, sig-data, 
sig-length);
 
gss_release_buffer(min_stat, output_token);
 
@@