[Samba] Changing remote Windows password from python

2013-08-29 Thread Курбанов Азат
I can change a user's password on a remote Windows host with smbpasswd
(smbpasswd -r REMOTE_IP -U REMOTE_USER). And I see that smbpasswd
uses source3/libsmb/passchange.c, but I can't find any bindings to do
this from Python. Is there a Python way of changing a remote password?

-- 
Kurbanov Azat,
e-mail: cordal...@gmail.com

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread Luca Olivetti
On 29/08/13 01:30, Marc Muehlfeld wrote:
 On 29.08.2013 00:10, Luca Olivetti wrote:
 Yeah, nslcd works well, but for AD functionality and speed, sssd is the
 only way to go for nss on Samba4 or any m$ server.
 Just my €0.02

 I'll try it. I only used nslcd because that's what was suggested in the
 samba wiki.
 
 The Winbind and sssd Howto isn't finished yet. Currently I don't have too
 much time, but I'm working on it. :-)

Don't worry, given that samba4 should work as a windows server, there
are many tutorials that explain how to configure sssd against active
directory (though my attempts so far have been unsuccessful).

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007

[Samba] profile permissions

2013-08-29 Thread Michelangelo Rezzonico
Thanks for the suggestion !

It seems to work.

The only problem is that before starting the rsync I need to create the
directory profile in the target system and set the acl permission for
this directory.

1) mkdir profile
chown user1:ntuser profile
chmod 711 profile
setfacl -m default:user1:rwx profile
setfacl -m default:group::--- profile
setfacl -m default:other:--- profile

2) rsync from source to target system



Can someone confirm that this is OK?

Thanks

Michelangelo




On Thu, Aug 22, 2013 at 6:45 AM, Michelangelo Rezzonico 
mrezzon...@ticino.com wrote:

 I have a working samba-pdc installation with version 3.0.28
 The profile permissions in 3.0.28 (and all the files in this directory)
 are as follow:
 drwx--x--x  2 user1 ntuser 4096 Aug 22 12:36 profile

 I am installing a new server with samba version 3.6.3
 The profile permissions in 3.6.3 (and all the files in this directory)
 are as follow:
 drwx--x--x+  2 user1 ntuser 4096 Aug 22 12:36 profile

 The difference is the + sign that indicates ACL permissions.
 How can I correctly migrate the profile from 3.0.28 to 3.6.3 so that
 the permissions are set correctly?


How about using rsync to mirror the filesystem from source server to dest?

John


[Samba] sambaLMPassword

2013-08-29 Thread Michelangelo Rezzonico
I have a Samba-PDC installation (version is 3.6.3) with openLDAP.
When I change the password from a client (Windows/XP and Windows/7) the
attribute sambaNTPassword is changed and I can log-in with the new
password.

The problem is that the content of the attribute sambaLMPassword is
deleted.
I remember that in my previous version of Samba (3.0.28) both attributes
were updated.
Is this correct ?
Where is the attribute sambaLMPassword used?

Thanks
Michelangelo


Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.

2013-08-29 Thread Tris Mabbs
Hiya Andrew,

Many thanks for the typically helpful and comprehensive reply :-)

 I think that's probably the right track :-)

 The code here is triggered when poll() indicates that the socket is
readable.
 This socket should only be readable when a new connection is being made,
and accept() should succeed.
 ...
 So, my only conclusion is that your box momentarily does not have the
resources to accept the connection,
 and because there isn't the sleep() in the source3 code, it prints this in
a loop until the resources become available.

Absolutely, and on any normal Unix implementation I'd agree entirely.  That
sort of poll()/accept()/... code is perfectly normal and exactly what
you'd expect - I've written plenty of very similar code myself over the
years ...
However this is Solaris :-(

Caught in the act:

...
16327: pollsys(0x0809B4D0, 8, 0xFEFFDF18, 0x)  = 1
16327:  fd=39 ev=POLLIN|POLLHUP rev=0
16327:  fd=38 ev=POLLIN|POLLHUP rev=0
16327:  fd=34 ev=POLLIN|POLLHUP rev=0
16327:  fd=36 ev=POLLIN|POLLHUP rev=0
16327:  fd=37 ev=POLLIN|POLLHUP rev=POLLIN
16327:  fd=35 ev=POLLIN|POLLHUP rev=0
16327:  fd=33 ev=POLLIN|POLLHUP rev=0
16327:  fd=6  ev=POLLIN|POLLHUP rev=0
16327:  timeout: 59.99900 sec
16327: accept(37, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) = 41
16327:  AF_INET  name = X.X.X.X  port = 28986
16327: forkx(0)= 26942
16327: lwp_sigmask(SIG_SETMASK, 0x00011080, 0x, 0x,
0x) = 0xFFBFFEFF [0x]
16327: close(41)   = 0
16327: pollsys(0x0809B4D0, 8, 0xFEFFDF18, 0x)  = 1
16327:  fd=39 ev=POLLIN|POLLHUP rev=0
16327:  fd=38 ev=POLLIN|POLLHUP rev=0
16327:  fd=34 ev=POLLIN|POLLHUP rev=0
16327:  fd=36 ev=POLLIN|POLLHUP rev=0
16327:  fd=35 ev=POLLIN|POLLHUP rev=POLLIN
16327:  fd=33 ev=POLLIN|POLLHUP rev=0
16327:  fd=6  ev=POLLIN|POLLHUP rev=0
16327:  fd=37 ev=POLLIN|POLLHUP rev=0
16327:  timeout: 44.69600 sec
16327: accept(35, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) Err#130
ECONNABORTED
...

So there's nothing odd about the poll().  Typically Solaris will flag
POLLERR in revents if it's out of resources, and POLLHUP if the remote end
closed the connection before it was fully established (remote NAKed, or
ignored, the connection SYN; terminally low on resources at t'other end of
the socket; ...).  Neither is happening here which would suggest things are
proceeding as normal for the connection establishment.

The server darn' well shouldn't be out of any resources either.  In terms of
physical resources, at the point that occurred the CPUs were at 99.9% idle,
there was 15Gb of free RAM (so not out of kernel memory then ...) and only a
total of about 400 sockets (TCP, Unix, ...) in use across the entire system,
as reported by netstat -na | wc -l - well below peak levels seen on this
system.

So it's going to be that hypothetical Solaris specific
SO_DONT_RANDOMLY_ABORT_CONNECTIONS socket() option, isn't it :-)

So could I request please, that in the source3 code, either:
a. The same sleep() is added as in the source4 code; -and/or-
b. If errno == ECONNABORTED then only log the error if the debug
level is (substantially?) higher than zero.

I think it's probably safe to assume that ECONNABORTED is generally
ignorable; for whatever reason, Solaris seems to return this at the drop of
a metaphorical hat (and ignoring it on other OSes isn't going to be a problem
either).  Maybe the same with EAGAIN (and possibly EWOULDBLOCK), as other
"ignore this unless the user REALLY wants a lot of debug output" type
errors?

This would also seem to be common practice - a quick Google for "accept()
ignore ECONNABORTED" comes back with a lot of results, mainly showing other
open source code having been modified specifically to ignore ECONNABORTED.

Cheers!

Tris.

-Original Message-
From: Andrew Bartlett [mailto:abart...@samba.org] 
Sent: 29 August 2013 00:41
To: Tris Mabbs
Cc: samba@lists.samba.org; samba-techni...@samba.org
Subject: Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only
using client) behaviour #2 - accept: Software caused connection abort.

On Sun, 2013-08-25 at 18:50 +0100, Tris Mabbs wrote:
 Probably should have posted this to samba-technical 
 in the first place, so re-posting in case anyone has any useful ideas .
 
  
 
 From: Tris Mabbs
 
 Sent: 12 August 2013 23:08
 To: 'samba@lists.samba.org'
 Subject: Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using 
 client) behaviour #2 - accept: Software caused connection abort.
 
  
 
 Good day oh technical ones .
 
  
 
 I was running Samba 4 (client only, not using it as a 
 DC so effectively running Samba 3 code from the Samba 4 tree) and, 
 other than a little Gotcha! regarding decoding Kerberos PACs, it was 
 all 
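Added example, not Samba's code: the accept() handling Tris asks for, written in Python so it can be tried without a Solaris box. It classifies accept(2) errnos the way the request above describes: ECONNABORTED (together with EAGAIN/EWOULDBLOCK/EINTR) is logged at debug level only and the loop goes back to poll(); resource exhaustion (EMFILE, ENFILE, ENOBUFS, ENOMEM) gets the source4-style sleep before retrying, which is what stops the "prints this in a loop" behaviour; anything else is re-raised because it points at a broken listener rather than a flaky peer. FlakyListener is a constructed stand-in that raises a scripted errno sequence, so the behaviour can be checked without a peer that aborts handshakes; the __main__ part uses real loopback sockets.

```python
import errno
import logging
import select
import socket
import time

log = logging.getLogger("accept")

# accept(2) outcomes that mean "nothing to hand over this round, poll again": the peer tore
# the connection down during the handshake (ECONNABORTED), a non-blocking listener's queue
# was already drained (EAGAIN/EWOULDBLOCK), or a signal interrupted the call (EINTR).
TRANSIENT = {errno.ECONNABORTED, errno.EAGAIN, errno.EWOULDBLOCK, errno.EINTR}
# Outcomes that mean the process or host is short of something. Retrying at once just spins
# on poll() and floods the log (the loop seen in the thread), so sleep first.
RESOURCE = {errno.EMFILE, errno.ENFILE, errno.ENOBUFS, errno.ENOMEM}


def classify(err):
    if err in TRANSIENT:
        return "transient"
    if err in RESOURCE:
        return "resource"
    return "fatal"


def accept_once(listener, backoff=0.1):
    """One accept() on a listener that poll()/select() reported readable.

    Returns (conn, addr) on success, None when the caller should simply poll again,
    and re-raises anything that points at a broken listener (EBADF, EINVAL, ...)."""
    try:
        return listener.accept()
    except OSError as e:
        name = errno.errorcode.get(e.errno, str(e.errno))
        kind = classify(e.errno)
        if kind == "transient":
            log.debug("accept: %s, ignoring", name)            # debug level only, not level 0
            return None
        if kind == "resource":
            log.error("accept: %s, backing off %.2fs", name, backoff)
            time.sleep(backoff)
            return None
        raise


def accept_loop(listener, max_polls=10, backoff=0.0):
    """Drive accept_once() until a connection arrives or max_polls is used up.
    Returns (per-poll outcomes, accepted (conn, addr) or None)."""
    outcomes = []
    for _ in range(max_polls):
        result = accept_once(listener, backoff=backoff)
        outcomes.append("ok" if result else "retry")
        if result:
            return outcomes, result
    return outcomes, None


class FlakyListener:
    """Constructed stand-in for a listener that fails like the truss trace above:
    raises the queued errnos one per accept(), then hands over a dummy connection."""

    def __init__(self, errnos):
        self.pending = list(errnos)

    def accept(self):
        if self.pending:
            code = self.pending.pop(0)
            raise OSError(code, errno.errorcode.get(code, "error"))
        return ("dummy-conn", ("198.51.100.7", 28986))


def fatal_errno(listener):
    """The errno accept_loop() refuses to swallow for this listener, or None."""
    try:
        accept_loop(listener)
    except OSError as e:
        return e.errno
    return None


def demo():
    """Scripted scenarios (no network): what each errno sequence leads to."""
    outcomes, result = accept_loop(FlakyListener([errno.ECONNABORTED, errno.EAGAIN, errno.EMFILE]))
    return {
        "outcomes": outcomes,
        "peer_port": result[1][1],
        "kinds": [classify(e) for e in (errno.ECONNABORTED, errno.EMFILE, errno.EBADF)],
        "fatal_seen": fatal_errno(FlakyListener([errno.EBADF])) == errno.EBADF,
        "gave_up": accept_loop(FlakyListener([errno.EINTR] * 3), max_polls=2),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(demo())
    # Real loopback sockets: an idle non-blocking listener yields EAGAIN (-> None); after a
    # client connects, the next accept succeeds.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.setblocking(False)
    print("idle listener:", accept_once(srv))
    cli = socket.create_connection(srv.getsockname())
    select.select([srv], [], [], 1.0)
    conn, addr = accept_once(srv)
    print("after connect:", addr)
    conn.close(); cli.close(); srv.close()
```

The split into "transient" and "resource" is the part worth keeping: silently retrying EMFILE without a sleep is exactly the busy loop the thread describes, while logging ECONNABORTED at level 0 lets any client that resets during the handshake fill the server's log.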

Re: [Samba] sambaLMPassword

2013-08-29 Thread Marc Muehlfeld

Hello Michelangelo,

On 29.08.2013 10:12, Michelangelo Rezzonico wrote:

I have a Samba-PDC installation (version is 3.6.3) with openLDAP.
When I change the password from a client (Windows/XP and Windows/7) the
attribute sambaNTPassword is changed and I can log-in with the new
password.

The problem is that the content of the attribute sambaLMPassword is
deleted.


It's not a problem. It was a security decision. :-)

If there's no good reason, you should keep this new default. If you 
really want to re-enable it, have a look at the smb.conf manpage and search 
for the "lanman auth" option.






I remember that in my previous version of Samba (3.0.28) both attributes
were updated.
Is this correct ?


Yes it is. :-) The old LanManager passwords are very insecure. And Samba 
disabled them by default sometime around 3.3, if I remember right. On the 
MS side, support for LM passwords was disabled in Vista and later, too.






Where is the attribute sambaLMPassword used?


It is removed on password changes.



Regards,
Marc




Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 11:14 +1200, Andrew Bartlett wrote:
 On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
  Hi,
  
  I have one Samba4 server running as Active Directory Domain Controller.
  It's working like a charm.
  
  So I needed to add another server to be a Member Server (File Server).
  
  The server is running samba-4.0.9.
  
  Configured and compiled ok:
  
  ./configure --prefix=/usr/local/samba --sysconfdir=/etc
  --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
  --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
  --with-shared-modules=idmap_ad,pam
  
  Installed ok.
  
  Kerberos OK.
  I can run kinit and klist
  
  root@MYNETSRV08:/etc/samba# kinit Administrator
  Password for administra...@mynet.net:
  root@MYSRV08:/etc/samba#
  
  root@MYNETSRV08:/etc/samba# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: administra...@mynet.net
  
  Valid startingExpires   Service principal
  28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
  renew until 29/08/2013 19:59
  root@MYNETSRV08:/etc/samba#
  
  My SMB.CONF is below:
  
  [global]
  
 workgroup = MYNET
 security = ADS
 realm = MYNET.NET
 encrypt passwords = yes
  
 idmap config *:backend = tdb
 idmap config *:range = 70001-8
 idmap config MYNET:backend = ad
 idmap config MYNET:schema_mode = rfc2307
  
 idmap config MYNET:range = 500-4
  
 winbind nss info = rfc2307
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users  = yes
 winbind enum groups = yes
  
  [test]
 path = /mnt/files
 read only = no
  
  
  
  I can add my server to domain:
  
  root@PCOSRV08:/etc/samba# net ads join -U administrator
  Enter administrator's password:
  Using short domain name -- MYNET
  Joined 'MYNETSRV08' to dns domain 'mynet.net'
  root@MYNETSRV08:/etc/samba#
  
  libnss_winbind.so is in the right place:
  
  root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
  /lib/libnss_winbind.so  /lib/libnss_winbind.so.2
  
  The libs are loaded fine:
  
  root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
  libnss_hesiod.so.2 - libnss_hesiod-2.13.so
  libnss_compat.so.2 - libnss_compat-2.13.so
  libnss_dns.so.2 - libnss_dns-2.13.so
  libnss_ldap.so.2 - libnss_ldap.so.2
  libnss_nis.so.2 - libnss_nis-2.13.so
  libnss_nisplus.so.2 - libnss_nisplus-2.13.so
  libnss_files.so.2 - libnss_files-2.13.so
  libnss_wins.so - libnss_wins.so.2
  libnss_winbind.so - libnss_winbind.so.2
  libnss_hesiod.so.2 - libnss_hesiod-2.13.so
  libnss_compat.so.2 - libnss_compat-2.13.so
  libnss_dns.so.2 - libnss_dns-2.13.so
  libnss_nis.so.2 - libnss_nis-2.13.so
  libnss_nisplus.so.2 - libnss_nisplus-2.13.so
  libnss_files.so.2 - libnss_files-2.13.so
  root@MYNETSRV08:/etc/samba#
  
  I added winbind to my nsswitch.conf
  
  passwd: compat winbind
  group:  compat winbind
  
  I can start the daemon without issues:
  
  smbd
  nmbd
  winbindd
  
  wbinfo -u lists all my domain users
  
  wbinfo -g lists all my domain groups
  
  
  Here are the problems:
  
  When I run getent passwd, it lists only the local users.
 
 For performance reasons, by default we do not list users in the AD
 domain.  See winbind enum users in your smb.conf

His smb.conf above shows that the OP has those lines for both users and
groups.
 
  When I run id Administrator, it returns No such user.
 
 You need to use 'id MYNET\\administrator'
 
smb.conf has: winbind use default domain = Yes
Do we still need MYNET\\?

Do your users have entries for:
uidNumber
and
gidNumber
in AD?

Cheers
Steve
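Steve's last question is the one that usually decides this case: with idmap_ad and schema_mode = rfc2307, winbind maps only accounts that carry a uidNumber (and groups a gidNumber) inside the configured range, and everything else is simply invisible to id and getent, with no error. As an added example (not from the thread or Samba), the script below reads user entries in LDIF form, as ldbsearch or samba-tool print them, and reports accounts that are missing either attribute, reuse a uidNumber, or fall outside the range. The LDIF and the range (10000-19999) are constructed for the demo, since the range line in the mail above is cut off; on a real domain, feed it the output of ldbsearch against the DC.

```python
import base64

# Constructed sample in the shape of ldbsearch/samba-tool LDIF output; not real directory data.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=mynet,DC=net
sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000

dn: CN=alice,CN=Users,DC=mynet,DC=net
sAMAccountName: alice
displayName:: QWxpY2UgTMO8ZGVycw==
description: a line that is
  folded in LDIF
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=mynet,DC=net
sAMAccountName: bob
gidNumber: 10000

dn: CN=carol,CN=Users,DC=mynet,DC=net
sAMAccountName: carol
uidNumber: 10001

dn: CN=dave,CN=Users,DC=mynet,DC=net
sAMAccountName: dave
uidNumber: 20500
gidNumber: 10000
"""
IDMAP_RANGE = (10000, 19999)   # assumed "idmap config MYNET:range" for the demo


def parse_ldif(text):
    """Minimal LDIF reader: folded lines, base64 ('::') values, comments, multi-valued attrs.
    Returns a list of dicts mapping attribute name -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:        # continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, entry = [], {}
    for line in unfolded + [""]:                     # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entries


def check_rfc2307(entries, uid_range):
    """Return {account: [problems]} for entries idmap_ad would not map cleanly."""
    lo, hi = uid_range
    problems, seen = {}, {}
    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        issues = []
        if "uidNumber" not in e:
            issues.append("missing uidNumber")
        else:
            uid = int(e["uidNumber"][0])
            if not lo <= uid <= hi:
                issues.append(f"uidNumber {uid} outside idmap range {lo}-{hi}")
            if uid in seen:
                issues.append(f"uidNumber {uid} duplicates {seen[uid]}")
            seen.setdefault(uid, name)
        if "gidNumber" not in e:
            issues.append("missing gidNumber")
        if issues:
            problems[name] = issues
    return problems


if __name__ == "__main__":
    for account, issues in check_rfc2307(parse_ldif(SAMPLE_LDIF), IDMAP_RANGE).items():
        print(f"{account}: {'; '.join(issues)}")
```

Duplicate uidNumbers are worth flagging even though AD accepts them: two accounts sharing a UID are the same owner as far as the file server's permission checks are concerned.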




Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread steve
On Thu, 2013-08-29 at 01:30 +0200, Marc Muehlfeld wrote:
 On 29.08.2013 00:10, Luca Olivetti wrote:
  Yeah, nslcd works well, but for AD functionality and speed, sssd is the
  only way to go for nss on Samba4 or any m$ server.
  Just my €0.02
 
  I'll try it. I only used nslcd because that's what was suggested in the
  samba wiki.
 
 The Winbind and sssd Howto isn't finished yet. Currently I don't have too 
 much time, but I'm working on it. :-)

We have sssd covered here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

sssd 1.11.1 was released today. I'll report back:)

HTH
Steve



Re: [Samba] nslcd / pam_ldap HowTo

2013-08-29 Thread steve
On Thu, 2013-08-29 at 01:41 +0200, Marc Muehlfeld wrote:

 
 https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
 
 
 @All: Please give some feedback. Thanks.

Hi
The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what
we already have? How about this instead?

1. For a client joined to the domain, please skip to (3) below.
2. On the DC:
Extract the machine key:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$
3. Get tickets and create the cache:
k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt

- Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start
nslcd.

It's unfortunate we still have to cater for the old versions too. The
extra mappings slow things down considerably for large domains
especially as enumeration is enabled.
HTH
Steve




Re: [Samba] nslcd / pam_ldap HowTo

2013-08-29 Thread Marc Muehlfeld

On 29.08.2013 12:31, steve wrote:

The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what
we already have? How about this instead?

1. For a client joined to the domain, please skip to (3) below.
2. On the DC:
Extract the machine key:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$
3. Get tickets and create the cache:
k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt


I had a look at my production site. I don't have a krb5.keytab on any of 
my Samba 3 or 4 servers in my AD. After some reading, I found out that 
I must have a "kerberos method" entry in my smb.conf file for that. I'm 
not sure how many people have this option.


As the HowTo should be usable for as many people as possible, I would 
keep these short steps. They don't cause problems and work even if 
there's already a keytab on the machine.






- Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start
nslcd.


Makes sense. Changed.





It's unfortunate we still have to cater for the old versions too. The
extra mappings slow things down considerably for large domains
especially as enumeration is enabled.


I think most companies running Samba in production don't use the latest 
versions of everything, because they run enterprise distributions like 
RHEL, SLES, Debian, etc.


At work we only run self-compiled software when there's a requirement 
for that, because everything that isn't updated through the package 
manager is extra work (constantly checking for security updates, manual 
patching on all servers, etc.). Also, packages in the enterprise software 
are more tested and stable. That's why I think it's worth taking care 
of such situations and not only serving users running the latest versions 
(of course not ancient versions).


But I already have some comments in the configuration examples about the 
mappings. It's up to the admin to review what he/she uses in production 
and fine tune. :-)



Thanks for your comments.


Regards,
Marc


[Samba] Force user permission in specific folders

2013-08-29 Thread Patric Falinder
Hi,

It's not that often that I'm messing around with Samba but I have a dilemma
that I need some help with.

I have a share called "common"; users can create folders and files just
fine, but I'm wondering if it's possible to force folders/files to be
created with a certain user/group owner in just one specific folder.
I know I can force so that everything is created with a specific user/group,
but I want it specific to folders.

Let's say I create a file in /common/ and it will be created with the
owner that I'm logged in as, let's say the user john.
But if John, or anyone, creates a file in /common/files/ I want it to be
created with the owner james no matter who creates it.

Is this possible to achieve?

The reason I need this is because I have a Samba share with all our www/ftp
folders and they are owned by the user that has the FTP account for that
specific folder. If I create a folder or whatever, it will change the
permissions so that the FTP user can't edit/delete it. I don't really want
to chmod 777 everything in there.

If it's not possible, how do people manage this? Or should I not make a
Samba share like this?

Thanks,
-Patric


Re: [Samba] sambaLMPassword

2013-08-29 Thread Michelangelo Rezzonico
Hi Marc,

thanks a lot for your help !

Regards.
Michelangelo


Hello Michelangelo,

On 29.08.2013 10:12, Michelangelo Rezzonico wrote:
 I have a Samba-PDC installation (version is 3.6.3) with openLDAP.
 When I change the password from a client (Windows/XP and Windows/7)
 the attribute sambaNTPassword is changed and I can log-in with the
 new password.

 The problem is that the content of the attribute sambaLMPassword is
 deleted.

It's not a problem. It was a security decision. :-)

If there's no good reason, you should keep this new default. If you really
want to re-enable it, have a look at the smb.conf manpage and search for the
"lanman auth" option.




 I remember that in my previous version of Samba (3.0.28) both
 attributes were updated.
 Is this correct ?

Yes it is. :-) The old LanManager passwords are very insecure. And Samba
disabled them by default sometime around 3.3, if I remember right. On the MS
side, support for LM passwords was disabled in Vista and later, too.




 Where is the attribute sambaLMPassword used?

It is removed on password changes.



Regards,
Marc


Re: [Samba] nslcd / pam_ldap HowTo

2013-08-29 Thread steve
On Thu, 2013-08-29 at 13:08 +0200, Marc Muehlfeld wrote:
 
 I think most companies running Samba in production don't use the latest 
 versions of everything, because they run enterprise distributions like 
 RHEL, SLES, Debian, etc.
 
 At work we only run self compiled software, when there's a requirement 
 for that, because everything that isn't updated through the paket 
 manager, is extra work

Not everyone has the luxury of being able to take hardware for granted.
Most of us have to make do with what we have. E.g. running a Samba
domain in a school of 600 students with 80 ten-year-old machines is
simply impossible with old versions of software.

As far as AD is concerned, it is unfortunate that Red Hat have decided
to retain the 0.7 series of nss-pam-ldapd. Everyone else has at least
0.8.10, the one where AD compatibility was addressed.

Thanks for inviting comments. I think that by doing so, you are in a
strong position to produce a howto that will be accurate, useful and
above all, doable.




[Samba] Sysvol replication problem

2013-08-29 Thread Antun Horvat

Hello fellow Samba users,

I have a question that is related to sysvol replication. I have for now 
two Samba DC's that are functioning as DNS and Active Directory roles in 
my network.


As Samba for now does not support sysvol replication, I am replicating 
sysvol shares via rsync with the -XAavz options, as suggested in the Samba wiki.


The issue is that getfacl on these two servers returns different IDs, 
and when I replicate these folders with rsync, the secondary DC is using 
the wrong IDs; in the end, I can't access the sysvol folder on the second 
DC (via the share).


On FSMO master getfacl radio101.local  returns:
# file: radio101.local
# owner: root
# group: 300
# flags: -s-
user::rwx
user:root:rwx
group::rwx
group:300:rwx
group:309:r-x
group:333:r-x
group:334:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:300:rwx
default:group:309:r-x
default:group:333:r-x
default:group:334:rwx
default:mask::rwx
default:other::---


while on secondary we have (after ntacl sysvolreset):
# file: radio101.local/
# owner: root
# group: 300
# flags: -s-
user::rwx
user:root:rwx
group::rwx
group:300:rwx
group:312:r-x
group:332:r-x
group:333:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:300:rwx
default:group:312:r-x
default:group:332:r-x
default:group:333:rwx
default:mask::rwx
default:other::---


What should I do next,

Thanks for your help.
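The two listings differ only in which numeric gid stands for which domain group: 309/333/334 on the FSMO holder play the roles of 312/332/333 on the second DC. That is expected rather than a fault, because each DC allocates its xidNumbers in its own, unreplicated idmap.ldb, so an ACL entry that getfacl can only show as a number is copied by rsync -A as that number and names a different principal on the target. The usual remedy from the Samba wiki is to copy idmap.ldb from the first DC to the others and run samba-tool ntacl sysvolreset there. As an added example (not from the thread or Samba), the script below parses both getfacl listings from the mail, lists the entries that differ, and translates one listing into the other through a SID mapping. The xid-to-SID tables are constructed for the demo; on a real DC they come from wbinfo --gid-to-sid on each host.

```python
FSMO_ACL = """\
# file: radio101.local
# owner: root
# group: 300
# flags: -s-
user::rwx
user:root:rwx
group::rwx
group:300:rwx
group:309:r-x
group:333:r-x
group:334:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:300:rwx
default:group:309:r-x
default:group:333:r-x
default:group:334:rwx
default:mask::rwx
default:other::---
"""
SECOND_ACL = FSMO_ACL.replace("309", "312").replace("334", "X").replace("333", "332").replace("X", "333")

# Constructed xid -> SID tables (assumption for the demo; read the real ones with
# `wbinfo --gid-to-sid <gid>` on each DC). Same SIDs, different local numbers.
FSMO_XID_TO_SID = {300: "S-1-5-32-544", 309: "S-1-5-11", 333: "S-1-5-21-1-2-3-513", 334: "S-1-5-21-1-2-3-512"}
SECOND_XID_TO_SID = {300: "S-1-5-32-544", 312: "S-1-5-11", 332: "S-1-5-21-1-2-3-513", 333: "S-1-5-21-1-2-3-512"}


def parse_getfacl(text):
    """getfacl output -> set of (scope, tag, qualifier, perms). Header lines ('# ...') are
    skipped; the qualifier is '' for the owner/group/mask/other slots."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scope = "default" if line.startswith("default:") else "access"
        if scope == "default":
            line = line[len("default:"):]
        tag, qual, perms = line.split(":")
        entries.add((scope, tag, qual, perms))
    return entries


def diff_acls(a, b):
    return a - b, b - a


def numeric_group_ids(entries):
    return {int(q) for _, tag, q, _ in entries if tag == "group" and q.isdigit()}


def translate(entries, src_xid_to_sid, dst_xid_to_sid):
    """Rewrite numeric user/group qualifiers via SID: source xid -> SID -> target xid.
    Returns (translated entries, descriptions of entries that could not be mapped)."""
    sid_to_dst = {sid: xid for xid, sid in dst_xid_to_sid.items()}
    out, unresolved = set(), set()
    for scope, tag, qual, perms in entries:
        if tag in ("user", "group") and qual.isdigit():
            sid = src_xid_to_sid.get(int(qual))
            if sid is None or sid not in sid_to_dst:
                unresolved.add(f"{tag} {qual} ({sid or 'no SID on source'})")
                continue
            qual = str(sid_to_dst[sid])
        out.add((scope, tag, qual, perms))
    return out, unresolved


def to_setfacl_spec(entries):
    """Render as lines for `setfacl --set-file=-` ('d:' prefix marks default entries)."""
    short = {"user": "u", "group": "g", "mask": "m", "other": "o"}
    return "\n".join(f"{'d:' if scope == 'default' else ''}{short[tag]}:{qual}:{perms}"
                     for scope, tag, qual, perms in sorted(entries))


if __name__ == "__main__":
    fsmo, second = parse_getfacl(FSMO_ACL), parse_getfacl(SECOND_ACL)
    only_fsmo, only_second = diff_acls(fsmo, second)
    print("groups only on FSMO:  ", sorted(numeric_group_ids(only_fsmo)))
    print("groups only on second:", sorted(numeric_group_ids(only_second)))
    translated, unresolved = translate(fsmo, FSMO_XID_TO_SID, SECOND_XID_TO_SID)
    print("translated == second DC:", translated == second, "unresolved:", unresolved)
    print(to_setfacl_spec(translated))
```

The translate() step is the check to run before trusting a copied sysvol: any SID in the unresolved set has no xid on the target yet, and an entry carried over by number for it would grant the directory to whichever principal the target happens to have allocated that number to.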


Re: [Samba] Change default GID of users

2013-08-29 Thread Bruno Vane
Thank you Steve,

I had this mapping in nslcd.conf
map passwd  gidNumber   primaryGroupID

I need the gidNumber to be 100 because this is gidnumber of group users
in my Ubuntu servers.
I will disable this mapping and test if everything is OK.


2013/8/28 steve st...@steve-ss.com

 On Tue, 2013-08-27 at 16:07 -0300, Bruno Vane wrote:
  Hi Steve,
 
 
  Seems that this attribute does not matter, see my user bruno.vane:
  primaryGroupID: 513
  gidNumber: 100

 Hi

 How are you obtaining the information from AD?
 If you set:
  gidNumber: 100
 in the DN of a user, then that is what will be returned when e.g.
 nss-ldapd is used. It will not return primaryGroupID unless you have
 mapped that attribute to gidNumber in nslcd.conf. primaryGroupID is not
 an rfc2307 attribute.
 HTH





-- 

Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu

www.zamix.com.br | www.superonda.com.br


Re: [Samba] Force user permission in specific folders

2013-08-29 Thread Eric Shubert

On 08/29/2013 04:40 AM, Patric Falinder wrote:

Hi,

It's not that often that I'm messing around with Samba but I have a dilemma
that I need some help with.

I have a share called "common"; users can create folders and files just
fine, but I'm wondering if it's possible to force folders/files to be
created with a certain user/group owner in just one specific folder.
I know I can force so that everything is created with a specific user/group,
but I want it specific to folders.

Let's say I create a file in /common/ and it will be created with the
owner that I'm logged in as, let's say the user john.
But if John, or anyone, creates a file in /common/files/ I want it to be
created with the owner james no matter who creates it.

Is this possible to achieve?

The reason I need this is because I have a Samba share with all our www/ftp
folders and they are owned by the user that has the FTP account for that
specific folder. If I create a folder or whatever, it will change the
permissions so that the FTP user can't edit/delete it. I don't really want
to chmod 777 everything in there.

If it's not possible, how do people manage this? Or should I not make a
Samba share like this?

Thanks,
-Patric



Use group permissions?

--
-Eric 'shubes'



Re: [Samba] [SOLVED] Problem authenticating from standalone servers via Samba 3.0.34 domain member servers to Samba 3.2.5 domain controller

2013-08-29 Thread Eric Shubert

I'm posting the solution for posterity.

This is sooo lame that I'm almost embarrassed. The problem was that nmbd 
wasn't running on the PDC. Somewhere between 3.0 and 3.6, RH changed the 
smb init script to only control smbd, and nmbd now has its own init 
script. DOH! (Note, I do like the change though.)


Solution:
# service nmb start
# chkconfig nmb on

I'm a little surprised (and disappointed) that nobody here realized 
this. It's sort of obvious to me now.


P.S. I'm not sure if this was the solution for the original poster or not.

--
-Eric 'shubes'

On 08/25/2013 09:49 AM, Eric Shubert wrote:

I think I've come across this same problem, although I'm migrating from
3.0.33 (CentOS5) to 3.6 (CentOS6).

I've migrated the domain controller from 3.0.33 to 3.6 first. I dumped
and restored the passwd, secrets and schannel_store tdb files from 3.0
to 3.6, and also migrated the linux accounts and groups. Windows XP
clients are able to log into the domain. However, the 3.0.33 file server
is unable to find the domain controller.

I can see the shares on the DC from the file server:
# net rpc -S tacs-dc.stor -U shubes SHARE
Password:
homes
admin
ops
r3i
IPC$
shubes
#

However, the file server cannot find the DC:
# net rpc trustdom list
Unable to find a suitable server
[2013/08/25 08:26:15, 0] utils/net_rpc.c:rpc_trustdom_list(6083)
   Couldn't connect to domain controller
#

I'm also seeing this in the file server's log:
[2013/08/25 07:45:43, 3] libsmb/namequery.c:get_dc_list(1495)
   get_dc_list: preferred server list: , tacs-dc.stor
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_lmhosts(966)
   resolve_lmhosts: Attempting lmhosts lookup for name tacs-dc.stor<0x20>
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_wins(863)
   resolve_wins: Attempting wins lookup for name tacs-dc.stor<0x20>
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_wins(866)
   resolve_wins: WINS server resolution selected and no WINS servers
listed.
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_hosts(1029)
   resolve_hosts: Attempting host lookup for name tacs-dc.stor<0x20>
[2013/08/25 07:45:48, 3] libsmb/trusts_util.c:enumerate_domain_trusts(167)
   enumerate_domain_trusts: can't locate a DC for domain R3I

The domain SID in the secrets.tdb files on both hosts match the SID of
the the DC host.

I figure there's something I've missed in migrating the DC that has
broken the trust, but haven't been able to find the problem yet.

Any ideas will be appreciated.
Thanks.







Re: [Samba] [Solved] PDC: System SID missing / inconsistent with domain SID

2013-08-29 Thread Eric Shubert

On 08/26/2013 07:57 PM, Eric Shubert wrote:

On 08/26/2013 01:21 PM, Eric Shubert wrote:

I'm guessing that adding a TACS-DC record to the old host would fix the
problem of not being able to get its SID.


This appears to work now.


I'm also guessing that adding a LANYARD record to the new host *might*
make it recognize that it's a domain controller. I hope to test this
later today, when users are gone.


This didn't appear to help. The new DC still doesn't recognize itself as
a DC:
# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
#

I do have the SID of the domain/host that was created by this host. I
wonder if restoring those records in secrets.tdb, then using the net
command to change the SID of the domain and host might fix things up.
Does the net setdomainsid command do anything more than change the value
of the record in the tdb file? If it does, that could be a solution.

Anyone have any insight about how to go about changing the host name of
a domain controller (while migrating it)?

Thanks.



I'm posting the solution for posterity.

net setdomainsid does nothing more than change the sid in the 
secrets.db file.


Changing the host name of a PDC is simply a matter of adding a record in 
the secrets.db file with the same SID as the previous hostname record 
(which is the same SID value as the domain record there).


This is sooo lame that I'm almost embarrassed. The problem was that nmbd 
wasn't running on the PDC. Somewhere between 3.0 and 3.6, RH changed the 
smb init script to only control smbd, and nmbd now has its own init 
script. DOH! (Note, I do like the change though.)


Solution:
# service nmb start
# chkconfig nmb on

I'm a little surprised (and disappointed) that nobody here realized 
this. It's sort of obvious to me now.


--
-Eric 'shubes'


--
-Eric 'shubes'



Re: [Samba] Change default GID of users

2013-08-29 Thread Marc Muehlfeld

Hello Bruno,

On 29.08.2013 16:11, Bruno Vane wrote:

I had this mapping in nslcd.conf
map passwd  gidNumber   primaryGroupID

I need the gidNumber to be 100 because this is gidnumber of group users
in my Ubuntu servers.
I will disable this mapping and test if everything is OK.


The mapping is not just for mapping one field to another. You can 
replace values too, or do other things (see the manpage for more).


You can hardcode the mapping:

map passwd  gidNumber  666


# getent passwd
...
Administrator:*:1:666::/home/Administrator:/bin/bash
technik:*:10001:666:Technik:/home/technik:/bin/false
demo1:*:10002:666:Demo User1:/home/demo1:/bin/sh


And all your domain accounts have primary group 666 :-)


Regards,
Marc


Re: [Samba] Force user permission in specific folders

2013-08-29 Thread TAKAHASHI Motonobu

From: Patric Falinder patric.falin...@omg.nu
Date: Thu, 29 Aug 2013 13:40:01 +0200

 It's not that often that I'm messing around with Samba but I have a dilemma
 that I need some help with.
 
 I have a share called "common"; users can create folders and files just
 fine, but I'm wondering if it's possible to force folders/files to be
 created with a certain user/group owner in just one specific folder.
 I know I can force so that everything is created with a specific user/group,
 but I want it specific to folders.

Please use the force user and force group parameters.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo 
   facebook.com/takahashi.motonobu

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Issues logging with trusted domain users

2013-08-29 Thread Diego Lima
Hello,

We have a Samba 3 controller as PDC for the domain dom.com, which has a
two-way trust relationship with a W2k8 controller for the domain
domain.local.

We can log in on Windows workstations if we use the domain domain.local
but login fails if we just try to use domain. On the Windows machines,
however, login works if we just use DOMAIN\user (instead of
DOMAIN.LOCAL\user).

Is there something that needs to be done on Samba's side for this mapping
to work?

-- 
Diego Lima
http://www.diegolima.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Change default GID of users

2013-08-29 Thread Bruno Vane
Thank you Marc!


2013/8/29 Marc Muehlfeld sa...@marc-muehlfeld.de

 Hello Bruno,

 On 29.08.2013 16:11, Bruno Vane wrote:

  I had this mapping in nslcd.conf
 map passwd  gidNumber   primaryGroupID

 I need the gidNumber to be 100 because this is the gidNumber of the group users
 on my Ubuntu servers.
 I will disable this mapping and test if everything is OK.


 The mapping is not just for mapping one field to another. You can replace
 values too, or do other things (see the manpage for more).

 You can hardcode the mapping:

 map passwd  gidNumber  666


 # getent passwd
 ...
 Administrator:*:1:666::/home/Administrator:/bin/bash
 technik:*:10001:666:Technik:/home/technik:/bin/false
 demo1:*:10002:666:Demo User1:/home/demo1:/bin/sh


 And all your domain accounts have primary group 666 :-)


 Regards,
 Marc




-- 

Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu

www.zamix.com.br | www.superonda.com.br
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread Carlos Alberto Borges Garcia
Hi,

Where can I enter these values in AD?


2013/8/29 steve st...@steve-ss.com

 On Thu, 2013-08-29 at 11:14 +1200, Andrew Bartlett wrote:
  On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
   Hi,
  
   I have one Samba4 server running as Active Directory Domain Controller.
   It's working like a charm.
  
   So I needed to add another server to be a Member Server (File Server).
  
   The server is running samba-4.0.9.
  
   Configured and compiled ok:
  
   ./configure --prefix=/usr/local/samba --sysconfdir=/etc
   --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
   --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
   --with-shared-modules=idmap_ad,pam
  
   Installed ok.
  
   Kerberos OK.
   I can run kinit and klist
  
   root@MYNETSRV08:/etc/samba# kinit Administrator
   Password for administra...@mynet.net:
   root@MYSRV08:/etc/samba#
  
   root@MYNETSRV08:/etc/samba# klist
   Ticket cache: FILE:/tmp/krb5cc_0
   Default principal: administra...@mynet.net
  
   Valid startingExpires   Service principal
   28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
   renew until 29/08/2013 19:59
   root@MYNETSRV08:/etc/samba#
  
   My SMB.CONF is below:
  
   [global]
  
  workgroup = MYNET
  security = ADS
  realm = MYNET.NET
  encrypt passwords = yes
  
  idmap config *:backend = tdb
  idmap config *:range = 70001-8
  idmap config MYNET:backend = ad
  idmap config MYNET:schema_mode = rfc2307
  
  idmap config MYNET:range = 500-4
  
  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  
   [test]
  path = /mnt/files
  read only = no
  
  
  
   I can add my server to domain:
  
   root@PCOSRV08:/etc/samba# net ads join -U administrator
   Enter administrator's password:
   Using short domain name -- MYNET
   Joined 'MYNETSRV08' to dns domain 'mynet.net'
   root@MYNETSRV08:/etc/samba#
  
   libnss_winbind.so is in the right place:
  
   root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
   /lib/libnss_winbind.so  /lib/libnss_winbind.so.2
  
   The libs are loaded fine:
  
   root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
   libnss_hesiod.so.2 - libnss_hesiod-2.13.so
   libnss_compat.so.2 - libnss_compat-2.13.so
   libnss_dns.so.2 - libnss_dns-2.13.so
   libnss_ldap.so.2 - libnss_ldap.so.2
   libnss_nis.so.2 - libnss_nis-2.13.so
   libnss_nisplus.so.2 - libnss_nisplus-2.13.so
   libnss_files.so.2 - libnss_files-2.13.so
   libnss_wins.so - libnss_wins.so.2
   libnss_winbind.so - libnss_winbind.so.2
   libnss_hesiod.so.2 - libnss_hesiod-2.13.so
   libnss_compat.so.2 - libnss_compat-2.13.so
   libnss_dns.so.2 - libnss_dns-2.13.so
   libnss_nis.so.2 - libnss_nis-2.13.so
   libnss_nisplus.so.2 - libnss_nisplus-2.13.so
   libnss_files.so.2 - libnss_files-2.13.so
   root@MYNETSRV08:/etc/samba#
  
   I added winbind to my nsswitch.conf
  
   passwd: compat winbind
   group:  compat winbind
  
   I can start the daemon without issues:
  
   smbd
   nmbd
   winbindd
  
   wbinfo -u lists all my domain users
  
   wbinfo -g lists all my domain groups
  
  
   Here are the problems:
  
   When I run getent passwd, it lists only the local users.
 
  For performance reasons, by default we do not list users in the AD
  domain.  See winbind enum users in your smb.conf

 His smb.conf above shows that the OP has those lines for both users and
 groups.
 
   When I run id Administrator, it returns No such user.
 
  You need to use 'id MYNET\\administrator'
 
 smb.conf has: winbind use default domain = Yes
 Do we still need MYNET\\?

 Do your users have entries for:
 uidNumber
 and
 gidNumber
 in AD?

 Cheers
 Steve


 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba




-- 
http://www.endomondo.com/profile/3312580

Veja:  http://naofoiacidente.org/blog/por-quem/ 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 14:21 -0300, Carlos Alberto Borges Garcia wrote:
 Hi,
 
 
 Where can I enter these values in AD?
 

Hi
If you have a recent version of Samba4, you can add them when you create
new users:

samba-tool user add --help
will give the options.

If you already have the users, just edit their entries e.g.:

ldbedit --url=/usr/local/samba/private/sam.ldb cn=carlos
Add a minimum of:
uidNumber: 1234567
gidNumber: 12345

Your winbind will then pull this information from AD when needed.

You can get sensible values for uidNumber from idmap e.g.:
wbinfo -i carlos

HTH
Steve



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 19:46 +0200, steve wrote:

 You can get sensible values for uidNumber from idmap e.g.:
 wbinfo -i carlos

** Don't forget to change:
idmap config MYNET:range = 500-4
to include your new values. Something like:
300-310



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread Carlos Alberto Borges Garcia
Still not working:

I created a test user:


dn: CN=test,CN=Users,DC=mynet,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test
givenName: test
instanceType: 4
whenCreated: 20130827212151.0Z
displayName: test
uSNCreated: 45308
name: teste
objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3124563532-696977291-52706181-1501131
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test
sAMAccountType: 805306368
userPrincipalName: t...@mynet.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net
pwdLastSet: 13022112112000
url: uidNumber
userAccountControl: 512
msDS-SupportedEncryptionTypes: 0
gidNumber: 12345
uidNumber: 1234567
whenChanged: 20130829175016.0Z
uSNChanged: 47069
distinguishedName: CN=test,CN=Users,DC=mynet,DC=net


But if I run:
id test
id MYNET\test
id MYNET\\test
id t...@mynet.net

I get No such user


2013/8/29 steve st...@steve-ss.com

 On Thu, 2013-08-29 at 14:21 -0300, Carlos Alberto Borges Garcia wrote:
  Hi,
 
 
  Where can I enter these values in AD?
 

 Hi
 If you have a recent version of Samba4, you can add them when you create
 new users:

 samba-tool user add --help
 will give the options.

 If you already have the users, just edit their entries e.g.:

 ldbedit --url=/usr/local/samba/private/sam.ldb cn=carlos
 Add a minimum of:
 uidNumber: 1234567
 gidNumber: 12345

 Your winbind will then pull this information from AD when needed.

 You can get sensible values for uidNumber from idmap e.g.:
 wbinfo -i carlos

 HTH
 Steve






-- 
http://www.endomondo.com/profile/3312580

Veja:  http://naofoiacidente.org/blog/por-quem/ 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 14:59 -0300, Carlos Alberto Borges Garcia wrote:
 Still not working:
 
 
 I created a test user:
 
 
 
 
 dn: CN=test,CN=Users,DC=mynet,DC=net
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: user
 cn: test
 givenName: test
 instanceType: 4
 whenCreated: 20130827212151.0Z
 displayName: test
 uSNCreated: 45308
 name: teste
 objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d
 badPwdCount: 0
 codePage: 0
 countryCode: 0
 badPasswordTime: 0
 lastLogoff: 0
 lastLogon: 0
 primaryGroupID: 513
 objectSid: S-1-5-21-3124563532-696977291-52706181-1501131
 accountExpires: 9223372036854775807
 logonCount: 0
 sAMAccountName: test
 sAMAccountType: 805306368
 userPrincipalName: t...@mynet.net
 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net
 pwdLastSet: 13022112112000
 url: uidNumber
 userAccountControl: 512
 msDS-SupportedEncryptionTypes: 0
 gidNumber: 12345
 uidNumber: 1234567
 whenChanged: 20130829175016.0Z
 uSNChanged: 47069
 distinguishedName: CN=test,CN=Users,DC=mynet,DC=net
 
 
 
 
 But if I run:
 id test
 id MYNET\test
 id MYNET\\test
 id t...@mynet.net
 
 
 I get No such user
 

Change:
uidNumber: 3000100
gidNumber: 80513

and in smb.conf:
idmap config MYNET:range = 80001-310





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
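The check Steve's replies boil down to (every user needs a uidNumber and gidNumber, and both must fall inside the domain's "idmap config ... : range", otherwise winbind answers "No such user"), as an added example that is not from the thread and not Samba's own tooling: a script that reads the idmap ranges out of an smb.conf text and an LDIF dump of the user objects and reports the mismatches. It also flags overlapping idmap ranges, which the thread does not discuss. The smb.conf fragment, the LDIF entries, the numeric ranges and the function names are all constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment laid out like the one posted in the thread;
# the numeric ranges are made up for this example.
SMB_CONF = """\
[global]
   workgroup = MYNET
   idmap config * : backend = tdb
   idmap config * : range = 70001-80000
   idmap config MYNET : backend = ad
   idmap config MYNET : schema_mode = rfc2307
   idmap config MYNET : range = 500-40000
"""

# Constructed LDIF in the shape ldbsearch/ldbedit print, reduced to the
# attributes the check needs.
LDIF = """\
dn: CN=test,CN=Users,DC=mynet,DC=net
sAMAccountName: test
uidNumber: 1234567
gidNumber: 12345

dn: CN=carlos,CN=Users,DC=mynet,DC=net
sAMAccountName: carlos
uidNumber: 3000
gidNumber: 3000

dn: CN=nouid,CN=Users,DC=mynet,DC=net
sAMAccountName: nouid
"""

# "idmap config DOMAIN : range = LOW-HIGH"; the spaces around the colon are
# optional in smb.conf, so both spellings match.
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every idmap range in an smb.conf text."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines,
    repeated attributes kept in order (base64 '::' values are not handled)."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def check_users(entries, ranges, domain: str) -> Dict[str, List[str]]:
    """Return {sAMAccountName: [problem, ...]} for users the ad idmap backend
    cannot map: missing rfc2307 attributes or IDs outside the domain's range."""
    domain = domain.upper()
    if domain not in ranges:
        raise ValueError(f"no 'idmap config {domain} : range' in smb.conf")
    low, high = ranges[domain]
    issues: Dict[str, List[str]] = {}
    for entry in entries:
        name = entry.get("sAMAccountName", ["?"])[0]
        problems = []
        for attr in ("uidNumber", "gidNumber"):
            if attr not in entry:
                problems.append(f"{attr} missing")
                continue
            value = int(entry[attr][0])
            if not low <= value <= high:
                problems.append(f"{attr} {value} outside {domain} range {low}-{high}")
        if problems:
            issues[name] = problems
    return issues


def overlapping_ranges(ranges) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap (Samba needs them disjoint)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


if __name__ == "__main__":
    idmap = parse_idmap_ranges(SMB_CONF)
    for pair in overlapping_ranges(idmap):
        print("overlapping idmap ranges:", pair)
    for user, problems in check_users(parse_ldif(LDIF), idmap, "MYNET").items():
        print(f"{user}: " + "; ".join(problems))
```

Feed it the real smb.conf and the output of ldbsearch for the users that "id" cannot resolve; an empty result means the IDs are at least inside the range and the problem lies elsewhere (nscd, nsswitch.conf, or the group object of the user's primary group).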


Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread Luca Olivetti
On 29/08/13 12:06, steve wrote:

 We have sssd covered here:
 http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

Well, that doesn't seem to be complete (at least to a kerberos newbie
like me).

For example, it's missing the step to create /etc/krb5.keytab
I used

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab
--principal=HP$

but then sssd complains that

[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [HP$@WETRON.ES]
[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using
keytab [/etc/krb5.keytab]
[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will
canonicalize principals
[[sssd[ldap_child[2300 [prepare_response] (0x0400): Building
response for result [0]
[[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed
successfully
[sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client
finished
[sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
[sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech:
gssapi, user: HP$
[sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message:
[SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Server not found in Kerberos
database)]


BTW, installing sssd from rpm (mageia 3, which provides 1.9.4) causes
locally built samba to not start anymore (since there is some
conflicting library and samba will use the bad library in /usr/lib64
instead of the one under /usr/local/samba), so, in my specific case, I
cannot really say 'you'll not believe how simple this is' ;-)

nslcd seems simpler (at least I got it working)


Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread steve
On Thu, 2013-08-29 at 20:17 +0200, Luca Olivetti wrote:

 but then sssd complains that
 
 [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100):
 Principal
 name is: [HP$@WETRON.ES]
 [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using
 keytab [/etc/krb5.keytab]
 [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will
 canonicalize principals
 [[sssd[ldap_child[2300 [prepare_response] (0x0400): Building
 response for result [0]
 [[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed
 successfully
 [sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client
 finished
 [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
 [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is
 900
 [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind
 mech:
 gssapi, user: HP$
 [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
 (-2)[Local error]
 [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure
 message:
 [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
 Minor code may provide more information (Server not found in Kerberos
 database)]

Oooof. Painful!
Marc's howto will be here soon:)



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread Carlos Alberto Borges Garcia
Still not working :(


2013/8/29 steve st...@steve-ss.com

 On Thu, 2013-08-29 at 14:59 -0300, Carlos Alberto Borges Garcia wrote:
  Still not working:
 
 
  I created a test user:
 
 
 
 
  dn: CN=test,CN=Users,DC=mynet,DC=net
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  cn: test
  givenName: test
  instanceType: 4
  whenCreated: 20130827212151.0Z
  displayName: test
  uSNCreated: 45308
  name: teste
  objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d
  badPwdCount: 0
  codePage: 0
  countryCode: 0
  badPasswordTime: 0
  lastLogoff: 0
  lastLogon: 0
  primaryGroupID: 513
  objectSid: S-1-5-21-3124563532-696977291-52706181-1501131
  accountExpires: 9223372036854775807
  logonCount: 0
  sAMAccountName: test
  sAMAccountType: 805306368
  userPrincipalName: t...@mynet.net
  objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net
  pwdLastSet: 13022112112000
  url: uidNumber
  userAccountControl: 512
  msDS-SupportedEncryptionTypes: 0
  gidNumber: 12345
  uidNumber: 1234567
  whenChanged: 20130829175016.0Z
  uSNChanged: 47069
  distinguishedName: CN=test,CN=Users,DC=mynet,DC=net
 
 
 
 
  But if I run:
  id test
  id MYNET\test
  id MYNET\\test
  id t...@mynet.net
 
 
  I get No such user
 

 Change:
 uidNumber: 3000100
 gidNumber: 80513

 and in smb.conf:
 idmap config MYNET:range = 80001-310








-- 
http://www.endomondo.com/profile/3312580

Veja:  http://naofoiacidente.org/blog/por-quem/ 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 15:29 -0300, Carlos Alberto Borges Garcia wrote:
 Still not working :(

Turn off nscd? Give up? Use nslcd or sssd instead?
Can't think of anything else:(


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve

On 29/08/13 20:29, Carlos Alberto Borges Garcia wrote:



 But if I run:
 id test
 id MYNET\test
 id MYNET\\test
 id t...@mynet.net mailto:t...@mynet.net


 I get No such user




That should be:
id test
not:
id MYNET\\test


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread Rowland Penny

On 29/08/13 19:17, Luca Olivetti wrote:

On 29/08/13 12:06, steve wrote:


We have sssd covered here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

Well, that doesn't seem to be complete (at least to a kerberos newbie
like me).

For example, it's missing the step to create /etc/krb5.keytab
I used

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab
--principal=HP$

but then sssd complains that

[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [HP$@WETRON.ES]
[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using
keytab [/etc/krb5.keytab]
[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will
canonicalize principals
[[sssd[ldap_child[2300 [prepare_response] (0x0400): Building
response for result [0]
[[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed
successfully
[sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client
finished
[sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
[sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech:
gssapi, user: HP$
[sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message:
[SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Server not found in Kerberos
database)]


BTW, installing sssd from rpm (mageia 3, which provides 1.9.4) causes
locally built samba to not start anymore (since there is some
conflicting library and samba will use the bad library in /usr/lib64
instead of the one under /usr/local/samba), so, in my specific case, I
cannot really say 'you'll not believe how simple this is' ;-)

nslcd seems simpler (at least I got it working)


Bye

Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'


Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread Luca Olivetti
On 29/08/13 21:02, Rowland Penny wrote:

 Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
 Administrator'

Thank you, that worked *but* we're back to square one: migrated users
(with the posixAccount class) show up but new users don't.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread Luca Olivetti
On 29/08/13 21:15, Luca Olivetti wrote:
 On 29/08/13 21:02, Rowland Penny wrote:
 
 Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
 Administrator'
 
 Thank you, that worked *but* we're back to square one: migrated users
 (with the posixAccount class) show up but new users don't.

Oops, sorry, actually it didn't work, I forgot that in the meantime I
changed nsswitch.conf to use ldap instead of nss :-(

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread Rowland Penny

On 29/08/13 20:17, Luca Olivetti wrote:

On 29/08/13 21:15, Luca Olivetti wrote:

On 29/08/13 21:02, Rowland Penny wrote:


Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator'

Thank you, that worked *but* we're back to square one: migrated users
(with the posixAccount class) show up but new users don't.

Oops, sorry, actually it didn't work, I forgot that in the meantime I
changed nsswitch.conf to use ldap instead of nss :-(

Bye

Sorry, but I am losing the plot here a bit; I thought that because you wanted 
the keytab, you were now trying to get sssd to work.


Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.

2013-08-29 Thread Jeremy Allison
On Thu, Aug 29, 2013 at 10:10:38AM +0100, Tris Mabbs wrote:
 Hiya Andrew,
 
 Many thanks for the typically helpful and comprehensive reply :-)
 
  I think that's probably the right track :-)
 
  The code here is triggered when poll() indicates that the socket is
 readable.
  This socket should only be readable when a new connection is being made,
 and accept() should succeed.
  ...
  So, my only conclusion is that your box momentarily does not have the
 resources to accept the connection,
  and because there isn't the sleep() in the source3 code, it prints this in
 a loop until the resources become available.
 
 Absolutely, and on any normal Unix implementation I'd agree entirely.  That
 sort of poll()/accept()/... code is perfectly normal and exactly what
 you'd expect - I've written plenty of very similar code myself over the
 years ...
 However this is Solaris :-(
 
 Caught in the act:
 
 ...
 16327: pollsys(0x0809B4D0, 8, 0xFEFFDF18, 0x)  = 1
 16327:  fd=39 ev=POLLIN|POLLHUP rev=0
 16327:  fd=38 ev=POLLIN|POLLHUP rev=0
 16327:  fd=34 ev=POLLIN|POLLHUP rev=0
 16327:  fd=36 ev=POLLIN|POLLHUP rev=0
 16327:  fd=37 ev=POLLIN|POLLHUP rev=POLLIN
 16327:  fd=35 ev=POLLIN|POLLHUP rev=0
 16327:  fd=33 ev=POLLIN|POLLHUP rev=0
 16327:  fd=6  ev=POLLIN|POLLHUP rev=0
 16327:  timeout: 59.99900 sec
 16327: accept(37, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) = 41
 16327:  AF_INET  name = X.X.X.X  port = 28986
 16327: forkx(0)= 26942
 16327: lwp_sigmask(SIG_SETMASK, 0x00011080, 0x, 0x,
 0x) = 0xFFBFFEFF [0x]
 16327: close(41)   = 0
 16327: pollsys(0x0809B4D0, 8, 0xFEFFDF18, 0x)  = 1
 16327:  fd=39 ev=POLLIN|POLLHUP rev=0
 16327:  fd=38 ev=POLLIN|POLLHUP rev=0
 16327:  fd=34 ev=POLLIN|POLLHUP rev=0
 16327:  fd=36 ev=POLLIN|POLLHUP rev=0
 16327:  fd=35 ev=POLLIN|POLLHUP rev=POLLIN
 16327:  fd=33 ev=POLLIN|POLLHUP rev=0
 16327:  fd=6  ev=POLLIN|POLLHUP rev=0
 16327:  fd=37 ev=POLLIN|POLLHUP rev=0
 16327:  timeout: 44.69600 sec
 16327: accept(35, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) Err#130
 ECONNABORTED
 ...
 
 So there's nothing odd about the poll().  Typically Solaris will flag
 POLLERR in revents if it's out of resources, and POLLHUP if the remote end
 closed the connection before it was fully established (remote NAKed, or
 ignored, the connection SYN; terminally low on resources at t'other end of
 the socket; ...).  Neither is happening here which would suggest things are
 proceeding as normal for the connection establishment.
 
 The server darn' well shouldn't be out of any resources either.  In terms of
 physical resources, at the point that occurred the CPUs were at 99.9% idle,
 there was 15Gb of free RAM (so not out of kernel memory then ...) and only a
 total of about 400 sockets (TCP, Unix, ...) in use across the entire system,
 as reported by netstat -na | wc -l - well below peak levels seen on this
 system.
 
 So it's going to be that hypothetical Solaris specific
 SO_DONT_RANDOMLY_ABORT_CONNECTIONS socket() option, isn't it :-)
 
 So could I request please, that in the source3 code, either:
   a. The same sleep() is added as in the source4 code; -and/or-
   b. If errno == ECONNABORTED then only log the error if the debug
 level is (substantially?) higher than zero.

So your problem is the debug statement being triggered repeatedly ?

Adding a sleep is (IMHO) the wrong thing to do. Once the accept()
has failed the 'POLLIN' event should not be triggered repeatedly
on the polled socket. Your truss trace doesn't show enough. Does
a subsequent pollsys() keep returning fd=35 ev=POLLIN|POLLHUP rev=POLLIN
after the:

 accept(35, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) Err#130  ECONNABORTED

?

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
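The poll()/accept() handling Jeremy describes, as an added example in C that is not Samba's code: one round of the listener loop returns straight to poll() after a per-connection accept() failure such as ECONNABORTED, with no sleep(), treats only listener-level errors as fatal, and applies a logging policy constructed along the lines of Tris's request (b). The enum, the function names and the loopback fixture are this example's own assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of one poll()+accept() round: OK = client accepted (*client_fd set),
 * IDLE = poll() timed out, TRANSIENT = one connection failed and the loop
 * should go straight back to poll() without sleeping, FATAL = listener dead. */
enum accept_outcome { ACCEPT_OK, ACCEPT_IDLE, ACCEPT_TRANSIENT, ACCEPT_FATAL };

/* ECONNABORTED and friends are per-connection: the kernel has already dropped
 * that entry from the backlog and the listener is healthy. Descriptor/memory
 * exhaustion is retryable too. EBADF, EINVAL, ENOTSOCK, ... mean the
 * listening socket itself is broken and the loop must stop. */
int accept_errno_is_transient(int err)
{
    switch (err) {
    case ECONNABORTED: case EINTR: case EAGAIN:
    case EMFILE: case ENFILE: case ENOBUFS: case ENOMEM:
        return 1;
    default:
        return 0;
    }
}

/* Logging policy (constructed for this example, in the spirit of request (b)
 * in the thread): an aborted handshake is ordinary network noise and is
 * reported only at debug level 3 or above; resource exhaustion is always
 * reported. */
int accept_error_should_log(int err, int debuglevel)
{
    if (err == ECONNABORTED || err == EINTR || err == EAGAIN)
        return debuglevel >= 3;
    return 1;
}

/* One round: wait up to timeout_ms for the listener, then accept(). There is
 * deliberately no sleep() on failure: the next poll() blocks until another
 * connection is really pending, so an aborted handshake costs one iteration,
 * not a busy loop and not a stalled server. */
enum accept_outcome accept_one(int listen_fd, int timeout_ms, int debuglevel,
                               int *client_fd)
{
    struct pollfd pfd = { .fd = listen_fd, .events = POLLIN, .revents = 0 };
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    int fd, err, n = poll(&pfd, 1, timeout_ms);

    if (n < 0)
        return errno == EINTR ? ACCEPT_TRANSIENT : ACCEPT_FATAL;
    if (n == 0)
        return ACCEPT_IDLE;
    if (pfd.revents & (POLLNVAL | POLLERR))
        return ACCEPT_FATAL;   /* closed or errored listener: stop, don't spin */
    fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
    if (fd >= 0) {
        *client_fd = fd;
        return ACCEPT_OK;
    }
    err = errno;
    if (!accept_errno_is_transient(err))
        return ACCEPT_FATAL;
    if (accept_error_should_log(err, debuglevel))
        fprintf(stderr, "accept: %s (errno %d)\n", strerror(err), err);
    return ACCEPT_TRANSIENT;
}

/* Test fixture: a 127.0.0.1 listener with one client already connected to it,
 * so the loop can be exercised without a real peer. Returns 0 or -1. */
int loopback_pair(int *listen_fd, int *client_fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0; /* kernel-chosen port, read back with getsockname() */
    if (lfd < 0 || cfd < 0 ||
        bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 8) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &len) < 0 ||
        connect(cfd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        if (lfd >= 0) close(lfd);
        if (cfd >= 0) close(cfd);
        return -1;
    }
    *listen_fd = lfd;
    *client_fd = cfd;
    return 0;
}
```

A server loop calls accept_one() repeatedly and only leaves the loop on ACCEPT_FATAL; the truss trace in the thread would then show accept() returning ECONNABORTED once, followed by a pollsys() that blocks until the next real connection.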


Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread Rowland Penny

On 29/08/13 20:41, Luca Olivetti wrote:

Al 29/08/13 21:20, En/na Rowland Penny ha escrit:

On 29/08/13 20:17, Luca Olivetti wrote:

On 29/08/13 21:15, Luca Olivetti wrote:

On 29/08/13 21:02, Rowland Penny wrote:


Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator'

Thank you, that worked *but* we're back to square one: migrated users
(with the posixAccount class) show up but new users don't.

Oops, sorry, actually it didn't work, I forgot that in the meantime I
changed nsswitch.conf to use ldap instead of nss :-(

Bye

Sorry but I am losing the plot here a bit, I thought because you wanted
the keytab, you were now trying to get sssd to work.

Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
to ldap, so I thought your suggestion was working while it actually
wasn't (same error with Administrator as with HP$).

Bye

Hi, I am replying to you on list. Could you please post your sssd.conf 
and what version of sssd you are using, and also what your OS is.


Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread Carlos Alberto Borges Garcia
I give up.
Configured the server as Secondary Domain Controller.
Now it works.


2013/8/29 steve st...@steve-ss.com

 On 29/08/13 20:29, Carlos Alberto Borges Garcia wrote:


 
  But if I run:
  id test
  id MYNET\test
  id MYNET\\test
  id t...@mynet.net mailto:t...@mynet.net

 
 
  I get No such user
 


 That should be:
 id test
 not:
 id MYNET\\test





-- 
http://www.endomondo.com/profile/3312580

Veja:  http://naofoiacidente.org/blog/por-quem/ 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Inexplicable rejection of credentials

2013-08-29 Thread Paul D. DeRocco
I have a Windows home network with a bunch of Windows boxes and two Ubuntu
boxes. Everything can access shares on everything else, with one
exception: no one can get to the one share on the second Ubuntu box which
I just added to the system.

All my machines have one user account (admin privileges in Windows) with
the name pauld and the same password. In an effort to solve this problem
on the second Ubuntu box, I even copied the smb.conf file from the first
Ubuntu box and edited its netbios name parameter. The only difference I
can see in the configuration of the two boxes is the different computer
names, which are reflected both in their hostnames and their netbios
names. Oh, and I've rebooted everything several times.

Yet when I attempt to access the sole share on this machine, either from a
Windows machine or from the other Ubuntu box, it rejects the
username/password. (One difference: Windows boxes fail on trying to open
the machine; the older Ubuntu box can open the machine and see the
share name, but fails on trying to open the share. Dunno if that means
anything.)

For reference, here's the smb.conf from the offending machine:

---
[global]
workgroup = WORKGROUP
netbios name = BUILD
server string = %h server (Samba, Ubuntu)
dns proxy = no
name resolve order = bcast wins
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
[all]
comment = Everything
read only = no
path = /
browsable = yes
create mask = 755
---

Most of this stuff was created automatically by installing Samba, so I
don't really know what it means, or even if it's necessary. I stripped out
all the comments, and manually added the [all] share at the end. (And I
don't need any lectures about providing write access to root, please.) The
ONLY difference between this file and the one on the working Ubuntu
machine is the netbios name.

There are no other mysterious files in /etc/samba that could be confusing
things. No logs in /var/log/samba show any failures. So my general
question is: how do I fix this? And a more specific question is: is there
any other file somewhere that could be getting into the act, and screwing
this machine up? If there isn't an answer forthcoming, how about this: how
do I go about debugging this?

-- 

Ciao,   Paul D. DeRocco
Paul    mailto:pdero...@ix.netcom.com 
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-29 Thread Luca Olivetti
On 29/08/13 21:54, Rowland Penny wrote:

 Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
 to ldap, so I thought your suggestion was working while it actually
 wasn't (same error with Administrator as with HP$).

 Bye
 Hi, I am replying to you on list, could you please post your sssd.conf
 and what version of sssd you are using, also what is your OS

OK, now I got sssd working *but* without kerberos.
The OS is Linux, mageia 3, sssd is 1.9.4, the sssd.conf is just like the
one posted by steve
(http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html)
modified for my domain and with kerberos options commented out of the way:

[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
#krb5_realm = WETRON.ES
#krb5_server = hp.wetron.es
#krb5_kpasswd = hp.wetron.es
ldap_referrals = false
ldap_uri = ldap://localhost/
ldap_search_base = dc=wetron,dc=es
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=wetron,dc=es
ldap_group_name = cn
ldap_group_member = member
#ldap_user_search_filter = (&(objectCategory=User)(uidNumber=*))
#ldap_sasl_mech = gssapi
#ldap_sasl_authid = nslcd-connect
##for the client use:
## ldap_sasl_authid=ALGORFA$
#ldap_krb5_keytab = /etc/krb5.sssd.keytab
#ldap_krb5_init_creds = true
ldap_id_use_start_tls = false
ldap_default_bind_dn = cn=nslcd-connect,cn=Users,dc=wetron,dc=es
ldap_default_authtok_type = password
ldap_default_authtok = ---


Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
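The sssd.conf above binds as cn=nslcd-connect with a simple bind, which means the account password sits in cleartext in the file (ldap_default_authtok), ldap_id_use_start_tls is off, and the Kerberos lines are commented out; user authentication also goes through auth_provider = ldap, so users' passwords travel as LDAP simple binds on the same unencrypted channel. The following [domain/default] section is an added example, not Luca's configuration, showing the same domain section reworked to use the GSSAPI/keytab options that the posted file already carries in commented form. It assumes the realm, KDC, keytab path and nslcd-connect principal exactly as they appear in those commented lines, that ldap_sasl_minssf is available in this sssd version, and that the DC's LDAP service principal matches the host name hp.wetron.es rather than localhost.

```ini
[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
# was: auth_provider = ldap / chpass_provider = ldap, i.e. each user login
# became an LDAP simple bind; Kerberos keeps user passwords off LDAP
auth_provider = krb5
chpass_provider = krb5
krb5_realm = WETRON.ES
krb5_server = hp.wetron.es
krb5_kpasswd = hp.wetron.es
ldap_referrals = false
# was: ldap_uri = ldap://localhost/ ; a GSSAPI bind looks up the ldap/
# service principal for the URI host name (assumption: hp.wetron.es)
ldap_uri = ldap://hp.wetron.es/
ldap_search_base = dc=wetron,dc=es
# was: a simple bind with the account password stored in this file
#   ldap_default_bind_dn = cn=nslcd-connect,cn=Users,dc=wetron,dc=es
#   ldap_default_authtok_type = password
#   ldap_default_authtok = ---
# now: the same account, authenticated from a keytab over GSSAPI
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = nslcd-connect
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true
# refuse a SASL bind that negotiated no integrity/privacy layer
ldap_sasl_minssf = 56
# StartTLS stays off: the GSSAPI security layer carries the encryption, and
# Windows AD rejects GSSAPI sign/seal stacked on top of TLS
ldap_id_use_start_tls = false
# attribute mapping unchanged from the posted file
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=wetron,dc=es
ldap_group_name = cn
ldap_group_member = member
```

The keytab for the bind account is exported on the DC with `samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=nslcd-connect@WETRON.ES` (principal name assumed as in the commented lines), and both that keytab and sssd.conf should be root-owned mode 0600; sssd refuses to start when sssd.conf is readable by others, which is the one check that also protects the cleartext-password variant if it is kept.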


Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.

2013-08-29 Thread Tris Mabbs
Hiya Jeremy,

 So your problem is the debug statement being triggered repeatedly ?

Yup.

 Adding a sleep is (IMHO) the wrong thing to do. 

It has the advantage of pretty much guaranteeing the problem will go away;
it has the disadvantage of blocking the thread/process.
However it is what the Samba4 client code does (so a similar change to the
Samba3 code would be consistent; of course, so would a different change to both
codebases ...).

 Once the accept() has failed the 'POLLIN' event should not be triggered
repeatedly on the polled socket.
 Your truss trace doesn't show enough. Does a subsequent pollsys() keep
returning fd=35 ev=POLLIN|POLLHUP rev=POLLIN after the:

 accept(35, 0xFEFFDDCC, 0xFEFFDDB8, SOV_DEFAULT) Err#130 ECONNABORTED

Now that's a very interesting question ...

OK, a quick dig around later and we get (abridged):

pollsys(0x080849F0, 8, 0xFEFFDF58, 0x)  = 1
fd=36 ev=POLLIN|POLLHUP rev=0
fd=35 ev=POLLIN|POLLHUP rev=0
fd=34 ev=POLLIN|POLLHUP rev=0
fd=31 ev=POLLIN|POLLHUP rev=0
fd=33 ev=POLLIN|POLLHUP rev=0
fd=32 ev=POLLIN|POLLHUP rev=POLLIN
fd=6  ev=POLLIN|POLLHUP rev=0
fd=30 ev=POLLIN|POLLHUP rev=0
timeout: 32.54700 sec
accept(32, 0xFEFFDE0C, 0xFEFFDDF8, SOV_DEFAULT) Err#130 ECONNABORTED
...
write(8,  a c c e p t :   S o.., 43)  = 43
pollsys(0x080849F0, 8, 0xFEFFDF58, 0x)  = 1
fd=36 ev=POLLIN|POLLHUP rev=0
fd=35 ev=POLLIN|POLLHUP rev=0
fd=34 ev=POLLIN|POLLHUP rev=0
fd=31 ev=POLLIN|POLLHUP rev=POLLIN
fd=33 ev=POLLIN|POLLHUP rev=0
fd=6  ev=POLLIN|POLLHUP rev=0
fd=30 ev=POLLIN|POLLHUP rev=0
fd=32 ev=POLLIN|POLLHUP rev=0
timeout: 32.54600 sec
accept(31, 0xFEFFDE0C, 0xFEFFDDF8, SOV_DEFAULT) = 38
AF_INET  name = X.X.X.X  port = 55935
forkx(0)= 10502
...
pollsys(0x080849F0, 8, 0xFEFFDF58, 0x)  = 1
fd=36 ev=POLLIN|POLLHUP rev=0
fd=35 ev=POLLIN|POLLHUP rev=0
fd=34 ev=POLLIN|POLLHUP rev=0
fd=33 ev=POLLIN|POLLHUP rev=0
fd=32 ev=POLLIN|POLLHUP rev=POLLIN
fd=31 ev=POLLIN|POLLHUP rev=0
fd=6  ev=POLLIN|POLLHUP rev=0
fd=30 ev=POLLIN|POLLHUP rev=0
timeout: 31.03400 sec
accept(32, 0xFEFFDE0C, 0xFEFFDDF8, SOV_DEFAULT) Err#130 ECONNABORTED
...
write(8,  a c c e p t :   S o.., 43)  = 43
Received signal #18, SIGCLD, in pollsys() [caught]
  siginfo: SIGCLD CLD_EXITED pid=10504 status=0x
pollsys(0x080849F0, 8, 0xFEFFDF58, 0x)  Err#4 EINTR
fd=36 ev=POLLIN|POLLHUP rev=0
fd=35 ev=POLLIN|POLLHUP rev=0
fd=34 ev=POLLIN|POLLHUP rev=0
fd=33 ev=POLLIN|POLLHUP rev=0
fd=31 ev=POLLIN|POLLHUP rev=0
fd=6  ev=POLLIN|POLLHUP rev=0
fd=30 ev=POLLIN|POLLHUP rev=0
fd=32 ev=POLLIN|POLLHUP rev=0
timeout: 31.03200 sec

So that would be a no - next poll() and there's no revent flagged on that
same socket.
Which would confirm your thought that sleep() is perhaps not the way to
go.  However I don't know the Samba code (at all!) nearly well enough to
comment - that sleep() may be serving some other vital purpose under
different circumstances?

Either way, it would appear that my second suggestion would still be valid -
only log this (and possibly a couple of other error conditions) when more
debugging is enabled?

Another passing thought ...
That truss only captured 2 ECONNABORTED incidents - typical that nothing
much happens when you're specifically looking at it.
However, is it likely to be a coincidence that both were on the same socket?
FD#32 happens to be bound to port 445 on one specific interface of the
machine; tomorrow I might try a more extended test and poke lots of traffic
at that interface (and/or might stick the socket descriptor number into the
debug message) - if anything interesting presents itself (E.g., it's always
the same port, or interface, ... where the problem occurs) I'll post an
update saying so.
Probably doesn't affect the solution, but possibly technically interesting
anyway ...

Many thanks, and regards,

Tris.

-Original Message-
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: 29 August 2013 20:52
To: Tris Mabbs
Cc: 'Andrew Bartlett'; samba@lists.samba.org; samba-techni...@samba.org
Subject: Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only
using client) behaviour #2 - accept: Software caused connection abort.

On Thu, Aug 29, 2013 at 10:10:38AM +0100, Tris Mabbs wrote:
 Hiya Andrew,
 
 Many thanks for the typically helpful and comprehensive reply :-)
 
  I think that's probably the right track :-)
 
  The code here is triggered when poll() indicates that the socket is
 readable.
  This socket should only be readable when a new connection is being 
  made,
 and accept() should succeed.
  ...
  So, my only conclusion is that your box momentarily does not have 
  the
 resources to 

[SCM] Samba Shared Repository - branch master updated

2013-08-29 Thread Björn Jacke
The branch, master has been updated
   via  0ca9c74 provision: Rewrite named.txt to be more useful
  from  4dd1523 docs: Add man samba-regedit.8.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0ca9c74f91d5e727d5d37d324d4f1b396e75b1ae
Author: Andrew Bartlett abart...@samba.org
Date:   Wed Aug 28 13:35:47 2013 +1200

provision: Rewrite named.txt to be more useful

We already chown the dns.keytab file, so remove the suggestion to do that,
and instead explain why we can not use chroot (an often-requested feature).

Andrew Bartlett

Signed-off-by: Andrew Bartlett abart...@samba.org
Signed-off-by: Björn Jacke b...@sernet.de

Autobuild-User(master): Björn Jacke b...@sernet.de
Autobuild-Date(master): Thu Aug 29 13:53:25 CEST 2013 on sn-devel-104

---

Summary of changes:
 source4/setup/named.txt |   36 
 1 files changed, 20 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/setup/named.txt b/source4/setup/named.txt
index d0657dd..511bc67 100644
--- a/source4/setup/named.txt
+++ b/source4/setup/named.txt
@@ -12,20 +12,29 @@
 #file:
 tkey-gssapi-keytab ${DNS_KEYTAB_ABS};
 
+# 2. If SELinux is enabled, ensure that all files have the appropriate 
+#SELinux file contexts.  The ${DNS_KEYTAB} file must be accessible by the 
+#BIND daemon and should have a SELinux type of named_conf_t.  This can be 
+#set with the following command:
+chcon -t named_conf_t ${DNS_KEYTAB_ABS}
+
+#Even if not using SELinux, do confirm (only) BIND can access this file as 
the 
+#user it becomes (generally not root).
+
 #
-# Common Steps for BIND 9.x.x 
+# Steps for BIND 9.x.x using BIND9_DLZ --
 #
 
-# 2. Set appropriate ownership and permissions on the ${DNS_KEYTAB} file.  
-#Note that the most distributions have BIND configured to run under a 
-#non-root user account.  For example, Fedora 9 runs BIND as the user 
-#named once the daemon relinquishes its rights.  Therefore, the file 
-#${DNS_KEYTAB} must be readable by the user that BIND run as.  If BIND 
-#is running as a non-root user, the ${DNS_KEYTAB} file must have its 
-#permissions altered to allow the daemon to read it.  Under Fedora 9, 
-#execute the following commands:
-chgrp named ${DNS_KEYTAB_ABS}
-chmod g+r ${DNS_KEYTAB_ABS}
+# 3. Disable chroot support in BIND.  
+#BIND is often configured to run in a chroot, but this is not
+#compatible with access to the dns/sam.ldb files that database
+#access and updates require.  Additionally, the DLZ plugin is
+#linked to a large number of Samba shared libraries and loads
+#additonal plugins.
+
+#
+# Steps for BIND 9.x.x using BIND9_FLATFILE --
+#
 
 # 3. Ensure the BIND zone file(s) that will be dynamically updated are in 
 #a directory where the BIND daemon can write.  When BIND performs 
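Review bot: the new sentence "do confirm (only) BIND can access this file as the user it becomes" replaces the concrete `chgrp named` / `chmod g+r` commands with an instruction and no way to carry it out; since the commit message says provisioning already chowns the keytab, state the expected result so an admin can verify it, e.g. that `ls -l ${DNS_KEYTAB_ABS}` shows the BIND user (or its group) with read access and no access for others. Also, "additonal" in the new chroot paragraph is a typo, and since that paragraph removes a containment layer it should say what remains: BIND still runs as its unprivileged user, and only that user needs access to the dns/sam.ldb files the DLZ plugin opens.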
@@ -38,8 +47,3 @@ chmod g+r ${DNS_KEYTAB_ABS}
 #both example zone statements at the beginning of this file were changed 
 #by prepending the directory dynamic/.
 
-# 4. If SELinux is enabled, ensure that all files have the appropriate 
-#SELinux file contexts.  The ${DNS_KEYTAB} file must be accessible by the 
-#BIND daemon and should have a SELinux type of named_conf_t.  This can be 
-#set with the following command:
-chcon -t named_conf_t ${DNS_KEYTAB_ABS}
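Review bot: with the old step 4 deleted here and the SELinux text moved up as step 2, the DLZ section now ends at step 3 and the BIND9_FLATFILE section also starts at "# 3." (the unchanged context line at the end of the previous hunk), so the file has two step 3s and no step 4. Either restart numbering inside each section or renumber the flat-file step to 4.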


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2013-08-29 Thread Günther Deschner
The branch, master has been updated
   via  91910fe s3:winbind: fail ads_cached_connection_connect() if realm 
== NULL
   via  9d08ac4 s3-winbindd: remove unneeded include of secrets.h from 
idmap_ad.c
   via  77d7e2a s3-winbindd: use get_trust_pw_clear() wrapper for AD 
connection code.
   via  b66ce75 s3-winbindd: make sure also the idmap code can deal with 
trusted domains.
   via  576c597 s3-winbindd: use find_domain_from_name() instead of 
find_domain_from_name_no_init().
   via  26ab219 s3-winbindd: Fix winbind on DC crash with trusted AD 
domains.
   via  57d5336 s3-winbindd: Fix memory leak in ads_cached_connection().
   via  edca1f9 s3-winbindd: remove pointless variable assignment, see the 
strdup below.
  from  0ca9c74 provision: Rewrite named.txt to be more useful

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 91910fe898e2f8ad405c5790aa1a20e82a9f8aac
Author: Michael Adam ob...@samba.org
Date:   Thu Aug 29 16:38:08 2013 +0200

s3:winbind: fail ads_cached_connection_connect() if realm == NULL

This prevents segfaults when e.g. a previous SMB_STRDUP failed.

Signed-off-by: Michael Adam ob...@samba.org
Reviewed-by: Günther Deschner g...@samba.org

Autobuild-User(master): Günther Deschner g...@samba.org
Autobuild-Date(master): Thu Aug 29 18:54:28 CEST 2013 on sn-devel-104

commit 9d08ac424cdf3166110370e94799693bdbb201af
Author: Günther Deschner g...@samba.org
Date:   Wed Aug 28 14:53:08 2013 +0200

s3-winbindd: remove unneeded include of secrets.h from idmap_ad.c

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit 77d7e2ad5a88dbe4c16e8b829d5bd0a2a5aea9bc
Author: Günther Deschner g...@samba.org
Date:   Wed Aug 28 14:53:08 2013 +0200

s3-winbindd: use get_trust_pw_clear() wrapper for AD connection code.

This avoids calling secrets functions directly.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit b66ce754a327a5bdb7600fb67ffb7aaac03cb7db
Author: Günther Deschner g...@samba.org
Date:   Fri Aug 23 14:56:17 2013 +0200

s3-winbindd: make sure also the idmap code can deal with trusted domains.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit 576c597ae38e788bc3c16efc5417e7481c673add
Author: Günther Deschner g...@samba.org
Date:   Wed Aug 28 15:00:06 2013 +0200

s3-winbindd: use find_domain_from_name() instead of 
find_domain_from_name_no_init().

Otherwise there is a good chance the domain has not been connected and we 
don't
know the realm name yet.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit 26ab2194f96cee80438c7917bc7de3bb7d48aa64
Author: Günther Deschner g...@samba.org
Date:   Thu Aug 22 16:36:27 2013 +0200

s3-winbindd: Fix winbind on DC crash with trusted AD domains.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit 57d5336969d089d063abce8db2fe090e7a363bc9
Author: Günther Deschner g...@samba.org
Date:   Fri Aug 23 12:33:53 2013 +0200

s3-winbindd: Fix memory leak in ads_cached_connection().

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

commit edca1f9d4828281eb69b606dafd92f75f66fc984
Author: Günther Deschner g...@samba.org
Date:   Thu Aug 22 15:39:08 2013 +0200

s3-winbindd: remove pointless variable assignment, see the strdup below.

Guenther

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Michael Adam ob...@samba.org

---

Summary of changes:
 source3/winbindd/idmap_ad.c |1 -
 source3/winbindd/winbindd_ads.c |   62 ++
 2 files changed, 42 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 1ed6570..8b63801 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -31,7 +31,6 @@
 #include ads.h
 #include libads/ldap_schema.h
 #include nss_info.h
-#include secrets.h
 #include idmap.h
 #include ../libcli/ldap/ldap_ndr.h
 #include ../libcli/security/security.h
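Review bot: dropping secrets.h from idmap_ad.c is only safe if nothing in this file still references a secrets_*() symbol; the summary shows a single deleted line for idmap_ad.c, so no call site changed here, and on older toolchains an implicit declaration would compile with only a warning. Confirm with a -Werror=implicit-function-declaration build rather than from the commit message alone.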
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 1e45ad9..4c26389 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -27,7 +27,6 @@
 #include ../librpc/gen_ndr/ndr_netlogon_c.h
 #include ../libds/common/flags.h
 #include ads.h
-#include secrets.h
 #include ../libcli/ldap/ldap_ndr.h
 #include ../libcli/security/security.h
 #include 
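Review bot: this removal is the header side of commit 77d7e2a (get_trust_pw_clear() instead of direct secrets calls), but the replacement call sites in winbindd_ads.c fall past the 500-line truncation and cannot be checked from this page. The reviewer should verify that the header declaring get_trust_pw_clear() is included in winbindd_ads.c, and that the cleartext trust password the wrapper hands back is not kept around longer than the AD connection setup needs it, since that buffer is the machine-account secret.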

[SCM] CTDB repository - branch 1.0.114 updated - ctdb-1.0.114.6-10-g00f53a9

2013-08-29 Thread Michael Adam
The branch, 1.0.114 has been updated
   via  00f53a9a8f440be0bc993b1800383cd930fd273e (commit)
   via  6bfbc0aca625f0fb59df96beaee1e4c26178dc12 (commit)
   via  098b8fe9eb44ab7df718a7a80eb3078ed42802ba (commit)
   via  66e371d03f7a697d71aafb56257e30873c3d85cc (commit)
   via  c8470c203e2f5307e311b508b701fc75522a2d2d (commit)
   via  3c5259b88581828a9d613c81ee820c141bc5e0f3 (commit)
   via  a5329c7083f2a43c6c41abfb64bf1027fd4a8e3e (commit)
   via  b4bf0247ede40f2bbf39391ed9864dc041830fe8 (commit)
   via  7be3abc69333f58602ebf871d38ec138b908a36c (commit)
   via  0769ae857d1d6295cba93c4998070de95439863e (commit)
  from  527adf2f9a809d1d4ebc5d7c655496a510494098 (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.0.114


- Log -
commit 00f53a9a8f440be0bc993b1800383cd930fd273e
Author: Sumit Bose sb...@redhat.com
Date:   Wed Aug 10 17:14:40 2011 +0200

Set FD_CLOEXEC for epoll file descriptors

Don't leak file descriptors.
This showed up as selinux AVCs on RHEL:
https://bugzilla.redhat.com/show_bug.cgi?id=728545

Reviewed-by: Michael Adam ob...@samba.org

commit 6bfbc0aca625f0fb59df96beaee1e4c26178dc12
Author: Sumit Bose sb...@redhat.com
Date:   Mon Nov 19 18:45:37 2012 +0100

Print deleted nodes as well

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit 0930a3b80697709c3228726e2250aef1f971)

Conflicts:

tools/ctdb.c

commit 098b8fe9eb44ab7df718a7a80eb3078ed42802ba
Author: Sumit Bose sb...@redhat.com
Date:   Thu Sep 1 15:18:46 2011 +0200

IPv6 neighbor solicit cleanup

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit a81edf7eb908659a379f0cb55fd5d04551dc2c37)

commit 66e371d03f7a697d71aafb56257e30873c3d85cc
Author: Sumit Bose sb...@redhat.com
Date:   Mon Nov 19 11:13:03 2012 +0100

Fix memory leak in ctdb_send_message()

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit da87395d29f5d11ecfedaf36b53fa060a9140bfd)

commit c8470c203e2f5307e311b508b701fc75522a2d2d
Author: Volker Lendecke v...@samba.org
Date:   Sun Mar 27 21:43:53 2011 +0200

tdb: Fix Coverity ID 2192: NO_EFFECT

(ret < 0) can never be true
(cherry picked from commit 25397de589e577e32bb291576b10c18978b5bc4e)

commit 3c5259b88581828a9d613c81ee820c141bc5e0f3
Author: Sumit Bose sb...@redhat.com
Date:   Wed Aug 10 17:53:56 2011 +0200

Fixes for various issues found by Coverity

Corresponds to commit 05bfdbbd0d4abdfbcf28e3930086723508b35952 from master.

commit a5329c7083f2a43c6c41abfb64bf1027fd4a8e3e
Author: Ronnie Sahlberg ronniesahlb...@gmail.com
Date:   Fri Sep 3 11:58:27 2010 +1000

When memory allocations for recovery fail,
don't dereference a null pointer while trying to print the log message for 
the failure.

also shutdown ctdb with ctdb_fatal()
(cherry picked from commit f8642d0438c6bbb34a72c25d6a904b626e247410)

commit b4bf0247ede40f2bbf39391ed9864dc041830fe8
Author: Rusty Russell ru...@rustcorp.com.au
Date:   Mon Dec 6 13:52:38 2010 +1030

idtree: fix overflow for v. large ids on allocation and removal

(Imported from SAMBA commit 09a6538969ac).

Chris Cowan tracked down a SEGV in sub_alloc: idp->level can actually
be equal to 7 (MAX_LEVEL) there, as it can be in sub_remove.

(We unfairly blamed a shift of a signed var for this crash in commit
 2db1987f5a3a).

Signed-off-by: Rusty Russell ru...@rustcorp.com.au
(cherry picked from commit 73764104356d3738d9d20a9d06ce51535f74f475)

commit 7be3abc69333f58602ebf871d38ec138b908a36c
Author: Rusty Russell ru...@rustcorp.com.au
Date:   Tue Oct 5 13:06:19 2010 +1030

idtree: fix right shift of signed ints, crash on large ids on AIX

Right-shifting signed integers is undefined; indeed it seems that on
AIX with their compiler, doing a 30-bit shift on (INT_MAX-200) gives
0, not 1 as we might expect.

The obvious fix is to make id and oid unsigned: l (level count) is also
logically unsigned.

(Note: Samba doesn't generally get to ids > 1 billion, but ctdb does)

Reported-by: Chris Cowan c...@us.ibm.com
Signed-off-by: Rusty Russell ru...@rustcorp.com.au

Autobuild-User: Rusty Russell ru...@samba.org
Autobuild-Date: Wed Oct  6 08:31:09 UTC 2010 on sn-devel-104
(cherry picked from commit 2db1987f5a3a4268ce64fe570ff598e3bf4ecc73)

commit 0769ae857d1d6295cba93c4998070de95439863e
Author: Sumit Bose sb...@redhat.com
Date:   Mon Nov 19 11:20:31 2012 +0100

Check return value of tdb_delete()

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit 5cdcc3d45d358ddbcd7e864898eed9cbd9935429)

---

Summary of changes:
 client/ctdb_client.c |8 ++--
 

[SCM] CTDB repository - branch 1.0.114 updated - ctdb-1.0.114.6-12-g11a20ec

2013-08-29 Thread Michael Adam
The branch, 1.0.114 has been updated
   via  11a20ecbd949bd45410189d7b7e6348b42a9729e (commit)
   via  582131cd39369973100c9ec30492cc1d606e7682 (commit)
  from  00f53a9a8f440be0bc993b1800383cd930fd273e (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.0.114


- Log -
commit 11a20ecbd949bd45410189d7b7e6348b42a9729e
Author: Amitay Isaacs ami...@gmail.com
Date:   Mon Aug 12 15:50:30 2013 +1000

vacuuming: Fix vacuuming bug where requests keep bouncing between nodes 
(part 2)

This is caused by corruption of a record header such that the records
on two nodes point to each other as dmaster.  This makes a request for
that record bounce between nodes endlessly.

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit f0853013655ac3bedf1b793de128fb679c6db6c6)

Conflicts:

server/ctdb_recover.c

commit 582131cd39369973100c9ec30492cc1d606e7682
Author: Amitay Isaacs ami...@gmail.com
Date:   Mon Aug 12 15:51:00 2013 +1000

vacuuming: Fix vacuuming bug where requests keep bouncing between nodes 
(part 1)

This is caused by corruption of a record header such that the records
on two nodes point to each other as dmaster.  This makes a request for
that record bounce between nodes endlessly.

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit a610bc351f0754c84c78c27d02f9a695e60c5b0f)

---

Summary of changes:
 server/ctdb_recover.c |   34 +-
 1 files changed, 17 insertions(+), 17 deletions(-)


Changeset truncated at 500 lines:

diff --git a/server/ctdb_recover.c b/server/ctdb_recover.c
index f5fa257..4794e63 100644
--- a/server/ctdb_recover.c
+++ b/server/ctdb_recover.c
@@ -783,7 +783,7 @@ bool ctdb_recovery_lock(struct ctdb_context *ctdb, bool 
keep)
  */
 static int delete_tdb_record(struct ctdb_context *ctdb, struct ctdb_db_context 
*ctdb_db, struct ctdb_rec_data *rec)
 {
-   TDB_DATA key, data;
+   TDB_DATA key, data, data2;
struct ctdb_ltdb_header *hdr, *hdr2;

/* these are really internal tdb functions - but we need them here for
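Review bot: `data2` says nothing about why a second TDB_DATA exists; name it for its role, e.g. `local_data`, so the reason for the split (the old code overwrote `data` with the copy fetched from the local tdb, which is what made the two nodes disagree about the record) stays visible at every use and survives the next "simplification". A one-line comment at the declaration would do the same job.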
@@ -814,13 +814,13 @@ static int delete_tdb_record(struct ctdb_context *ctdb, 
struct ctdb_db_context *
return -1;
}
 
-   data = tdb_fetch(ctdb_db-ltdb-tdb, key);
-   if (data.dptr == NULL) {
+   data2 = tdb_fetch(ctdb_db-ltdb-tdb, key);
+   if (data2.dptr == NULL) {
tdb_chainunlock(ctdb_db-ltdb-tdb, key);
return 0;
}
 
-   if (data.dsize  sizeof(struct ctdb_ltdb_header)) {
+   if (data2.dsize  sizeof(struct ctdb_ltdb_header)) {
if (tdb_lock_nonblock(ctdb_db-ltdb-tdb, -1, F_WRLCK) == 0) {
if (tdb_delete(ctdb_db-ltdb-tdb, key) != 0) {
DEBUG(DEBUG_CRIT,(__location__  Failed to 
delete corrupt record\n));
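Review bot: as far as the visible lines show, when tdb_lock_nonblock() fails in the corrupt-record branch (the `dsize < sizeof(struct ctdb_ltdb_header)` case) the function falls through to the chain unlock, free and `return 0` with no log line, so a corrupt record that could not be deleted is indistinguishable to the caller from one that was. Add a DEBUG on that path, or return -1, so a vacuuming run does not report success over a record it left in place.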
@@ -829,45 +829,45 @@ static int delete_tdb_record(struct ctdb_context *ctdb, 
struct ctdb_db_context *
DEBUG(DEBUG_CRIT,(__location__  Deleted corrupt 
record\n));
}
tdb_chainunlock(ctdb_db-ltdb-tdb, key);
-   free(data.dptr);
+   free(data2.dptr);
return 0;
}

-   hdr2 = (struct ctdb_ltdb_header *)data.dptr;
+   hdr2 = (struct ctdb_ltdb_header *)data2.dptr;
 
if (hdr2-rsn  hdr-rsn) {
tdb_chainunlock(ctdb_db-ltdb-tdb, key);
DEBUG(DEBUG_INFO,(__location__  Skipping record with rsn=%llu 
- called with rsn=%llu\n,
 (unsigned long long)hdr2-rsn, (unsigned long 
long)hdr-rsn));
-   free(data.dptr);
-   return -1;  
+   free(data2.dptr);
+   return -1;
}
 
if (hdr2-dmaster == ctdb-pnn) {
tdb_chainunlock(ctdb_db-ltdb-tdb, key);
DEBUG(DEBUG_INFO,(__location__  Attempted delete record where 
we are the dmaster\n));
-   free(data.dptr);
-   return -1;  
+   free(data2.dptr);
+   return -1;
}
 
if (tdb_lock_nonblock(ctdb_db-ltdb-tdb, -1, F_WRLCK) != 0) {
tdb_chainunlock(ctdb_db-ltdb-tdb, key);
-   free(data.dptr);
-   return -1;  
+   free(data2.dptr);
+   return -1;
}
 
if (tdb_delete(ctdb_db-ltdb-tdb, key) != 0) {
tdb_unlock(ctdb_db-ltdb-tdb, -1, F_WRLCK);
tdb_chainunlock(ctdb_db-ltdb-tdb, key);
DEBUG(DEBUG_INFO,(__location__  Failed to delete record\n));
-   free(data.dptr);
-   return -1;  
+   
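Review bot: the `return -1;` lines in this hunk change only by stripping trailing whitespace; mixing whitespace cleanup into a backported bugfix makes the 1.0.114 diff differ from the master commits it cherry-picks (a610bc3, f085301) for no functional reason and buries the real `data` to `data2` substitutions in noise. Keep the stable-branch change to the functional lines and put the whitespace cleanup in its own commit, or skip it on 1.0.114.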

[SCM] Samba Shared Repository - branch master updated

2013-08-29 Thread Andrew Bartlett
The branch, master has been updated
   via  ba04400 vfs_glusterfs: Fix excessive debug output from 
vfs_gluster_open().
  from  91910fe s3:winbind: fail ads_cached_connection_connect() if realm 
== NULL

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ba04400d01c6ad05651672e087527391da7fdaf4
Author: Christopher R. Hertel c...@redhat.com
Date:   Thu Aug 29 16:58:16 2013 -0500

vfs_glusterfs: Fix excessive debug output from vfs_gluster_open().

The vfs_gluster_open() function generates a debug message (at level 0)
for every failed attempt to open a pathname.  This includes cases in
which attempts are made to open a directory as a file (those attempts
are retried calling vfs_gluster_opendir()).  The result is that the log
file fills with messages about failed attempts to open directories, just
because they are directories.

This latest version of the patch completely removes logging from the
vfs_gluster_open() function.  The error code returned is handled in
upper layers, and the open function in the default VFS module does not
log any errors.

Signed-off-by: Christopher R. Hertel c...@redhat.com
Reviewed-by: susant palai spa...@redhat.com
Reviewed-by: raghavendra talur rta...@redhat.com
Reviewed-by: Jose A. Rivera jar...@redhat.com

Reviewed-by: Andrew Bartlett abart...@samba.org

Autobuild-User(master): Andrew Bartlett abart...@samba.org
Autobuild-Date(master): Fri Aug 30 02:43:48 CEST 2013 on sn-devel-104

---

Summary of changes:
 source3/modules/vfs_glusterfs.c |3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index eac1b24..237236a 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -481,11 +481,8 @@ static int vfs_gluster_open(struct vfs_handle_struct 
*handle,
}
 
if (glfd == NULL) {
-   DEBUG(0, (glfs_{open[dir],creat}(%s) failed: %s\n,
- smb_fname-base_name, strerror(errno)));
return -1;
}
-
return glfd_fd_store(glfd);
 }
 
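Review bot: deleting the DEBUG entirely also silences genuine open failures (EACCES, EIO, ENOENT on a path the client was just told exists), which are exactly the cases an admin investigating a gluster-backed share wants in the log. A tighter fix is to skip the message only for the directory-opened-as-file case the commit describes, or to keep it at a high level, e.g. `DEBUG(10, (...))`, so level 0 stays quiet while `log level = 10` still records the errno; the argument that the default VFS does not log here is a reason to lower the level, not necessarily to remove the only gluster-specific diagnostic.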

