Re: [Samba] Im just curious

2013-05-16 Thread Marc Muehlfeld

Hello,

On 16.05.2013 22:41, Sandbox wrote:

> Is it possible (well, look like it works) to include a preconfigured
> bind zone to samba named.conf, so I don't get that annoying zone
> conflict error message while I start bind?
> Actually, the important question is, this kind of configuration could
> interfere with samba4 if the server is configured to use BIND9_DLZ?


Do you mean, that you have already a zone in Bind and now you want the 
BIND9_DLZ module to use that zone for your AD? A "mixed zonefile" (samba 
LDB and Bind)? I think this is not possible and you won't be able to 
administrate it from windows or by samba-tool.


There was a BIND9_flatfile option for provisioning in the past. But Kai 
Blin (he wrote the internal DNS server) told me yesterday on SambaXP, 
that this option is very old and there's not really a documentation how 
to make it run. So this isn't a good solution, either.


But you could write a small script, to import your existing records with 
samba-tool into the samba LDB (of course you can keep Bind and use the 
DLZ module, if you like that backend).



Regards,
Marc

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
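
Added example, not part of the original message and not Samba project code: one way to do the import suggested in the reply above is to turn an existing BIND zone file into `samba-tool dns add` invocations. The zone `example.test`, the server `dc1.example.test`, the sample records and all function names are constructed; the sketch assumes the zone file's origin equals the zone name, converts only A, AAAA, CNAME and MX records, and reports everything else for manual review.

```python
import re
import shlex

TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)

# Constructed sample zone file (documentation addresses only).
SAMPLE_ZONE = """\
$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2013051601 ; serial
        3600 900 604800 3600 )
@       IN NS    ns1
@       IN MX    10 mail
ns1     IN A     192.0.2.1
mail    IN A     192.0.2.25
        IN AAAA  2001:db8::25
www     300 IN CNAME mail.example.test.
"""


def logical_lines(text):
    """Strip ';' comments and join '( ... )' continuations into one line."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf = buf + " " + line.strip() if buf else line
        if depth <= 0:
            yield buf.replace("(", " ").replace(")", " ")
            buf, depth = "", 0


def relative(name, zone):
    """Owner name relative to the zone; '@' stands for the zone apex."""
    name, zone = name.lower(), zone.lower().rstrip(".")
    if name == "@" or name.rstrip(".") == zone and name.endswith("."):
        return "@"
    if name.endswith("."):
        fqdn = name.rstrip(".")
        if not fqdn.endswith("." + zone):
            raise ValueError(f"{name} is outside zone {zone}")
        return fqdn[: -len(zone) - 1]
    return name


def absolute(target, zone):
    """Fully qualified target without the trailing dot."""
    if target == "@":
        return zone
    return target.rstrip(".") if target.endswith(".") else f"{target}.{zone}"


def zone_to_commands(zone_text, zone, server):
    """Return (argv lists for samba-tool, skipped (name, type) pairs)."""
    commands, skipped, owner = [], [], "@"
    for line in logical_lines(zone_text):
        if not line.strip() or line.lstrip().startswith("$"):
            continue  # blank line or $TTL/$ORIGIN directive
        fields = line.split()
        if not line[0].isspace():
            owner = fields.pop(0)  # a line starting with blanks reuses the owner
        while fields and (TTL_RE.match(fields[0]) or fields[0].upper() == "IN"):
            fields.pop(0)  # optional TTL and class
        if len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        name = relative(owner, zone)
        if rtype in ("A", "AAAA"):
            data = rdata[0]
        elif rtype == "CNAME":
            data = absolute(rdata[0], zone)
        elif rtype == "MX":
            # Zone files write "preference host"; samba-tool expects "host preference".
            data = f"{absolute(rdata[1], zone)} {rdata[0]}"
        else:
            skipped.append((name, rtype))
            continue
        commands.append(["samba-tool", "dns", "add", server, zone, name, rtype, data])
    return commands, skipped


if __name__ == "__main__":
    cmds, left_out = zone_to_commands(SAMPLE_ZONE, "example.test", "dc1.example.test")
    for argv in cmds:
        print(shlex.join(argv))  # review, then run with your own -U credentials
    for name, rtype in left_out:
        print(f"# not converted: {name} {rtype}")
```

The script only prints the commands, so the list can be reviewed before anything is written to the directory.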


Re: [Samba] Samba4 Trust Relationship AD

2013-05-16 Thread Steve Thompson

On Fri, 17 May 2013, Marc Muehlfeld wrote:


> Samba can be trusted, but can't trust yet.


And that's the way it should be!

-s


Re: [Samba] Samba4 Trust Relationship AD

2013-05-16 Thread Marc Muehlfeld

Hello Ricardo,

On 16.05.2013 21:42, Ricardo Suguita wrote:

> does anybody knows if Samba 4 supports Trust
> Relationship with Active Directory 2003, 2008 ?


Trusts are currently not finished implemented.
Samba can be trusted, but can't trust yet.


Regards,
Marc



Re: [Samba] Samba 3.x server with LDAP backend doesn't work

2013-05-16 Thread Gaiseric Vandal
And just to clarify you can use ldapsearch with the samba admin 
credentials as well?



What is the ldap server?  (Openldap ?)




On 05/16/13 16:44, Gollapalli, Prakash wrote:

>> Did you try w/o start TLS support?   I realize this can have security
>> implications, so this is only to see if the problem is with TLS or with
>> the configuration in general.
>
> I have tried without TLS support and without SSL (replaced ldaps with ldap)
>
>    passdb backend = ldapsam:ldap:///
>    ldap ssl = off
>    ldap admin dn = cn=Adminid,dc=xxx,dc=yyy,dc=zzz
>    ldap suffix = dc=xxx,dc=yyy,dc=zzz
>    ldap delete dn = no
>    ldap user suffix = ou=People
>    ldap group suffix = ou=Groups
>
> Now I get the following error:
> [2013/05/16 16:38:14,  0] lib/smbldap.c:1052(smbldap_connect_system)
>    failed to bind to server ldap:/// with
> dn="cn=Adminid,dc=xxx,dc=yyy,dc=zzz" Error: Confidentiality required
>  (unknown)
>
>> If the LDAP server is on the same server as the samba server then I
>> don't think you will need TLS encryption, since there isn't LAN traffic
>> to snoop.
>
> Our LDAP server is not on the same server. It is a central enterprise server
>
>> don't forget to set the ldap password with "smbpasswd -w"
>
> I did this part for the Adminid
>
>> Also I think "ldaps" means ldap over SSL, not ldap+tls.   I would also
>> use ldapclient tools (e.g. the command line ldapsearch or the gui Apache
>> Directory Studio ldap browser and editor) to make sure you can connect
>> to the ldap server via LDAP, LDAP+TLS and/or LDAPS-over-SSL. You
>> need to make sure you have all the certificates configured correctly.
>
> LDAP authentication works perfectly directly from our AIX server. I can do
> ldapsearches and can login with my ldap credentials etc.. Only samba
> authentication doesn't work
>
> Thanks, Prakash
> **
> Electronic Mail is not secure, may not be read every day, and should not be
> used for urgent or sensitive issues




[Samba] Failure to join existing domain Windows 2003 Server domain

2013-05-16 Thread Tony Nelson
I compiled samba-4.0.5 from source on Ubuntu 12.04 and was following the 
instructions here:

http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

The exact command I executed was:

root@va-dc:/usr/local/samba# bin/samba-tool domain join 
win.starpoint.com DC -Uadministrator 
--realm=win.starpoint.com --dns-backend=BIND9_DLZ 
--workgroup win --server 
va-bdc.win.starpoint.com

I added the server parameter to force the replication to use a DC local to me.

The join seemed to be going along fine until I hit this error:

Partition[CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM] objects[2321] 
linked_values[0]
Partition[CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM] objects[2497] 
linked_values[53]
Failed to apply records: Failed to find GUID for (null): Invalid DN syntax
Failed to commit objects: WERR_GENERAL_FAILURE
Join failed - cleaning up
checking sAMAccountName
Deleted CN=VA-DC,OU=Domain Controllers,DC=WIN,DC=STARPOINT,DC=COM
Deleted CN=NTDS 
Settings,CN=VA-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM
Deleted 
CN=VA-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM
ERROR(): uncaught exception - Failed to process 
chunk: NT_STATUS_UNSUCCESSFUL
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", 
line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, 
in join_DC
ctx.do_join()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1009, 
in do_join
ctx.join_replicate()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 734, 
in join_replicate
replica_flags=ctx.replica_flags)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 
252, in replicate
schema=schema, req_level=req_level, req=req)

I reran the command a few times specifying slightly higher debug levels (1,2,3) 
but didn't get any more information just before the exception but I did see 
warnings like this:

Analyze and apply schema objects
../source4/dsdb/schema/schema_syntax.c:1021: Unknown governsID 0x00030006
Warning: Failed to convert schema object 
CN=ms-Exch-MHS-Link-Monitoring-Config,CN=Schema,CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM
 into ldb msg
../source4/dsdb/schema/schema_syntax.c:1021: Unknown governsID 0x00030006
Warning: Failed to convert schema object 
CN=ms-Exch-MHS-Server-Monitoring-Config,CN=Schema,CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM
 into ldb msg
../source4/dsdb/schema/schema_syntax.c:1021: Unknown governsID 0x00030041
Warning: Failed to convert schema object 
CN=ms-Exch-Protocol-Cfg-Shared-Site,CN=Schema,CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM
 into ldb msg
../source4/dsdb/schema/schema_syntax.c:1021: Unknown governsID 0x00030002
Warning: Failed to convert schema object 
CN=ms-Exch-DX-Requestor,CN=Schema,CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM 
into ldb msg

What should I do to further troubleshoot this?

Thanks in advance for any suggestions.

Tony Nelson
Starpoint Solutions

Below is the entire output of the command in case I missed anything useful.

root@va-dc:/usr/local/samba# bin/samba-tool domain join 
win.starpoint.com DC -Uadministrator 
--realm=win.starpoint.com --dns-backend=BIND9_DLZ 
--workgroup win --server 
va-bdc.win.starpoint.com -d 3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file 
"/usr/local/samba/etc/smb.conf"
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Password for [WIN\administrator]:
workgroup is WIN
realm is WIN.STARPOINT.COM
checking sAMAccountName
Adding CN=VA-DC,OU=Domain Controllers,DC=WIN,DC=STARPOINT,DC=COM
Adding 
CN=VA-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM
Adding CN=NTDS 
Settings,CN=VA-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=WIN,DC=STARPOINT,DC=COM
Using binding 
ncacn_ip_tcp:va-bdc.win.starpoint.com[,seal]
Adding SPNs to CN=VA-DC,OU=Domain Controllers,DC=WIN,DC=STARPOINT,DC=COM
Setting account password for VA-DC$
Enabling account
Calling bare provision
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file 
"

Re: [Samba] Samba 3.x server with LDAP backend doesn't work

2013-05-16 Thread Gollapalli, Prakash
> Did you try w/o start TLS support?   I realize this can have security
> implications, so this is only to see if the problem is with TLS or with
> the configuration in general.

I have tried without TLS support and without SSL (replaced ldaps with ldap)

   passdb backend = ldapsam:ldap:///
   ldap ssl = off
   ldap admin dn = cn=Adminid,dc=xxx,dc=yyy,dc=zzz
   ldap suffix = dc=xxx,dc=yyy,dc=zzz
   ldap delete dn = no
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups

Now I get the following error:
[2013/05/16 16:38:14,  0] lib/smbldap.c:1052(smbldap_connect_system)
  failed to bind to server ldap:/// with 
dn="cn=Adminid,dc=xxx,dc=yyy,dc=zzz" Error: Confidentiality required
(unknown)

> If the LDAP server is on the same server as the samba server then I
> don't think you will need TLS encryption, since there isn't LAN traffic
> to snoop.

Our LDAP server is not on the same server. It is a central enterprise server

> don't forget to set the ldap password with "smbpasswd -w"

I did this part for the Adminid

> Also I think "ldaps" means ldap over SSL, not ldap+tls.   I would also
> use ldapclient tools (e.g. the command line ldapsearch or the gui Apache
> Directory Studio ldap browser and editor) to make sure you can connect
> to the ldap server via LDAP, LDAP+TLS and/or LDAPS-over-SSL. You
> need to make sure you have all the certificates configured correctly.

LDAP authentication works perfectly directly from our AIX server. I can do 
ldapsearches and can login with my ldap credentials etc.. Only samba 
authentication doesn't work

Thanks, Prakash


[Samba] Im just curious

2013-05-16 Thread Sandbox

Hi,

Is it possible (well, look like it works) to include a preconfigured 
bind zone to samba named.conf, so I don't get that annoying zone 
conflict error message while I start bind?
Actually, the important question is, this kind of configuration could 
interfere with samba4 if the server is configured to use BIND9_DLZ?


--
Kind regards:

Robert





[Samba] Samba4 Trust Relationship AD

2013-05-16 Thread Ricardo Suguita

Hi,

does anybody knows if Samba 4 supports Trust
Relationship with Active Directory 2003, 2008 ?

Thanks!

--
Ricardo Suguita
Network Analyst
CSCO11723146
Prefeitura Unicamp
Extension 14619 // Phone +55(19)3521-4619
http://www.prefeitura.unicamp.br
Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil



Re: [Samba] Procedure for installing Windows drivers on Samba with CUPS

2013-05-16 Thread Gerry Reno
On 05/16/2013 10:46 AM, steve wrote:
> On Thu, 2013-05-16 at 15:22 +0200, Tim Vangehugten wrote:
>> if
>> only the printing in samba 4.0.5 would work that would be nice...
> Hi
> The printing doesn't work in 4.0.5
> https://bugzilla.samba.org/show_bug.cgi?id=9745
>
> maybe you could add this thread/your use case to the bugzilla?
> Cheers,
> Steve
>

4.0.5 is useless without printing.

I've backed out of 4.0.5.




Re: [Samba] Samba 3.x server with LDAP backend doesn't work

2013-05-16 Thread Gaiseric Vandal
Did you try w/o start TLS support?   I realize this can have security 
implications, so this is only to see if the problem is with TLS or with 
the configuration in general.


If the LDAP server is on the same server as the samba server then I 
don't think you will need TLS encryption, since there isn't LAN traffic 
to snoop.


don't forget to set the ldap password with "smbpasswd -w"

Also I think "ldaps" means ldap over SSL, not ldap+tls.   I would also 
use ldapclient tools (e.g. the command line ldapsearch or the gui Apache 
Directory Studio ldap browser and editor) to make sure you can connect 
to the ldap server via LDAP, LDAP+TLS and/or LDAPS-over-SSL. You 
need to make sure you have all the certificates configured correctly.






On 05/16/13 11:27, Gollapalli, Prakash wrote:

> We have a central LDAP server for our enterprise on a Linux box.  I have
> installed Samba 3.4.4 server on an AIX server and trying to get users
> authenticated via LDAP server.   So far my efforts have been unsuccessful.
> Here is my ldap section of the smb.conf file:
>
> passdb backend = ldapsam:ldaps:///
> ldap ssl = start tls
> ldap suffix = dc=xxx,dc=yyy,dc=zzz
> ldap delete dn = no
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
>
> Here is the error I am seeing in the Samba errorlog:
>
> [2013/05/16 11:08:14,  0] lib/smbldap.c:656(smb_ldap_start_tls)
>    Failed to issue the StartTLS instruction: Can't contact LDAP server
> [2013/05/16 11:08:14,  1] lib/smbldap.c:1231(another_ldap_try)
>    Connection to LDAP server failed for the 1 try!
>
> Is there a documented procedure on how to connect samba users to a backend ldap
> server?
>
> Any help with is greatly appreciated
>
> Thanks, Prakash
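
Added example, not part of the thread and not Samba code: a small audit of the two transport combinations that appear in the smb.conf fragments of this thread, `ldaps://` together with `ldap ssl = start tls` (two TLS mechanisms at once) and plain `ldap://` together with `ldap ssl = off` (a cleartext bind, which a server that enforces encryption rejects with LDAP result 13, "Confidentiality required"). The host names under `example.test`, the finding codes and the function names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed smb.conf fragments modelled on the ones posted in the thread.
CASE_LDAPS_STARTTLS = """
[global]
   passdb backend = ldapsam:ldaps://ldap.example.test/
   ldap ssl = start tls
"""
CASE_CLEARTEXT = """
[global]
   passdb backend = ldapsam:ldap://ldap.example.test/
   ldap ssl = off
   ldap admin dn = cn=Adminid,dc=xxx,dc=yyy,dc=zzz
"""
CASE_STARTTLS_OK = """
[global]
   passdb backend = ldapsam:ldap://ldap.example.test/
   ldap ssl = start tls
"""


def parse_params(text):
    """Return {parameter: value} for an smb.conf fragment (last value wins)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment or section header
        key, _, value = line.partition("=")
        # Normalise case and spacing so "ldap ssl" and "LDAP  SSL" compare equal.
        params["".join(key.lower().split())] = value.strip()
    return params


def ldapsam_uris(backend):
    """Extract the URI list from an 'ldapsam:<uri> [<uri> ...]' value."""
    if not backend.lower().startswith("ldapsam:"):
        return []
    return backend[len("ldapsam:"):].replace('"', " ").split()


def audit_ldap_transport(text):
    """Return a list of (uri, code, explanation) findings."""
    params = parse_params(text)
    mode = " ".join(params.get("ldapssl", "").lower().split())
    findings = []
    for uri in ldapsam_uris(params.get("passdbbackend", "")):
        scheme = urlsplit(uri).scheme.lower()
        if scheme not in ("ldap", "ldaps"):
            findings.append((uri, "bad-scheme", "expected ldap:// or ldaps://"))
        elif scheme == "ldaps" and mode == "start tls":
            findings.append((uri, "double-tls",
                             "ldaps:// is already TLS; StartTLS upgrades a plain "
                             "ldap:// connection. Configure one, not both."))
        elif scheme == "ldap" and mode == "off":
            findings.append((uri, "cleartext",
                             "the admin DN bind and password hashes cross the "
                             "network unencrypted; a server requiring encryption "
                             "answers 'Confidentiality required'."))
        elif scheme == "ldap" and not mode:
            findings.append((uri, "tls-unspecified",
                             "'ldap ssl' is not set; state the intended mode."))
    return findings


if __name__ == "__main__":
    for label, conf in (("ldaps + start tls", CASE_LDAPS_STARTTLS),
                        ("ldap + off", CASE_CLEARTEXT),
                        ("ldap + start tls", CASE_STARTTLS_OK)):
        results = audit_ldap_transport(conf)
        print(label, "->", [code for _, code, _ in results] or "ok")
```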


Re: [Samba] Samba 3.x server with LDAP backend doesn't work

2013-05-16 Thread miguelmedalha




> Is there a documented procedure on how to connect samba users to a
> backend ldap server?





Chapter 5 of "Samba 3 by Example"

http://www.samba.org/samba/docs/man/Samba-Guide/happy.html


PDF version:

http://www.samba.org/samba/docs/Samba3-ByExample.pdf



[Samba] Samba 3.x server with LDAP backend doesn't work

2013-05-16 Thread Gollapalli, Prakash
We have a central LDAP server for our enterprise on a Linux box.  I have 
installed Samba 3.4.4 server on an AIX server and trying to get users 
authenticated via LDAP server.   So far my efforts have been unsuccessful.  
Here is my ldap section of the smb.conf file:

passdb backend = ldapsam:ldaps:///
ldap ssl = start tls
ldap suffix = dc=xxx,dc=yyy,dc=zzz
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups

Here is the error I am seeing in the Samba errorlog:

[2013/05/16 11:08:14,  0] lib/smbldap.c:656(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2013/05/16 11:08:14,  1] lib/smbldap.c:1231(another_ldap_try)
  Connection to LDAP server failed for the 1 try!

Is there a documented procedure on how to connect samba users to a backend ldap 
server?

Any help with is greatly appreciated

Thanks, Prakash


Re: [Samba] frequent tdb corruption

2013-05-16 Thread Adam Thorn
On Thu, 2013-05-16 at 13:29 +0200, Volker Lendecke wrote:

> "use mmap = no" might provide another data point.

Hi Volker,

Thanks, but I tried setting that some time ago - I continued to see tdb
corruption, so have since returned to not explicitly setting any value
for "use mmap".

Adam




Re: [Samba] frequent tdb corruption

2013-05-16 Thread Adam Thorn
> > In case it's relevant: the samba config files are stored on a different
> > filesystem. There are a set of multiple disks which are mirrored over
> > the network with FreeBSD's HAST (pretty much equivalent to DRBD), and
> > the HAST devices are then combined into a RAIDZ2 pool.
> 
> I think this is what Andrew was asking about.
> 
> DRBD, unless you have a cluster filesystem, needs to have only a
> single machine accessing the filesystem at a time.  HAST's homepage
> says the same:
> 
> "HAST works in Primary-Secondary (Master-Backup, Master-Slave)
> configuration, which means that only one of the cluster nodes can be
> active at any given time."
> 
> I think Andrew was asking if perhaps you had two machine accessing the
> filesystem at once.

Ah, I see. In which case, the answer is no: it'll never have been
running in a primary/primary configuration. Also, just to reiterate -
although my samba config files are on the HAST, the tdbs are very
definitely local.

> Do you still get the corruption with a local ZFS filesystem?

I can certainly move my samba config to local disk to see if it improves
matters. I'm just curious if there's an obvious problem with having the
config files on the HAST? (given that we take every possible precaution
to avoid primary/primary situations, and our automated monitoring pays
close attention to that).

Thanks,

Adam




Re: [Samba] Procedure for installing Windows drivers on Samba with CUPS

2013-05-16 Thread steve
On Thu, 2013-05-16 at 15:22 +0200, Tim Vangehugten wrote:
> if
> only the printing in samba 4.0.5 would work that would be nice...

Hi
The printing doesn't work in 4.0.5
https://bugzilla.samba.org/show_bug.cgi?id=9745

maybe you could add this thread/your use case to the bugzilla?
Cheers,
Steve



[Samba] samba3/4: libpopt version

2013-05-16 Thread Helmut Hullen
Hello,

I'm just playing with samba-4.0.5 (slackware), running as samba3 (and  
replacing/updating samba-3.6.x).


Seems to work fine - many thanks!

Perhaps one problem: when I start the server or when I run "smbclient -N  
-L " (and perhaps with some other start commands) then samba  
tells me

smbclient: /usr/lib/libpopt.so.0: no version information available  
(required by smbclient)
smbclient: /usr/lib/libpopt.so.0: no version information available (required by 
/usr/lib/libpopt_samba3.so)

My actual slackware distribution comes with "popt-1.16".

Is that message only a remark, or is it a warning, or is it an error  
message?

Best regards!
Helmut


Re: [Samba] Procedure for installing Windows drivers on Samba with CUPS

2013-05-16 Thread Tim Vangehugten
Hi,

I have spent a lot of time searching for a solution to automatically
install printerdrivers over the network until I stumbled on this.
I followed your method with samba 4.0.5 in Ubuntu 12.04 and a windows 7
professional x64 client and everything worked. I had some problems at
finding ntprint at first but this tutorial:
http://techsugar.wordpress.com/2011/04/26/obtaining-ntprint-inf-file-when-installing-x86-printer-drivers-on-windows-server-2008-64-bit/
has helped me to obtain it. Now my drivers are automatically installed, if
only the printing in samba 4.0.5 would work that would be nice...

Best regards
Tim Vangehugten




2013/5/13 Adam Nielsen 

> Hi all,
>
> This isn't a plea for help, but rather I have just been through the
> procedure for installing Windows drivers on a Samba machine using CUPS, and
> I thought I'd post my notes in case it helps someone one day as the
> documentation doesn't focus too strongly on my particular set up (it
> focuses on using Windows drivers without CUPS, or PostScript drivers with
> CUPS, but there's less about using Windows drivers with CUPS.)
>
> So if you are using CUPS and Samba, and you want to use "point-n-print" on
> your Windows machines with the manufacturer's drivers (in this case Ricoh
> MFDs) here is the process, which has only been tested on Win 7 64-bit, and
> assumes you have already set up the print$ share and can write to it from
> the Windows machine you will be using for this procedure.
>
>  1. Create a new CUPS print queue.  IPP works best, but any protocol will
> do (IPP causes usernames and job titles to appear on our machines' front
> panels.)
>
>  2. Select the "Raw" manufacturer, with the "Raw Queue" model and continue
> until the queue is ready.
>
>  3. "killall -HUP smbd" to make it see the new printer, possibly even
> killing your own session ("smbstatus | grep username" then "kill" those
> PIDs.)
>
>  4. Run \\server and on the menu below the normal menu (where it says
> Organize, Search, etc.) choose the last option "View remote printers". This
> view allows remote printers to be examined without trying to install them.
>
>  5. If the printer is not visible, in the address bar type in
> \\server\queuename and then cancel anything that comes up, and go back and
> refresh the list of printers.  The missing queue should now be visible.  It
> seems to take a while before it will show up reliably.
>
>  6. Right-click properties on the new printer, and when asked to install
> the '' driver, it is *very* important to say no.
>
>  7. On the Advanced tab click New Driver, then follow the prompts.  If the
> New Driver button is greyed out, you need to give yourself more
> permissions.  Giving permission to an AD group doesn't seem to work, you
> seem to have to grant your own (Windows) user print management permissions
> with the 'net' command (on the Linux box.)  This worked for me:
>
>   $ net -U server\\root rpc rights grant 'DOMAIN\username' SePrintOperatorPrivilege
>
> 8. In the New Driver window, click Have Disk and find the driver you want
> to install.
>
> 9. If you get an error about needing x64 drivers, edit the driver's .inf
> file in the driver and replace all instances of "NT.5.1" (or higher) with
> "NT.5.0".  If this doesn't work, duplicating the 64-bit stuff and putting
> it in a header for 32-bit works too (but this is only advisable if you
> don't have any 32-bit Windows machines.)
>
> 10. Click OK to close the printer properties and don't worry if you get a
> weird error.
>
> 11. Click properties again and you should see the full printer properties
> with the new driver.
>
> 12. On the Sharing tab click "Additional Drivers" and install the x64
> drivers (it seems to install only 32-bit ones.)  If you are prompted for
> where to install them from select the same driver again.
>
> 13. On the Advanced tab make sure you click Printing Defaults and change
> something and apply the changes so the default settings aren't null (you
> can change it back, but usually you have to change it to A4 or set
> paper-to-tray assignments anyway.)
>
> 14. On the General tab make sure the queue name matches the CUPS queue
> name.  Some drivers change this from something like "my-queue" to "Bob's
> Fantastic Printer Company PCL 6", but you won't be able to install the
> printer on client machines if the names don't match.
>
> 15. You should be able to double-click on the printers from client
> machines normally and have the driver install automatically now.  If you
> get prompted for admin access and you're connected to a domain, add your
> Samba server in to the appropriate group policy so drivers can be
> installed from it with no elevation required.  Plenty of pages on Google
> explaining this.
>
> 16. If you get an error installing the printer (something about being
> unable to install the driver), wait for a few hours as this often helps.
>  Maybe restarting Samba would help too, but for us it was a production
> machine so that wasn't possib

Re: [Samba] frequent tdb corruption

2013-05-16 Thread Volker Lendecke
On Thu, May 16, 2013 at 11:15:51AM +0100, Adam Thorn wrote:
> Hi Andrew,
> 
> > Can you please clarify:
> > 
> >  - Is the filesystem on this disk in any way shared?
> >  - Is the block device involved in any way shared?
> 
> I'm not 100% sure what you mean by "shared" in this context, but the
> filesystem where the tdbs are stored is: pair of local disks => mirrored
> together via zfs => zfs filesystem.
> 
> In case it's relevant: the samba config files are stored on a different
> filesystem. There are a set of multiple disks which are mirrored over
> the network with FreeBSD's HAST (pretty much equivalent to DRBD), and
> the HAST devices are then combined into a RAIDZ2 pool. I have recently
> had some disk problems with the filesystem where the samba config files
> are stored (but no problems with the filesystem which stores the tdbs) -
> is there any mechanism whereby e.g. a timeout in smbd trying to read
> it's config file could cause problems with the tdbs?
> 
> >  - Has the server ever had a unexpected poweroff?
> 
> No; I installed a different version of FreeBSD (downgraded from 9.1 to
> 9.0) a week ago to see if it made any difference. The OS partitions were
> totally wiped and reinstalled, and since then the server has been
> powered-up and stable, and still exhibiting corrupt tdbs.
> 
> >  - Do Samba processes ever crash?
> 
> No.
> 
> > If the answer is no to all these, then I would strongly suspect a
> > hardware or OS/kernel issue.  
> 
> I'd have said the same, but I've seen this problem on two (nominally)
> identical pieces of hardware (whilst that doesn't rule out hardware, I
> think it reduces the likelihood). I do plan to run memtest etc when I
> can, though.  Also, I'm running the same OS/kernel on another server
> which is *almost* identical hardware, and that's been completely
> trouble-free for over a year.
> 
> > Could you put your TDB files on a different file system, to rule in our
> > out ZFS (or the glue between FreeBSD and ZFS)?
> 
> I can certainly give that a go!

"use mmap = no" might provide another data point.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de


Re: [Samba] frequent tdb corruption

2013-05-16 Thread Michael Wood
Hi

On 16 May 2013 12:15, Adam Thorn  wrote:
> Hi Andrew,
>
>> Can you please clarify:
>>
>>  - Is the filesystem on this disk in any way shared?
>>  - Is the block device involved in any way shared?
>
> I'm not 100% sure what you mean by "shared" in this context, but the
> filesystem where the tdbs are stored is: pair of local disks => mirrored
> together via zfs => zfs filesystem.
>
> In case it's relevant: the samba config files are stored on a different
> filesystem. There are a set of multiple disks which are mirrored over
> the network with FreeBSD's HAST (pretty much equivalent to DRBD), and
> the HAST devices are then combined into a RAIDZ2 pool.

I think this is what Andrew was asking about.

DRBD, unless you have a cluster filesystem, needs to have only a
single machine accessing the filesystem at a time.  HAST's homepage
says the same:

"HAST works in Primary-Secondary (Master-Backup, Master-Slave)
configuration, which means that only one of the cluster nodes can be
active at any given time."

I think Andrew was asking if perhaps you had two machine accessing the
filesystem at once.

Do you still get the corruption with a local ZFS filesystem?

-- 
Michael Wood 


Re: [Samba] frequent tdb corruption

2013-05-16 Thread Adam Thorn
Hi Andrew,

> Can you please clarify:
> 
>  - Is the filesystem on this disk in any way shared?
>  - Is the block device involved in any way shared?

I'm not 100% sure what you mean by "shared" in this context, but the
filesystem where the tdbs are stored is: pair of local disks => mirrored
together via zfs => zfs filesystem.

In case it's relevant: the samba config files are stored on a different
filesystem. There are a set of multiple disks which are mirrored over
the network with FreeBSD's HAST (pretty much equivalent to DRBD), and
the HAST devices are then combined into a RAIDZ2 pool. I have recently
had some disk problems with the filesystem where the samba config files
are stored (but no problems with the filesystem which stores the tdbs) -
is there any mechanism whereby e.g. a timeout in smbd trying to read
it's config file could cause problems with the tdbs?

>  - Has the server ever had a unexpected poweroff?

No; I installed a different version of FreeBSD (downgraded from 9.1 to
9.0) a week ago to see if it made any difference. The OS partitions were
totally wiped and reinstalled, and since then the server has been
powered-up and stable, and still exhibiting corrupt tdbs.

>  - Do Samba processes ever crash?

No.

> If the answer is no to all these, then I would strongly suspect a
> hardware or OS/kernel issue.  

I'd have said the same, but I've seen this problem on two (nominally)
identical pieces of hardware (whilst that doesn't rule out hardware, I
think it reduces the likelihood). I do plan to run memtest etc when I
can, though.  Also, I'm running the same OS/kernel on another server
which is *almost* identical hardware, and that's been completely
trouble-free for over a year.

> Could you put your TDB files on a different file system, to rule in our
> out ZFS (or the glue between FreeBSD and ZFS)?

I can certainly give that a go!

Thanks for the help,

Adam



Re: [Samba] Access Denied when creating a GPO with any other domain admins than administrator

2013-05-16 Thread steve

On 14/05/13 18:40, Antoine Vacher wrote:

Hello,

I have a strange issue with Samba 4 as an AD DC regarding GPO creation.

I use the following packages on Debian wheezy:

dpkg -l | grep samba
ii  libsamba-credentials0:i386  4.0.0+dfsg1-1  i386  Samba Credentials management library
ii  libsamba-hostconfig0:i386   4.0.0+dfsg1-1  i386  Samba host configuration library
ii  libsamba-policy0:i386       4.0.0+dfsg1-1  i386  Samba policy management
ii  libsamba-util0:i386         4.0.0+dfsg1-1  i386  Samba utility function library
ii  python-samba                4.0.0+dfsg1-1  i386  Python bindings for Samba
rc  samba                       2:3.6.6-3      i386  SMB/CIFS file, print, and login server for Unix
ii  samba-common                2:3.6.10-1     all   common files used by both the Samba server and client
ii  samba-common-bin            2:3.6.10-1     i386  common files used by both the Samba server and client
ii  samba-dsdb-modules          4.0.0+dfsg1-1  i386  Samba Directory Services Database
ii  samba4                      4.0.0+dfsg1-1  i386  SMB/CIFS file, NT domain and active directory server (version 4)
ii  samba4-clients              4.0.0+dfsg1-1  i386  client utilities from Samba 4
ii  samba4-common-bin           4.0.0+dfsg1-1  i386  Samba 4 common files used by both the server and the client

I created an administrative account called "admin-domain" which is a member of
the following groups:
- Administrators
- Domain Admins
- Domain Users
- Group Policy Creator Owners

If I log on with the "administrator" account, then there is no problem to create
a new GPO with the group policy management application from the Windows 8 client.
However, if I log on with the "admin-domain" account, it is not possible to create a GPO.
The error given is "Access Denied".

I checked and there is no problem for "admin-domain" to write in the sysvol 
share.
For me being member of Domain Admins and writing to sysvol rights shall be 
enough to write a GPO.

Apart from that, the GPO are correctly applied and I see no other issue.
I am sure I am missing something, but I can't figure out what...

Thanks for your help.

Antoine


Hi
A quick check, try running:
samba-tool ntacl sysvolreset




[Samba] Access Denied when creating a GPO with any other domain admins than administrator

2013-05-16 Thread Antoine Vacher

Hello,

I have a strange issue with Samba 4 as an AD DC regarding GPO creation.

I use the following packages on Debian wheezy:

dpkg -l | grep samba
ii  libsamba-credentials0:i386  4.0.0+dfsg1-1  i386  Samba Credentials management library
ii  libsamba-hostconfig0:i386   4.0.0+dfsg1-1  i386  Samba host configuration library
ii  libsamba-policy0:i386       4.0.0+dfsg1-1  i386  Samba policy management
ii  libsamba-util0:i386         4.0.0+dfsg1-1  i386  Samba utility function library
ii  python-samba                4.0.0+dfsg1-1  i386  Python bindings for Samba
rc  samba                       2:3.6.6-3      i386  SMB/CIFS file, print, and login server for Unix
ii  samba-common                2:3.6.10-1     all   common files used by both the Samba server and client
ii  samba-common-bin            2:3.6.10-1     i386  common files used by both the Samba server and client
ii  samba-dsdb-modules          4.0.0+dfsg1-1  i386  Samba Directory Services Database
ii  samba4                      4.0.0+dfsg1-1  i386  SMB/CIFS file, NT domain and active directory server (version 4)
ii  samba4-clients              4.0.0+dfsg1-1  i386  client utilities from Samba 4
ii  samba4-common-bin           4.0.0+dfsg1-1  i386  Samba 4 common files used by both the server and the client

I created an administrative account called "admin-domain" which is a member of
the following groups:
- Administrators
- Domain Admins
- Domain Users
- Group Policy Creator Owners

If I log on with the "administrator" account, then there is no problem to create
a new GPO with the group policy management application from the Windows 8
client.
However, if I log on with the "admin-domain" account, it is not possible to
create a GPO. The error given is "Access Denied".

I checked and there is no problem for "admin-domain" to write in the sysvol 
share.
For me being member of Domain Admins and writing to sysvol rights shall be 
enough to write a GPO.

Apart from that, the GPO are correctly applied and I see no other issue.

I am sure I am missing something, but I can't figure out what...

Thanks for your help.

Antoine


[Samba] About Samba for SCOUnix

2013-05-16 Thread David Bocaletti

Greetings, we have a SCO Unix OpenServer running the Samba printing service.
These days, when we try to print from Windows 8, it's impossible: the job is sent
and the server doesn't send any error, but the page never comes out. Do
you have any idea about the problem or where I can find a solution?

Thanks.

David Antonio Bocaletti Comparini
Asistente Tecnico Informatica
Laboratorios Donovan Werke A.G.,S.A.
Tel. 24126200 ext 6161



[Samba] WERR_GENERAL_FAILURE joining Samba4 to Win 2k3 domain with Exchange 2007

2013-05-16 Thread Jay Carter

Hello,
I am having a problem joining a Debian/Samba4 machine as a DC to a Windows
2003 level AD domain. The domain has Exchange Server 2007 schema extensions
with a single Exchange Server which is also the domain controller.

I ran the domain join with debug level 10 set, here is what I see:
...
 a:;CN=owa (Default Web Site),
 CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exchange Administrative Group 
(
 FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft 
 Exchange,CN=Services,CN=Configuration,DC=jaydcarter,DC=com,DC=local
msExchOWATranscodingMimeTypes: S:52:  
  a:;CN=owa (Default Web Si
 te),CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exchange Administrative 
Gro
 up (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Micros
 oft Exchange,CN=Services,CN=Configuration,DC=jaydcarter,DC=com,DC=local
msExchOWATranscodingMimeTypes: S:58:  
    a:;CN=owa (Default 
 Web Site),CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exchange 
Administrati
 ve Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=
 Microsoft Exchange,CN=Services,CN=Configuration,DC=jaydcarter,DC=com,DC=local
msExchOWATranscodingFlags: 1
msExchVersion: 4535486012416
../source4/dsdb/samdb/ldb_modules/linked_attributes.c:164: Failed to find GUID 
for dn (null)
replmd_op_callback failure. Error is: Invalid DN syntax
Failed to apply records: Failed to find GUID for (null): Invalid DN syntax
Failed to commit objects: WERR_GENERAL_FAILURE
Join failed - cleaning up
...
 
If I am reading the log correctly, msExchVersion is the last directory element
that was successfully loaded; what I need to know is the next element which
apparently fails - there are about 15 elements remaining inside the 'owa
(Default Web Site)' cn that have not been imported so I can't tell exactly
which one is failing.
 
I have found several references to the WERR_GENERAL_FAILURE occurring with 
Exchange Server in the schema, but nothing that points to a solution.
 
Samba is version 4.0.5, running on Linux core 3.2.0-4-amd64 #1 SMP Debian 
3.2.35-2 x86_64 GNU/Linux
 
Any ideas or suggestions appreciated!
 
Thanks,
Jay D. Carter