Re: [Samba] Cleanup CN=Deleted Objects, DC=DomainDnsZones, DC=domain, DC=local

2013-07-28 Thread Achim Gottinger

On 25.07.2013 17:32, Achim Gottinger wrote:

On 25.07.2013 16:57, Achim Gottinger wrote:

Hi,

Due to a not so well coded dns update script my 
/var/lib/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb 
db now consumes ~500MB.

So I decided to delete all the outdated records.
I prepared a list of all the DNs with base 
DC=DomainDnsZones,DC=domain,DC=local and attribute isDeleted=TRUE.
There are about 8 outdated entries which I plan to delete. If I 
loop over each line in my list and run ldbdel -H 
DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb [DN] it takes about a 
second for each entry so it would take about 22h to delete them all. 
Is there a way I can speed things up?


Thanks in advance
achim~


Found a faster solution using ldbmodify so never mind.

Well, it turned out that removing all these deleted dns records via 
ldbmodify on my two AD DCs results in an inconsistent dns database. 
This means I cannot delete records via samba-tool or the Windows DNS server GUI. 
After the deletion and a tdbbackup of the ldb file it had shrunk to 
~1MB. I assume I have to wait now till these old entries expire.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Error running samba-tool dbtool --reset-well-known-acls

2013-07-28 Thread Achim Gottinger

Hi,

I updated my two samba DCs from 4.0.3 to sernet 4.0.7. Both servers run 
debian wheezy and the AD was created at the beginning of the year with 
a classic upgrade to version 4.0.0.
Recent release notes do not provide information about required upgrade 
tasks, so I ran
samba-tool dbcheck --reset-well-known-acls. On the first DC it found a 
few errors about missing members in computer groups which were fixable 
with samba-tool dbcheck --reset-well-known-acls --fix.

On my second DC however one issue remains.

samba-tool dbcheck --reset-well-known-acls
Checking 336 objects
Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local

Please use --fix to fix these errors
Checked 336 objects (1 errors)

samba-tool dbcheck --reset-well-known-acls --fix
Checking 336 objects
Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local? [y/N/all/none] y
Failed to fix attribute nTSecurityDescriptor : (65, objectclass_attrs: 
at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID 
Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't specified!)

Checked 336 objects (1 errors)


This is the global section of my smb.conf on DC1. Only netbios name and 
dns forwarder are different on DC2.



# Global parameters
[global]
workgroup = DOMAIN
realm = domain.local
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.200
idmap_ldb:use rfc2307 = yes
log level = 1
strict allocate = yes
acl:read=false
template shell = /bin/bash
wins support = Yes
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5

ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no

I connected to both DCs with ADSI and checked rIDNextRID

DC1:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local = 6247
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local = 0

DC2:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local = not defined (German: Nicht Festgelegt)
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local = 6714

Unfortunately I was not able to change that attribute from undefined to 
0 on DC2. I want to avoid editing ldb files by guess so I'd appreciate 
suggestions.


Thanks in advance
achim~






Re: [Samba] Win 2003 DC Demotion

2013-07-28 Thread Peter Beck

On 07/23/2013 10:49 PM, Garth Keesler wrote:
Sorry, I forgot to mention. This ONLY occurs when I join Samba 4.x to 
an existing Windows domain. When I join a Windows DC to an existing 
Samba 4.x domain, all works correctly including Forest and Domain 
bi-directional DNS repl.


Thanx,
Garth 


Hi Garth,

It was once working in my test environment, but I do not know why. We 
had a little discussion some months ago [1]. But most of the time I was 
also having issues demoting Windows DCs (mostly with the samba-internal 
DNS database which told me the database is inconsistent as soon as I 
tried to add new records).
As we do have small environments with about 30 users and we do use 
puppet for deployment, I have chosen not to do migration/demoting of 
existing Windows domains.


I am starting now from scratch with new Samba4 domains which seems to 
work very well with single or multiple domain controllers.


Sorry, not really helpful but I do not have an answer to the question. 
It's just my experience.
Maybe it's because I'm using the old version which is used with Debian 
Wheezy, I don't know.


Regards
Peter


[1] https://lists.samba.org/archive/samba/2013-February/171583.html


[Samba] Windows 8 pro and Samba 4

2013-07-28 Thread isscma
I installed opensuse 12.2, and upgraded the samba 3 it came with to 
samba 4.
I successfully joined win xp, win 7 clients to the samba as domain 
controller but couldn't join win 8 prof (it keeps displaying domain 
does not exist message). Does samba 4 really support win 8 prof or we 
have to wait for some time?


Emeka

Re: [Samba] Windows 8 pro and Samba 4

2013-07-28 Thread Marc Muehlfeld

Hello Emeka,

On 28.07.2013 18:39, iss...@aralar.edunet.es wrote:

I installed opensuse 12.2, and upgraded the samba 3 it came with to
samba 4.
I successfully joined win xp, win 7 clients to the samba as domain
controller but couldn't join win 8 prof (it keeps displaying domain does
not exist message). Does samba 4 really support win 8 prof or we have to
wait for some time?



I have one w8 prof in my Samba AD test environment and it works without 
problems.


- Are there any messages/errors in the samba/windows log?
- Can the DNS on your w8 resolve the Samba Domain?

Please give some more information. That would make it easier to help you.


Regards,
Marc



[Samba] uid number from AD out of winbinds upper limit (1410065407)?

2013-07-28 Thread Joshua McClintock
Hello, I seem to be hitting an upper limit on the range in winbind for
idmap or I have something configured incorrectly...

Here are the lines from my smb.conf


   idmap config CORP:range = 10-99
   idmap config CORP:backend = ad
   idmap config CORP:schema_mode = rfc2307


[2013/07/05 14:47:09.217707,  5] ../source3/passdb/pdb_interface.c:1392(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: Did not find user joshua (1951526546)
[2013/07/05 14:47:09.217775,  5] ../source3/winbindd/idmap_tdb_common.c:397(idmap_tdb_common_unixid_to_sid)
  Requested id (1951526546) out of range (10 - 1410065407). Filtered!

Has anyone else had this issue using uid numbers so large?

(sorry to the samba technical list, I accidentally posted there first)

Joshua


Re: [Samba] R2 2008 Windows Domain Contoller VS Samba

2013-07-28 Thread Colb, Andrew
Hi Rama,

Assuming that your 3.0.28 is the Solaris-provided Samba, install the various 
Samba patches per the Oracle site. This error is well known and is resolved in 
Samba 3.5 and onward in the 3. series. All that was easy for me to say. I can 
also appreciate that you are now under the gun to restore user access to 
their Samba-mediated files. Unfortunately, implementation of Sun patches is not 
that straightforward. 

Depending on the U version of Solaris 5.10, you may have a great deal of 
pre-patching to do in preparation for the Samba upgrade/patch. To avoid the 
hassle of a major patch project if your Solaris is at a very low U level, you 
may want to run Live Upgrade (which has its own patch requirements) to get to a 
relatively high U release level (i.e., U8, U9 or U10). Oracle has lots of 
documentation on running Live Upgrade, but we found that a key preparation 
was purchasing/obtaining a bunch of used disks that have the same SUN part 
numbers as the root devices and can thus serve as target devices for the LU 
upgrade. A decent guideline is patch Samba if above U5; at or below U5 use LU 
to upgrade. But be consistent; if most of your systems are U8 with one or two 
at U5, then LU the two laggards to get to U8. You'll also need Sun media for 
the Solaris version you want to update to if going the LU route. If you don't 
want to go the LU path and you're not at too low a U release, you can 
probably get to 3.5 by patching and heeding the patch notes 
requests for pre-requisites and gotchas (always at the bottom of the document). 
This is a somewhat less complex problem if you have only a single Sun Samba 
server, but the strategy of making and preserving bootable root devices still 
applies. Overall, it's a long slog, but doable. 

Hope the above was useful.

Andy Colb


-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Chillara, Rama
Sent: Monday, July 01, 2013 3:19 PM
To: samba@lists.samba.org
Subject: [Samba] R2 2008 Windows Domain Contoller VS Samba

Hi,

We are using samba version 3.0.28 on Sun solaris 5.10 integrated with Windows 
2003 Domain Controller.

It has been running for couple of years without any issues.

Recently the 2003 domain controllers were upgraded to 2008 R2 domain controllers 
and the samba server that we currently have is not authenticating 
with the new domain controllers. Could you please let me know which version of 
Samba works for the 2008 R2 domain controller on Sun solaris 5.10.

Thank you in advance.

Thank you,
Rama.





[Samba] Fwd: About samba 3.0.28 trust AD

2013-07-28 Thread Wong siu yu
Hi,

I had a RedHat 5.2 need to trust domain the Windows Server 2008 R2 (forest
level 2003).
Which package I need to install first? I am using samba-3.0.28 but I have
no samba-winbind.
May I know procedures of trust setting in Linux?

Thanks for your help.

Warm Regards,
MW


[Samba] samba 4 userid mapping

2013-07-28 Thread Nick B
Complete new user here.  Setting up my first samba configuration, using
samba 4.0.6 as a primary domain controller.  I have user profiles, network
shares, active directory, and domain controller working.  But I can not
understand how to map windows userid to linux userid (and map groupid as
well).  I am struggling because much of the documentation is outdated and
meant for samba 3.x or targeted for samba as a domain member.  I followed
some documentation to try the userid mapping through active directory, but
that required Microsoft services for Unix 3.5, which will not install on 64
versions of MS.  I find myself without any orientation of how to proceed.

I am suffering from documentation overload, much of it contradictory or not
applicable.  I am not even sure how to use winbind, or if that is required
for my situation.  I really need a simple step by step howto that is
specific to samba 4 as a PDC.  If you want to reference documentation,
great, but please reference specific sections instead of whole general
chapters.  Any help greatly appreciated.  Thank you.

Configuration information follows:

Server

OS:  OpenSuSE 12.1, 64 bit
Samba:  Samba 4.0.6
Configuration:  Primary domain controller with active directory support
Using BIND 9 DNS server


Client

OS:  Windows 7 Professional, 64 bit


Samba configuration file


# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.ORG
netbios name = SERVER
wins support = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
encrypt passwords = yes

# Setup user maps
idmap config * : backend = tdb
idmap config * : range = 10-19
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 5-9
winbind nss info = rfc2307
winbind trusted domains only = No
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes

# Logon path tells samba where to put Windows roaming profiles
logon path = \\%h\profiles\%u

# Logon home is used to specify home directory and
# Windows 95/98/ME roaming profile location
logon home = \\%h\%u\.win_profiles

# Allow Samba to send correct time to windows
time server = Yes

# Set logging options
log file = /var/log/samba/log.odeon

# Shares configurations follows.  Not included for brevity . . .



[Samba] domain RODC fails with default provisioning

2013-07-28 Thread Andreas Calvo Gómez
We're evaluating joining another samba domain controller in read-only mode.
With a default provisioning, when running the samba-tool domain RODC, it
fails with the following error:
ldb: ldb_trace_request: (tdb)-search
ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
ldb_wrap open of hklm.ldb
ldb: start ldb transaction (nesting: 0)
ldb: ldb_trace_request: (tdb)-start_transaction
ldb: start ldb transaction error: (null)
ldb: ldb_trace_request: ADD
dn: @ATTRIBUTES
changetype: add
key: CASE_INSENSITIVE
value: CASE_INSENSITIVE


 control: NONE

ldb: ldb_trace_request: (tdb)-add
ldb: ldb_trace_request: (tdb)-prepare_commit
ldb: commit ldb transaction (nesting: 0)
ldb: ldb_trace_request: (tdb)-end_transaction
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE
About to write CurrentVersion with type (null), length 3: 6.1
Key 'key=SYSTEM,hive=NONE' not found
key added: key=SYSTEM,hive=NONE
Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
About to write ProductType with type (null), length 8: LanmanNT
Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
found
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
About to write RefusePasswordChange with type dword, length 8: 
Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
partition_metadata: Migrating partition metadata
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
talloc: access after free error - first free may be at @�3
Bad talloc magic value - access after free
Aborted

Is there something special to be done prior to the domain join command?

[Samba] Samba Domain Rename

2013-07-28 Thread Sandeep Kumar
Hi Team,

I am using samba 4 Domain in my production environment and everything is
working fine but now for some reason I have to rename the domain

Can you please help on this, I need to do this asap

Waiting for your response………

Many Thanks,

Sandeep Kumar

*Arbor Financial Systems Ltd***

Direct: +91 172 400 6144

Support: +44 (0) 203 070 9650

www.arborfs.com


[Samba] Wheezy Samba+Winbind+AD+PAM

2013-07-28 Thread Aaron Gibson

Greetings fellow Samba enthusiasts!

I am having an issue after upgrading to the latest version of wheezy 
from my former squeeze on my testing node.
I am unable to log in anymore as my AD user erin. I can do the following 
commands successfully but not getent passwd erin or logging in to the 
system via the console.
It is currently a fresh install; all I did was copy my krb.conf, 
samba.conf, and pam.d/* directories or files over. I also installed all 
the packages I thought I needed. I have this same setup working on 7 other 
(squeeze) machines and I got no issue with them at all.
I am enclosing a couple of pastebins as well. There is a lot of information 
to look at.
If you have any questions or need more info send me an email and I will 
respond after work tonight.


Thanks so much!
Aaron G.

##INFO 

PASTEBIN:
http://sprunge.us/MXbS

ERROR:
root@testing:~# login erin
Password:

Login incorrect
testing login: ^C
root@testing:~# tail /var/log/auth.log

Jul 11 04:14:44 testing login[4821]: pam_securetty(login:auth): access denied: tty '/dev/pts/0' is not secure !
Jul 11 04:14:50 testing login[4821]: pam_unix(login:auth): check pass; user unknown
Jul 11 04:14:50 testing login[4821]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=
Jul 11 04:14:50 testing login[4821]: pam_winbind(login:auth): getting password (0x0050)
Jul 11 04:14:50 testing login[4821]: pam_winbind(login:auth): pam_get_item returned a password
Jul 11 04:14:50 testing login[4821]: pam_winbind(login:auth): user 'erin' granted access
Jul 11 04:14:53 testing login[4821]: FAILED LOGIN (1) on '/dev/pts/0' FOR 'UNKNOWN', User not known to the underlying authentication module

root@testing:~#

root@testing:~# ./samba-check.sh
+ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: e...@thrace.lan

Valid starting    Expires           Service principal
10/07/2013 20:27  11/07/2013 06:26  krbtgt/thrace@thrace.lan
renew until 11/07/2013 20:27
+ net ads info
LDAP server: 192.168.1.219
LDAP server name: bkdc.thrace.lan
Realm: THRACE.LAN
Bind Path: dc=THRACE,dc=LAN
LDAP port: 389
Server time: Thu, 11 Jul 2013 04:14:43 EDT
KDC server: 192.168.1.219
Server time offset: -51
+ wbinfo -u
guest
administrator
krbtgt
teddy
erin
camaron
sarah
matt
ripper
nancy
summer
justin
dummy
pcthrace
nathan
+ wbinfo -g
domain computers
cert publishers
domain users
domain guests
ras and ias servers
domain admins
schema admins
enterprise admins
group policy creator owners
allowed rodc password replication group
denied rodc password replication group
enterprise read-only domain controllers
read-only domain controllers
domain controllers
dnsadmins
dnsupdateproxy
nagios
http
ssh
lan-login
computers-group
+ getent passwd erin
root@testing:~#





[Samba] Ubuntu as Samba Domain Member

2013-07-28 Thread John Aviles
Hi All,
I need your help with my problem. I want SAMBA to be the PDC for my Ubuntu 
workstations. The SAMBA is installed in Ubuntu also; the version for the server 
and workstations is 12.04. I have successfully joined the workstations to the 
SAMBA server but I can't log in to it using the users I created in SAMBA. Can 
anybody tell me the steps on how to do this? Do I also need to add the 
Ubuntu workstations in SAMBA?
Regards,
John  


[Samba] About NAS versus Samba

2013-07-28 Thread Olivier BILHAUT

Hi !

QNAP TurboNas (our model number is TS-EC1279U-RP) does the trick 
successfully. Joined as a member to our S4 AD, we use it as a cifs server in a 
mixed environment.  The server is ssh opened, and the configuration 
files (ex : smb.conf) could be modified by hand or by an automated 
script. We've linked it to our group creation and it actually offers good 
and simple services.


Cheers,

---
*** Oliver



Re: [Samba] oLschema2ldif segfault

2013-07-28 Thread Alejandro
This is very good news, not only problems with BINARY (I filed Bug 9567
for others and it is always the same problem)


2013/7/12 Andrew Bartlett abart...@samba.org

 On Thu, 2013-07-11 at 13:11 -0500, Bo Kersey wrote:
  I'm seeing a oLschema2ldif segfault when it comes across attributetypes
 with syntax '1.3.6.1.4.1.1466.115.121.1.5' that is a BINARY attribute.
 
  Is this by design?
 
  Can I store binary attributes in samba4 ldap?

 We need to remove this tool, and someone needs to write a replacement in
 python.

 Andrew Bartlett

 --
 Andrew Bartlett                        http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org





-- 
Alejandro Escanero Blanco
Open source systems consultant
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com


Re: [Samba] WARNING to those running Samba on OpenIndiana or other Illumos based systems with 16 groups

2013-07-28 Thread Ira Cooper
On Sun, Jul 14, 2013 at 8:23 AM, Andrew Bartlett abart...@samba.org wrote:

 On Wed, 2013-04-24 at 10:31 +1000, Andrew Bartlett wrote:
  Just a heads-up, because this bug took me absolutely ages to chase down,
  and I want to save others the same pain.
 
  Samba is perhaps the most prominent reason why you might find a user in
  more than 16 groups on a Unix system, and so this bug may at first
  appear to be a 'Samba issue' (that certainly is why it found its way to
  my attention :-)
 
  https://www.illumos.org/issues/3691
 
  In short, unless the group list we supply to setgroups() is sorted, if
  there are more than 16 groups, the Illumos kernel fails to honour some
  of the groups.  Presumably there is a bisection search being done.
 
  The symptom for Samba users is that as a user is added to more groups,
  they lose access to folders they previously had access to.
 
  Attached is a total hack that appears to resolve the issue, but the real
  fix needs to be in glibc or the kernel.

 Just as a follow-up, if you experience this please also see
 https://www.illumos.org/issues/3577 and
 https://bugzilla.samba.org/show_bug.cgi?id=7588 for WORKAROUNDS if you
 cannot fix/change your host OS.  There is a patch for nss_winbind and
 smbd attached to that bug, both of which are required to ensure both
 Samba and other unix applications see all the windows groups.

 As we have now had success getting this fixed upstream I've not had time
 to get back to applying these to Samba when we run on Solaris, but the
 view was that for the small cost of a qsort we probably should.  If a
 DENY ACL is involved, this may also be a SECURITY issue, which is how we
 finally got the root cause addressed upstream.



Andrew,

As the upstream developer who fixed the issue: The fix had nothing to do
with security.  It had to do with Bjorn posting the root cause, and that
frankly I found sorting the list in samba beyond fugly.

I look at the fact you sorted the list in samba and just shake my head...
 The same qsort put in the illumos kernel fixes the issue for good.

Given our past history with such bugs, I'd expect we'll tell people to
upgrade their OS.

Thanks,

-Ira
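
The failure mode and the qsort workaround discussed in this thread, as an added example that is not taken from Samba, illumos, or the patch attached to the original mail. The bisecting lookup is a toy model of the behaviour Andrew presumes (it always bisects, so it does not reproduce the 16-group threshold), and every gid and function name here is constructed for illustration.

```c
/* Added illustration; not Samba or illumos source. All gids are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample: supplementary groups in the order a directory lookup
 * might return them (unsorted, one duplicate). 70001 plays a "deny" group,
 * 10520 an "allow" group. */
static const gid_t sample_groups[] = {
    70001, 10513, 10512, 20044, 10001, 30007, 10519, 10518, 20045,
    10520, 40002, 10572, 10571, 50010, 10553, 60003, 10513, 10498
};
#define SAMPLE_COUNT (sizeof(sample_groups) / sizeof(sample_groups[0]))

static int gid_cmp(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);        /* no subtraction, so no wrap-around */
}

/* Toy model (assumption): the membership test bisects the group list, so it
 * is only correct when the list is sorted in ascending order. */
int member_bisect(const gid_t *groups, size_t n, gid_t gid)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (groups[mid] == gid)
            return 1;
        if (groups[mid] < gid)
            lo = mid + 1;
        else
            hi = mid;
    }
    return 0;
}

/* How many groups in the list does the bisecting lookup fail to honour? */
size_t count_missed(const gid_t *groups, size_t n)
{
    size_t i, missed = 0;
    for (i = 0; i < n; i++)
        if (!member_bisect(groups, n, groups[i]))
            missed++;
    return missed;
}

/* ACL model: a deny entry wins over an allow entry. A missed deny group
 * therefore turns into access that should have been refused. */
int access_allowed(const gid_t *groups, size_t n, gid_t allow_gid, gid_t deny_gid)
{
    if (member_bisect(groups, n, deny_gid))
        return 0;
    return member_bisect(groups, n, allow_gid);
}

/* Workaround side: return a sorted, de-duplicated copy of the list, i.e. what
 * a caller would hand to setgroups(). Caller frees; NULL on allocation failure. */
gid_t *sorted_gid_list(const gid_t *in, size_t n, size_t *n_out)
{
    gid_t *out = malloc((n ? n : 1) * sizeof(*out));
    size_t i, k = 0;

    *n_out = 0;
    if (out == NULL)
        return NULL;
    if (n)
        memcpy(out, in, n * sizeof(*out));
    qsort(out, n, sizeof(*out), gid_cmp);
    for (i = 0; i < n; i++)
        if (k == 0 || out[k - 1] != out[i])
            out[k++] = out[i];
    *n_out = k;
    return out;
}

int main(void)
{
    size_t n = 0;
    gid_t *sorted = sorted_gid_list(sample_groups, SAMPLE_COUNT, &n);

    if (sorted == NULL)
        return 1;
    printf("unsorted: %zu of %zu groups missed, access_allowed=%d\n",
           count_missed(sample_groups, SAMPLE_COUNT), (size_t)SAMPLE_COUNT,
           access_allowed(sample_groups, SAMPLE_COUNT, 10520, 70001));
    printf("sorted:   %zu of %zu groups missed, access_allowed=%d\n",
           count_missed(sorted, n), n,
           access_allowed(sorted, n, 10520, 70001));
    free(sorted);
    return 0;
}
```

With the unsorted list the deny group is not found while the allow group is, so the model grants access; after sorting, every group is found and the deny entry applies.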


Re: [Samba] smbldap-usermod timeout for Terminal Server

2013-07-28 Thread roland

Hello,

Following to this old post (Tue Jul 6 02:22:22 MDT 2010), here is the 
solution I found :

- stop nscd : /etc/init.d/nscd stop
- restart samba : /etc/init.d/samba restart
- start nscd : /etc/init.d/nscd start
...in this order !

Roland.

Hello,
When I modify a user account adding him to a customized group, there 
is a delay which can be up to 2 hours to take effect.

- the user account is already created with smbldap-useradd.
- the user account is modified later (with smbldap-usermod), adding 
him to a group which has the right allow log on through terminal 
services properties on the local security policy

The samba server acts as a PDC.



I've tried a lot of things to bypass the delay :
- restart of samba
- restart of openldap
- gpupdate /force on windows server
- modify the delay in GPO : group policy refresh interval for users 
and for computers

- purge of samba cache in /var/cache/samba
- purge of nscd cache in /var/cache nscd


If I give the right directly to the user on windows server, it takes 
effect immediately and I can log on Terminal Server.


The error message I have when the policy hasn't yet taken effect is 
"to log on this remote computer, you must be granted the allow log on 
through terminal services right. By default, members of the Remote 
Desktop Users group have this right. If you are not a member of remote 
desktop users group or another group that has this right, or if the 
remote desktop user group does not have this right, you must be granted 
this right manually."



It seems that there is a cache for groups.


What service can be responsible of this delay ? Terminal server, GPO, 
samba, ldap, some cache,... ?



Thank you for your help or advice
---
Roland JARRY





[Samba] Samba4 migration issues (wbinfo errors and UPNs)

2013-07-28 Thread Ryan Bair
I migrated over a Samba 3/LDAP domain to Samba 4 in a test environment.
After a few bumps due to not having all my machine accounts as
posixAccounts and clashing user/group names, the migration went relatively
smoothly. Great work, Samba team!

I have a few standing issues that I haven't been able to shake out:

1. wbinfo returns various errors when run on the DC.

wbinfo -D MYDOMAIN returns a SID of S-1-2-3-4. Typing gibberish for the
domain name yields the same results.

wbinfo --dc-info= returns Could not find dc info example.com. Using the
short name doesn't work either.

wbinfo -u/-g does work. As does getent passwd/group for domain users.

The `net` command generally works for the equivalent queries however. For
instance `net ads info` returns the correct information.

Running wbinfo queries from a member server DOES seem to always work.


2. UPNs don't work on the DC (wbinfo -i, getent, pam, etc). wbinfo -i
user@domain fails with:

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user u...@example.com

UPNs do work on Samba 4 members however.

I did spot this interesting bit in the log:
[2013/07/16 12:37:05.642113,  6, pid=6033, effective(0, 0), real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=ad,DC=tsasinc,DC=com ((sAMAccountName=rb...@example.com)(objectSid=*)) - 0
[2013/07/16 12:37:05.642192,  1, pid=6033, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
   lsa_LookupNames: struct lsa_LookupNames
  out: struct lsa_LookupNames
  domains  : *
  domains  : *
  domains: struct lsa_RefDomainList
  count: 0x (0)
  domains  : NULL
  max_size : 0x (0)
  sids : *
  sids: struct lsa_TransSidArray
  count: 0x0001 (1)
  sids : *
  sids: ARRAY(1)
  sids: struct lsa_TranslatedSid
  sid_type : SID_NAME_UNKNOWN (8)
  rid  : 0x (0)
  sid_index: 0x (4294967295)
  count: *
  count: 0x (0)
  result   : NT_STATUS_NONE_MAPPED


That message only comes up when running wbinfo -i on the server, not on a
member. It feels a little off that it's searching for the UPN in
sAMAccountName.

I'm using the sernet 4.0.7-4 packages on Centos 6.4 64bit, no Samba 3
binaries in sight. Samba logs all look clean. DNS, LDAP and Kerberos all
works as expected. I have a feeling that both issues have a common cause,
but have been unable to find it.

Any ideas on either of these issues?

Thanks


[Samba] open_sockets_smbd: accept: Protocol error

2013-07-28 Thread wbetzjr
Hello:

I have Samba 3.0.30 running on SCO Openserver 6. It seems to work fine, but I 
get this error in /var/adm/messages:

Jul 17 08:15:03 smbd[5023]: [2013/07/17 08:15:03, 0] smbd/server.c:(527) 
Jul 17 08:15:03 smbd[5023]:   open_sockets_smbd: accept: Protocol error  
Jul 17 08:16:22 smbd[5056]: [2013/07/17 08:16:22, 0] smbd/server.c:(527) 
Jul 17 08:16:22 smbd[5056]:   open_sockets_smbd: accept: Protocol error  
Jul 17 08:26:14 smbd[5056]: [2013/07/17 08:26:14, 0] smbd/server.c:(527) 
Jul 17 08:26:14 smbd[5056]:   open_sockets_smbd: accept: Protocol error  
Jul 17 08:27:09 smbd[5088]: [2013/07/17 08:27:09, 0] smbd/server.c:(527) 
Jul 17 08:27:09 smbd[5088]:   open_sockets_smbd: accept: Protocol error  
Jul 17 08:28:34 smbd[5103]: [2013/07/17 08:28:34, 0] smbd/server.c:(527) 
Jul 17 08:28:34 smbd[5103]:   open_sockets_smbd: accept: Protocol error  
Jul 17 08:57:35 smbd[5103]: [2013/07/17 08:57:35, 0] smbd/server.c:(527) 
Jul 17 08:57:35 smbd[5103]:   open_sockets_smbd: accept: Protocol error  

Anyone know how to fix this?

Here is my smb.conf:

[global]
workgroup = COMPANY 
server string = OSR6 Samba Server   
interfaces = net0, lo0  
bind interfaces only = Yes  
password server =   
passdb backend = tdbsam 
log level = 3 passdb:5 tdb:10 auth:10   
log file = /var/log/samba/log.%m
max log size = 50   
socket options = TCP_NODELAY=0 SO_KEEPALIVE=1 SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No   
local master = No   
dns proxy = No  
admin users = root, bjrtb   
  
hosts allow = 192.168.1., 192.168.2., 127.  

[print] 
comment = Print Writeable   
path = /usr/print   
valid users = bjrtb 
 
read only = No  
create mask = 0765  

The entire samba log is below.
Thanks,
Bill Betz 

# cat sm.log
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2013/07/17 08:28:33, 2] param/loadparm.c:(3811)
  Processing section [print]  
[2013/07/17 08:28:33, 2] param/loadparm.c:(3811)
  Processing section [printpublic]
[2013/07/17 08:28:33, 2] param/loadparm.c:(3811)
  Processing section [root]   
[2013/07/17 08:28:33, 3] param/loadparm.c:(2725)
  adding IPC service
[2013/07/17 08:28:33, 3] printing/pcap.c:(117)  
  reloading printcap cache  
[2013/07/17 08:28:33, 3] printing/pcap.c:(223)  
  reload status: ok 
[2013/07/17 08:28:33, 3] printing/pcap.c:(117)  
  reloading printcap cache  
[2013/07/17 08:28:33, 3] printing/pcap.c:(223)  
  reload status: ok 
[2013/07/17 08:28:33, 2] lib/interface.c:(81)   
  added interface ip=192.168.1.18 bcast=192.168.1.255 nmask=255.255.255.0   
[2013/07/17 08:28:33, 2] lib/interface.c:(81)   
  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2013/07/17 08:28:33, 3] smbd/server.c:(982)
  loaded services   
[2013/07/17 08:28:33, 3] 

[Samba] Samba4 and classicupgrade and winbind

2013-07-28 Thread Stéphane PURNELLE
Hi,

I found the source of my problem with set_nt_acl_no_snum: fset_nt_acl 
returned NT_STATUS_INVALID_OWNER (I hope).

The problem is due to winbind.

In my ldap tree, I have uid and gid.
Why doesn't samba 4 use this information?

In attached file : output of classic-upgrade (debug level 5)



I don't want to use winbind.
I just want to use pam_ldap or nslcd to get unix information from the samba 
ldb

regards

Stéphane

---
Stéphane PURNELLE Admin. Systèmes et Réseaux 
Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467

[Samba] samba 3.6.16 and kinit

2013-07-28 Thread Eugene M. Zheganin
Hi.

When I'm trying to join a machine to a domain via ADS I get
kerberos_kinit_password d...@norma.com failed: Looping detected inside
krb5_get_in_tkt. At the same time plain kinit d...@norma.com from a
console gives me a ticket without errors. Is this a bug (so I should
report it) or can this still be some misconfiguration on my side ? I'm
doing this on testparm-approved config file from 3.5.x.

P.S. FreeBSD 10.0-CURRENT.

Thanks.
Eugene.


Re: [Samba] Git- Samba 4.1 Glusterfs 3.4, CentOs 6.4

2013-07-28 Thread Christopher R. Hertel
Hmmm...  Odd...

Okay.  Open a bug for it in the Samba Bugzilla and I will follow up.

Chris -)-

On Wed, Jul 24, 2013 at 08:24:20AM +0200, Daniel Müller wrote:
 This is the result when deleting the vfs-glusterfs.c and then running make:#
 
 Project rules pass
 Waf: Leaving directory `/root/samba4/samba-master/bin'
 source not found: 'vfs_glusterfs.c' in
 'dir:///root/samba4/samba-master/source3/modules'
 make: *** [all] Fehler 1
 
 I am afraid there is more to do in configure and configure.developer
 
 ---
 EDV Daniel Müller
 
 Head of IT
 Tropenklinik Paul-Lechler-Krankenhaus
 Paul-Lechler-Str. 24
 72076 Tübingen
 
 Tel.: 07071/206-463, Fax: 07071/206-499
 eMail: muel...@tropenklinik.de
 Internet: www.tropenklinik.de
 ---
 
 -Original Message-
 From: Christopher R. Hertel [mailto:c...@ubiqx.mn.org] 
 Sent: Wednesday, 24 July 2013 07:55
 To: Daniel Müller
 Cc: samba@lists.samba.org; samba-techni...@samba.org
 Subject: Re: Git- Samba 4.1 Glusterfs 3.4, CentOs 6.4
 
 Daniel,
 
 If we can reproduce the build bug, we will certainly work to fix it.  The
 vfs_glusterfs module is, however, fairly new so there has not been time to
 produce useful documentation.  If you would like to contribute
 documentation, we'll be happy to review it.  The Gluster VFS project is
 hosted on forge.gluster.org.
 
 Please provide the BZ number of the Bugzilla bug you've created for this.
 
 Also, you should be able to work around the problem by deleting the
 vfs_glusterfs.c file from the source tree.  You'll find it in
 source3/modules/.
 
 Chris -)-
 
 On Wed, Jul 24, 2013 at 07:40:34AM +0200, Daniel Müller wrote:
  Dear all,
  to your notice: Samba 4.1 pulled from git will not compile under CentOs 
  6.4 if Glusterfs 3.4 is installed from epel-repo.
  Make will die with an error concerning vfs module glusterfs.
  There should be more documentation about the vfs module glusterfs.
  
  Daniel
  
  ---
  EDV Daniel Müller
  
  Head of IT
  Tropenklinik Paul-Lechler-Krankenhaus
  Paul-Lechler-Str. 24
  72076 Tübingen
  
  Tel.: 07071/206-463, Fax: 07071/206-499
  eMail: muel...@tropenklinik.de
  Internet: www.tropenklinik.de
  ---
  
 


Re: [Samba] Git- Samba 4.1 Glusterfs 3.4, CentOs 6.4

2013-07-28 Thread Christopher R. Hertel
Daniel,

If we can reproduce the build bug, we will certainly work to fix it.  The 
vfs_glusterfs module is, however, fairly new so there has not been time to 
produce useful documentation.  If you would like to contribute 
documentation, we'll be happy to review it.  The Gluster VFS project is 
hosted on forge.gluster.org.

Please provide the BZ number of the Bugzilla bug you've created for this.

Also, you should be able to work around the problem by deleting the 
vfs_glusterfs.c file from the source tree.  You'll find it in 
source3/modules/.

Chris -)-

On Wed, Jul 24, 2013 at 07:40:34AM +0200, Daniel Müller wrote:
 Dear all,
 to your notice: Samba 4.1 pulled from git will not compile under CentOs 6.4
 if Glusterfs 3.4 is installed from epel-repo.
 Make will die with an error concerning vfs module glusterfs.
 There should be more documentation about the vfs module glusterfs.
 
 Daniel 
 
 ---
 EDV Daniel Müller
 
 Head of IT
 Tropenklinik Paul-Lechler-Krankenhaus
 Paul-Lechler-Str. 24
 72076 Tübingen
 
 Tel.: 07071/206-463, Fax: 07071/206-499
 eMail: muel...@tropenklinik.de
 Internet: www.tropenklinik.de
 ---
 


[Samba] Advice Migrate Samba 3 to Samba 4

2013-07-28 Thread ArthyD
Hello, 
I've to migrate my old Samba 3 server on fedora 11 (without ldap) to Samba 4 
on fedora 18 (on a new machine).

I've read many topics about samba migration but I can't find one about my
case.
Indeed since Fedora 15 linux users and groups IDs have passed from above 500
to above 1000.

So I have to change those IDs (which will change rid...).

Will this modification interfere in the migration process?
- If not when should I change UIDs/GIDs: after Fedora migration, after Samba
migration?
- Otherwise what should I do?

I would prefer that my clients can connect to the new server without having
to do any change.

regards, 
AD 



--
View this message in context: 
http://samba.2283325.n4.nabble.com/Advice-Migrate-Samba-3-to-Samba-4-tp4651525.html
Sent from the Samba - General mailing list archive at Nabble.com.


[Samba] Problem with Microsoft.com domain address translation in Samba 4 AD.

2013-07-28 Thread Adrian Kastrau
Hi,


First of all I’d like to thank Samba 4 Dev Team. New Samba is a great product. 


I want to replace old Windows 2000 SBS in my school network. I’m testing Samba 
in Virtualbox with 2 network cards. 1st network card (eth0) is connected to the 
Internet. Next card is connected to the Internal network (eth1)


All of interfaces have assigned static IP


I use Internal DNS, I also added iptables rules to redirect traffic to the 
router (of course I configured DNS server). I have Ubuntu Server 12.04 LTS. 






When I’ve tried to visit Microsoft.com I get a DNS error. I haven’t any problems 
with other websites such as Google or Youtube.


I don’t know what I should do in that case.


Best regards.


Adrian Kastrau

Re: [Samba] How to migrate to Samba4 with samba-tool

2013-07-28 Thread ArthyD
If you need more information just let me know... :)



--
View this message in context: 
http://samba.2283325.n4.nabble.com/How-to-migrate-to-Samba4-with-samba-tool-tp4651564p4651565.html
Sent from the Samba - General mailing list archive at Nabble.com.


Re: [Samba] WinXP not print - Samba3.6.6

2013-07-28 Thread Gints Neimanis

Hi,

maybe this will help you:

[printers]
...
use client driver = yes
...

On 07/24/2013 11:46 PM, Thiago Parolin wrote:

Hi,
After upgrading samba from 3.5 to 3.6, WinXP can not print, and the samba
log shows:

[2013/07/24 17:40:00.377907, 0]
rpc_server/spoolss/srv_spoolss_nt.c:1748(_spoolss_OpenPrinterEx)
   _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\spsi

All other systems are ok. (until now)
Any hint to fix this?





[Samba] SAMBA MIGRATION: Help!

2013-07-28 Thread ArthyD
I wrote this topic because I want to migrate my Samba 3 server (on fedora).

I've read almost *every* topic about the subject on this mailing list and many
others on the web. 
Following those tutorials I tried in so many ways to move my server to Samba4
(fedora 18) but none worked.
I begin to be a little bit frustrated by the situation so I want to retry
from the beginning but I need your advice.

How would you migrate Samba in my case?


Old Server: Samba 3 Fedora 11 without LDAP
New server (new machine): Samba 4 Fedora 18 without LDAP
*Note: Linux users and groups IDs have changed  (500 on F11 to 1000 on F18)*

My configuration:
[global]
workgroup = SAMBA-TEST
netbios name = serveurtest
server string = %h
encrypt passwords = yes
NT ACL SUPPORT = yes
security = user
map to guest = Bad User
hosts allow = 127. 192.
log file = /var/log/samba/%m.log
max log size = 50
passdb backend = smbpasswd
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon script = logon.bat
logon path = \\%L\Profiles\%U\%a
  logon home = 
wins support = yes
dns proxy = no
unix password sync = yes
passwd program = /usr/bin/passwd %u

#log level = 10

[profiles]
comment = User profiles
path =  /home/samba/profiles
create mask = 0600
directory mask = 0700
writeable = yes
hide files = /desktop.ini/thumbs.db/
hide dot files = yes
browseable = no

[profiles.V2]
copy = profiles

[netlogon]
comment = Script de login
path = /home/samba/netlogon
root preexec = /home/samba/netlogon/scriptserveur.sh %U %m %T %I %a 'login'
root postexec = /home/samba/netlogon/scriptserveur.sh %U %m %T %I %a 'logout'
readonly = yes
guest ok = yes

[partage]
comment = partage
path = /home/partage
public = yes
writable = yes
read only = no
browseable = yes
printable = no


Thx for any help you can provide :)




--
View this message in context: 
http://samba.2283325.n4.nabble.com/SAMBA-MIGRATION-Help-tp4651582.html
Sent from the Samba - General mailing list archive at Nabble.com.


Re: [Samba] Samba 4 Slow Performance

2013-07-28 Thread Richard Sharpe
On Sat, Jul 27, 2013 at 8:20 AM, Kinglok, Fong busywa...@gmail.com wrote:
 Dear all,

 After using samba 3 for two years, I have just spent totally one week
 finishing setting up a samba 4 file system in my working school.  There are
 about 200 computers, 80+ staff, 1000 students and 10 printers.  The AD was
 properly setup, mandatory profile and one GPO policy (which is printer
 download trust) is effective for all users.  Logon script is for mapping
 four shares and 10 printers from the file server.  Also, I have setup two
 additional DCs (with AD replication and DHCP server) for two other subnets
 in the hope to speed up the logon process.

Hmmm, some further info might be useful.

Is the Samba server an AD DC or a simple member server?

Do you know (perhaps from a capture) whether the excess logon time is
mostly caused by the initial authentication or by trying to retrieve
the GPO and/or roaming profiles?

Do you know whether or not Kerberos is being used or if the client is
falling back to NTLM?

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

Re: [Samba] Fwd: About samba 3.0.28 trust AD

2013-07-28 Thread Marc Muehlfeld

Hello,

On 06.07.2013 15:26, Wong siu yu wrote:

I had a RedHat 5.2 need to trust domain the Windows Server 2008 R2 (forest
level 2003).
Which package I need to install first? I am using samba-3.0.28 but I have
no samba-winbind.
May I know procedures of trust setting in Linux?


Please have a look here first:

http://wiki.samba.org/index.php/FAQ#How_to_do_or_fix_..._in_an_outdated_Samba_version.3F



Regards,
Marc



Re: [Samba] samba 4 userid mapping

2013-07-28 Thread steve
On Tue, 2013-07-09 at 18:22 -0700, Nick B wrote:

Hi
None of this works on a s4 DC
 
  # Setup user maps
 
 idmap config * : backend = tdb
 
 idmap config * : range = 10-19
 
 idmap config MYDOMAIN : backend = ad
 
 idmap config MYDOMAIN : schema_mode = rfc2307
 
 idmap config MYDOMAIN : range = 5-9
 
 winbind nss info = rfc2307
 
 winbind trusted domains only = No
 
 winbind use default domain = Yes
 
 winbind enum users = Yes
 
 winbind enum groups = Yes

replace it with this:
idmap_ldb use:rfc2307 = Yes

make the winbind links:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s libnss_winbind.so /lib64/libnss_winbind.so.2

and the nss stuff in /etc/nsswitch.conf:
passwd:  files winbind
group:   files winbind

Now add the uidNumber and gidNumber attributes to the user or group DN
in AD. You can use ldbmodify or ldbedit for that. If you are brave, you
can build the master and use samba-tool to add the attributes when you
create the user.

Note: if you want the whole of rfc2307 as your smb.conf suggests, then
use sssd and forget about winbind.

HTH
Steve
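
An added example, not part of Steve's message or of Samba itself: a shell helper that builds the LDIF for the ldbmodify step above for a user DN, and refuses IDs that would alias local accounts, since the nsswitch.conf lines above consult files before winbind. The function names, the MIN_ID floor, the sample DN and the sam.ldb path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: build the LDIF that gives one AD user rfc2307 IDs.
# MIN_ID, the function names and all sample values are assumptions.

MIN_ID=10000   # assumed floor, kept clear of root, system and local login IDs

# dn_is_plain DN
# Reject DNs that would change the meaning of the LDIF record.
dn_is_plain() {
    [ -n "$1" ] || return 1
    # A newline or other control character would inject extra LDIF lines.
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ] || return 1
    # LDIF reserves these leading characters in a value.
    case "$1" in
        ' '*|:*|'<'*) return 1 ;;
    esac
    return 0
}

# id_is_safe ID COLONFILE
# Succeeds only if ID is a plain decimal >= MIN_ID that is not already the
# third field of COLONFILE (passwd or group layout: name:x:id:...).
id_is_safe() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, signed, hex or otherwise non-decimal
        0*) return 1 ;;            # 0 (root) and zero-padded forms
    esac
    [ "${#1}" -le 9 ] || return 1  # stay inside shell integer range
    [ "$1" -ge "$MIN_ID" ] || return 1
    [ -r "$2" ] || return 1        # fail closed if the file cannot be checked
    if awk -F: -v id="$1" '$3 == id { hit = 1 } END { exit !hit }' "$2"; then
        return 1                   # a local entry with this ID would win the lookup
    fi
    return 0
}

# rfc2307_ldif DN UIDNUMBER GIDNUMBER [PASSWD_FILE] [GROUP_FILE]
# Prints the modify record on stdout; returns 2, 3 or 4 on a rejected
# DN, uidNumber or gidNumber and prints nothing to stdout.
rfc2307_ldif() {
    dn=$1 uid=$2 gid=$3
    passwd_file=${4:-/etc/passwd}
    group_file=${5:-/etc/group}
    dn_is_plain "$dn" || { echo "refusing DN: control or reserved characters" >&2; return 2; }
    id_is_safe "$uid" "$passwd_file" || { echo "unsafe uidNumber: $uid" >&2; return 3; }
    id_is_safe "$gid" "$group_file" || { echo "unsafe gidNumber: $gid" >&2; return 4; }
    printf 'dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %s\n-\nadd: gidNumber\ngidNumber: %s\n' \
        "$dn" "$uid" "$gid"
}

# Usage (constructed DN; the sam.ldb path assumes a /usr/local/samba build):
#   rfc2307_ldif 'CN=alice,CN=Users,DC=example,DC=com' 10001 10000 > alice.ldif \
#     && ldbmodify -H /usr/local/samba/private/sam.ldb alice.ldif
```

For a group DN only gidNumber applies, so the uidNumber part of the record would be dropped.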




Re: [Samba] Fwd: About samba 3.0.28 trust AD

2013-07-28 Thread Nico Kadel-Garcia
On Sun, Jul 28, 2013 at 5:39 PM, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:
 Hello,

 On 06.07.2013 15:26, Wong siu yu wrote:

 I had a RedHat 5.2 need to trust domain the Windows Server 2008 R2 (forest
 level 2003).
 Which package I need to install first? I am using samba-3.0.28 but I have
 no samba-winbind.
 May I know procedures of trust setting in Linux?


 Please have a look here first:

 http://wiki.samba.org/index.php/FAQ#How_to_do_or_fix_..._in_an_outdated_Samba_version.3F

Red Hat 5.2 (which is amazingly old now), or RHEL 5.2 (which is only 5
years old)? If RHEL 5.2, you should at least remove the samba-*
packages and replace them with the samba3x-* packages, which include
samba3x-winbind and are version 3.6.6, instead of the much older
samba-3.0.33 which is the last update from a licensed RHEL host.

If your RHEL license has expired, you can also consider using the
CentOS or Scientific Linux versions of the package. And if you really
need them, I've been publishing clean tools for building samba-3.6.12
RPM's at https://github.com/nkadel/samba-3.6.12-srpm.


Re: [Samba] Win 2003 DC Demotion

2013-07-28 Thread Caio Zanolla
I remember having issues trying to demote a windows server.

What I did was seize the roles from that dc, turn off the machine and
manually clean up the old DC records from samba using rsat.

I still have lingering records under the root zone though.

Regards,
Caio Zanolla


On Sun, Jul 28, 2013 at 12:50 PM, Peter Beck pe...@datentraeger.li wrote:

 On 07/23/2013 10:49 PM, Garth Keesler wrote:

 Sorry, I forgot to mention. This ONLY occurs when I join Samba 4.x to an
 existing Windows domain. When I join a Windows DC to an existing Samba 4.x
 domain, all works correctly including Forest and Domain bi-directional DNS
 repl.

 Thanx,
 Garth


 Hi Garth,

 It was once working in my test environment, but I do not know why. We had
 a little discussion some months ago [1]. But most of the time I was also
 having issues demoting
 Windows DCs (mostly with the samba-internal DNS database which told me the
 database is inconsistent as soon as I tried to add new records).
 As we do have small environments with about 30 users and we do use puppet
 for deployment, I have chosen not to do migration/demoting of existing
 Windows domains.

 I am starting now from scratch with new Samba4 domains which seems to work
 very well with single or multiple domain controllers.

 Sorry, not really helpful but I do not have an answer to the question.
 It's just my experience.
 Maybe it's because I'm using the old version which is used with Debian
 Wheezy, I don't know.

 Regards
 Peter


 [1] 
 https://lists.samba.org/archive/samba/2013-February/171583.html




[Samba] SAMBA not broadcasting server info

2013-07-28 Thread Leslie Rhorer

Up until a few days ago, I had SAMBA running just fine on several
different systems, but very recently one of the servers has quit announcing
itself to the network.  Smbd, nmbd, and winbindd are all running on the
server, and the machines on the network can all still reach the shares on
the system, but an attempt to browse for the server and its available shares
from a client PC does not produce a listing of the system.  The other
systems show up just fine.  I can't find any errors of any sort in the logs.
I have made a number of changes to the system recently, including an upgrade
to Debian Wheezy, but I cannot figure out where the issue might have arisen.
Where can I look for the issue?  I have not made any changes to the config
file, but here it is, anyway:

AID-Server:/var/log# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from UNKNOWN (192.168.1.121)
# Date: 2013/07/27 09:43:41

[global]
workgroup = HOME
map to guest = Bad User
guest account = lrhorer
printcap name = cups
disable spoolss = Yes
mangle prefix = 6
domain master = No
ldap ssl = no
idmap config * : range = 
idmap config * : backend = tdb

[Server-Main]
path = /RAID/Server-Main/
valid users = lrhorer
admin users = lrhorer
read only = No
guest ok = Yes

[TiVo-Music]
path = /RAID/Music/
admin users = lrhorer
read only = No
guest ok = Yes

[Video]
path = /RAID/Recordings/
admin users = lrhorer
read only = No
guest ok = Yes

[Leslie]
path = /RAID/Personal_Folders/Leslie/
valid users = lrhorer, Leslie A Rhorer
admin users = lrhorer, Leslie A Rhorer
read only = No
guest ok = Yes
strict locking = No

[Liza]
path = /RAID/Personal_Folders/Liza/
valid users = lgates
admin users = lgates
read only = No
guest ok = Yes
strict locking = No

[Tiffany]
path = /RAID/Personal_Folders/Tiffany/
valid users = tgates
admin users = tgates
browseable = No
strict locking = No
available = No

[V-Edit]
path = /V-Edit/
admin users = lrhorer
read only = No
guest ok = Yes

[Photos]
path = /RAID/Photos/
admin users = lrhorer
read only = No
guest ok = Yes

[HP_940C]
path = /home/smbprint
printer admin = lrhorer
create mask = 0700
guest only = Yes
guest ok = Yes
printable = Yes
print ok = Yes

[DVD_Rip]
path = /RAID/DVD
valid users = lrhorer
read only = No
guest ok = Yes

[Thermostat]
path = /usr/share/thermostat
username = root
valid users = lrhorer
admin users = lrhorer
read only = No
guest ok = Yes

[html]
path = /var/www
valid users = lrhorer
admin users = lrhorer
read only = No
guest ok = Yes

Re: [Samba] Samba 4 Slow Performance

2013-07-28 Thread Andrew Bartlett
On Sat, 2013-07-27 at 23:20 +0800, Kinglok, Fong wrote:
 Dear all,
 
 After using samba 3 for two years, I have just spent totally one week
 finishing setting up a samba 4 file system in my working school.
 There are about 200 computers, 80+ staff, 1000 students and 10
 printers.  The AD was properly setup, mandatory profile and one GPO
 policy (which is printer download trust) is effective for all users.
 Logon script is for mapping four shares and 10 printers from the file
 server.   Also, I have setup two additional DCs (with AD replication
 and DHCP server) for two other subnets in the hope to speed up the
 logon process.
 
 The benefits of Samba 4 are clear: more robust file serving
 (supporting the windows ACL), speedy printing (with the help of point
 and printer driver) and administration of AD through with windows
 remote admin tool.  However, logon speed is just far from good.
 
 In the days of Samba 3.6, users can logon the system within 20
 seconds, even with more than 80 users logon in the same time (two
 classes students login during computer lesson).  Now, with only one
 user logging in (who is me), it takes nearly 60 seconds to do the
 logon.  I have tried disabling drive and printer mapping in logon
 script and applying a registry hack (note 1) shorten the profile
 waiting time in windows 7 client side but it makes no difference in
 logon speed.
 
 I have taken a look on the document in sambaXP 2013:
 http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf
 
 and two thread in samba-technical mailing list:
 https://lists.samba.org/archive/samba-technical/2013-January/089755.html
 https://lists.samba.org/archive/samba-technical/2013-May/092332.html
 
 It seems that samba team is doing some great work in spotting the
 unindexed search in LDB as one of block in performance. 

It is one block, but it is the one we expect to really hit at around
1, not 1000-2000.  As Richard has indicated, what we need from you
is an indication of what operation is slow.  Timeouts of this order
indicate something different to a slow database - they indicate things
like DNS timing out. 

Once you work out which specific operation is blocking, we can
investigate more - be it in regards to your network, or our code, we
don't mind either way, but we need to work out which to look into.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Fwd: About samba 3.0.28 trust AD

2013-07-28 Thread Jonathan Buzzard

On 29/07/13 00:48, Nico Kadel-Garcia wrote:

On Sun, Jul 28, 2013 at 5:39 PM, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:

Hello,

On 06.07.2013 15:26, Wong siu yu wrote:


I had a RedHat 5.2 need to trust domain the Windows Server 2008 R2 (forest
level 2003).
Which package I need to install first? I am using samba-3.0.28 but I have
no samba-winbind.
May I know procedures of trust setting in Linux?



Please have a look here first:

http://wiki.samba.org/index.php/FAQ#How_to_do_or_fix_..._in_an_outdated_Samba_version.3F


Red Hat 5.2 (which is amazingly old now), or RHEL 5.2 (which is only 5
years old)? If RHEL 5.2, you should at least remove the samba-*
packages and replace them with the samba3x-* packages, which include
samba3x-winbind and are version 3.6.6, instead of the much older
samba-3.0.33 which is the last update from a licensed RHEL host.



That requires something much more recent than RHEL5.2. As I recall 
samba3x first came with RHEL 5.6



If your RHEL license has expired, you can also consider using the
CentOS or Scientific Linux versions of the package.


He needs to do more than that. The version of RHEL he is running has 
more than one remote root exploit, with Samba being one of them. Just 
replacing the Samba packages with something more recent is insufficient 
to secure that machine. As a matter of some urgency the box should be 
upgraded to latest, and if the RHEL license has expired then switched 
to CentOS/Scientific Linux. Personally my choice is CentOS because a 
range of third party software e.g. all the Dell firmware updates 
recognize CentOS and work where they consider Scientific Linux as 
unsupported without fiddling with things.



JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.