Re: [Samba] Dynamic dns updates fail for (most) xp, vista and win7 clients

2013-05-03 Thread Felix Mason
My mistake. The time was not being synced due to the same permissions issue 
that was preventing dns updates.

 
The solution was to log on to each client as a domain admin and issue the 
following commands

 
net time /domain /set /y

ipconfig /registerdns

 
On one windows 7 client I had to do the following:

1) Sync the time with the net time command

2) drop the machine off the network and rejoin it under a different name 

3) register dns with the ipconfig command.

 
I have no idea why that one machine was difficult but other than that you were 
right it was a time issue.
 
-Original message-
From:Felix Mason 
Sent:Sat 27-04-2013 11:49
Subject:RE: [Samba] Dynamic dns updates fail for (most) xp, vista and win7 
clients
CC:samba@lists.samba.org; 
To:?icro MEGAS ; 
 

Hi Lucas

 
Thanks, but the time is in sync on all clients and is updated on login by a 
login script. There is no discrepancy in this regard between those clients 
that work and those that don't. :)

 
On Wed 24-04-2013 10:47:?icro MEGAS  wrote
Check your time sync between clients and server. If the time is not in sync, 
it can result in Kerberos errors and therefore no updates.

Cheers,
Lucas

Tue 23 Apr 2013 22:36:48 +0400, Felix Mason wrote:
Hi  
 
Banging my head against a wall with this. Dynamic dns updates for windows 
clients are failing. 
 
Log excerpt: 
 
Apr 13 00:20:50 server named[30147]: samba_dlz: disallowing update of 
signer=newboywin7\$\@example.lan name=newboywin7.example.lan type= 
error=insufficient access rights 
Apr 13 00:20:50 server named[30147]: client 192.168.12.205#61162: updating zone 
'example.lan/NONE': update failed: rejected by secure update (REFUSED) 
Apr 13 00:20:50 server named[30147]: samba_dlz: cancelling transaction on zone 
example.lan 
Apr 13 00:20:50 server named[30147]: samba_dlz: starting transaction on zone 
example.lan 
Apr 13 00:20:50 server named[30147]: client 192.168.12.205#62052: update 
'example.lan/IN' denied 
Apr 13 00:20:50 server named[30147]: samba_dlz: cancelling transaction on zone 
example.lan 
Apr 13 00:20:50 server named[30147]: samba_dlz: starting transaction on zone 
example.lan 
Apr 13 00:20:50 server named[30147]: samba_dlz: disallowing update of 
signer=newboywin7\$\@example.lan name=newboywin7.example.lan type= 
error=insufficient access rights 
Apr 13 00:20:50 server named[30147]: client 192.168.12.205#64861: updating zone 
'example.lan/NONE': update failed: rejected by secure update (REFUSED) 
 
First two clients I got this problem with were winxp and win7. I did the 
following: 
sudo samba_upgradedns --dns-backend=BIND9_DLZ  
They started working. Since then I have the same problem and this doesn't 
resolve the issue. 
 
Someone previously suggested this  
ldbdel -H /opt/samba4/private/sam.ldb 
"DC=wxp1,DC=Kernevil.lan,CN=MicrosoftDNS,DC=Kernevil,DC=lan" 
 
It doesn't work I don't find any entries for the affected workstations + they 
were not added to the domain with beta versions of samba. 
 
I'm running Zentyal which is a version of ubuntu 12.4, samba package 
4.0.4-zentyal1. 
 
Have posted a question to their forum (with no success here) 
http://forum.zentyal.org/index.php/topic,14152.0.html 
 
 
Any help appreciated - this is infuriating. 
 
cheers 
 
sean 
 
  
  
-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba 
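A triage helper for the named/samba_dlz log excerpt quoted in this thread, as an added example that is not part of any poster's message: it rejoins the mail-wrapped syslog lines and counts secure-update denials per Kerberos signer. The function names and the pairing of each denial with the next client line are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpt in the post, still wrapped the way the
# mail client wrapped them (a record continues until the next timestamp).
SAMPLE = r"""
Apr 13 00:20:50 server named[30147]: samba_dlz: disallowing update of
signer=newboywin7\$\@example.lan name=newboywin7.example.lan type=
error=insufficient access rights
Apr 13 00:20:50 server named[30147]: client 192.168.12.205#61162: updating zone
'example.lan/NONE': update failed: rejected by secure update (REFUSED)
Apr 13 00:20:50 server named[30147]: samba_dlz: cancelling transaction on zone
example.lan
Apr 13 00:20:50 server named[30147]: samba_dlz: starting transaction on zone
example.lan
Apr 13 00:20:50 server named[30147]: client 192.168.12.205#62052: update
'example.lan/IN' denied
Apr 13 00:20:50 server named[30147]: samba_dlz: cancelling transaction on zone
example.lan
Apr 13 00:20:50 server named[30147]: samba_dlz: starting transaction on zone
example.lan
Apr 13 00:20:50 server named[30147]: samba_dlz: disallowing update of
signer=newboywin7\$\@example.lan name=newboywin7.example.lan type=
error=insufficient access rights
Apr 13 00:20:50 server named[30147]: client 192.168.12.205#64861: updating zone
'example.lan/NONE': update failed: rejected by secure update (REFUSED)
"""

# A syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped tail.
TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s")
# The type= field can be empty, as it is in the excerpt.
DLZ_DENY = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<type>\S*) error=(?P<error>.+)$"
)
CLIENT = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<rest>.+)$")


def unwrap(text):
    """Rejoin wrapped lines into one string per syslog record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize(text):
    """Count samba_dlz denials per signer and attach the client address.

    Assumption: the client line that follows a samba_dlz denial belongs to
    that denial. Client denials with no preceding samba_dlz line are counted
    separately instead of being guessed at.
    """
    signers = defaultdict(
        lambda: {"denied": 0, "clients": set(), "errors": set(), "names": set()}
    )
    pending = None
    unattributed = 0
    for rec in unwrap(text):
        m = DLZ_DENY.search(rec)
        if m:
            # named escapes '$' and '@' in the principal with backslashes
            pending = m["signer"].replace("\\", "")
            entry = signers[pending]
            entry["denied"] += 1
            entry["errors"].add(m["error"])
            entry["names"].add(m["name"])
            continue
        m = CLIENT.search(rec)
        if not m:
            continue
        rest = m["rest"]
        if "REFUSED" not in rest and not rest.endswith("denied"):
            continue
        if pending is not None:
            signers[pending]["clients"].add(m["ip"])
            pending = None
        else:
            unattributed += 1
    return {
        "signers": {
            s: {k: (sorted(v) if isinstance(v, set) else v) for k, v in e.items()}
            for s, e in signers.items()
        },
        "unattributed_client_denials": unattributed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

A signer that is denied repeatedly with "insufficient access rights" while other machine accounts update normally is the pattern this thread traced back to clock sync on the client.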

 
 

Re: [Samba] [samba4] Build requires libncurses-dev

2013-05-03 Thread Ricky Nance
I'd like to get a dev's input as to why this is now required, I have no
problem adding it to the wiki as long as they expect it and it wasn't just
something that crept in. If Jeremy or Andrew (or any other dev that sees
this) would confirm this I will add it.

Ricky


On Fri, May 3, 2013 at 2:23 PM, Nick Semenkovich wrote:

> +1 for this. Looks like a new dependency that just popped up in the
> last few commits.
>
> On Fri, May 3, 2013 at 6:02 AM, Michael De Groote
>  wrote:
> > I tried building the latest master from git on debian wheezy.
> > It seems to require libncurses-dev.
> >
> > I thought to add it into the wiki as a required package to install, but it
> > seems one needs to ask for a login to the wiki. No prob ;)
> >
> > Could someone add it to the wiki? Or is this an unintentional dependency
> > that will be removed?
> >
> > --
> > Michael De Groote
> > ICT-coordinator Sint-Pietersschool Korbeek-Lo
> > ICT-support Sancta Maria Basisschool Leuven


Re: [Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?

2013-05-03 Thread Andrew Bartlett
On Fri, 2013-05-03 at 19:21 +0300, Pekka L.J. Jalkanen wrote:
> On 26.4.2013 13:05, Pekka L.J. Jalkanen wrote:
> > 
> > So it seems that for some reason, exporting the keytab from Samba DC
> > doesn't work. I tried to kinit first using the domain admin account, but
> > to no avail--exportkeytab still throws the same error.
> > 
> > Now, for the purposes of bug 9828 I could probably export it from our
> > Windows DC using ktpass.exe, but I'd naturally like to know what's wrong
> > here.
> > 
> > What should I do? Am I missing something here?
> 
> I forgot this for some time... as the samba-tool exportkeytab didn't
> work, the easiest way to get a proper keytab for decrypting the capture
> was apparently just copy secrets.keytab from the Samba DC and feed that
> file to Wireshark. At least I've now managed to decrypt the stuff myself.

It would be useful to know why samba-tool exportkeytab didn't work, it
is tested in our make test.  Perhaps run it with -d10 and see if it
gives more clues?

> However, as this is not a test domain, I can't just post such a
> sensitive piece of information to Bugzilla. I am, however, ready to send
> it in a GPG-encrypted message to Andrew (currently assigned to the bug)
> or another trusted Samba dev working on the bug. Would that be OK?

Can you reproduce this on a test domain?  That would be better.  While I
do take GPG encrypted stuff, I prefer not to unless I'm actually fixing
database errors in databases or other things that would never be
reproduced again.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org





[Samba] Password server behaves differently for clients from Windows 7 Professional and Windows 7 Enterprise

2013-05-03 Thread Bryan Chan


Hi,

I have been using Samba as a file server and a domain controller in a mixed
AIX/Windows environment for a long time. Due to changes in the network
infrastructure in my lab, I have to stop using my own LDAP server and Samba
domain controller, and migrate all my user accounts to a central proprietary
directory server. On AIX, I now use a proprietary loadable authentication
module on AIX to talk to that server. To Samba, the accounts just look like
local accounts, except that passwords are not managed locally.

I want to continue serving files using Samba on my AIX box, but I cannot use a
local smbpasswd file because there is no way to sync passwords between the
proprietary server with the local smbpasswd file. So I tried using server
security and delegating authentication to a SMB interface provided by the
directory server. Here are the relevant parts of my smb.conf:

netbios name = MILAN
security = server
password server = tlbgsa.ibm.com
encrypt passwords = yes

ntlm auth = no
lanman auth = no
use spnego = no
server schannel = no
server signing = disabled

client plaintext auth = no
client lanman auth = no
client ntlmv2 auth = yes
client schannel = no
client signing = auto
client use spnego = no

When clients on Windows XP, Windows Server 2003, and Windows 7 Professional
connect to shares on \\milan, they are successfully authenticated by the
password server:

[2013/05/02 17:08:17,  3] auth/auth_sam.c:check_sam_security(282)
  check_sam_security: Couldn't find user 'bryanpkc' in passdb.
[2013/05/02 17:08:17,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [bryanpkc] FAILED with
error NT_STATUS_NO_SUCH_USER
[2013/05/02 17:08:18,  3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: smbserver authentication for user [bryanpkc]
succeeded
[2013/05/02 17:08:18,  5] auth/auth.c:check_ntlm_password(295)
  check_ntlm_password:  PAM Account for user [bryanpkc] succeeded
[2013/05/02 17:08:18,  2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [bryanpkc] -> [bryanpkc] ->
[bryanpkc] succeeded

However, when I try the same operation on Windows Server 2008, Windows Vista,
and Windows 7 Enterprise, the authentication attempt is rejected by the
password server:

[2013/05/02 17:01:06,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [bryanpkc] FAILED with
error NT_STATUS_NO_SUCH_USER
[2013/05/02 17:01:06,  1] auth/auth_server.c:check_smbserver_security(410)
  password server TLBGSA.IBM.COM rejected the password:
NT_STATUS_LOGON_FAILURE
[2013/05/02 17:01:06,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: smbserver authentication for user [bryanpkc] FAILED
with error NT_STATUS_LOGON_FAILURE
[2013/05/02 17:01:06,  2] auth/auth.c:check_ntlm_password(318)

I have more verbose logs (log level = 10) that show the different behaviours,
but I am not able to tell why the connection attempt works on some machines
but not on others. Any suggestion? I can send the log files if necessary.

Thanks,
--
Bryan Chan
bryan.c...@ca.ibm.com


Re: [Samba] ACL defaults and masks

2013-05-03 Thread Andrew Bartlett
On Tue, 2013-04-30 at 15:56 +0400, Александр Свиридов wrote:
>  Hello!
> 
> In samba 3 we used create mask, force create.. to set file
> permissions. In samba 4 as I understand those options are ignored and
> default acls are used instead. But, is it possible to set by default
> different permissions on files and folders? For example on folders
> rwx, and on files rw-. Because I don't want to give x permission to
> file as I think it can be dangerous. Thanks in advance.

These options are not ignored, but you can set an inheriting ACL if you
are using ACLs on that directory. 

Earlier Samba 4.0.x versions did incorrectly force these parameters, and
we made a security release and issued instructions on fixing the
permissions so incorrectly generated:

https://www.samba.org/samba/security/CVE-2013-1863

In terms of unix security, it is not a risk to have all files marked
execute, it may not look 'right', but any script can just be run with
its interpreter, and any binary can be run with ld-*.so

Andrew Bartlett
-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] samba4 / Lots of "Oplock break failed for file" errors

2013-05-03 Thread Nick Semenkovich
On samba4 (git, from 5/2/13 version 5f82641553) I see a number of
errors in the smbd log, like:

[2013/05/03 14:16:15.431156,  0]
../source3/smbd/oplock.c:333(oplock_timeout_handler)
  Oplock break failed for file
user1/AppData/Roaming/Microsoft/Templates/NormalEmail.dotm -- replying
anyway



Any thoughts on debugging / addressing these errors?

I've seen a number of suggestions regarding Samba 3, though I'm not
sure what's applicable to locking in Samba 4.


- Nick


Re: [Samba] [samba4] Build requires libncurses-dev

2013-05-03 Thread Nick Semenkovich
+1 for this. Looks like a new dependency that just popped up in the
last few commits.

On Fri, May 3, 2013 at 6:02 AM, Michael De Groote
 wrote:
> I tried building the latest master from git on debian wheezy.
> It seems to require libncurses-dev.
>
> I thought to add it into the wiki as a required package to install, but it
> seems one needs to ask for a login to the wiki. No prob ;)
>
> Could someone add it to the wiki? Or is this an unintentional dependency
> that will be removed?
>
> --
> Michael De Groote
> ICT-coordinator Sint-Pietersschool Korbeek-Lo
> ICT-support Sancta Maria Basisschool Leuven


Re: [Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?

2013-05-03 Thread Pekka L.J. Jalkanen
On 26.4.2013 13:05, Pekka L.J. Jalkanen wrote:
> 
> So it seems that for some reason, exporting the keytab from Samba DC
> doesn't work. I tried to kinit first using the domain admin account, but
> to no avail--exportkeytab still throws the same error.
> 
> Now, for the purposes of bug 9828 I could probably export it from our
> Windows DC using ktpass.exe, but I'd naturally like to know what's wrong
> here.
> 
> What should I do? Am I missing something here?

I forgot this for some time... as the samba-tool exportkeytab didn't
work, the easiest way to get a proper keytab for decrypting the capture
was apparently just copy secrets.keytab from the Samba DC and feed that
file to Wireshark. At least I've now managed to decrypt the stuff myself.

However, as this is not a test domain, I can't just post such a
sensitive piece of information to Bugzilla. I am, however, ready to send
it in a GPG-encrypted message to Andrew (currently assigned to the bug)
or another trusted Samba dev working on the bug. Would that be OK?


Pekka L.J. Jalkanen


Re: [Samba] dns entries look weird in remote administration dns tool

2013-05-03 Thread Denis Cardon

Hi Chantal and Alex,


yes exactly like that Alex! Well, with other entries of course :)


I have the same strange MS DNS console display here on multiple samba4 
production installs (both with classicupgrad'ed server and servers 
joined to MS AD). I first noticed it at the beta or rc stage, so I 
didn't care much about it at that time since it does not seem to have 
any issue with real dns queries.


However I still have the same issue as you have with samba 4.0.5.

Cheers,

Denis



On 05/02/2013 02:32 PM, Alex Matthews wrote:

Hiya,

My Windows based DNS utility always looks like this:
http://i.imgur.com/hhGmm0w.png
Is that similar to what you're referring to Chantal?

I've not noticed it cause a problem. Although I'm sure it shouldn't be
like it!

Thanks,

Alex

On 02/05/2013 08:13, Chantal Rosmuller wrote:

Hi,

On our samba 4 testserver we inserted the dns records from our dns
server using samba-tool. Everything seems to work ok but when I look
at the dns
entries with the windows dns remote administration tool it all looks
very weird. Here's an example:

This is the insert command:

samba-tool dns add samba4.example.com example.com www1 A
192.168.0.120 -U administrator

When I query the dns with samba-tool I get this (looks fine to me);

[root@samba4 ~]# samba-tool dns query localhost example.com www1 A -U
administrator
Password for [EXAMPLE\administrator]:
  Name=, Records=1, Children=0
A: 192.168.0.120 (flags=f0, serial=280, ttl=900)

In the windows dns tools however the record for www1 shows up twice,
one looks normal, the other doesn't have any values for type data and
timestamp.

Can anyone explain this, we would like to be sure everything is ok
before we start using the server in our production environment.

our OS: CentOS release 6.3 (Final)
samba version: samba 4.0.3

Thanks!







--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr



Re: [Samba] Recently joined 2k3, shut down primary, seized roles, now have slight dns (maybe) problem.

2013-05-03 Thread Caio Zanolla
One more detail. When browsing "Domain Controllers" on AD Users and
Computers it says there are no domain controllers and the folder gets an
exclamation mark. Also I'm not sure it should, but the samba DC is not
listed on the Computers list.

Kind regards,
Caio Zanolla


On Fri, May 3, 2013 at 11:27 AM, Caio Zanolla  wrote:

> Hello All,
>
> As per the subject, we have recently joined a w2k3 domain following
> instructions on wiki as well as relying on valuable information on
> the list. The steps we took were the following:
>
> Join samba as secondary
> Created dns records by hand (ldbsearch, samba-tool dns add)
> Checked replication
> Copied sysvol
> Transferred some roles from windows
> Transferred some roles from samba (fsmo transfer)
> Shut down primary
> Seized remaining roles (fsmo seize)
> Changed SOA to point to samba
> Deleted old DCs objects from ldb (ldbdelete)
> Deleted old records from dns (nsupdate)
>
> Everything seems to be working fine except for dns management.
>
> We cannot manage dns from RAT dns which says it cannot contact the samba
> host "Active Directory service was not found". Made sure dnsrpc was running
> on samba, but it won't connect.
>
> We can create/delete records using nsupdate and samba-tool, but some
> records we cannot manage. When running some specific queries (or
> updates/deletes) samba-tool will exit with message:
>
> root@smb01:/usr/local/samba/var# samba-tool dns query smb01 grupofw.local
> grupofw.local SOA
> Password for [administrator@GRUPOFW.LOCAL]:
> ERROR(runtime): uncaught exception - (9717,
> 'WERR_DNS_ERROR_DS_UNAVAILABLE')
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
> line 974, in run
> None, record_type, select_flags, None, None)
>
>
>
> Also, we cannot delete NS records pointing to old DCs. Tried nsupdate,
> which gives no error message. Also tried specifying the zone, also wo
> success.
>
> root@smb02:~# nsupdate -d
> > server 192.168.0.158
> > update delete grupofw.local in ns serv-pdc03.grupofw.local.
> > update delete grupofw.local in ns serv-pfw01.grupofw.local.
> > update delete grupofw.local in ns serv-pdc02.grupofw.local.
> > update delete grupofw.local in ns serv-pdc01.grupofw.local.
> > send
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  56115
> ;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;grupofw.local. IN  SOA
>
> ;; ANSWER SECTION:
> grupofw.local.  3600IN  SOA smb01.grupofw.local.
> hostmaster. 16363 900 600 86400 3600
>
> Found zone name: grupofw.local
> The master is: smb01.grupofw.local
> Sending update to 192.168.0.158#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  52219
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 4, ADDITIONAL: 0
> ;; UPDATE SECTION:
> grupofw.local.  0   NONENS  serv-pdc03.grupofw.local.
> grupofw.local.  0   NONENS  serv-pfw01.grupofw.local.
> grupofw.local.  0   NONENS  serv-pdc02.grupofw.local.
> grupofw.local.  0   NONENS  serv-pdc01.grupofw.local.
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  52219
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 4, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;grupofw.local. IN  SOA
>
> ;; UPDATE SECTION:
> grupofw.local.  0   NONENS  serv-pdc03.grupofw.local.
> grupofw.local.  0   NONENS  serv-pfw01.grupofw.local.
> grupofw.local.  0   NONENS  serv-pdc02.grupofw.local.
> grupofw.local.  0   NONENS  serv-pdc01.grupofw.local.
>
>
>
> After the update dns query still returns old DCs records.
>
> root@smb02:~# dig -t soa grupofw.local @192.168.0.158
>
> ; <<>> DiG 9.8.1-P1 <<>> -t soa grupofw.local @192.168.0.158
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51461
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;grupofw.local. IN  SOA
>
> ;; ANSWER SECTION:
> grupofw.local.  3600IN  SOA smb01.grupofw.local.
> hostmaster. 16363 900 600 86400 3600
>
> ;; Query time: 7 msec
> ;; SERVER: 192.168.0.158#53(192.168.0.158)
> ;; WHEN: Fri May  3 11:25:28 2013
> ;; MSG SIZE  rcvd: 83
>
> root@smb02:~# dig -t ns grupofw.local @192.168.0.158
>
> ; <<>> DiG 9.8.1-P1 <<>> -t ns grupofw.local @192.168.0.158
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14304
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;grupofw.local. IN  NS
>
> ;; ANSWER SECTION:
> grupofw.local.  3600IN 

[Samba] Slow copy from windows

2013-05-03 Thread Facundo Russo
Samba 3.6.3-23.2.0-41-generic-pae
Ubuntu 12.04
Realtek 8111B

Whenever I try to copy a file to a samba share from windows 7 or xp machine the 
copy is too slow
around 800-1000 KBps
8FTP or SCP works 10 times faster
also when copying from the share to my PC it also goes fast
the problem occurs only when copying files to the samba share
tried changing the NIC and the problem persist
here is my smb.conf i've skipped shares for readability

[global]
workgroup = HACIENDA_SALTA
netbios name = procuracion
realm = salta02.local
password server = salta02.salta02.local
preferred master = no
server string = Files Server
security = ADS
encrypt passwords = true
log level = 2 vfs:2
log file = /var/log/samba/%U.%m.log
max log size = 1
syslog = 0
lanman auth = yes
client lanman auth = yes
client plaintext auth = yes
name resolve order = wins lmhosts hosts

strict sync = yes
sync always = yes
kernel change notify = yes
dns proxy = no
acl map full control = yes
acl check permissions = True
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind separator = /
preserve case = Yes
short preserve case = Yes
case sensitive = no
idmap uid = 11000-13000
idmap gid = 11000-13000
template shell = /bin/nologin
template homedir = /files2/muni/homes/%D/%U
domain master = no
username map = /etc/samba/smbusers
hosts allow = 172.16. 10.0.100. 10.0.101. 10.0.102. 127.
interfaces = lo eth0 x.x.x.x/16
max smbd processes = 300
usershare max shares = 100
panic action = /usr/share/samba/panic-action %d
load printers = no


Re: [Samba] guest share on a " security = user" server

2013-05-03 Thread Chris Smith
My blog has the method I've used for years:

http://blog.realcomputerguy.com/2010/12/samba-and-guest-shares-with-security.html

On Fri, May 3, 2013 at 6:44 AM, Michael Wood  wrote:
> On 3 May 2013 12:42, Michael Wood  wrote:
> [...]
>> Maybe the "map to guest" option will help you solve your problem?
>
> Never mind, I see you've tried that.
>
> --
> Michael Wood 


[Samba] Recently joined 2k3, shut down primary, seized roles, now have slight dns (maybe) problem.

2013-05-03 Thread Caio Zanolla
Hello All,

As per the subject, we have recently joined a w2k3 domain following
instructions on wiki as well as relying on valuable information on
the list. The steps we took were the following:

Join samba as secondary
Created dns records by hand (ldbsearch, samba-tool dns add)
Checked replication
Copied sysvol
Transferred some roles from windows
Transferred some roles from samba (fsmo transfer)
Shut down primary
Seized remaining roles (fsmo seize)
Changed SOA to point to samba
Deleted old DCs objects from ldb (ldbdelete)
Deleted old records from dns (nsupdate)

Everything seems to be working fine except for dns management.

We cannot manage dns from RAT dns which says it cannot contact the samba
host "Active Directory service was not found". Made sure dnsrpc was running
on samba, but it won't connect.

We can create/delete records using nsupdate and samba-tool, but some
records we cannot manage. When running some specific queries (or
updates/deletes) samba-tool will exit with message:

root@smb01:/usr/local/samba/var# samba-tool dns query smb01 grupofw.local
grupofw.local SOA
Password for [administrator@GRUPOFW.LOCAL]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
line 974, in run
None, record_type, select_flags, None, None)



Also, we cannot delete NS records pointing to old DCs. Tried nsupdate,
which gives no error message. Also tried specifying the zone, also wo
success.

root@smb02:~# nsupdate -d
> server 192.168.0.158
> update delete grupofw.local in ns serv-pdc03.grupofw.local.
> update delete grupofw.local in ns serv-pfw01.grupofw.local.
> update delete grupofw.local in ns serv-pdc02.grupofw.local.
> update delete grupofw.local in ns serv-pdc01.grupofw.local.
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  56115
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;grupofw.local. IN  SOA

;; ANSWER SECTION:
grupofw.local.  3600IN  SOA smb01.grupofw.local.
hostmaster. 16363 900 600 86400 3600

Found zone name: grupofw.local
The master is: smb01.grupofw.local
Sending update to 192.168.0.158#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  52219
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 4, ADDITIONAL: 0
;; UPDATE SECTION:
grupofw.local.  0   NONENS  serv-pdc03.grupofw.local.
grupofw.local.  0   NONENS  serv-pfw01.grupofw.local.
grupofw.local.  0   NONENS  serv-pdc02.grupofw.local.
grupofw.local.  0   NONENS  serv-pdc01.grupofw.local.


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  52219
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 4, ADDITIONAL: 0
;; ZONE SECTION:
;grupofw.local. IN  SOA

;; UPDATE SECTION:
grupofw.local.  0   NONENS  serv-pdc03.grupofw.local.
grupofw.local.  0   NONENS  serv-pfw01.grupofw.local.
grupofw.local.  0   NONENS  serv-pdc02.grupofw.local.
grupofw.local.  0   NONENS  serv-pdc01.grupofw.local.



After the update dns query still returns old DCs records.

root@smb02:~# dig -t soa grupofw.local @192.168.0.158

; <<>> DiG 9.8.1-P1 <<>> -t soa grupofw.local @192.168.0.158
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51461
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;grupofw.local. IN  SOA

;; ANSWER SECTION:
grupofw.local.  3600IN  SOA smb01.grupofw.local.
hostmaster. 16363 900 600 86400 3600

;; Query time: 7 msec
;; SERVER: 192.168.0.158#53(192.168.0.158)
;; WHEN: Fri May  3 11:25:28 2013
;; MSG SIZE  rcvd: 83

root@smb02:~# dig -t ns grupofw.local @192.168.0.158

; <<>> DiG 9.8.1-P1 <<>> -t ns grupofw.local @192.168.0.158
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14304
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;grupofw.local. IN  NS

;; ANSWER SECTION:
grupofw.local.  3600IN  NS  serv-pdc03.grupofw.local.
grupofw.local.  3600IN  NS  serv-pfw01.grupofw.local.
grupofw.local.  3600IN  NS  serv-pdc01.grupofw.local.
grupofw.local.  3600IN  NS  serv-pdc02.grupofw.local.
grupofw.local.  3600IN  NS  smb01.grupofw.local.

;; Query time: 5 msec
;; SERVER: 192.168.0.158#53(192.168.0.158)
;; WHEN: Fri May  3 11:25:37 2013
;; MSG SIZE  rcvd: 151



Any pointers?


kind regards,
Caio.

[Samba] Help required for samba -3.0.5.1-0

2013-05-03 Thread Bharath Balareddy
Hello,

I am trying to use samba -3.0.5.1-0 to transfer a file to a windows 8 machine 
but it fails when windows-8 is under work group or domain.
Could you please provide help and let me know the reason for transfer failure.

Steps followed to transfer the file from linux system (2.4 kernel) to windows 8 
system.

1) smbclient -U % -d 3 //  command from terminal.

result: connection is established, prompt changes to smb.

2)mput .

Sometimes 0KB file is transferred or samba transfer fails .




Regards,
Bharath Kumar.B







[Samba] win 7 client can't map drive: getpeername failed

2013-05-03 Thread Ed Strong
Hi,

this is my first foray in samba (and newsgroups) so go easy :)

I'm trying to map a network drive from a windows 7 pro client to a QNAP NAS:
  net use s: \\qnap\share

I've posted on several forums and got good advice but the problem remains.
Rather than repost all the detail, please see my original posts:

http://forum.qnap.com/viewtopic.php?f=185&t=74639
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/11d35b0c-ac95-489f-b5d1-0486b9774603
http://www.edugeek.net/forums/windows-7/112309-map-network-drive-nas-but-get-error-64-58-a.html

I've managed to ssh onto the QNAP via putty and found this in the logs
(getpeername failed)

[/var/log] # pwd
/var/log
[/var/log] # tail -f log.smbd
[2013/05/01 09:36:17.135999,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/05/01 09:36:17.136096,  0] lib/util_sock.c:1440(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2013/05/01 09:36:17.137700,  1] smbd/server.c:299(remove_child_pid)
  Scheduled cleanup of brl and lock database after unclean shutdown
[2013/05/01 09:36:17.178522,  1] smbd/service.c:1073(make_connection_snum)
  172.24.120.139 (172.24.120.139) connect to service Staff initially as user DOMAIN+admin (uid=10001423, gid=1514) (pid 25771)
[2013/05/01 09:36:17.179093,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/05/01 09:36:17.179173,  0] lib/util_sock.c:1440(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2013/05/01 09:36:17.179289,  1] smbd/service.c:1254(close_cnum)
  172.24.120.139 (172.24.120.139) closed connection to service Staff
[2013/05/01 09:36:37.142714,  1] smbd/server.c:272(cleanup_timeout_fn)
  Cleaning up brl and lock database after unclean shutdown


and some version info:

[/var/log] # ps -ef | grep smb
 4016 admin  3104 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4017 admin  3728 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4366 admin  1840 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4877 admin  3300 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4902 admin  3952 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4978 admin  4132 S   /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
 4979 admin  3356 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4980 admin  1224 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4995 admin  1016 S   /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
 5063 admin  2068 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 9509 admin  1664 S   /usr/local/samba/sbin/nmbd -l /var/log -D -s /etc/config/smb.conf
25540 admin   544 S   grep smb
[/var/log] # /usr/local/samba/sbin/smbd -V
Version 3.5.2


Also got MS network monitor on client and did a capture
but don't really know what I'm looking for.

Not sure how to troubleshoot this further so any advice welcome

Thanks
Ed

PS I initially tried to post this on google group linux.samba but was
rejected by the moderation robot which said "Please submit your message
to the mailing list address"


[Samba] [samba4] Build requires libncurses-dev

2013-05-03 Thread Michael De Groote
I tried building the latest master from git on debian wheezy.
It seems to require libncurses-dev.

I thought to add it into the wiki as a required package to install, but it
seems one needs to ask for a login to the wiki. No prob ;)

Could someone add it to the wiki? Or is this an unintentional dependency
that will be removed?

-- 
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven


[Samba] Samba4 and Ubuntu 12.10 : problem to get it working...

2013-05-03 Thread Thierry Gonon
Hi all,

I'm new to samba: I've just installed it (version 4.0.5) on a 'fresh' Ubuntu 
12.10 server (32 bit version), following the HOWTO we can find on the sambawiki.
Everything is OK, up to the $ /usr/local/samba/bin/smbclient -L localhost -U% 
command (running as root).
I get the following error: NT_STATUS_CONNECTION_REFUSED, even if I replace % 
by Administrator...
What am I doing wrong?
Also, when checking the running processes (via ps aux), I get 2 smbd processes 
with the same options. Is that behaviour normal?

I hope someone can help me !!

Thank you very much

Thierry


Re: [Samba] guest share on a " security = user" server

2013-05-03 Thread Michael Wood
On 3 May 2013 12:42, Michael Wood  wrote:
[...]
> Maybe the "map to guest" option will help you solve your problem?

Never mind, I see you've tried that.

-- 
Michael Wood 


Re: [Samba] guest share on a " security = user" server

2013-05-03 Thread Michael Wood
Hi

On 2 May 2013 14:37, Andreas Moroder  wrote:
> Hello,
>
> our samba server runs in  security = user mode.
> Now I need a share people can connect to, even if they are not in the domain.
>
> I tried this configuration
>
> [open]
> comment = Fuer Scripte die via Mcafee gestartet werden
> guest only = yes
> #security = share
> path = /san/san-lacie/abteilungen/allgemein/mcafee
> read only = no
> writable = no

Sorry, I don't know the answer to your question, but I noticed the
above two lines.

"read only = no" is the opposite of "writable = no".  It makes no
sense to have both specified.

Maybe the "map to guest" option will help you solve your problem?

-- 
Michael Wood 
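
The contradiction pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original thread: a small lint for one share section that treats `writable`, `writeable` and `write ok` as inverted synonyms of `read only` (as smb.conf(5) documents) and flags `guest only` without `guest ok`. The function names are hypothetical, and the code assumes that when both forms appear the later line wins.

```python
import re
# Constructed sample: the [open] share exactly as quoted in the thread.
SAMPLE = """\
[open]
comment = Fuer Scripte die via Mcafee gestartet werden
guest only = yes
#security = share
path = /san/san-lacie/abteilungen/allgemein/mcafee
read only = no
writable = no
"""

# smb.conf(5) lists these as inverted synonyms of "read only".
INVERTED = {"writable", "writeable", "write ok"}
TRUE = {"yes", "true", "1", "on"}

def parse_shares(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicates."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            shares.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse runs of spaces.
            shares[current].append((" ".join(key.lower().split()), value.strip()))
    return shares

def lint_share(params):
    """Return (effective_read_only, findings) for one share's parameters."""
    findings, read_only, last, flags = [], True, None, {}  # read only defaults to yes
    for key, value in params:
        v = value.lower()
        if key in INVERTED or key == "read only":
            # Inverted synonyms flip the boolean before it is stored.
            ro = (v in TRUE) != (key in INVERTED)
            if last and ro != read_only:
                findings.append(f"'{key} = {value}' contradicts '{last}'")
            read_only, last = ro, f"{key} = {value}"  # assumption: later line wins
        else:
            flags[key] = v
    guest_ok = flags.get("guest ok", flags.get("public", "no")) in TRUE
    if flags.get("guest only") in TRUE and not guest_ok:
        findings.append("'guest only = yes' has no effect without 'guest ok = yes'")
    return read_only, findings
```

Run on the quoted section, `lint_share(parse_shares(SAMPLE)["open"])` reports the share as effectively read-only and returns both findings.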


Re: [Samba] Two departments on two different locations

2013-05-03 Thread Daniel Müller
Samba4-A/GLUSTER--glusterfs-replicatingBrickA--VPN--Samba4-B/GLUSTER--glusterfs-replicatingBrickB
   +
 Backup (if you like): Samba4-C--glusterfs-client (mount if backup needed)

Just something to think about. Mount as many bricks as you want with GLUSTER.
The copy is synced in real time.

Greetings
Daniel 
---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Original message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Ulrich Schinz
Sent: Friday, 3 May 2013 09:12
To: samba@lists.samba.org
Subject: [Samba] Two departments on two different locations

Hi there,

like the topic says, I'd like to build a domain-system with two locations. 
Our users work one day here the other day in the other place.
The two locations are connected via VPN (10MBit).

To have one datastore in sync on both locations I was thinking about
something like a distributed filesystem (e.g. ceph). Why?

I hope to be able to set up the cluster between the two locations with
limited traffic between the two locations. So we would have an identical
database on both locations.

I want to have this identical datastore to have the profile and outlook.pst
loaded at login fast. So I'd like to build something like two gateways in
the two locations, both mounting same datastore. 
Placement of files in this datastore is configured to hold one copy of each
file in each location. So connecting to one gateway should deliver a "local"
copy in each location. I hope it's clear what I mean.

Maybe some ascii-art ;)


|clients location a|---|Fileserver "gatewayA"|---| CEPHCLUSTER |---|Fileserver "gatewayB"|---| clients location b |

I'm not that skilled an artist ;)

The gateway idea is, because in the usermanagement of AD I can give only one
profile-path. So I wanted to "trick" that, and have different dns-entries in
the two locations for the same name. So I could achieve the local access to
the datastore

On both locations there is a samba4-AD of the same domain.

So maybe one of you has some hints, how to achieve this. I fear that it's
not possible to mount ceph from two clients at the same time.
Maybe it is possible ??? Alternatives?
Some other solution for that problem?

Any hints and ideas concerning this problem are welcome!

Kind regards
Uli



--
Ulrich Schinz


ulrich.sch...@ksfh.de

___



Katholische Stiftungsfachhochschule München

Abteilung Benediktbeuern

Don Bosco Str. 1

83671 Benediktbeuern

Telefon +49 8857 88 506

www.ksfh.de





[Samba] Two departments on two different locations

2013-05-03 Thread Ulrich Schinz

Hi there,

like the topic says, I'd like to build a domain-system with two locations. 
Our users work one day here the other day in the other place.

The two locations are connected via VPN (10MBit).

To have one datastore in sync on both locations I was thinking about 
something like a distributed filesystem (e.g. ceph). Why?


I hope to be able to set up the cluster between the two locations with 
limited traffic between the two locations. So we would have an
identical database on both locations.

I want to have this identical datastore to have the profile and 
outlook.pst loaded at login fast. So I'd like to build something like
two gateways in the two locations, both mounting same datastore. 
Placement of files in this datastore is configured to hold one copy
of each file in each location. So connecting to one gateway should 
deliver a "local" copy in each location. I hope it's clear what I mean.


Maybe some ascii-art ;)


|clients location a|---|Fileserver "gatewayA"|---| CEPHCLUSTER |---|Fileserver "gatewayB"|---| clients location b |

I'm not that skilled an artist ;)

The gateway idea is, because in the usermanagement of AD I can give only 
one profile-path. So I wanted to "trick" that, and have different
dns-entries in the two locations for the same name. So I could achieve 
the local access to the datastore


On both locations there is a samba4-AD of the same domain.

So maybe one of you has some hints, how to achieve this. I fear that 
it's not possible to mount ceph from two clients at the same time.

Maybe it is possible ??? Alternatives?
Some other solution for that problem?

Any hints and ideas concerning this problem are welcome!

Kind regards
Uli



--
Ulrich Schinz


ulrich.sch...@ksfh.de

___



Katholische Stiftungsfachhochschule München

Abteilung Benediktbeuern

Don Bosco Str. 1

83671 Benediktbeuern

Telefon +49 8857 88 506

www.ksfh.de


