[Samba] Changing remote Windows password from python
I can change a user's password on a remote win-host with smbpasswd (smbpasswd -r REMOTE_IP -U REMOTE_USER). And I see that smbpasswd uses source3/libsmb/passchange.c, but I can't find any bindings to do this from Python. Is there a Python way of changing a remote password?

--
Kurbanov Azat, e-mail: cordal...@gmail.com

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 01:30, Marc Muehlfeld wrote:

On 29.08.2013 00:10, Luca Olivetti wrote:

Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server. Just my €0.02

I'll try it. I only used nslcd because that's what was suggested in the samba wiki.

The Winbind and sssd Howto isn't finished yet. Currently I don't have too much time, but I'm working on it. :-)

Don't worry, given that samba4 should work as a windows server, there are many tutorials that explain how to configure sssd against active directory (though my attempts so far have been unsuccessful).

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
[Samba] profile permissions
Thanks for the suggestion! It seems to work. The only problem is that before starting the rsync I need to create the directory profile in the target system and set the acl permission for this directory.

1)
mkdir profile
chown user1:ntuser profile
chmod 711 profile
setfacl -m default:user1:rwx profile
setfacl -m default:group::--- profile
setfacl -m default:other:--- profile

2) rsync from source to target system

Can someone confirm that this is OK?

Thanks
Michelangelo

On Thu, Aug 22, 2013 at 6:45 AM, Michelangelo Rezzonico mrezzon...@ticino.com wrote:

I have a working samba-pdc installation with version 3.0.28

The profile permissions in 3.0.28 (and all the files in this directory) are as follows:

drwx--x--x 2 user1 ntuser 4096 Aug 22 12:36 profile

I am installing a new server with samba version 3.6.3

The profile permissions in 3.6.3 (and all the files in this directory) are as follows:

drwx--x--x+ 2 user1 ntuser 4096 Aug 22 12:36 profile

The difference is the + sign that indicates acl permissions. How can I correctly migrate the profile from 3.0.28 to 3.6.3 so that the permissions are set correctly?

How about using rsync to mirror the filesystem from source server to dest?

John
[Samba] sambaLMPassword
I have a Samba-PDC installation (version is 3.6.3) with openLDAP. When I change the password from a client (Windows/XP and Windows/7) the attribute sambaNTPassword is changed and I can log in with the new password. The problem is that the content of the attribute sambaLMPassword is deleted. I remember that in my previous version of Samba (3.0.28) both attributes were updated. Is this correct? Where is the attribute sambaLMPassword used?

Thanks
Michelangelo
Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.
Hiya Andrew,

Many thanks for the typically helpful and comprehensive reply :-)

I think that's probably the right track :-)

The code here is triggered when poll() indicates that the socket is readable. This socket should only be readable when a new connection is being made, and accept() should succeed.

...

So, my only conclusion is that your box momentarily does not have the resources to accept the connection, and because there isn't the sleep() in the source3 code, it prints this in a loop until the resources become available.

Absolutely, and on any normal Unix implementation I'd agree entirely. That sort of poll()/accept()/... code is perfectly normal and exactly what you'd expect - I've written plenty of very similar code myself over the years ...

However this is Solaris :-(

Caught in the act:

...
16327: pollsys(0x0809B4D0, 8, 0xFEFFDF18, 0x) = 1
16327: fd=39 ev=POLLIN|POLLHUP rev=0
16327: fd=38 ev=POLLIN|POLLHUP rev=0
16327: fd=34 ev=POLLIN|POLLHUP rev=0
16327: fd=36 ev=POLLIN|POLLHUP rev=0
16327: fd=37 ev=POLLIN|POLLHUP rev=POLLIN
16327: fd=35 ev=POLLIN|POLLHUP rev=0
16327: fd=33 ev=POLLIN|POLLHUP rev=0
16327: fd=6 ev=POLLIN|POLLHUP rev=0
16327: timeout: 59.99900 sec
16327: accept(37, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) = 41
16327: AF_INET name = X.X.X.X port = 28986
16327: forkx(0)= 26942
16327: lwp_sigmask(SIG_SETMASK, 0x00011080, 0x, 0x, 0x) = 0xFFBFFEFF [0x]
16327: close(41) = 0
16327: pollsys(0x0809B4D0, 8, 0xFEFFDF18, 0x) = 1
16327: fd=39 ev=POLLIN|POLLHUP rev=0
16327: fd=38 ev=POLLIN|POLLHUP rev=0
16327: fd=34 ev=POLLIN|POLLHUP rev=0
16327: fd=36 ev=POLLIN|POLLHUP rev=0
16327: fd=35 ev=POLLIN|POLLHUP rev=POLLIN
16327: fd=33 ev=POLLIN|POLLHUP rev=0
16327: fd=6 ev=POLLIN|POLLHUP rev=0
16327: fd=37 ev=POLLIN|POLLHUP rev=0
16327: timeout: 44.69600 sec
16327: accept(35, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) Err#130 ECONNABORTED
...

So there's nothing odd about the poll(). Typically Solaris will flag POLLERR in revents if it's out of resources, and POLLHUP if the remote end closed the connection before it was fully established (remote NAKed, or ignored, the connection SYN; terminally low on resources at t'other end of the socket; ...). Neither is happening here which would suggest things are proceeding as normal for the connection establishment.

The server darn' well shouldn't be out of any resources either. In terms of physical resources, at the point that occurred the CPUs were at 99.9% idle, there was 15Gb of free RAM (so not out of kernel memory then ...) and only a total of about 400 sockets (TCP, Unix, ...) in use across the entire system, as reported by netstat -na | wc -l - well below peak levels seen on this system.

So it's going to be that hypothetical Solaris specific SO_DONT_RANDOMLY_ABORT_CONNECTIONS socket() option, isn't it :-)

So could I request please, that in the source3 code, either:

a. The same sleep() is added as in the source4 code; -and/or-
b. If errno == ECONNABORTED then only log the error if the debug level is (substantially?) higher than zero.

I think it's probably safe to assume that ECONNABORTED is generally ignorable; for whatever reason, Solaris seems to return this at the drop of a metaphorical hat (and ignoring it on other OS' isn't going to be a problem either). Maybe the same with EAGAIN (and possibly EWOULDBLOCK), as other Ignore this unless the user REALLY wants a lot of debug output type errors?

This would also seem to be common practice - a quick Google for accept() ignore ECONNABORTED comes back with a lot of results, mainly showing other open source code having been modified specifically to ignore ECONNABORTED.

Cheers!
Tris.
-Original Message-
From: Andrew Bartlett [mailto:abart...@samba.org]
Sent: 29 August 2013 00:41
To: Tris Mabbs
Cc: samba@lists.samba.org; samba-techni...@samba.org
Subject: Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.

On Sun, 2013-08-25 at 18:50 +0100, Tris Mabbs wrote:

Probably should have posted this to samba-technical in the first place, so re-posting in case anyone has any useful ideas .

From: Tris Mabbs
Sent: 12 August 2013 23:08
To: 'samba@lists.samba.org'
Subject: Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.

Good day oh technical ones .

I was running Samba 4 (client only, not using it as a DC so effectively running Samba 3 code from the Samba 4 tree) and, other than a little Gotcha! regarding decoding Kerberos PACs, it was all
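The accept() handling requested in the message above (pause when resources run short, keep ECONNABORTED out of the default log), as an added example that is not Samba's source3 code and not part of the original posts. It is written in Python rather than C; the grouping of errno values beyond ECONNABORTED, EAGAIN and EWOULDBLOCK is an assumption, and FakeListener is a constructed stand-in for a listening socket.

```python
import errno
import logging
import os
import time

# The peer gave up before accept() ran, or there was nothing to accept.
# This says nothing about the listener itself, so retry quietly.
TRANSIENT = frozenset({errno.ECONNABORTED, errno.EAGAIN,
                       errno.EWOULDBLOCK, errno.EINTR})
# The process or host is short of descriptors or buffers (assumed grouping).
# Retrying at once would spin and flood the log, so pause first.
RESOURCE = frozenset({errno.EMFILE, errno.ENFILE,
                      errno.ENOBUFS, errno.ENOMEM})


def classify_accept_error(err):
    """Map an accept() errno to 'transient', 'backoff' or 'fatal'."""
    if err in TRANSIENT:
        return "transient"
    if err in RESOURCE:
        return "backoff"
    return "fatal"


def accept_once(listener, log, backoff=0.1, sleep=time.sleep):
    """Call listener.accept() once.

    Returns (conn, action) with action 'accepted', 'transient' or 'backoff'.
    Any other error is logged at error level and re-raised.
    """
    try:
        conn, _peer = listener.accept()
        return conn, "accepted"
    except OSError as exc:
        action = classify_accept_error(exc.errno)
        if action == "transient":
            # Only visible when the operator asked for debug output.
            log.debug("accept: %s (ignored)", exc.strerror)
        elif action == "backoff":
            log.warning("accept: %s, pausing %.1fs", exc.strerror, backoff)
            sleep(backoff)
        else:
            log.error("accept: %s", exc.strerror)
            raise
        return None, action


class FakeListener:
    """Constructed stand-in: fails with the given errnos, then succeeds."""

    def __init__(self, errnos):
        self._errnos = list(errnos)

    def accept(self):
        if self._errnos:
            err = self._errnos.pop(0)
            raise OSError(err, os.strerror(err))
        return "conn", ("192.0.2.1", 40000)  # constructed peer address


def replay(errnos):
    """Drive accept_once over constructed failures at the default log level.

    Returns (actions taken, levels of the records emitted, sleeps requested).
    """
    levels, sleeps, actions = [], [], []

    class Collect(logging.Handler):
        def emit(self, record):
            levels.append(record.levelname)

    log = logging.Logger("accept-demo", level=logging.WARNING)
    log.addHandler(Collect())
    listener = FakeListener(errnos)
    for _ in range(len(errnos) + 1):
        _conn, action = accept_once(listener, log, sleep=sleeps.append)
        actions.append(action)
    return actions, levels, sleeps


if __name__ == "__main__":
    print(replay([errno.ECONNABORTED, errno.EMFILE]))
```
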
Re: [Samba] sambaLMPassword
Hello Michelangelo,

On 29.08.2013 10:12, Michelangelo Rezzonico wrote:

I have a Samba-PDC installation (version is 3.6.3) with openLDAP. When I change the password from a client (Windows/XP and Windows/7) the attribute sambaNTPassword is changed and I can log in with the new password. The problem is that the content of the attribute sambaLMPassword is deleted.

It's not a problem. It was a security decision. :-) If there's no good reason, you should keep this new default. If you really want to re-enable, have a look at the smb.conf manpage and search for the lanman auth option.

I remember that in my previous version of Samba (3.0.28) both attributes were updated. Is this correct?

Yes it is. :-) The old LanManager passwords are very insecure. And Samba disabled them by default sometime around 3.3, if I remember right. On MS side the support for LM passwords was disabled in Vista and later, too.

Where is the attribute sambaLMPassword used?

It is removed on password changes.

Regards,
Marc
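A check that follows from the reply above, as an added example that is not part of the original thread or of Samba: it scans an LDIF export for accounts that still hold a sambaLMPassword value and reports whether smb.conf re-enables the lanman auth option. The LDIF entries, hash values and smb.conf text are constructed samples, and the function names are hypothetical.

```python
import base64
import re

HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed sample data (not taken from any real directory).
SAMPLE_LDIF = """
dn: uid=user1,ou=People,dc=example,dc=com
uid: user1
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=user2,ou=People,dc=example,dc=com
uid: user2
sambaNTPassword: FFEEDDCCBBAA99887766554433221100

dn: uid=user3,ou=People,dc=example,dc=com
uid: user3
sambaLMPassword: 89ABCDEF01234567
 89ABCDEF01234567
"""

SAMPLE_CONF_WEAK = """
[global]
    workgroup = EXAMPLE
    ; re-enabled for an old client
    LanMan Auth = Yes
"""


def parse_ldif(text):
    """Return one dict per entry: lower-cased attribute -> list of values."""
    logical = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    logical.append("")  # make sure the last entry is flushed

    entries, current = [], {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def accounts_with_lm_hash(ldif_text):
    """DNs of entries that still carry a 32-hex-digit sambaLMPassword."""
    flagged = []
    for entry in parse_ldif(ldif_text):
        if any(HASH_RE.match(v) for v in entry.get("sambalmpassword", [])):
            flagged.append(entry.get("dn", ["<no dn>"])[0])
    return flagged


def lanman_auth_enabled(smb_conf_text):
    """True if [global] sets 'lanman auth' to a true value (last one wins)."""
    section, enabled = None, False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep or section != "global":
            continue
        # smb.conf ignores case and whitespace inside parameter names.
        if "".join(key.lower().split()) == "lanmanauth":
            enabled = value.strip().lower() in TRUE_VALUES
    return enabled


if __name__ == "__main__":
    print("LM hashes still stored for:", accounts_with_lm_hash(SAMPLE_LDIF))
    print("lanman auth enabled:", lanman_auth_enabled(SAMPLE_CONF_WEAK))
```
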
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 11:14 +1200, Andrew Bartlett wrote:

On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:

Hi, I have one Samba4 server running as Active Directory Domain Controller. It's working like a charm. So I needed to add another server to be a Member Server (File Server). The server is running samba-4.0.9.

Configured and compiled ok:

./configure --prefix=/usr/local/samba --sysconfdir=/etc --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads --with-shared-modules=idmap_ad,pam

Installed ok. Kerberos OK. I can run kinit and klist

root@MYNETSRV08:/etc/samba# kinit Administrator
Password for administra...@mynet.net:
root@MYSRV08:/etc/samba#
root@MYNETSRV08:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@mynet.net

Valid starting    Expires           Service principal
28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
        renew until 29/08/2013 19:59
root@MYNETSRV08:/etc/samba#

My SMB.CONF is below:

[global]
workgroup = MYNET
security = ADS
realm = MYNET.NET
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 500-4
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

[test]
path = /mnt/files
read only = no

I can add my server to domain:

root@PCOSRV08:/etc/samba# net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYNET
Joined 'MYNETSRV08' to dns domain 'mynet.net'
root@MYNETSRV08:/etc/samba#

libnss_winbind.so is in the right place:

root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
/lib/libnss_winbind.so /lib/libnss_winbind.so.2

The libs are loaded fine:

root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
libnss_hesiod.so.2 - libnss_hesiod-2.13.so
libnss_compat.so.2 - libnss_compat-2.13.so
libnss_dns.so.2 - libnss_dns-2.13.so
libnss_ldap.so.2 - libnss_ldap.so.2
libnss_nis.so.2 - libnss_nis-2.13.so
libnss_nisplus.so.2 - libnss_nisplus-2.13.so
libnss_files.so.2 - libnss_files-2.13.so
libnss_wins.so - libnss_wins.so.2
libnss_winbind.so - libnss_winbind.so.2
libnss_hesiod.so.2 - libnss_hesiod-2.13.so
libnss_compat.so.2 - libnss_compat-2.13.so
libnss_dns.so.2 - libnss_dns-2.13.so
libnss_nis.so.2 - libnss_nis-2.13.so
libnss_nisplus.so.2 - libnss_nisplus-2.13.so
libnss_files.so.2 - libnss_files-2.13.so
root@MYNETSRV08:/etc/samba#

I added winbind to my nsswitch.conf

passwd: compat winbind
group: compat winbind

I can start the daemon without issues:

smbd
nmbd
winbindd

wbinfo -u list all my domain users
wbinfo -g list all my domain groups

Here is the problems:

When I run getent passwd, it lists only the local users.

For performance reasons, by default we do not list users in the AD domain. See winbind enum users in your smb.conf

His smb.conf above shows that the OP has those lines for both users and groups.

When I run id Administrator, it returns No such user.

You need to use 'id MYNET\\administrator'

smb.conf has:
winbind use default domain = Yes
Do we still need MYNET\\?

Do your users have entries for: uidNumber and gidNumber in AD?

Cheers
Steve
Re: [Samba] objectClass:posixAccount missing
On Thu, 2013-08-29 at 01:30 +0200, Marc Muehlfeld wrote:

On 29.08.2013 00:10, Luca Olivetti wrote:

Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server. Just my €0.02

I'll try it. I only used nslcd because that's what was suggested in the samba wiki.

The Winbind and sssd Howto isn't finished yet. Currently I don't have too much time, but I'm working on it. :-)

We have sssd covered here: http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

sssd 1.11.1 was released today. I'll report back:)

HTH
Steve
Re: [Samba] nslcd / pam_ldap HowTo
On Thu, 2013-08-29 at 01:41 +0200, Marc Muehlfeld wrote:

https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

@All: Please give some feedback. Thanks.

Hi

The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what we already have? How about this instead?

1. For a client joined to the domain, please skip to (3) below.
2. On the DC: Extract the machine key:
   samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$
3. Get tickets and create the cache:
   k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt

- Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start nslcd.

It's unfortunate we still have to cater for the old versions too. The extra mappings slow things down considerably for large domains especially as enumeration is enabled.

HTH
Steve
Re: [Samba] nslcd / pam_ldap HowTo
On 29.08.2013 12:31, steve wrote:

The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what we already have? How about this instead?

1. For a client joined to the domain, please skip to (3) below.
2. On the DC: Extract the machine key:
   samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$
3. Get tickets and create the cache:
   k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt

I had a look on my production site. I don't have a krb5.keytab on any of my Samba 3 or 4 servers in my AD. After some reading, I found out that I must have a kerberos method entry in my smb.conf file for that. I'm not sure how many people are having this option. As the HowTo should be usable for as many people as possible, I would keep these short steps. They don't bring problems and work even if there's already a keytab on the machine.

- Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start nslcd.

Makes sense. Changed.

It's unfortunate we still have to cater for the old versions too. The extra mappings slow things down considerably for large domains especially as enumeration is enabled.

I think most companies running Samba in production don't use the latest versions of everything, because they run enterprise distributions like RHEL, SLES, Debian, etc. At work we only run self compiled software, when there's a requirement for that, because everything that isn't updated through the package manager, is extra work (steady check for security updates, manual patching on all servers, etc.). Also packages in the enterprise software are more tested and stable. That's why I think it's worth to take care of such situations and not only serve users running the latest versions (of course not ancient versions).

But I already have some comments in the configuration examples about the mappings. It's up to the admin to review what he/she uses in production and fine tune. :-)

Thanks for your comments.

Regards,
Marc
[Samba] Force user permission in specific folders
Hi,

It's not that often that I'm messing around with Samba but I have a dilemma that I need some help with.

I have a share called common, users can create folders and files just fine but I'm wondering if it's possible to force folders/files to be created with certain user/group owner in just that specific folder. I know I can force so that everything is created with a specific user/group, but I want it specific to folders.

Let's say I create a file in /common/ and it will be created with the owner that I'm logged in as, let's say the user john. But if John, or anyone, creates a file in /common/files/ I want it to be created with the owner james no matter who creates it. Is this possible to achieve?

The reason I need this is because I have a Samba share with all our www/ftp folders and they are owned by the user that has the FTP-account for that specific folder. If I create a folder or whatever it will change the permission so that the FTP-user can't edit/delete it. I don't really want to chmod 777 on everything in there.

If it's not possible, how do people manage this? Or should I not make a Samba share like this?

Thanks,
-Patric
Re: [Samba] sambaLMPassword
Hi Marc,

thanks a lot for your help!

Regards.
Michelangelo

Hello Michelangelo,

On 29.08.2013 10:12, Michelangelo Rezzonico wrote:

I have a Samba-PDC installation (version is 3.6.3) with openLDAP. When I change the password from a client (Windows/XP and Windows/7) the attribute sambaNTPassword is changed and I can log in with the new password. The problem is that the content of the attribute sambaLMPassword is deleted.

It's not a problem. It was a security decision. :-) If there's no good reason, you should keep this new default. If you really want to re-enable, have a look at the smb.conf manpage and search for the lanman auth option.

I remember that in my previous version of Samba (3.0.28) both attributes were updated. Is this correct?

Yes it is. :-) The old LanManager passwords are very insecure. And Samba disabled them by default sometime around 3.3, if I remember right. On MS side the support for LM passwords was disabled in Vista and later, too.

Where is the attribute sambaLMPassword used?

It is removed on password changes.

Regards,
Marc
Re: [Samba] nslcd / pam_ldap HowTo
On Thu, 2013-08-29 at 13:08 +0200, Marc Muehlfeld wrote:

I think most companies running Samba in production don't use the latest versions of everything, because they run enterprise distributions like RHEL, SLES, Debian, etc. At work we only run self compiled software, when there's a requirement for that, because everything that isn't updated through the package manager, is extra work

Not everyone has the luxury of being able to take hardware for granted. Most of us have to make do with what we have. E.g. running a Samba domain in a school of 600 students with 80 10 year old machines is simply impossible with old versions of software.

As far as AD is concerned, it is unfortunate that Red Hat have decided to retain the 0.7 series of nss-pam-ldapd. Everyone else has at least 0.8.10, the one where AD compatibility was addressed.

Thanks for inviting comments. I think that by doing so, you are in a strong position to produce a howto that will be accurate, useful and above all, doable.
[Samba] Sysvol replication problem
Hello fellow Samba users,

I have a question that is related to sysvol replication. I have for now two Samba DC's that are functioning as DNS and Active Directory roles in my network. As samba for now does not support sysvol replication, I am replicating sysvol shares via rsync with -XAavz attributes as suggested in samba wiki.

The issue is that getfacl on these two servers return different user ids and when I replicate these folders with rsync, the secondary DC is using wrong IDs, and at the end, I can't access sysvol folder on second dc (via share).

On FSMO master getfacl radio101.local returns:

# file: radio101.local
# owner: root
# group: 300
# flags: -s-
user::rwx
user:root:rwx
group::rwx
group:300:rwx
group:309:r-x
group:333:r-x
group:334:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:300:rwx
default:group:309:r-x
default:group:333:r-x
default:group:334:rwx
default:mask::rwx
default:other::---

while on secondary we have (after ntacl sysvolreset):

# file: radio101.local/
# owner: root
# group: 300
# flags: -s-
user::rwx
user:root:rwx
group::rwx
group:300:rwx
group:312:r-x
group:332:r-x
group:333:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:300:rwx
default:group:312:r-x
default:group:332:r-x
default:group:333:rwx
default:mask::rwx
default:other::---

What should I do next,

Thanks for your help.
Re: [Samba] Change default GID of users
Thank you Steve,

I had this mapping in nslcd.conf

map passwd gidNumber primaryGroupID

I need the gidNumber to be 100 because this is gidnumber of group users in my Ubuntu servers. I will disable this mapping and test if everything is OK.

2013/8/28 steve st...@steve-ss.com

On Tue, 2013-08-27 at 16:07 -0300, Bruno Vane wrote:

Hi Steve, Seems that this attribute does not matter, see my user bruno.vane:

primaryGroupID: 513
gidNumber: 100

Hi

How are you obtaining the information from AD? If you set:

gidNumber: 100

in the DN of a user, then that is what will be returned when e.g. nss-ldapd is used. It will not return primaryGroupID unless you have mapped that attribute to gidNumber in nslcd.conf. primaryGroupID is not a rfc2307 attribute.

HTH

--
Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu
www.zamix.com.br | www.superonda.com.br
Re: [Samba] Force user permission in specific folders
On 08/29/2013 04:40 AM, Patric Falinder wrote:

Hi,

It's not that often that I'm messing around with Samba but I have a dilemma that I need some help with.

I have a share called common, users can create folders and files just fine but I'm wondering if it's possible to force folders/files to be created with certain user/group owner in just that specific folder. I know I can force so that everything is created with a specific user/group, but I want it specific to folders.

Let's say I create a file in /common/ and it will be created with the owner that I'm logged in as, let's say the user john. But if John, or anyone, creates a file in /common/files/ I want it to be created with the owner james no matter who creates it. Is this possible to achieve?

The reason I need this is because I have a Samba share with all our www/ftp folders and they are owned by the user that has the FTP-account for that specific folder. If I create a folder or whatever it will change the permission so that the FTP-user can't edit/delete it. I don't really want to chmod 777 on everything in there.

If it's not possible, how do people manage this? Or should I not make a Samba share like this?

Thanks,
-Patric

Use group permissions?

--
-Eric 'shubes'
Re: [Samba] [SOLVED] Problem authenticating from standalone servers via Samba 3.0.34 domain member servers to Samba 3.2.5 domain controller
I'm posting the solution for posterity.

This is sooo lame that I'm almost embarrassed. The problem was that nmbd wasn't running on the PDC. Somewhere between 3.0 and 3.6, RH changed the smb init script to only control smbd, and nmbd now has its own init script. DOH! (Note, I do like the change though)

Solution:

# service nmb start
# chkconfig nmb on

I'm a little surprised (and disappointed) that nobody here realized this. It's sort of obvious to me now.

P.S. I'm not sure if this was the solution for the original poster or not.

--
-Eric 'shubes'

On 08/25/2013 09:49 AM, Eric Shubert wrote:

I think I've come across this same problem, although I'm migrating from 3.0.33 (CentOS5) to 3.6 (CentOS6).

I've migrated the domain controller from 3.0.33 to 3.6 first. I dumped and restored the passwd, secrets and schannel_store tdb files from 3.0 to 3.6, and also migrated the linux accounts and groups. Windows XP clients are able to log into the domain. However, the 3.0.33 file server is unable to find the domain controller.

I can see the shares on the DC from the file server:

# net rpc -S tacs-dc.stor -U shubes SHARE
Password:
homes
admin
ops
r3i
IPC$
shubes
#

However, the file server cannot find the DC:

# net rpc trustdom list
Unable to find a suitable server
[2013/08/25 08:26:15, 0] utils/net_rpc.c:rpc_trustdom_list(6083)
  Couldn't connect to domain controller
#

I'm also seeing this in the file server's log:

[2013/08/25 07:45:43, 3] libsmb/namequery.c:get_dc_list(1495)
  get_dc_list: preferred server list: , tacs-dc.stor
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_lmhosts(966)
  resolve_lmhosts: Attempting lmhosts lookup for name tacs-dc.stor0x20
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_wins(863)
  resolve_wins: Attempting wins lookup for name tacs-dc.stor0x20
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_wins(866)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_hosts(1029)
  resolve_hosts: Attempting host lookup for name tacs-dc.stor0x20
[2013/08/25 07:45:48, 3] libsmb/trusts_util.c:enumerate_domain_trusts(167)
  enumerate_domain_trusts: can't locate a DC for domain R3I

The domain SID in the secrets.tdb files on both hosts match the SID of the the DC host.

I figure there's something I've missed in migrating the DC that has broken the trust, but haven't been able to find the problem yet. Any ideas will be appreciated. Thanks.
Re: [Samba] [Solved] PDC: System SID missing / inconsistent with domain SID
On 08/26/2013 07:57 PM, Eric Shubert wrote:

On 08/26/2013 01:21 PM, Eric Shubert wrote:

I'm guessing that adding a TACS-DC record to the old host would fix the problem of not being able to get its SID.

This appears to work now.

I'm also guessing that adding a LANYARD record to the new host *might* make it recognize that it's a domain controller. I hope to test this later today, when users are gone.

This didn't appear to help. The new DC still doesn't recognize itself as a DC:

# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
#

I do have the SID of the domain/host that was created by this host. I wonder if restoring those records in secrets.tdb, then using the net command to change the SID of the domain and host might fix things up. Does the net setdomainsid command do anything more than change the value of the record in the tdb file? If it does, that could be a solution.

Anyone have any insight about how to go about changing the host name of a domain controller (while migrating it)? Thanks.

I'm posting the solution for posterity.

net setdomainsid does nothing more than change the sid in the secrets.db file. Changing the host name of a PDC is simply a matter of adding a record in the secrets.db file with the same SID as the previous hostname record (which is the same SID value as the domain record there).

This is sooo lame that I'm almost embarrassed. The problem was that nmbd wasn't running on the PDC. Somewhere between 3.0 and 3.6, RH changed the smb init script to only control smbd, and nmbd now has its own init script. DOH! (Note, I do like the change though)

Solution:

# service nmb start
# chkconfig nmb on

I'm a little surprised (and disappointed) that nobody here realized this. It's sort of obvious to me now.

--
-Eric 'shubes'

--
-Eric 'shubes'
Re: [Samba] Change default GID of users
Hello Bruno,

On 29.08.2013 16:11, Bruno Vane wrote:

I had this mapping in nslcd.conf

map passwd gidNumber primaryGroupID

I need the gidNumber to be 100 because this is gidnumber of group users in my Ubuntu servers. I will disable this mapping and test if everything is OK.

The mapping is not just for mapping one field to another. You can replace values, too or do other things (see manpage for more).

You can hardcode the mapping:

map passwd gidNumber 666

# getent passwd
...
Administrator:*:1:666::/home/Administrator:/bin/bash
technik:*:10001:666:Technik:/home/technik:/bin/false
demo1:*:10002:666:Demo User1:/home/demo1:/bin/sh

And all your domain accounts have primary group 666 :-)

Regards,
Marc
Re: [Samba] Force user permission in specific folders
From: Patric Falinder patric.falin...@omg.nu
Date: Thu, 29 Aug 2013 13:40:01 +0200

It's not that often that I'm messing around with Samba but I have a dilemma that I need some help with.

I have a share called common, users can create folders and files just fine but I'm wondering if it's possible to force folders/files to be created with certain user/group owner in just that specific folder. I know I can force so that everything is created with a specific user/group, but I want it specific to folders.

Please use force user and force group parameters.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo
facebook.com/takahashi.motonobu
[Samba] Issues logging with trusted domain users
Hello,

We have a situation where we have a samba 3 controller as PDC for the domain dom.com and has a two-way trust relationship with a W2k8 controller for the domain domain.local. We can log in on Windows workstations if we use the domain domain.local but login fails if we just try to use domain. On the Windows machines, however, login works if we just use DOMAIN\user (instead of DOMAIN.LOCAL\user).

Is there something that needs to be done on Samba's side for this mapping to work?

--
Diego Lima
http://www.diegolima.org
Re: [Samba] Change default GID of users
Thank you Marc!

2013/8/29 Marc Muehlfeld sa...@marc-muehlfeld.de

Hello Bruno,

On 29.08.2013 16:11, Bruno Vane wrote:

I had this mapping in nslcd.conf

map passwd gidNumber primaryGroupID

I need the gidNumber to be 100 because this is gidnumber of group users in my Ubuntu servers. I will disable this mapping and test if everything is OK.

The mapping is not just for mapping one field to another. You can replace values, too or do other things (see manpage for more).

You can hardcode the mapping:

map passwd gidNumber 666

# getent passwd
...
Administrator:*:1:666::/home/Administrator:/bin/bash
technik:*:10001:666:Technik:/home/technik:/bin/false
demo1:*:10002:666:Demo User1:/home/demo1:/bin/sh

And all your domain accounts have primary group 666 :-)

Regards,
Marc

--
Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu
www.zamix.com.br | www.superonda.com.br
Re: [Samba] Samba4 Member Server not working
Hi, Where can I enter this values in AD? 2013/8/29 steve st...@steve-ss.com On Thu, 2013-08-29 at 11:14 +1200, Andrew Bartlett wrote: On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote: Hi, I have one Samba4 server running as Active Directory Domain Controller. It's working like a charm. So I needed to add another server to be a Member Server (File Server). The server is running samba-4.0.9. Configured and compiled ok: ./configure --prefix=/usr/local/samba --sysconfdir=/etc --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads --with-shared-modules=idmap_ad,pam Installed ok. Kerberos OK. I can run kinit and klist root@MYNETSRV08:/etc/samba# kinit Administrator Password for administra...@mynet.net: root@MYSRV08:/etc/samba# root@MYNETSRV08:/etc/samba# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administra...@mynet.net Valid startingExpires Service principal 28/08/2013 19:59 29/08/2013 05:59 krbtgt/mynet@mynet.net renew until 29/08/2013 19:59 root@MYNETSRV08:/etc/samba# My SMB.CONF is below: [global] workgroup = MYNET security = ADS realm = MYNET.NET encrypt passwords = yes idmap config *:backend = tdb idmap config *:range = 70001-8 idmap config MYNET:backend = ad idmap config MYNET:schema_mode = rfc2307 idmap config MYNET:range = 500-4 winbind nss info = rfc2307 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes [test] path = /mnt/files read only = no I can add my server to domain: root@PCOSRV08:/etc/samba# net ads join -U administrator Enter administrator's password: Using short domain name -- MYNET Joined 'MYNETSRV08' to dns domain 'mynet.net' root@MYNETSRV08:/etc/samba# libnss_winbind.so is in the right place: root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so* /lib/libnss_winbind.so /lib/libnss_winbind.so.2 The libs are loaded fine: root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss 
libnss_hesiod.so.2 - libnss_hesiod-2.13.so libnss_compat.so.2 - libnss_compat-2.13.so libnss_dns.so.2 - libnss_dns-2.13.so libnss_ldap.so.2 - libnss_ldap.so.2 libnss_nis.so.2 - libnss_nis-2.13.so libnss_nisplus.so.2 - libnss_nisplus-2.13.so libnss_files.so.2 - libnss_files-2.13.so libnss_wins.so - libnss_wins.so.2 libnss_winbind.so - libnss_winbind.so.2 libnss_hesiod.so.2 - libnss_hesiod-2.13.so libnss_compat.so.2 - libnss_compat-2.13.so libnss_dns.so.2 - libnss_dns-2.13.so libnss_nis.so.2 - libnss_nis-2.13.so libnss_nisplus.so.2 - libnss_nisplus-2.13.so libnss_files.so.2 - libnss_files-2.13.so root@MYNETSRV08:/etc/samba# I added winbind to my nsswitch.conf passwd: compat winbind group: compat winbind I can start the daemon without issues: smbd nmbd winbindd wbinfo -u list all my domain users wbinfo -g list all my domain groups Here is the problems: When I run getent passwd, it lists only the local users. For performance reasons, by default we do not list users in the AD domain. See winbind enum users in your smb.conf His smb.conf above shows that the OP has those lines for both users and groups. When I run id Administrator, it returns No such user. You need to use 'id MYNET\\administrator' smb.conf has: winbind use default domain = Yes Do we still need MYNET\\? Do your users have entries for: uidNumber and gidNumber in AD? Cheers Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- http://www.endomondo.com/profile/3312580 Veja: http://naofoiacidente.org/blog/por-quem/ -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 14:21 -0300, Carlos Alberto Borges Garcia wrote:

Hi, Where can I enter this values in AD?

Hi

If you have a recent version of Samba4, you can add them when you create new users:

samba-tool user add --help

will give the options. If you already have the users, just edit their entries e.g.:

ldbedit --url=/usr/local/samba/private/sam.ldb cn=carlos

Add a minimum of:

uidNumber: 1234567
gidNumber: 12345

Your winbind will then pull this information from AD when needed. You can get sensible values for uidNumber from idmap e.g.:

wbinfo -i carlos

HTH
Steve
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 19:46 +0200, steve wrote:

You can get sensible values for uidNumber from idmap e.g.:

wbinfo -i carlos

** Don't forget to change:

idmap config MYNET:range = 500-4

to include your new values. Something like: 300-310
Re: [Samba] Samba4 Member Server not working
Still not working: I created a test user: dn: CN=test,CN=Users,DC=mynet,DC=net objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: test givenName: test instanceType: 4 whenCreated: 20130827212151.0Z displayName: test uSNCreated: 45308 name: teste objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid: S-1-5-21-3124563532-696977291-52706181-1501131 accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: test sAMAccountType: 805306368 userPrincipalName: t...@mynet.net objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net pwdLastSet: 13022112112000 url: uidNumber userAccountControl: 512 msDS-SupportedEncryptionTypes: 0 gidNumber: 12345 uidNumber: 1234567 whenChanged: 20130829175016.0Z uSNChanged: 47069 distinguishedName: CN=test,CN=Users,DC=mynet,DC=net But if I run: id test id MYNET\test id MYNET\\test id t...@mynet.net I get No such ser 2013/8/29 steve st...@steve-ss.com On Thu, 2013-08-29 at 14:21 -0300, Carlos Alberto Borges Garcia wrote: Hi, Where can I enter this values in AD? Hi If you have a recent version of Samba4, you can add them when you create new users: samba-tool user add --help will give the options. If you already have the users, just edit their entries e.g.: ldbedit --url=/usr/local/samba/private/sam.ldb cn=carlos Add a minimum of: uidNumber: 1234567 gidNumber: 12345 Your winbind will then pull this information from AD when needed. You can get sensible values for uidNumber from idmap e.g.: wbinfo -i carlos HTH Steve -- http://www.endomondo.com/profile/3312580 Veja: http://naofoiacidente.org/blog/por-quem/ -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 14:59 -0300, Carlos Alberto Borges Garcia wrote: Still not working: I created a test user: dn: CN=test,CN=Users,DC=mynet,DC=net objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: test givenName: test instanceType: 4 whenCreated: 20130827212151.0Z displayName: test uSNCreated: 45308 name: teste objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid: S-1-5-21-3124563532-696977291-52706181-1501131 accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: test sAMAccountType: 805306368 userPrincipalName: t...@mynet.net objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net pwdLastSet: 13022112112000 url: uidNumber userAccountControl: 512 msDS-SupportedEncryptionTypes: 0 gidNumber: 12345 uidNumber: 1234567 whenChanged: 20130829175016.0Z uSNChanged: 47069 distinguishedName: CN=test,CN=Users,DC=mynet,DC=net But if I run: id test id MYNET\test id MYNET\\test id t...@mynet.net I get No such ser Change: uidNumber: 3000100 gidNumber: 80513 and in smb.conf: idmap config MYNET:range = 80001-310 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
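The range check suggested in this reply, as an added example that is not from the thread or from Samba: winbind's idmap_ad backend treats `idmap config DOMAIN:range` as a filter, so a uidNumber or gidNumber outside it is ignored. The function names are hypothetical and the range bounds in the sample smb.conf fragments are constructed (the archive shows the real ones with digits missing); the uidNumber and gidNumber values are the ones quoted in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct idmap_range { char domain[64]; unsigned long low, high; };

enum id_status { ID_OK, ID_NO_RANGE, ID_BAD_RANGE, ID_OVERLAP,
                 ID_UID_OUTSIDE, ID_GID_OUTSIDE };

/* Constructed smb.conf fragments; only the parameter names come from the thread. */
const char SAMPLE_NARROW[] =
    "[global]\n"
    "  idmap config *:backend = tdb\n"
    "  idmap config *:range = 70001-80000\n"
    "  idmap config MYNET:backend = ad\n"
    "  idmap config MYNET:schema_mode = rfc2307\n"
    "  idmap config MYNET:range = 500-40000\n";
const char SAMPLE_WIDE[] =
    "[global]\n"
    "  idmap config *:range = 70001-80000\n"
    "  idmap config MYNET:backend = ad\n"
    "  idmap config MYNET:range = 80001-3100000\n";

/* Returns 1 for a valid range line, 0 for any other line, -1 if low > high.
 * Assumes the parameter name is written in lower case, as in the thread. */
int parse_idmap_range(const char *line, struct idmap_range *out)
{
    if (sscanf(line, " idmap config %63[^: \t] : range = %lu - %lu",
               out->domain, &out->low, &out->high) != 3)
        return 0;
    return out->low <= out->high ? 1 : -1;
}

/* Collects every idmap range in conf; returns the count, or -1 on a bad range. */
int load_ranges(const char *conf, struct idmap_range *out, int max)
{
    int n = 0;
    while (*conf != '\0') {
        size_t len = strcspn(conf, "\n");
        char line[256];
        if (len < sizeof line && n < max) {
            memcpy(line, conf, len);
            line[len] = '\0';
            int rc = parse_idmap_range(line, &out[n]);
            if (rc < 0)
                return -1;
            n += rc;
        }
        conf += len;
        if (*conf == '\n')
            conf++;
    }
    return n;
}

/* Would winbind accept these POSIX ids for an account in `domain`? */
enum id_status check_ids(const char *conf, const char *domain,
                         unsigned long uid, unsigned long gid)
{
    struct idmap_range r[16];
    const struct idmap_range *dom = NULL;
    int n = load_ranges(conf, r, 16);

    if (n < 0)
        return ID_BAD_RANGE;
    for (int i = 0; i < n; i++)
        if (strcasecmp(r[i].domain, domain) == 0)
            dom = &r[i];
    if (dom == NULL)
        return ID_NO_RANGE;
    /* Ranges of different domains (including the "*" default) must not overlap. */
    for (int i = 0; i < n; i++)
        if (&r[i] != dom && r[i].low <= dom->high && dom->low <= r[i].high)
            return ID_OVERLAP;
    if (uid < dom->low || uid > dom->high)
        return ID_UID_OUTSIDE;
    if (gid < dom->low || gid > dom->high)
        return ID_GID_OUTSIDE;
    return ID_OK;
}

int main(void)
{
    printf("narrow range, uid 1234567 gid 12345: status %d\n",
           check_ids(SAMPLE_NARROW, "MYNET", 1234567UL, 12345UL));
    printf("wide range,   uid 3000100 gid 80513: status %d\n",
           check_ids(SAMPLE_WIDE, "MYNET", 3000100UL, 80513UL));
    return 0;
}
```

A range line whose lower bound exceeds its upper bound is reported as `ID_BAD_RANGE` rather than silently accepted.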
Re: [Samba] objectClass:posixAccount missing
Al 29/08/13 12:06, En/na steve ha escrit: We have sssd covered here: http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html Well, that's doesn't seem to be complete (at least to a kerberos newbie like me). For example, it's missing the step to create /etc/krb5.keytab I used /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab --principal=HP$ but then sssd complains that [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HP$@WETRON.ES] [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using keytab [/etc/krb5.keytab] [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals [[sssd[ldap_child[2300 [prepare_response] (0x0400): Building response for result [0] [[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed successfully [sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client finished [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615] [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: HP$ [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error] [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)] BTW, installing sssd from rpm (mageia 3, which provides 1.9.4) causes locally built samba to not start anymore (since there is some conflicting library and samba will use the bad library in /usr/lib64 instead of the one under /usr/local/samba), so, in my specific case, I cannot really say 'you'll not believe how simple this is' ;-) nslcd seems simpler (at least I got it working) Bye -- Luca Olivetti Wetron Automation Technology http://www.wetron.es Tel. 
+34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On Thu, 2013-08-29 at 20:17 +0200, Luca Olivetti wrote: but then sssd complains that [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HP$@WETRON.ES] [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using keytab [/etc/krb5.keytab] [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals [[sssd[ldap_child[2300 [prepare_response] (0x0400): Building response for result [0] [[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed successfully [sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client finished [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615] [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: HP$ [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error] [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)] Oooof. ¡Doloroso! Marc's howto will be here soon:) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 Member Server not working
Still not working :( 2013/8/29 steve st...@steve-ss.com On Thu, 2013-08-29 at 14:59 -0300, Carlos Alberto Borges Garcia wrote: Still not working: I created a test user: dn: CN=test,CN=Users,DC=mynet,DC=net objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: test givenName: test instanceType: 4 whenCreated: 20130827212151.0Z displayName: test uSNCreated: 45308 name: teste objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid: S-1-5-21-3124563532-696977291-52706181-1501131 accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: test sAMAccountType: 805306368 userPrincipalName: t...@mynet.net objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net pwdLastSet: 13022112112000 url: uidNumber userAccountControl: 512 msDS-SupportedEncryptionTypes: 0 gidNumber: 12345 uidNumber: 1234567 whenChanged: 20130829175016.0Z uSNChanged: 47069 distinguishedName: CN=test,CN=Users,DC=mynet,DC=net But if I run: id test id MYNET\test id MYNET\\test id t...@mynet.net I get No such ser Change: uidNumber: 3000100 gidNumber: 80513 and in smb.conf: idmap config MYNET:range = 80001-310 -- http://www.endomondo.com/profile/3312580 Veja: http://naofoiacidente.org/blog/por-quem/ -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 Member Server not working
On Thu, 2013-08-29 at 15:29 -0300, Carlos Alberto Borges Garcia wrote:

Still not working :(

Turn off nscd? Give up? Use nslcd or sssd instead? Can't think of anything else:(
Re: [Samba] Samba4 Member Server not working
On 29/08/13 20:29, Carlos Alberto Borges Garcia wrote:

But if I run:

id test
id MYNET\test
id MYNET\\test
id t...@mynet.net

I get No such ser

That should be:

id test

not:

id MYNET\\test
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 19:17, Luca Olivetti wrote: Al 29/08/13 12:06, En/na steve ha escrit: We have sssd covered here: http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html Well, that's doesn't seem to be complete (at least to a kerberos newbie like me). For example, it's missing the step to create /etc/krb5.keytab I used /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab --principal=HP$ but then sssd complains that [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HP$@WETRON.ES] [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using keytab [/etc/krb5.keytab] [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals [[sssd[ldap_child[2300 [prepare_response] (0x0400): Building response for result [0] [[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed successfully [sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client finished [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615] [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: HP$ [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error] [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Server not found in Kerberos database)]

BTW, installing sssd from rpm (mageia 3, which provides 1.9.4) causes locally built samba to not start anymore (since there is some conflicting library and samba will use the bad library in /usr/lib64 instead of the one under /usr/local/samba), so, in my specific case, I cannot really say 'you'll not believe how simple this is' ;-) nslcd seems simpler (at least I got it working)

Bye

Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'

Rowland
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 21:02, Rowland Penny wrote:

Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'

Thank you, that worked *but* we're back to square one: migrated users (with the posixAccount class) show up but new users don't.

Bye
-- Luca Olivetti Wetron Automation Technology http://www.wetron.es Tel. +34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 21:15, Luca Olivetti wrote:

On 29/08/13 21:02, Rowland Penny wrote:

Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'

Thank you, that worked *but* we're back to square one: migrated users (with the posixAccount class) show up but new users don't.

Oops, sorry, actually it didn't work, I forgot that in the meantime I changed nsswitch.conf to use ldap instead of nss :-(

Bye
-- Luca Olivetti Wetron Automation Technology http://www.wetron.es Tel. +34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 20:17, Luca Olivetti wrote:

On 29/08/13 21:15, Luca Olivetti wrote:

On 29/08/13 21:02, Rowland Penny wrote:

Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'

Thank you, that worked *but* we're back to square one: migrated users (with the posixAccount class) show up but new users don't.

Oops, sorry, actually it didn't work, I forgot that in the meantime I changed nsswitch.conf to use ldap instead of nss :-(

Bye

Sorry but I am losing the plot here a bit, I thought because you wanted the keytab, you were now trying to get sssd to work.

Rowland
Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.
On Thu, Aug 29, 2013 at 10:10:38AM +0100, Tris Mabbs wrote: Hiya Andrew, Many thanks for the typically helpful and comprehensive reply :-) I think that's probably the right track :-) The code here is triggered when poll() indicates that the socket is readable. This socket should only be readable when a new connection is being made, and accept() should succeed. ... So, my only conclusion is that your box momentarily does not have the resources to accept the connection, and because there isn't the sleep() in the source3 code, it prints this in a loop until the resources become available. Absolutely, and on any normal Unix implementation I'd agree entirely. That sort of poll()/accept()/... code is perfectly normal and exactly what you'd expect - I've written plenty of very similar code myself over the years ... However this is Solaris :-( Caught in the act: ... 16327: pollsys(0x0809B4D0, 8, 0xFEFFDF18, 0x) = 1 16327: fd=39 ev=POLLIN|POLLHUP rev=0 16327: fd=38 ev=POLLIN|POLLHUP rev=0 16327: fd=34 ev=POLLIN|POLLHUP rev=0 16327: fd=36 ev=POLLIN|POLLHUP rev=0 16327: fd=37 ev=POLLIN|POLLHUP rev=POLLIN 16327: fd=35 ev=POLLIN|POLLHUP rev=0 16327: fd=33 ev=POLLIN|POLLHUP rev=0 16327: fd=6 ev=POLLIN|POLLHUP rev=0 16327: timeout: 59.99900 sec 16327: accept(37, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) = 41 16327: AF_INET name = X.X.X.X port = 28986 16327: forkx(0)= 26942 16327: lwp_sigmask(SIG_SETMASK, 0x00011080, 0x, 0x, 0x) = 0xFFBFFEFF [0x] 16327: close(41) = 0 16327: pollsys(0x0809B4D0, 8, 0xFEFFDF18, 0x) = 1 16327: fd=39 ev=POLLIN|POLLHUP rev=0 16327: fd=38 ev=POLLIN|POLLHUP rev=0 16327: fd=34 ev=POLLIN|POLLHUP rev=0 16327: fd=36 ev=POLLIN|POLLHUP rev=0 16327: fd=35 ev=POLLIN|POLLHUP rev=POLLIN 16327: fd=33 ev=POLLIN|POLLHUP rev=0 16327: fd=6 ev=POLLIN|POLLHUP rev=0 16327: fd=37 ev=POLLIN|POLLHUP rev=0 16327: timeout: 44.69600 sec 16327: accept(35, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) Err#130 ECONNABORTED ... So there's nothing odd about the poll(). 
Typically Solaris will flag POLLERR in revents if it's out of resources, and POLLHUP if the remote end closed the connection before it was fully established (remote NAKed, or ignored, the connection SYN; terminally low on resources at t'other end of the socket; ...). Neither is happening here which would suggest things are proceeding as normal for the connection establishment.

The server darn' well shouldn't be out of any resources either. In terms of physical resources, at the point that occurred the CPUs were at 99.9% idle, there was 15Gb of free RAM (so not out of kernel memory then ...) and only a total of about 400 sockets (TCP, Unix, ...) in use across the entire system, as reported by netstat -na | wc -l - well below peak levels seen on this system.

So it's going to be that hypothetical Solaris specific SO_DONT_RANDOMLY_ABORT_CONNECTIONS socket() option, isn't it :-)

So could I request please, that in the source3 code, either:

a. The same sleep() is added as in the source4 code; -and/or-
b. If errno == ECONNABORTED then only log the error if the debug level is (substantially?) higher than zero.

So your problem is the debug statement being triggered repeatedly?

Adding a sleep is (IMHO) the wrong thing to do. Once the accept() has failed the 'POLLIN' event should not be triggered repeatedly on the polled socket. Your truss trace doesn't show enough. Does a subsequent pollsys() keep returning

fd=35 ev=POLLIN|POLLHUP rev=POLLIN

after the:

accept(35, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) Err#130 ECONNABORTED

?

Jeremy.
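The handling discussed in this exchange (treat ECONNABORTED from accept() as the loss of one pending connection, log it only at a raised debug level, and go back to poll() without sleeping), as an added example that is not Samba's code or code from the thread. The function names, the debug-level thresholds (3 and 10) and the replayed syscall sequence are assumptions constructed for illustration, and the listening socket is assumed to be non-blocking.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>

/* What the listener loop does after one accept() attempt fails. */
enum accept_action {
    ACCEPT_RETRY,   /* only that one pending connection is gone */
    ACCEPT_DRAINED, /* nothing left in the queue: return to poll() */
    ACCEPT_BACKOFF, /* local resource shortage: pause before polling again */
    ACCEPT_FATAL    /* the listening socket itself is unusable */
};

struct accept_policy {
    enum accept_action action;
    int log_level;  /* lowest debug level at which the failure is logged */
};

struct accept_stats { int accepted; int logged; };

typedef int (*accept_fn)(int lfd, struct sockaddr *addr, socklen_t *len);
typedef void (*conn_fn)(int cfd);

#define ACCEPT_BURST 64 /* cap per wakeup so one busy listener cannot starve others */

struct accept_policy classify_accept_errno(int err)
{
    struct accept_policy p = { ACCEPT_FATAL, 0 };

    switch (err) {
    case ECONNABORTED: /* peer gave up between the handshake and accept() */
    case EPROTO:
        p.action = ACCEPT_RETRY;   p.log_level = 3;  break;
    case EINTR:
        p.action = ACCEPT_RETRY;   p.log_level = 10; break;
    case EAGAIN:
#if EWOULDBLOCK != EAGAIN
    case EWOULDBLOCK:
#endif
        p.action = ACCEPT_DRAINED; p.log_level = 10; break;
    case EMFILE: case ENFILE: case ENOBUFS: case ENOMEM:
        p.action = ACCEPT_BACKOFF; p.log_level = 0;  break;
    default:
        break; /* EBADF, EINVAL, ENOTSOCK and the like: always logged */
    }
    return p;
}

/* Call when poll() reports POLLIN on lfd. Assumes lfd is O_NONBLOCK. */
enum accept_action service_listener(int lfd, accept_fn do_accept, conn_fn on_conn,
                                    int debug_level, struct accept_stats *st)
{
    for (int i = 0; i < ACCEPT_BURST; i++) {
        int cfd = do_accept(lfd, NULL, NULL);
        if (cfd >= 0) {
            st->accepted++;
            if (on_conn != NULL)
                on_conn(cfd); /* handler takes ownership of cfd */
            continue;
        }
        int err = errno;
        struct accept_policy p = classify_accept_errno(err);
        if (debug_level >= p.log_level) {
            st->logged++; /* the fd is logged so a recurring listener stands out */
            fprintf(stderr, "accept on fd %d: %s\n", lfd, strerror(err));
        }
        if (p.action != ACCEPT_RETRY)
            return p.action;
    }
    return ACCEPT_DRAINED;
}

/* Wrapper to pass as do_accept for a real listening socket. */
int sys_accept(int lfd, struct sockaddr *addr, socklen_t *len)
{
    return accept(lfd, addr, len);
}

/* Constructed replay: negative step = errno from accept(), positive = new fd. */
static const int *script;
static size_t script_len, script_pos;

static int scripted_accept(int lfd, struct sockaddr *addr, socklen_t *len)
{
    (void)lfd; (void)addr; (void)len;
    int step = script_pos < script_len ? script[script_pos++] : -EAGAIN;
    if (step < 0) { errno = -step; return -1; }
    return step;
}

enum accept_action replay(const int *steps, size_t n, int debug_level,
                          struct accept_stats *st)
{
    script = steps; script_len = n; script_pos = 0;
    st->accepted = st->logged = 0;
    return service_listener(32, scripted_accept, NULL, debug_level, st);
}

int main(void)
{
    const int trace[] = { -ECONNABORTED, 38, -EAGAIN };
    struct accept_stats st;
    enum accept_action a = replay(trace, 3, 0, &st);
    printf("debug 0: action=%d accepted=%d logged=%d\n", a, st.accepted, st.logged);
    a = replay(trace, 3, 3, &st);
    printf("debug 3: action=%d accepted=%d logged=%d\n", a, st.accepted, st.logged);
    return 0;
}
```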
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 20:41, Luca Olivetti wrote:

On 29/08/13 21:20, Rowland Penny wrote:

On 29/08/13 20:17, Luca Olivetti wrote:

On 29/08/13 21:15, Luca Olivetti wrote:

On 29/08/13 21:02, Rowland Penny wrote:

Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'

Thank you, that worked *but* we're back to square one: migrated users (with the posixAccount class) show up but new users don't.

Oops, sorry, actually it didn't work, I forgot that in the meantime I changed nsswitch.conf to use ldap instead of nss :-(

Bye

Sorry but I am losing the plot here a bit, I thought because you wanted the keytab, you were now trying to get sssd to work.

Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf to ldap, so I thought your suggestion was working while it actually wasn't (same error with Administrator as with HP$).

Bye

Hi, I am replying to you on list, could you please post your sssd.conf and what version of sssd you are using, also what is your OS

Rowland
Re: [Samba] Samba4 Member Server not working
I give up. Configured the server as Secondary Domain Controller. Now it works.

2013/8/29 steve st...@steve-ss.com

On 29/08/13 20:29, Carlos Alberto Borges Garcia wrote:

But if I run:

id test
id MYNET\test
id MYNET\\test
id t...@mynet.net

I get No such ser

That should be:

id test

not:

id MYNET\\test

-- http://www.endomondo.com/profile/3312580 See: http://naofoiacidente.org/blog/por-quem/
[Samba] Inexplicable rejection of credentials
I have a Windows home network with a bunch of Windows boxes and two Ubuntu boxes. Everything can access shares on everything else, with one exception: no one can get to the one share on the second Ubuntu box which I just added to the system.

All my machines have one user account (admin privileges in Windows) with the name pauld and the same password. In an effort to solve this problem on the second Ubuntu box, I even copied the smb.conf file from the first Ubuntu box and edited its netbios name parameter. The only difference I can see in the configuration of the two boxes is the different computer names, which are reflected both in their hostnames and their netbios names. Oh, and I've rebooted everything several times.

Yet when I attempt to access the sole share on this machine, either from a Windows machine or from the other Ubuntu box, it rejects the username/password. (One difference: Windows boxes fail on trying to open the machine; the older Ubuntu box can open the machine and see the share name, but fail on trying to open the share. Dunno if that means anything.)

For reference, here's the smb.conf from the offending machine:

---
[global]
workgroup = WORKGROUP
netbios name = BUILD
server string = %h server (Samba, Ubuntu)
dns proxy = no
name resolve order = bcast wins
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

[all]
comment = Everything
read only = no
path = /
browsable = yes
create mask = 755
---

Most of this stuff was created automatically by installing Samba, so I don't really know what it means, or even if it's necessary. I stripped out all the comments, and manually added the [all] share at the end. (And I don't need any lectures about providing write access to root, please.)

The ONLY difference between this file and the one on the working Ubuntu machine is the netbios name. There are no other mysterious files in /etc/samba that could be confusing things. No logs in /var/log/samba show any failures.

So my general question is: how do I fix this? And a more specific question is: is there any other file somewhere that could be getting into the act, and screwing this machine up? If there isn't an answer forthcoming, how about this: how do I go about debugging this?

-- Ciao, Paul D. DeRocco Paul mailto:pdero...@ix.netcom.com
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 21:54, Rowland Penny wrote:

Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf to ldap, so I thought your suggestion was working while it actually wasn't (same error with Administrator as with HP$).

Bye

Hi, I am replying to you on list, could you please post your sssd.conf and what version of sssd you are using, also what is your OS

OK, now I got sssd working *but* without kerberos. The OS is Linux, mageia 3, sssd is 1.9.4, the sssd.conf is just like the one posted by steve (http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html) modified for my domain and with kerberos options commented out of the way:

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
#krb5_realm = WETRON.ES
#krb5_server = hp.wetron.es
#krb5_kpasswd = hp.wetron.es
ldap_referrals = false
ldap_uri = ldap://localhost/
ldap_search_base = dc=wetron,dc=es
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=wetron,dc=es
ldap_group_name = cn
ldap_group_member = member
#ldap_user_search_filter =((objectCategory=User)(uidNumber=*))
#dap_sasl_mech = gssapi
#ldap_sasl_authid = nslcd-connect
##for the client use:
## ldap_sasl_authid=ALGORFA$
#ldap_krb5_keytab = /etc/krb5.sssd.keytab
#ldap_krb5_init_creds = true
ldap_id_use_start_tls = false
ldap_default_bind_dn = cn=nslcd-connect,cn=Users,dc=wetron,dc=es
ldap_default_authtok_type = password
ldap_default_authtok = ---

Bye
-- Luca Olivetti Wetron Automation Technology http://www.wetron.es Tel. +34 935883004 Fax +34 935883007
Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.
Hiya Jeremy,

So your problem is the debug statement being triggered repeatedly ?

Yup.

Adding a sleep is (IMHO) the wrong thing to do.

It has the advantage of pretty much guaranteeing the problem will go away; it has the disadvantage of blocking the thread/process. However it is what the Samba4 client code does (so a similar change to the Samba3 would be consistent; of course, so would a different change to both codebases ...).

Once the accept() has failed the 'POLLIN' event should not be triggered repeatedly on the polled socket. Your truss trace doesn't show enough. Does a subsequent pollsys() keep returning

    fd=35 ev=POLLIN|POLLHUP rev=POLLIN

after the:

    accept(35, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) Err#130 ECONNABORTED

Now that's a very interesting question ... OK, a quick dig around later and we get (abridged):

    pollsys(0x080849F0, 8, 0xFEFFDF58, 0x) = 1
        fd=36 ev=POLLIN|POLLHUP rev=0
        fd=35 ev=POLLIN|POLLHUP rev=0
        fd=34 ev=POLLIN|POLLHUP rev=0
        fd=31 ev=POLLIN|POLLHUP rev=0
        fd=33 ev=POLLIN|POLLHUP rev=0
        fd=32 ev=POLLIN|POLLHUP rev=POLLIN
        fd=6 ev=POLLIN|POLLHUP rev=0
        fd=30 ev=POLLIN|POLLHUP rev=0
        timeout: 32.54700 sec
    accept(32, 0xFEFFDE0C, 0xFEFFDDF8, SOV_DEFAULT) Err#130 ECONNABORTED
    ...
    write(8, a c c e p t : S o.., 43) = 43
    pollsys(0x080849F0, 8, 0xFEFFDF58, 0x) = 1
        fd=36 ev=POLLIN|POLLHUP rev=0
        fd=35 ev=POLLIN|POLLHUP rev=0
        fd=34 ev=POLLIN|POLLHUP rev=0
        fd=31 ev=POLLIN|POLLHUP rev=POLLIN
        fd=33 ev=POLLIN|POLLHUP rev=0
        fd=6 ev=POLLIN|POLLHUP rev=0
        fd=30 ev=POLLIN|POLLHUP rev=0
        fd=32 ev=POLLIN|POLLHUP rev=0
        timeout: 32.54600 sec
    accept(31, 0xFEFFDE0C, 0xFEFFDDF8, SOV_DEFAULT) = 38
        AF_INET name = X.X.X.X port = 55935
    forkx(0)= 10502
    ...
    pollsys(0x080849F0, 8, 0xFEFFDF58, 0x) = 1
        fd=36 ev=POLLIN|POLLHUP rev=0
        fd=35 ev=POLLIN|POLLHUP rev=0
        fd=34 ev=POLLIN|POLLHUP rev=0
        fd=33 ev=POLLIN|POLLHUP rev=0
        fd=32 ev=POLLIN|POLLHUP rev=POLLIN
        fd=31 ev=POLLIN|POLLHUP rev=0
        fd=6 ev=POLLIN|POLLHUP rev=0
        fd=30 ev=POLLIN|POLLHUP rev=0
        timeout: 31.03400 sec
    accept(32, 0xFEFFDE0C, 0xFEFFDDF8, SOV_DEFAULT) Err#130 ECONNABORTED
    ...
    write(8, a c c e p t : S o.., 43) = 43
        Received signal #18, SIGCLD, in pollsys() [caught]
        siginfo: SIGCLD CLD_EXITED pid=10504 status=0x
    pollsys(0x080849F0, 8, 0xFEFFDF58, 0x) Err#4 EINTR
        fd=36 ev=POLLIN|POLLHUP rev=0
        fd=35 ev=POLLIN|POLLHUP rev=0
        fd=34 ev=POLLIN|POLLHUP rev=0
        fd=33 ev=POLLIN|POLLHUP rev=0
        fd=31 ev=POLLIN|POLLHUP rev=0
        fd=6 ev=POLLIN|POLLHUP rev=0
        fd=30 ev=POLLIN|POLLHUP rev=0
        fd=32 ev=POLLIN|POLLHUP rev=0
        timeout: 31.03200 sec

So that would be a no - next poll() and there's no revent flagged on that same socket. Which would confirm your thought that sleep() is perhaps not the way to go. However I don't know the Samba code (at all!) nearly well enough to comment - that sleep() may be serving some other vital purpose under different circumstances?

Either way, it would appear that my second suggestion would still be valid - only log this (and possibly a couple of other error conditions) when more debugging is enabled?

Another passing thought ... That truss only captured 2 ECONNABORTED incidents - typical that nothing much happens when you're specifically looking at it. However, is it likely to be a coincidence that both were on the same socket? FD#32 happens to be bound to port 445 on one specific interface of the machine; tomorrow I might try a more extended test and poke lots of traffic at that interface (and/or might stick the socket descriptor number into the debug message) - if anything interesting presents itself (E.g., it's always the same port, or interface, ... where the problem occurs) I'll post an update saying so.

Probably doesn't affect the solution, but possibly technically interesting anyway ...

Many thanks, and regards,
Tris.

-Original Message-
From: Jeremy Allison [mailto:j...@samba.org]
Sent: 29 August 2013 20:52
To: Tris Mabbs
Cc: 'Andrew Bartlett'; samba@lists.samba.org; samba-techni...@samba.org
Subject: Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.

On Thu, Aug 29, 2013 at 10:10:38AM +0100, Tris Mabbs wrote:

Hiya Andrew,

Many thanks for the typically helpful and comprehensive reply :-)

I think that's probably the right track :-) The code here is triggered when poll() indicates that the socket is readable. This socket should only be readable when a new connection is being made, and accept() should succeed.

...

So, my only conclusion is that your box momentarily does not have the resources to
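The accept() handling discussed in this thread, as an added example that is not Samba's code and not part of the original posts: a transient failure such as ECONNABORTED sends the loop straight back to poll() without a sleep and is logged only at a debugging level. It goes beyond the thread by also separating resource-shortage errors, where a pause is reasonable. All function names and the 0-to-3 log scale are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum accept_action {
    ACT_SERVE,   /* accept() returned a connection */
    ACT_REPOLL,  /* transient failure: go straight back to poll(), no sleep */
    ACT_BACKOFF, /* resource shortage: stop polling the listener briefly */
    ACT_FATAL    /* the listening socket itself is unusable */
};

/* Decide what the event loop does after accept() failed with `err`. */
enum accept_action classify_accept_errno(int err)
{
    /* Aborted while queued, interrupted by a signal, or queue already empty. */
    if (err == ECONNABORTED || err == EINTR ||
        err == EAGAIN || err == EWOULDBLOCK)
        return ACT_REPOLL;
    /* Out of descriptors or memory: the condition needs time to clear. */
    if (err == EMFILE || err == ENFILE || err == ENOBUFS || err == ENOMEM)
        return ACT_BACKOFF;
    return ACT_FATAL;
}

/* Hypothetical log scale: 0 is always written, 3 only when debugging. */
int accept_log_level(enum accept_action a)
{
    return a == ACT_REPOLL ? 3 : 0;
}

/* Run when poll() reports POLLIN on listener `lfd`; never sleeps. */
enum accept_action on_listener_readable(int lfd, int verbosity, int *cfd)
{
    *cfd = accept(lfd, NULL, NULL);
    if (*cfd >= 0)
        return ACT_SERVE;
    int err = errno; /* save before any call that may change it */
    enum accept_action a = classify_accept_errno(err);
    if (accept_log_level(a) <= verbosity)
        fprintf(stderr, "accept(fd=%d): %s\n", lfd, strerror(err));
    return a;
}

/* Non-blocking loopback listener on an ephemeral port (constructed input). */
int make_listener(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0 ||
        listen(fd, 8) != 0 || fcntl(fd, F_SETFL, O_NONBLOCK) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int cfd, lfd = make_listener();
    /* Empty queue: accept() fails with EAGAIN, so the loop just re-polls. */
    printf("action=%d\n", on_listener_readable(lfd, 3, &cfd));
    return 0;
}
```
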
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 0ca9c74 provision: Rewrite named.txt to be more useful
  from 4dd1523 docs: Add man samba-regedit.8.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 0ca9c74f91d5e727d5d37d324d4f1b396e75b1ae
Author: Andrew Bartlett abart...@samba.org
Date: Wed Aug 28 13:35:47 2013 +1200

provision: Rewrite named.txt to be more useful

We already chown the dns.keytab file, so remove the suggestion to do that, and instead explain why we can not use chroot (an often-requested feature).

Andrew Bartlett

Signed-off-by: Andrew Bartlett abart...@samba.org
Signed-off-by: Björn Jacke b...@sernet.de

Autobuild-User(master): Björn Jacke b...@sernet.de
Autobuild-Date(master): Thu Aug 29 13:53:25 CEST 2013 on sn-devel-104

---

Summary of changes:
source4/setup/named.txt | 36
1 files changed, 20 insertions(+), 16 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source4/setup/named.txt b/source4/setup/named.txt index d0657dd..511bc67 100644 --- a/source4/setup/named.txt +++ b/source4/setup/named.txt 
@@ -12,20 +12,29 @@ #file: tkey-gssapi-keytab ${DNS_KEYTAB_ABS}; +# 2. If SELinux is enabled, ensure that all files have the appropriate +#SELinux file contexts. The ${DNS_KEYTAB} file must be accessible by the +#BIND daemon and should have a SELinux type of named_conf_t. This can be +#set with the following command: +chcon -t named_conf_t ${DNS_KEYTAB_ABS} + +#Even if not using SELinux, do confirm (only) BIND can access this file as the +#user it becomes (generally not root). + # -# Common Steps for BIND 9.x.x +# Steps for BIND 9.x.x using BIND9_DLZ -- # -# 2. Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. -#Note that the most distributions have BIND configured to run under a -#non-root user account. For example, Fedora 9 runs BIND as the user -#named once the daemon relinquishes its rights. Therefore, the file -#${DNS_KEYTAB} must be readable by the user that BIND run as. If BIND -#is running as a non-root user, the ${DNS_KEYTAB} file must have its -#permissions altered to allow the daemon to read it. Under Fedora 9, -#execute the following commands: -chgrp named ${DNS_KEYTAB_ABS} -chmod g+r ${DNS_KEYTAB_ABS} +# 3. Disable chroot support in BIND. +#BIND is often configured to run in a chroot, but this is not +#compatible with access to the dns/sam.ldb files that database +#access and updates require. Additionally, the DLZ plugin is +#linked to a large number of Samba shared libraries and loads +#additonal plugins. + +# +# Steps for BIND 9.x.x using BIND9_FLATFILE -- +# # 3. Ensure the BIND zone file(s) that will be dynamically updated are in #a directory where the BIND daemon can write. When BIND performs 
@@ -38,8 +47,3 @@ chmod g+r ${DNS_KEYTAB_ABS} #both example zone statements at the beginning of this file were changed #by prepending the directory dynamic/. -# 4. If SELinux is enabled, ensure that all files have the appropriate -#SELinux file contexts. The ${DNS_KEYTAB} file must be accessible by the -#BIND daemon and should have a SELinux type of named_conf_t. This can be -#set with the following command: -chcon -t named_conf_t ${DNS_KEYTAB_ABS} -- Samba Shared Repository
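Review bot: In the first hunk (@@ -12,20 +12,29 @@) the relocated SELinux step still sets the keytab label with chcon, and a label set that way is lost on the next restorecon or filesystem relabel; documenting a persistent rule (semanage fcontext followed by restorecon) would keep BIND able to read ${DNS_KEYTAB_ABS} afterwards. The new sentence asking the admin to confirm that (only) BIND can access the file replaces the removed chgrp/chmod commands without saying how to check it, so a line giving the expected owner, group and mode of the keytab would help, since that file holds the key BIND uses for tkey-gssapi-keytab. In the new step 3, "additonal" should be "additional".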
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 91910fe s3:winbind: fail ads_cached_connection_connect() if realm == NULL
  via 9d08ac4 s3-winbindd: remove unneded include of secrets.h from idmap_ad.c
  via 77d7e2a s3-winbindd: use get_trust_pw_clear() wrapper for AD connection code.
  via b66ce75 s3-winbindd: make sure also the idmap code can deal with trusted domains.
  via 576c597 s3-winbindd: use find_domain_from_name() instead of find_domain_from_name_no_init().
  via 26ab219 s3-winbindd: Fix winbind on DC crash with trusted AD domains.
  via 57d5336 s3-winbindd: Fix memory leak in ads_cached_connection().
  via edca1f9 s3-winbindd: remove pointless variable assigment, see the strdup below.
  from 0ca9c74 provision: Rewrite named.txt to be more useful

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 91910fe898e2f8ad405c5790aa1a20e82a9f8aac
Author: Michael Adam ob...@samba.org
Date: Thu Aug 29 16:38:08 2013 +0200

s3:winbind: fail ads_cached_connection_connect() if realm == NULL

This prevents segfaults when e.g. a previous SMB_STRDUP failed.

Signed-off-by: Michael Adam ob...@samba.org
Reviewed-by: Günther Deschner g...@samba.org

Autobuild-User(master): Günther Deschner g...@samba.org
Autobuild-Date(master): Thu Aug 29 18:54:28 CEST 2013 on sn-devel-104

commit 9d08ac424cdf3166110370e94799693bdbb201af
Author: Günther Deschner g...@samba.org
Date: Wed Aug 28 14:53:08 2013 +0200

s3-winbindd: remove unneded include of secrets.h from idmap_ad.c

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit 77d7e2ad5a88dbe4c16e8b829d5bd0a2a5aea9bc
Author: Günther Deschner g...@samba.org
Date: Wed Aug 28 14:53:08 2013 +0200

s3-winbindd: use get_trust_pw_clear() wrapper for AD connection code.

This avoids calling secrets functions directly.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit b66ce754a327a5bdb7600fb67ffb7aaac03cb7db
Author: Günther Deschner g...@samba.org
Date: Fri Aug 23 14:56:17 2013 +0200

s3-winbindd: make sure also the idmap code can deal with trusted domains.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit 576c597ae38e788bc3c16efc5417e7481c673add
Author: Günther Deschner g...@samba.org
Date: Wed Aug 28 15:00:06 2013 +0200

s3-winbindd: use find_domain_from_name() instead of find_domain_from_name_no_init().

Otherwise there is a good chance the domain has not been connected and we don't know the realm name yet.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit 26ab2194f96cee80438c7917bc7de3bb7d48aa64
Author: Günther Deschner g...@samba.org
Date: Thu Aug 22 16:36:27 2013 +0200

s3-winbindd: Fix winbind on DC crash with trusted AD domains.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit 57d5336969d089d063abce8db2fe090e7a363bc9
Author: Günther Deschner g...@samba.org
Date: Fri Aug 23 12:33:53 2013 +0200

s3-winbindd: Fix memory leak in ads_cached_connection().

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit edca1f9d4828281eb69b606dafd92f75f66fc984
Author: Günther Deschner g...@samba.org
Date: Thu Aug 22 15:39:08 2013 +0200

s3-winbindd: remove pointless variable assigment, see the strdup below.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

---

Summary of changes:
source3/winbindd/idmap_ad.c |1 -
source3/winbindd/winbindd_ads.c | 62 ++
2 files changed, 42 insertions(+), 21 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c index 1ed6570..8b63801 100644 --- a/source3/winbindd/idmap_ad.c 
+++ b/source3/winbindd/idmap_ad.c @@ -31,7 +31,6 @@ #include ads.h #include libads/ldap_schema.h #include nss_info.h -#include secrets.h #include idmap.h #include ../libcli/ldap/ldap_ndr.h #include ../libcli/security/security.h diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 1e45ad9..4c26389 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c @@ -27,7 +27,6 @@ #include ../librpc/gen_ndr/ndr_netlogon_c.h #include ../libds/common/flags.h #include ads.h -#include secrets.h #include ../libcli/ldap/ldap_ndr.h #include ../libcli/security/security.h #include
[SCM] CTDB repository - branch 1.0.114 updated - ctdb-1.0.114.6-10-g00f53a9
The branch, 1.0.114 has been updated
  via 00f53a9a8f440be0bc993b1800383cd930fd273e (commit)
  via 6bfbc0aca625f0fb59df96beaee1e4c26178dc12 (commit)
  via 098b8fe9eb44ab7df718a7a80eb3078ed42802ba (commit)
  via 66e371d03f7a697d71aafb56257e30873c3d85cc (commit)
  via c8470c203e2f5307e311b508b701fc75522a2d2d (commit)
  via 3c5259b88581828a9d613c81ee820c141bc5e0f3 (commit)
  via a5329c7083f2a43c6c41abfb64bf1027fd4a8e3e (commit)
  via b4bf0247ede40f2bbf39391ed9864dc041830fe8 (commit)
  via 7be3abc69333f58602ebf871d38ec138b908a36c (commit)
  via 0769ae857d1d6295cba93c4998070de95439863e (commit)
  from 527adf2f9a809d1d4ebc5d7c655496a510494098 (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.0.114

- Log -
commit 00f53a9a8f440be0bc993b1800383cd930fd273e
Author: Sumit Bose sb...@redhat.com
Date: Wed Aug 10 17:14:40 2011 +0200

Set FD_CLOEXEC for epoll file descriptors

Don't leak file descriptors. This showed up as selinux AVCs on RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=728545

Reviewed-by: Michael Adam ob...@samba.org

commit 6bfbc0aca625f0fb59df96beaee1e4c26178dc12
Author: Sumit Bose sb...@redhat.com
Date: Mon Nov 19 18:45:37 2012 +0100

Print deleted nodes as well

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit 0930a3b80697709c3228726e2250aef1f971)

Conflicts: tools/ctdb.c

commit 098b8fe9eb44ab7df718a7a80eb3078ed42802ba
Author: Sumit Bose sb...@redhat.com
Date: Thu Sep 1 15:18:46 2011 +0200

IPv6 neighbor solicit cleanup

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit a81edf7eb908659a379f0cb55fd5d04551dc2c37)

commit 66e371d03f7a697d71aafb56257e30873c3d85cc
Author: Sumit Bose sb...@redhat.com
Date: Mon Nov 19 11:13:03 2012 +0100

Fix memory leak in ctdb_send_message()

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit da87395d29f5d11ecfedaf36b53fa060a9140bfd)

commit c8470c203e2f5307e311b508b701fc75522a2d2d
Author: Volker Lendecke v...@samba.org
Date: Sun Mar 27 21:43:53 2011 +0200

tdb: Fix Coverity ID 2192: NO_EFFECT (ret 0) can never be true

(cherry picked from commit 25397de589e577e32bb291576b10c18978b5bc4e)

commit 3c5259b88581828a9d613c81ee820c141bc5e0f3
Author: Sumit Bose sb...@redhat.com
Date: Wed Aug 10 17:53:56 2011 +0200

Fixes for various issues found by Coverity

Corresponds to commit 05bfdbbd0d4abdfbcf28e3930086723508b35952 from master.

commit a5329c7083f2a43c6c41abfb64bf1027fd4a8e3e
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date: Fri Sep 3 11:58:27 2010 +1000

When memory allocations for recovery fails, dont dereference a null pointer while trying to print the log message for the failure. also shutdown ctdb with ctdb_fatal()

(cherry picked from commit f8642d0438c6bbb34a72c25d6a904b626e247410)

commit b4bf0247ede40f2bbf39391ed9864dc041830fe8
Author: Rusty Russell ru...@rustcorp.com.au
Date: Mon Dec 6 13:52:38 2010 +1030

idtree: fix overflow for v. large ids on allocation and removal

(Imported from SAMBA commit 09a6538969ac).

Chris Cowan tracked down a SEGV in sub_alloc: idp->level can actually be equal to 7 (MAX_LEVEL) there, as it can be in sub_remove. (We unfairly blamed a shift of a signed var for this crash in commit 2db1987f5a3a).

Signed-off-by: Rusty Russell ru...@rustcorp.com.au
(cherry picked from commit 73764104356d3738d9d20a9d06ce51535f74f475)

commit 7be3abc69333f58602ebf871d38ec138b908a36c
Author: Rusty Russell ru...@rustcorp.com.au
Date: Tue Oct 5 13:06:19 2010 +1030

idtree: fix right shift of signed ints, crash on large ids on AIX

Right-shifting signed integers is undefined; indeed it seems that on AIX with their compiler, doing a 30-bit shift on (INT_MAX-200) gives 0, not 1 as we might expect.

The obvious fix is to make id and oid unsigned: l (level count) is also logically unsigned.

(Note: Samba doesn't generally get to ids 1 billion, but ctdb does)

Reported-by: Chris Cowan c...@us.ibm.com
Signed-off-by: Rusty Russell ru...@rustcorp.com.au

Autobuild-User: Rusty Russell ru...@samba.org
Autobuild-Date: Wed Oct 6 08:31:09 UTC 2010 on sn-devel-104
(cherry picked from commit 2db1987f5a3a4268ce64fe570ff598e3bf4ecc73)

commit 0769ae857d1d6295cba93c4998070de95439863e
Author: Sumit Bose sb...@redhat.com
Date: Mon Nov 19 11:20:31 2012 +0100

Check return value of tdb_delete()

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit 5cdcc3d45d358ddbcd7e864898eed9cbd9935429)

---

Summary of changes:
client/ctdb_client.c |8 ++--
[SCM] CTDB repository - branch 1.0.114 updated - ctdb-1.0.114.6-12-g11a20ec
The branch, 1.0.114 has been updated
  via 11a20ecbd949bd45410189d7b7e6348b42a9729e (commit)
  via 582131cd39369973100c9ec30492cc1d606e7682 (commit)
  from 00f53a9a8f440be0bc993b1800383cd930fd273e (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.0.114

- Log -
commit 11a20ecbd949bd45410189d7b7e6348b42a9729e
Author: Amitay Isaacs ami...@gmail.com
Date: Mon Aug 12 15:50:30 2013 +1000

vacuuming: Fix vacuuming bug where requests keep bouncing between nodes (part 2)

This is caused by corruption of a record header such that the records on two nodes point to each other as dmaster. This makes a request for that record bounce between nodes endlessly.

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit f0853013655ac3bedf1b793de128fb679c6db6c6)

Conflicts: server/ctdb_recover.c

commit 582131cd39369973100c9ec30492cc1d606e7682
Author: Amitay Isaacs ami...@gmail.com
Date: Mon Aug 12 15:51:00 2013 +1000

vacuuming: Fix vacuuming bug where requests keep bouncing between nodes (part 1)

This is caused by corruption of a record header such that the records on two nodes point to each other as dmaster. This makes a request for that record bounce between nodes endlessly.

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit a610bc351f0754c84c78c27d02f9a695e60c5b0f)

---

Summary of changes:
server/ctdb_recover.c | 34 +-
1 files changed, 17 insertions(+), 17 deletions(-)

Changeset truncated at 500 lines:

diff --git a/server/ctdb_recover.c b/server/ctdb_recover.c index f5fa257..4794e63 100644 --- a/server/ctdb_recover.c +++ b/server/ctdb_recover.c @@ -783,7 +783,7 @@ bool ctdb_recovery_lock(struct ctdb_context *ctdb, bool keep) */ static int delete_tdb_record(struct ctdb_context *ctdb, struct ctdb_db_context *ctdb_db, struct ctdb_rec_data *rec) { - TDB_DATA key, data; + TDB_DATA key, data, data2; struct ctdb_ltdb_header *hdr, *hdr2; /* these are really internal tdb functions - but we need them here for 
@@ -814,13 +814,13 @@ static int delete_tdb_record(struct ctdb_context *ctdb, struct ctdb_db_context * return -1; } - data = tdb_fetch(ctdb_db-ltdb-tdb, key); - if (data.dptr == NULL) { + data2 = tdb_fetch(ctdb_db-ltdb-tdb, key); + if (data2.dptr == NULL) { tdb_chainunlock(ctdb_db-ltdb-tdb, key); return 0; } - if (data.dsize sizeof(struct ctdb_ltdb_header)) { + if (data2.dsize sizeof(struct ctdb_ltdb_header)) { if (tdb_lock_nonblock(ctdb_db-ltdb-tdb, -1, F_WRLCK) == 0) { if (tdb_delete(ctdb_db-ltdb-tdb, key) != 0) { DEBUG(DEBUG_CRIT,(__location__ Failed to delete corrupt record\n)); @@ -829,45 +829,45 @@ static int delete_tdb_record(struct ctdb_context *ctdb, struct ctdb_db_context * DEBUG(DEBUG_CRIT,(__location__ Deleted corrupt record\n)); } tdb_chainunlock(ctdb_db-ltdb-tdb, key); - free(data.dptr); + free(data2.dptr); return 0; } - hdr2 = (struct ctdb_ltdb_header *)data.dptr; + hdr2 = (struct ctdb_ltdb_header *)data2.dptr; if (hdr2-rsn hdr-rsn) { tdb_chainunlock(ctdb_db-ltdb-tdb, key); DEBUG(DEBUG_INFO,(__location__ Skipping record with rsn=%llu - called with rsn=%llu\n, (unsigned long long)hdr2-rsn, (unsigned long long)hdr-rsn)); - free(data.dptr); - return -1; + free(data2.dptr); + return -1; } if (hdr2-dmaster == ctdb-pnn) { tdb_chainunlock(ctdb_db-ltdb-tdb, key); DEBUG(DEBUG_INFO,(__location__ Attempted delete record where we are the dmaster\n)); - free(data.dptr); - return -1; + free(data2.dptr); + return -1; } if (tdb_lock_nonblock(ctdb_db-ltdb-tdb, -1, F_WRLCK) != 0) { tdb_chainunlock(ctdb_db-ltdb-tdb, key); - free(data.dptr); - return -1; + free(data2.dptr); + return -1; } if (tdb_delete(ctdb_db-ltdb-tdb, key) != 0) { tdb_unlock(ctdb_db-ltdb-tdb, -1, F_WRLCK); tdb_chainunlock(ctdb_db-ltdb-tdb, key); DEBUG(DEBUG_INFO,(__location__ Failed to delete record\n)); - free(data.dptr); - return -1; +
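Review bot: The new data2 in delete_tdb_record() needs a comment at the tdb_fetch() call, or a more descriptive name, saying that it holds the copy fetched from the local tdb and that data must not be overwritten; neither the code nor the commit message explains this, and both "part 1" and "part 2" carry the same description of the symptom rather than of the change, so a later cleanup could easily merge the two variables again. Every exit path shown here pairs free(data2.dptr) with tdb_chainunlock(), which is right, but the return -1 lines after them appear removed and re-added with no visible difference; if that is whitespace-only churn, dropping it would keep this stable-branch cherry-pick smaller and easier to audit.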
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via ba04400 vfs_glusterfs: Fix excessive debug output from vfs_gluster_open().
  from 91910fe s3:winbind: fail ads_cached_connection_connect() if realm == NULL

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit ba04400d01c6ad05651672e087527391da7fdaf4
Author: Christopher R. Hertel c...@redhat.com
Date: Thu Aug 29 16:58:16 2013 -0500

vfs_glusterfs: Fix excessive debug output from vfs_gluster_open().

The vfs_gluster_open() function generates a debug message (at level 0) for every failed attempt to open a pathname. This includes cases in which attempts are made to open a directory as a file (those attempts are retried calling vfs_gluster_opendir()). The result is that the log file fills with messages about failed attempts to open directories, just because they are directories.

This latest version of the patch completely removes logging from the vfs_gluster_open() function. The error code returned is handled in upper layers, and the open function in the default VFS module does not log any errors.

Signed-off-by: Christopher R. Hertel c...@redhat.com
Reviewed-by: susant palai spa...@redhat.com
Reviewed-by: raghavendra talur rta...@redhat.com
Reviewed-by: Jose A. Rivera jar...@redhat.com
Reviewed-by: Andrew Bartlett abart...@samba.org

Autobuild-User(master): Andrew Bartlett abart...@samba.org
Autobuild-Date(master): Fri Aug 30 02:43:48 CEST 2013 on sn-devel-104

---

Summary of changes:
source3/modules/vfs_glusterfs.c |3 ---
1 files changed, 0 insertions(+), 3 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c index eac1b24..237236a 100644 --- a/source3/modules/vfs_glusterfs.c +++ b/source3/modules/vfs_glusterfs.c 
@@ -481,11 +481,8 @@ static int vfs_gluster_open(struct vfs_handle_struct *handle, } if (glfd == NULL) { - DEBUG(0, (glfs_{open[dir],creat}(%s) failed: %s\n, - smb_fname-base_name, strerror(errno))); return -1; } - return glfd_fd_store(glfd); } -- Samba Shared Repository
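Review bot: Deleting the DEBUG call in the glfd == NULL branch of vfs_gluster_open() leaves a failed glfs open or create with no trace at any log level, including failures that have nothing to do with the directory case the commit message describes. Consider keeping the message at a high debug level instead of 0, or suppressing it only when the path turned out to be a directory, so that permission and I/O failures on the Gluster volume can still be traced when debugging is turned up.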