Re: [Samba] [samba]How to config samba4 internal dns?

2013-08-31 Thread Sense Zeng
I can't figure out how to fix the internal dns problem. Trying bind.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread Rowland Penny

On 30/08/13 23:14, Luca Olivetti wrote:

> On 30/08/13 23:44, steve wrote:
>
>> Interesting point; you've now sampled winbind, nslcd and sssd to the
>> same end. Have you made a decision as to which you'll be going with?
>
> Well, the real deployment will take some time (measured in months rather
> than weeks), I have a lot more to learn and I'm busy with other things.
> I'm not still 100% convinced that I need to migrate from samba 3 to
> samba 4, and once I am I have to explain it to my boss.
> Anyway I think I'll go with sssd, my unscientific tests (time getent,
> time id) tell me it's an order of magnitude faster than nslcd (both for
> uncached and cached data).
> winbind... I don't like it, for no particular reason. It also seems to
> be the slowest of the pack.

Hi, perhaps I can tell you something that will help you make your mind up.

Sometime in September, Samba 4.1 will be released, when it is, 4.0 will 
move to maintenance mode, 3.6 will only get security fixes and 3.5 will 
be discontinued.
So, do you really want to be basing a new installation on a version that 
is either discontinued or only getting security fixes?


Rowland


[Samba] Where is the DLZ zone file with the bind dns backend?

2013-08-31 Thread Sense Zeng
I'm testing the samba4 with bind.
Samba: 4.0.9
Bind: 9.9.3-P2

I configured it following the document
http://wiki.samba.org/index.php/Dns-backend_bind and the DNS update seems
to have completed. I'm trying to find out where the DLZ zone file is. Is
there one? Or is it just the ldb file?


Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread Marc Muehlfeld



On 31.08.2013 00:14, Luca Olivetti wrote:

> I'm not still 100% convinced that I need to migrate from samba 3 to
> samba 4, and once I am I have to explain it to my boss.



Samba 4 != AD only

Samba 4 is the next version after the 3.6 tree and contains
everything + AD DC functionality.


You can run Samba version 4 still as an NT4 domain if you or your boss 
doesn't want to migrate to AD.


Regards,
Marc





Re: [Samba] Where is the DLZ zone file with the bind dns backend?

2013-08-31 Thread Marc Muehlfeld

On 31.08.2013 11:35, Sense Zeng wrote:

> I'm testing the samba4 with bind.
> Samba: 4.0.9
> Bind: 9.9.3-P2
>
> I configured it following the document
> http://wiki.samba.org/index.php/Dns-backend_bind and the DNS update seems
> to have completed. I'm trying to find out where the DLZ zone file is. Is
> there one? Or is it just the ldb file?


./private/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb

./private/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb


Both are the same files (hard-linked).



Why do you need the zone file?


Regards,
Marc


Re: [Samba] Where is the DLZ zone file with the bind dns backend?

2013-08-31 Thread Sense Zeng
I hope to manually edit the zone file, like adding an A host record. I tested
the bind backend wishing it had a DLZ zone file like the normal bind zone
file. But it's the ldb file. It seems I'd use samba-tool. Thx.


2013/8/31 Marc Muehlfeld sa...@marc-muehlfeld.de

> On 31.08.2013 11:35, Sense Zeng wrote:
>
>> I'm testing the samba4 with bind.
>> Samba: 4.0.9
>> Bind: 9.9.3-P2
>>
>> I configured it following the document
>> http://wiki.samba.org/index.php/Dns-backend_bind and the DNS update seems
>> to have completed. I'm trying to find out where the DLZ zone file is. Is
>> there one? Or is it just the ldb file?
>
> ./private/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
>
> ./private/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
>
> Both are the same files (hard-linked).
>
> Why do you need the zone file?
>
> Regards,
> Marc


Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread steve
On Sat, 2013-08-31 at 00:14 +0200, Luca Olivetti wrote:
> On 30/08/13 23:44, steve wrote:
>
>> Interesting point; you've now sampled winbind, nslcd and sssd to the
>> same end. Have you made a decision as to which you'll be going with?
>
> Well, the real deployment will take some time (measured in months rather
> than weeks), I have a lot more to learn and I'm busy with other things.
> I'm not still 100% convinced that I need to migrate from samba 3 to
> samba 4, and once I am I have to explain it to my boss.
> Anyway I think I'll go with sssd, my unscientific tests (time getent,
> time id) tell me it's an order of magnitude faster than nslcd (both for
> uncached and cached data).
> winbind... I don't like it, for no particular reason. It also seems to
> be the slowest of the pack.

One site we run has 600 users all with rfc2307. The only way we can
getent the whole list is with sssd. I know it's a false test as I don't
suppose you'd ever need to do it, but with enumeration, winbind grinds
to around one user per minute after it's done around 200. Of course,
those blessed with modern hardware need only toss a 3 way coin.

Cheers,
Steve




Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread steve
On Sat, 2013-08-31 at 11:47 +0200, Marc Muehlfeld wrote:
>
> On 31.08.2013 00:14, Luca Olivetti wrote:
>> I'm not still 100% convinced that I need to migrate from samba 3 to
>> samba 4, and once I am I have to explain it to my boss.
>
> Samba 4 != AD only

Hi
I think the OP realises that. His main concern and problem was the usual
confusion with winbind and the mystery surrounding rfc2307 and its
representation in and out of AD.

In this thread, we've thrashed the merits of winbind, nslcd and sssd to
hell and soon thanks to your good self, we'll have readable howtos on
all three. Let's see if that serves to relieve the never ending series
of posts highlighting the lack of reliable, up to date and dare I say it
plain English and readable explanations of at least how to get started.

I feel we've made progress. Next time a winbind problem gets posted,
we'll be able to refer to 3 democratically produced howtos. Thanks to
Marc for listening to us and inviting us in on his howtos, Luca for his
patience in hearing us out 'till EOT and to Rowland for keeping me sane.
OpenSource at its best.
Cheers,
Steve




Re: [Samba] Where is the DLZ zone file with the bind dns backend?

2013-08-31 Thread Marc Muehlfeld

On 31.08.2013 13:58, Sense Zeng wrote:

> I hope to manually edit the zone file, like adding an A host record. I tested
> the bind backend wishing it had a DLZ zone file like the normal bind zone
> file. But it's the ldb file. It seems I'd use samba-tool. Thx.


Yes, you need to use samba-tool for doing changes. But you can script
around it. Another way would be editing the ldb file. But I won't do
that, if I have a tool like samba-tool for doing changes.


Here I put a HowTo about working with Samba AD DNS:
http://wiki.samba.org/index.php/DNS_Administration


Regards,
Marc

Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread Luca Olivetti
On 31/08/13 15:23, steve wrote:

> I feel we've made progress. Next time a winbind problem gets posted,
> we'll be able to refer to 3 democratically produced howtos. Thanks to
> Marc for listening to us and inviting us in on his howtos, Luca for his
> patience in hearing us out 'till EOT and to Rowland for keeping me sane.
> OpenSource at its best.

An update on sssd+gssapi: I set up a client VM where I copied the keytab
and the sssd.conf of the server.
I got the same 'Server not found in Kerberos database' error.
I tried many things (adding the client address in samba 4 dns, install
samba 3 on the client and trying to join the domain, which, btw, I
didn't manage to do, trying to follow the instructions here
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server,
again, unsuccessfully, etc.).
What seems to have solved the problem has been setting the hostname to a
simple name without domain, e.g. changing it from cliente.wetron.es to
cliente.
I really have to study this kerberos thingie ;-)

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007


Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread Luca Olivetti
On 31/08/13 15:23, steve wrote:
> On Sat, 2013-08-31 at 11:47 +0200, Marc Muehlfeld wrote:
>
>> On 31.08.2013 00:14, Luca Olivetti wrote:
>>> I'm not still 100% convinced that I need to migrate from samba 3 to
>>> samba 4, and once I am I have to explain it to my boss.
>>
>> Samba 4 != AD only
>
> Hi
> I think the OP realises that. His main concern and problem was the usual
> confusion with winbind and the mystery surrounding rfc2307 and its
> representation in and out of AD.

Actually, my main concern is ensuring a smooth migration with limited
downtime. I think I have the windows machine covered (that's what the
classicupgrade does), but I have several other services authenticating
against ldap and getting users and groups information from it.
They all should work equally well against an AD style LDAP and
standard LDAP, but, as always, the devil is in the details.
Yes, I could probably run it as an NT style domain, and I don't exclude
the possibility, but while I'm at it I'd really like to simplify things
instead of having to manage separate samba+ldap+dns servers.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007


Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread steve
On Sat, 2013-08-31 at 17:25 +0200, Luca Olivetti wrote:
> On 31/08/13 15:23, steve wrote:
>
>> I feel we've made progress. Next time a winbind problem gets posted,
>> we'll be able to refer to 3 democratically produced howtos. Thanks to
>> Marc for listening to us and inviting us in on his howtos, Luca for his
>> patience in hearing us out 'till EOT and to Rowland for keeping me sane.
>> OpenSource at its best.
>
> An update on sssd+gssapi: I set up a client VM where I copied the keytab
> and the sssd.conf of the server.
> I got the same 'Server not found in Kerberos database' error.
> I tried many things (adding the client address in samba 4 dns, install
> samba 3 on the client and trying to join the domain, which, btw, I
> didn't manage to do, trying to follow the instructions here
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server,
> again, unsuccessfully, etc.).
> What seems to have solved the problem has been setting the hostname to a
> simple name without domain, e.g. changing it from cliente.wetron.es to
> cliente.
> I really have to study this kerberos thingie ;-)

Hi
It doesn't work here either. The only way we can get it to authenticate
or join the domain is to add:
I.P.ADD.RRESS f.q.d.n short-hostname
of the DC to /etc/hosts

Steve






Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread steve
On Sat, 2013-08-31 at 17:53 +0200, steve wrote:
> On Sat, 2013-08-31 at 17:25 +0200, Luca Olivetti wrote:
>> On 31/08/13 15:23, steve wrote:
>>
>>> I feel we've made progress. Next time a winbind problem gets posted,
>>> we'll be able to refer to 3 democratically produced howtos. Thanks to
>>> Marc for listening to us and inviting us in on his howtos, Luca for his
>>> patience in hearing us out 'till EOT and to Rowland for keeping me sane.
>>> OpenSource at its best.
>>
>> An update on sssd+gssapi: I set up a client VM where I copied the keytab
>> and the sssd.conf of the server.
>> I got the same 'Server not found in Kerberos database' error.
>> I tried many things (adding the client address in samba 4 dns, install
>> samba 3 on the client and trying to join the domain, which, btw, I
>> didn't manage to do, trying to follow the instructions here
>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server,
>> again, unsuccessfully, etc.).
>> What seems to have solved the problem has been setting the hostname to a
>> simple name without domain, e.g. changing it from cliente.wetron.es to
>> cliente.
>> I really have to study this kerberos thingie ;-)
>
> Hi
> It doesn't work here either. The only way we can get it to authenticate
> or join the domain is to add:
> I.P.ADD.RRESS f.q.d.n short-hostname
> of the DC to /etc/hosts
>
> Steve

Oh, and:
127.0.0.1 localhost f.q.d.n
127.0.0.1 short-hostname





[Samba] Problem in Windows Dc replication due to Samba4

2013-08-31 Thread Prema
Hi all,

 Ours is a setup of 30 Windows multi master DCs currently running with
different servers (Windows 2003, Windows 2008, Windows 2008 R2). Until
now it has been running with no replication issues among the Windows
servers.
Now recently I joined a Samba4 DC in the network as a replicating multi
master DC. Everything went fine for a few hours but suddenly I got errors in
the Windows DC.
The Windows 2008 R2 servers can replicate only among themselves and
cannot replicate to the Windows 2003 and Windows 2008 servers or the Samba server.
The error code and solution are given at
http://support.microsoft.com/kb/837932
But none of the solutions proposed on this page work.

Has anybody come across this issue before? I don't know whether this issue
has really arisen due to the Samba4 DC or how else it would have arisen. In fact I
don't want a solution for the Windows DC, but want to know whether Samba can be
the root cause of this, because until the moment I started the samba server
this error was not there. This has really become a big headache; could somebody
kindly throw some light on this issue?




-- 
Regards.,
Prema S
CDAC
Chennai


Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread Luca Olivetti
On 31/08/13 18:00, steve wrote:

> Hi
> It doesn't work here either. The only way we can get it to authenticate
> or join the domain is to add:
> I.P.ADD.RRESS f.q.d.n short-hostname
> of the DC to /etc/hosts
>
> Steve
>
> Oh, and:
> 127.0.0.1 localhost f.q.d.n
> 127.0.0.1 short-hostname

That last bit did it (the I.P.ADD.RRESS f.q.d.n short-hostname was
already there, one of those previous failed attempts):

[root@cliente luca]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- WETRON
Joined 'CLIENTE' to dns domain 'wetron.es'
No DNS domain configured for cliente. Unable to perform DNS Update.
DNS update failed!

Why is it necessary?

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007


[Samba] Restricting Sites and services in Samba4 DC

2013-08-31 Thread Prema
Hi all,

I want to restrict the Samba4 DC to take the replication from only one
server among 30 servers in my network. So I joined the samba server with
the --site option

samba-tool domain join test.local DC -Usuperadmin --site=win-pdc --realm=test.local

But after joining, the Sites and Services entry for the Samba DC automatically
generated all the 30 servers.
Deleting all the entries and manually creating only one server is of no
use. Within a few minutes all the servers are getting generated again.
How can I solve this issue in samba4?

-- 
Regards.,
Prema S
CDAC
Chennai


Re: [Samba] objectClass:posixAccount missing

2013-08-31 Thread steve
On Sat, 2013-08-31 at 20:17 +0200, Luca Olivetti wrote:
> On 31/08/13 18:00, steve wrote:
>
>> Hi
>> It doesn't work here either. The only way we can get it to authenticate
>> or join the domain is to add:
>> I.P.ADD.RRESS f.q.d.n short-hostname
>> of the DC to /etc/hosts
>>
>> Steve
>>
>> Oh, and:
>> 127.0.0.1 localhost f.q.d.n
>> 127.0.0.1 short-hostname
>
> That last bit did it (the I.P.ADD.RRESS f.q.d.n short-hostname was
> already there, one of those previous failed attempts):
>
> [root@cliente luca]# net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- WETRON
> Joined 'CLIENTE' to dns domain 'wetron.es'
> No DNS domain configured for cliente. Unable to perform DNS Update.
> DNS update failed!
>
> Why is it necessary?

I think you may have had /etc/hostname with the fqdn, whereas it
_should_ only have the hostname.

IOW:
You have to have
hostname -s
return _just_ the hostname _without_ the domain.
And:
hostname -f 
return the fqdn

I understand that you now have the domain join and sssd auth from the
keytab without either the DNS update or the something not found errors?

Dare I mention that it is really nice with sssd v1.10 and above as it
gives us dynamic dns updates on the fly for Linux clients, just like
windows. But don't tell anyone lol.

Regards,
Steve
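
The naming rule from this message, written as a shell check that can be run on a client before `net ads join` (an added example, not part of the original post). `check_names` and `check_this_host` are hypothetical helper names; the third test for a missing domain part corresponds to the "No DNS domain configured" line in the join output quoted above.

```shell
#!/bin/sh
# Added example: pre-join check of the host naming rule from this thread.
# check_names and check_this_host are hypothetical helper names.

# check_names SHORT FQDN [HOSTNAME_FILE_CONTENT]
#   SHORT  what `hostname -s` printed
#   FQDN   what `hostname -f` printed
#   third argument (optional): the content of /etc/hostname
# Prints one line per problem; returns 0 when the names are consistent.
check_names() {
    short=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    fqdn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    file=${3-}
    rc=0

    # The short name must not carry a domain (the cliente.wetron.es case).
    case "$short" in
        "")  echo "hostname -s is empty"; rc=1 ;;
        *.*) echo "hostname -s returned '$short', which carries a domain part"; rc=1 ;;
    esac

    # The FQDN must be the short name followed by a domain.
    case "$fqdn" in
        "$short".?*) ;;   # short name + "." + domain: the expected shape
        *.*) echo "hostname -f '$fqdn' does not begin with '$short.'"; rc=1 ;;
        *)   echo "hostname -f '$fqdn' has no domain part"; rc=1 ;;
    esac

    # /etc/hostname should hold only the short name.
    case "$file" in
        *.*) echo "/etc/hostname holds '$file'; it should hold only the short name"; rc=1 ;;
    esac

    return "$rc"
}

# Same check against the machine the script runs on.
check_this_host() {
    check_names "$(hostname -s)" "$(hostname -f)" \
        "$(cat /etc/hostname 2>/dev/null)"
}

# Run against the live host only when asked: sh check.sh --live
if [ "${1-}" = "--live" ]; then
    check_this_host
fi
```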




[Samba] Set User cannot change password from command/script

2013-08-31 Thread Jacobo221
Hi,

We implemented a Samba4 server which syncs hourly with a database
containing (among lots of other data) a list of users with their passwords,
etc. So far everything works fine except that users shouldn't be allowed to
change their samba4 password from within Windows, but only through the
other database (which has its own GUI).

I've been unable to find a linux command which allows me to set the *User
cannot change password* property when creating or updating a user with the
sync script.

samba-tool doesn't provide such a feature, and neither does ldapmodify, because flag 64
(PASSWD_CANT_CHANGE) is protected in the attribute UserAccountControl.

Can anybody help me on this? Is there any way to enable/disable this user
property with a command from within linux (locally on the samba4 DC server)?


[Samba] Not Obeying require_membership_of winbind.so when User must change password at next logon

2013-08-31 Thread Jason Caylor
Okay, so I have an Active Directory server running on Windows Server 2012 
Standard
I have configured Samba/Kerberos/Winbind on Ubuntu 13.04 to bind to the DC 
properly.
I am able to login with my Active Directory users credentials.
When I use the 'require_membership_of' option in pam.d/common-auth for 
winbind.so using the SID of the group I want to restrict access to, it works 
like a charm.
There is a drawback to using this, it seems. When I go into my AD server and
check the box marked "User must change password at next logon", then that user,
regardless of being a part of the required group, is granted access on my Ubuntu
client.
Has anyone ever experienced this before? Would anyone know of a fix?


When I first install winbind and samba I run this command with a ReadOnly 
account:
/usr/bin/net ads join -U ${join_user}%${join_pass}


My files are listed below


Common-Account:
Code:

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so




Common-Auth:
Code:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so require_membership_of=S-1-5-21-555-555-555- krb5_auth krb5_ccache_type=FILE cached_login use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so


Common-Password:
Code:

password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so


Common-Session:
Code:

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional  pam_umask.so
session required pam_unix.so
session required  pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_winbind.so
session optional pam_mount.so
session optional pam_xdg_support.so
session optional pam_ck_connector.so nox11


Common-Session-NonInteractive:
Code:

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional  pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
session optional pam_xdg_support.so


/etc/krb5.conf
Code:

[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = IN.MYCOMPANY.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
IN.MYCOMPANY.COM = {
kdc = in.mycompany.com
admin_server = in.mycompany.com
default_domain = in.mycompany.com
}
[domain_realm]
.in.mycompany.com = in.mycompany.com
in.mycompany.com = in.mycompany.com




/etc/nsswitch.conf
Code:

passwd:     files compat ldap winbind
group:      files compat ldap winbind
shadow:     files compat ldap winbind
hosts:      files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:   files
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis


/etc/samba/smb.conf:
Code:

[global]
  workgroup = inCOMPANY
  server string = %h server (Samba, Ubuntu)
  netbios name = %h
  dns proxy = no
  realm = IN.MYCOMPANY.COM
  local master = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  wtmp directory = /var/log
  utmp = yes
  utmp directory = /var/run
  security = ADS
  client ntlmv2 auth = yes
  ntlm auth = no
  guest account = nobody
  restrict anonymous = 2
  idmap backend = tdb
  idmap uid = 1000-3000
  idmap gid = 1000-3000
  idmap config inIS:backend = rid
  idmap config inIS:range = 10-99
  template shell = /bin/bash
  template homedir = /home/%D/%U
  winbind separator = +
  winbind use default domain = yes
  winbind offline logon = true
  winbind enum users = yes
  winbind enum groups = yes
  winbind refresh tickets = true
  winbind cache time = 60
  allow trusted domains = yes
  smb ports = 445
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  password server = in.mycompany.com
  client use spnego = yes
  encrypt passwords = no
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = yes
  map to guest = bad user
  map 

[Samba] no per-connection smbd process?

2013-08-31 Thread Jim Freeman
I always see exactly two smbd processes (via ps -x), regardless of the number 
of client machines actively accessing files on my samba share.  From what I've 
read, there should be a new smbd process per connection?  I'm trying to use the 
truss command to trace system calls made by samba, so need to find the process 
id.

This is Samba 3.6.9   on FreeBSD 9.1,


[Samba] Set user cannot change password from command/script

2013-08-31 Thread J. Vilella
Hi,

We implemented a Samba4 server which syncs hourly with a database
containing (among lots of other data) a list of users with their passwords,
etc. So far everything works fine except that users shouldn't be allowed to
change their samba4 password from within Windows, but only through the
other database (which has its own GUI).

I've been unable to find a linux command which allows me to set the User
cannot change password property when creating or updating a user with the
sync script.

samba-tool doesn't provide such a feature, and neither does ldapmodify, because flag 64
(PASSWD_CANT_CHANGE) is protected in the attribute UserAccountControl.

Can anybody help me on this? Is there any way to enable/disable this user
property with a command from within linux (locally on the samba4 DC server)?



Re: [Samba] Samba4 consumes more CPU

2013-08-31 Thread Prema
Dear Andrew,

As per your suggestion, I have attached the gdb log of the samba and smbd
process log running in the single server mode.
Also, when I looked at perf top, libndr.so consumes the maximum CPU.
I noticed that it happens some time after the samba process is started
and the CPU is filled up.
Since the samba process occupies 100% of at least two or more CPUs out of 8 CPUs,
the clients are not able to authenticate to the server.
Kindly go through the logs and suggest what can be done to lessen the CPU
consumption.



On Mon, Aug 12, 2013 at 11:45 AM, Andrew Bartlett abart...@samba.org wrote:

> On Sun, 2013-08-11 at 10:12 +0530, Prema wrote:
>
>> Also one more point I would like to clarify: what is the maximum
>> User limit that Samba4 as a DC supports.
>>
>> I read somewhere that there is a proportion between the system RAM +
>> hard disk size and user limit accepted in Samba4.
>>
>> Is that true, and in that case, how many users can be supported by a
>> 8 GB RAM and 500 GB hard disk size.
>>
>> Kindly clarify this, since we have around 6k+ users spread over 20
>> DCs.
>
> G'Day,
>
> There are a few things going on here:
>  - The CPU utilisation isn't normal, for any use case.  If you were
> loading your system up to the maximum number of objects, for example, it
> would be slower, but as incoming authentications drop off, it would
> decrease back to normal levels.   To track down this, we need to work
> out what routine is consuming the CPU time, say with the linux 'perf'
> tools.  At the very least, attach to the process spinning with 'gdb -p
> pid' and get me the output of 'bt full', in the hope that this
> indicates the spinning routine.
>
>  - Samba does have limits in terms of the number of users it can
> currently efficiently serve, but that isn't at the 6000 user level, as
> far as we are aware
>
> Also you need to set your expectations regarding when I might be able to
> assist you:
>  - Please send all mail, unless confidential to the
> samba@lists.samba.org mailing list.  That way, others can help you.
> You may send it to me if you like, but ensure you always also send it to
> the list.  This also means that others can learn from any answers I
> give, rather than them staying private, and others can help you when I'm
> not available.
>  - While I work on Samba, and I'm very grateful to my employers for the
> time I'm able to spend on it, but you need to give us all a reasonable
> time to reply, understanding that we may not work the same hours and
> days that you do.  For example, I'll be on leave most of this coming
> week.
>
> Finally, a crash in Samba, and this is essentially what you describe, is
> serious, and I certainly understand your worry.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT   http://catalyst.net.nz





-- 
Regards.,
Prema S
CDAC
Chennai

[Samba] Samba setup

2013-08-31 Thread Keller Racing
Hi all.  I am truly new to Samba so please bear with me while I ask a few
questions.  I am running a Pentium 366 Celeron, 128meg memory, Red Hat Linux
7.2, Linux 2.4.7-10, Samba 2.2.1a.  I am running this much older version as the
best book I have on Linux is "Red Hat Linux 7.2 Bible" by Chris Negus.  It is
the most complete book I have so in order to have my experiments with Linux and
Samba match the pictures ;-)), I opted to use the older version.

I installed Samba as per the instructions in the book.  Setting up the users,
editing the samba.conf file and using SWAT all seemed to go OK.  However, here
is what I got upon checking it:

[root@4445 root]# smbstatus

Samba version 2.2.1a
Service      uid      gid      pid     machine
---

Failed to open byte range locking database
ERROR: Failed to initialize locking database
Can't initialize locking module - exiting
[root@4445 root]# ssmb

I have the Samba printer sharing working fine, I can print from my Linux 
machine to my Windows printer fine.

Can anyone tell me what I'm doing wrong or what I missed?

Thanks.

Bill

**
Keller Racing
Performance By Design
http://KellerRacing.net
**


[Samba] [samba]reload-config

2013-08-31 Thread 1
HI!
I have a question about smbcontrol reload-config, please explain it to
me. Thanks!
I connect to a samba share from Windows, and modify smb.conf (e.g. change the
share from rw to ro).
After that, I execute smbcontrol -d 10 all reload-config.
But it doesn't take effect on the existing samba connection; it still uses the old setting.
How can I make the existing connection pick up the new setting without restarting
the samba service or disconnecting the link?
Waiting for your reply...
 
 
Ming

[Samba] [samba]record wrong

2013-08-31 Thread ming
HI!
   
I have a question about smbcontrol reload-config, please explain it to
me. Thanks!
I connect to a samba share from Windows, and modify smb.conf (e.g. change the
share from rw to ro).
After that, I execute smbcontrol -d 10 all reload-config.
But it doesn't take effect on the existing samba connection; it still uses the old setting.
How can I make the existing connection to the share pick up the new setting without
restarting the samba service or disconnecting the link?
 
GOOD LUCK!
MING 
  

[Samba] SAMBA Interdomain Trust relationships

2013-08-31 Thread Michael Starling
I have two SAMBA PDCs with an OpenLDAP backend. My goal is to establish an 
interdomain trust between the two domains so that users from each backend can 
log in to Windows systems by specifying accounts from either domain.

I've followed the steps to establish the trusts and I can see accounts and 
groups using wbinfo and getent.

I can access resources/shares from each domain but I'm unable to log on to any 
Windows system using the alternate domain, although the alternate domain does 
indeed show up in the drop-down. I simply get an incorrect password error and 
eventually lock out my account on the domain that the system is part of and not 
the trust domain I'm trying to authenticate to.

net rpc trustdom LIST reports OK from each PDC.

Trusted domains list:

ABCLOTT S-1-5-21-3441751594-170090486-2794545703

Trusting domains list:

ABCLOTT S-1-5-21-3441751594-170090486-2794545703


net rpc trustdom LIST 

Trusted domains list:

XYZLOTT  S-1-5-21-3045757412-1322895056-2287618393

Trusting domains list:

XYZLOTT  S-1-5-21-3045757412-1322895056-2287618393


I see this in the logs.

  check_ntlm_password: sam authentication for user [testuser] FAILED with error 
NT_STATUS_WRONG_PASSWORD
[2013/08/28 22:29:11.556149, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [testuser]
[2013/08/28 22:29:11.556178,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [XYZLOTT] was for 
this SAM.
[2013/08/28 22:29:11.556209, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: winbind had nothing to say
[2013/08/28 22:29:11.556238,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [testuser] - [testuser] FAILED 
with error NT_STATUS_WRONG_PASSWORD
[2013/08/28 22:29:11.556303,  5] 
rpc_server/netlogon/srv_netlog_nt.c:1574(_netr_LogonSamLogon_base)
  _netr_LogonSamLogonEx: check_password returned status NT_STATUS_WRONG_PASSWORD
[2013/08/28 22:29:11.556338,  1] 
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
  out: struct netr_LogonSamLogonEx


and this


[2013/08/28 22:29:11.553321,  2] 
../libcli/auth/ntlm_check.c:423(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553352,  3] 
../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553382,  4] 
../libcli/auth/ntlm_check.c:479(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with domain XYZLOTT
[2013/08/28 22:29:11.553421,  4] 
../libcli/auth/ntlm_check.c:508(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with upper-cased version of 
domain XYZLOTT
[2013/08/28 22:29:11.553459,  4] 
../libcli/auth/ntlm_check.c:536(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password without a domain
[2013/08/28 22:29:11.553497,  4] 
../libcli/auth/ntlm_check.c:567(ntlm_password_check)
  ntlm_password_check: Checking NT MD4 password in LM field
[2013/08/28 22:29:11.553527,  3] 
../libcli/auth/ntlm_check.c:588(ntlm_password_check)
  ntlm_password_check: LM password and LMv2 failed for user testuser, and NT 
MD4 password in LM field not permitted


I do have ntlm auth = No in smb.conf on each PDC and Use NTLMv2 only on the 
Windows systems, and domain logins work fine to the primary domain. Do I need to 
allow ntlmv1 to get intertrust domain logons to work?


-Mike



  
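A small parser for the debug-log format quoted in the message above, as an added example (not part of the original post and not Samba project code): it pairs each header line with its message and groups what the authentication path refused by policy, attempted, did not hand to winbind, and finally returned. The sample lines are copied from the excerpt with the mail wrapping undone; the function and key names are this example's own.

```python
import re

# Lines taken from the log excerpt in the post above, with the mail client's
# wrapping undone: one header line, then the indented message line.
SAMPLE_LOG = """\
[2013/08/28 22:29:11.553321,  2] ../libcli/auth/ntlm_check.c:423(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553352,  3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553382,  4] ../libcli/auth/ntlm_check.c:479(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with domain XYZLOTT
[2013/08/28 22:29:11.556178,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [XYZLOTT] was for this SAM.
[2013/08/28 22:29:11.556238,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [testuser] - [testuser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*(\d+)\]\s+(\S+):(\d+)\((\w+)\)$")
PATTERNS = {
    "refused_by_policy": re.compile(r"(\w+) passwords NOT PERMITTED for user \S+"),
    "attempted": re.compile(r"Checking (.+)$"),
    "winbind_skipped_for": re.compile(r"Not using winbind, requested domain \[([^\]]+)\]"),
    "failed": re.compile(r"Authentication for user \[([^\]]+)\].*FAILED with error (\w+)"),
}

def parse_records(text):
    """Pair each '[timestamp, level] file:line(function)' header with its message."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({"ts": m[1], "level": int(m[2]), "func": m[5], "msg": ""})
        elif line and records:  # continuation of the latest header's message
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def summarize(text):
    """Group what the auth path refused, tried, skipped and finally returned."""
    summary = {key: [] for key in PATTERNS}
    for rec in parse_records(text):
        for key, pattern in PATTERNS.items():
            m = pattern.search(rec["msg"])
            if m:
                summary[key].append(m.groups() if len(m.groups()) > 1 else m[1])
    return summary

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
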


[Samba] [samba]wrong record for connecting share

2013-08-31 Thread ming
HI!
   I have some questions about smbcontrol reload-config; please explain it to 
me. Thanks!
   I connect to a samba share from Windows and modify smb.conf (e.g. modify the 
share record from rw to ro).
   After that, I execute smbcontrol -d 10 all reload-config.
   But it doesn't work on the existing samba connection; it still has the old 
record.
   How can I make the existing samba connection use the new record, other than 
restarting the samba service or disconnecting the link?
   Waiting for your reply...
 
 
Ming


Re: [Samba] samba Digest, Vol 128, Issue 33

2013-08-31 Thread paulw
I am currently out of the office and will return on Monday 9th September.
My email will not be monitored, so if you require assistance please email 
supp...@swift-computing.co.uk.
