Re: [Samba] Inexplicable rejection of credentials
There are some files in /var/lib/samba. But have you created a Samba user? Try: smbpasswd username

Sent from my Xperia™ smartphone

Paul D. DeRocco pdero...@ix.netcom.com wrote:

I have a Windows home network with a bunch of Windows boxes and two Ubuntu boxes. Everything can access shares on everything else, with one exception: no one can get to the one share on the second Ubuntu box which I just added to the system. All my machines have one user account (admin privileges in Windows) with the name pauld and the same password.

In an effort to solve this problem on the second Ubuntu box, I even copied the smb.conf file from the first Ubuntu box and edited its netbios name parameter. The only difference I can see in the configuration of the two boxes is the different computer names, which are reflected both in their hostnames and their netbios names. Oh, and I've rebooted everything several times.

Yet when I attempt to access the sole share on this machine, either from a Windows machine or from the other Ubuntu box, it rejects the username/password. (One difference: Windows boxes fail on trying to open the machine; the older Ubuntu box can open the machine and see the share name, but fails on trying to open the share. Dunno if that means anything.)

For reference, here's the smb.conf from the offending machine:

---
[global]
   workgroup = WORKGROUP
   netbios name = BUILD
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   name resolve order = bcast wins
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

[all]
   comment = Everything
   read only = no
   path = /
   browsable = yes
   create mask = 755
---

Most of this stuff was created automatically by installing Samba, so I don't really know what it means, or even if it's necessary. I stripped out all the comments, and manually added the [all] share at the end. (And I don't need any lectures about providing write access to root, please.) The ONLY difference between this file and the one on the working Ubuntu machine is the netbios name. There are no other mysterious files in /etc/samba that could be confusing things. No logs in /var/log/samba show any failures.

So my general question is: how do I fix this? And a more specific question is: is there any other file somewhere that could be getting into the act, and screwing this machine up? If there isn't an answer forthcoming, how about this: how do I go about debugging this?

--
Ciao, Paul D. DeRocco
Paul mailto:pdero...@ix.netcom.com

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
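The credential rejection itself is a passdb question, not an smb.conf one: the reply's smbpasswd suggestion is aimed at the tdbsam on the new box, and `pdbedit -L` there is the quick way to see whether pauld exists in it at all. What smb.conf does determine is what a caller gets once it is in, and this file is about to be copied between machines. The following is an added example, not code from the thread or from Samba: a small Python audit that parses a trimmed copy of the posted configuration (constructed sample input) and flags the root export, the guest mapping and the share-level synonyms that hide writability. The severities and checks are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the smb.conf quoted in the post.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   netbios name = BUILD
   passdb backend = tdbsam
   map to guest = bad user
   usershare allow guests = yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   read only = yes
   guest ok = no

[all]
   comment = Everything
   read only = no
   path = /
   browsable = yes
   create mask = 755
"""

TRUE_VALUES = {"yes", "true", "1", "on"}
Finding = Tuple[str, str, str]  # (severity, section, message)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are lower-cased with whitespace removed, mirroring how
    Samba matches them ("Read Only" == "readonly").  Later duplicates win.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def as_bool(value, default: bool = False) -> bool:
    return default if value is None else value.lower() in TRUE_VALUES


def share_writable(share: Dict[str, str]) -> bool:
    """'writable'/'writeable' are inverse synonyms of 'read only' and Samba's
    default is read only.  An explicit 'read only' is taken as authoritative."""
    if "readonly" in share:
        return not as_bool(share["readonly"])
    for synonym in ("writable", "writeable"):
        if synonym in share:
            return as_bool(share[synonym])
    return False


def guest_allowed(share: Dict[str, str]) -> bool:
    return as_bool(share.get("guestok", share.get("public")))


def audit(conf: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    g = conf.get("global", {})
    if g.get("maptoguest", "never").lower() != "never":
        findings.append(("medium", "global",
                         f"map to guest = {g['maptoguest']}: unknown usernames are "
                         "mapped to guest instead of being rejected"))
    if as_bool(g.get("usershareallowguests")):
        findings.append(("low", "global",
                         "usershare allow guests = yes: users can publish guest shares"))
    for name, share in conf.items():
        if name == "global":
            continue
        path = share.get("path", "")
        writable = share_writable(share)
        if path and path.rstrip("/") == "":
            findings.append(("high" if writable else "medium", name,
                             f"exports the filesystem root ({'read/write' if writable else 'read-only'})"))
        if writable and guest_allowed(share):
            findings.append(("high", name, "writable and guest ok: anonymous write access"))
        mask = share.get("createmask", share.get("createmode"))
        if mask is not None:
            try:
                bits = int(mask, 8)
            except ValueError:
                findings.append(("low", name, f"create mask {mask!r} is not octal"))
            else:
                if bits & 0o002:
                    findings.append(("medium", name, f"create mask {mask} grants world write"))
    return findings


if __name__ == "__main__":
    for severity, section, message in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{severity:6} [{section}] {message}")
```

Run it against `testparm -s` output rather than the raw file when includes or registry settings are in play, since that is the configuration smbd actually uses.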
[Samba] Group policy management per OU
Hi all

We are testing to migrate our multiple domain Samba3-LDAP system to Samba4. As Samba 4 doesn't support multiple domains, we will convert every domain into an OU, delegating the administration of each OU to a specific group of users. Our environment has about 38 OUs and thousands of users and computers, so we want each OU admin group to be able to manage the group policies as well.

I have read a lot, but I have not seen anything about the creation and modification of group policies per OU, just giving permissions to an existing GPO. What I would like is to allow the admin groups of each OU to create and modify their own GPOs, without needing to request the central administrators to create one and give permissions to it.

In brief, what I have read:
- If an OU admin user wants to create a GPO, he must have rights to manage all GPOs, or an admin user has to create a GPO beforehand and give permissions on that GPO to the user, and then the OU admin user can link it and edit it.

What I would like:
- Each OU admin user can create GPOs and modify (and link) the GPOs he has created, but not modify (or delete or link) the GPOs that other OU admin users have created.

Is this possible or just a dream? :D

Regards.
Re: [Samba] Upgrading samba 2.2.8a to 3.6.15 on Solaris 9 -- 3.6.15 brings all inetd services down
Hello,

Jordan Verschuer jvsamba...@gmail.com wrote:

Hi samba friends, I'm upgrading our Samba 2.2.8a server to 3.6.15 on a Solaris 9 box, we need to do this as all our latest Mac OS X 10.8 clients cannot map to the 2.2.8a network share, and need the newer Samba (well known issue for mountain lion).

My first question would be, why not use the Solaris Samba? IIRC, on S9, it was patched up to 3.something, which could be enough for your needs.

I've compiled 3.6.15 and this seemed to go ok, no obvious errors were shown during .configure, make and make install, and smbd -V gives output and seems ok, I've updated /etc/inet/inetd.conf and also added the same users to smbpasswd, [snip]

I agree with Marc here: why inetd? It doesn't sound good.

Also, I'm maintaining the OpenCSW Samba package for Solaris (http://www.opencsw.org/packages/CSWsamba/). It's currently 3.6.18 for Solaris 10. I've checked that it still builds for Solaris 9 with no trouble. I've put S9 packages there: http://buildfarm.opencsw.org/experimental.html#laurent

You're welcome to try them and tell me if they work for you. OpenCSW is focusing on S10 at the moment, but if there is interest in S9, that could be kept running for a while.

Laurent
[Samba] Samba4: Can't create shares outside sysvol and netlogon
Hi,

I am trying to create shares for my users in our new Samba4 domain, but with no luck so far. My current /etc/samba/smb.conf looks like this:

[global]
   workgroup = ADLS
   realm = ADLS.EXAMPLE.COM
   netbios name = CASTOR
   server role = active directory domain controller
   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
   idmap_ldb:use rfc2307 = yes

[netlogon]
   path = /var/lib/samba/sysvol/adls.example.com/scripts
   read only = No

[sysvol]
   path = /var/lib/samba/sysvol
   read only = No

[homes]
   path = /var/lib/samba/exchange_folder
   read only = No
   map acl inherit = Yes

I am connected to the server with a Win7 client, no problem to bring it into the new domain. I can view and browse sysvol and netlogon. I can create subfolders under sysvol and netlogon, but clicking on my homes share gives me error code 0x80070035. I also see no security tab when right-clicking on it.

I assume bind and samba are working fine together, otherwise I shouldn't be able to join the domain at all, right?

Any productive hint with this is appreciated, as I read several howtos and tried so many configurations, all with no success.

BR
Thoralf
[Samba] Element not found when connecting to sysvol
I have two samba DCs (4.0.9) and no Windows DCs, and group policy is failing. I've narrowed it down to an error accessing the sysvol folder.

Some clients (not all clients) get the error "Element not found" when connecting to our sysvol folder, which is \\ahc.pdc\sysvol\. The problem seems to be intermittent: a client may suddenly start working again, or suddenly stop. However, when connecting to it using the domain controller name \\BDC.ahc.pdc\sysvol\ it works 100% of the time. Unfortunately, this isn't where clients look for group policy.

Some history with this domain that may/may not help... We had a DC die on us and we had to seize FSMO roles on BDC.ahc.pdc. I had to manually edit some DNS entries to get this to work as well. I've also been trying to get SSO working with Openfire, so I've used setspn a number of times...
[Samba] Windows 7 and Samba
After researching win7 and samba issues we upgraded to 3.5.22. We still cannot connect to shares on the RHEL 5.9 box. Odd thing is, when attempting to connect we never see anything in the logs, which makes me think it's a networking issue. We've turned off the firewall on the win 7 box, but still nothing. We can ping the RHEL server from the Win 7 box.

Any insights or suggestions would be appreciated.

--
From my iPhone
Geoffrey Myers
Re: [Samba] Element not found when connecting to sysvol
Even more info...

Broken Client, dfsutil /spcinfo

[*][bdc.ahc.pdc]
[*][AHC]
[*][ahc.pdc]
[-][AHC]
[-][ahc.pdc]

Working Client, dfsutil /spcinfo

[*][bdc.ahc.pdc]
[*][AHC]
[*][ahc.pdc]
[-][AHC]
[+][ahc.pdc]
    [-RADIUS-STORAGE.ahc.pdc] AccessStatus: 0xc0be
    [+BDC.ahc.pdc] AccessStatus: 0
    [-PDC.ahc.pdc]

On Tue, Sep 17, 2013 at 12:58 PM, Alan Romans arom...@ashlandhc.org wrote:

I've found some more info...

Broken Client
dfsutil /pktinfo
0 entries...

Working Client
dfsutil /pktinfo
2 entries...
Entry: \\ahc.pdc\netlogon
ShortEntry: \\ahc.pdc\netlogon
Expires in 561 seconds
UseCount: 0 Type:0x1 ( DFS )
   0:[\\RADIUS-STORAGE.ahc.pdc\netlogon] AccessStatus: 0xc0cc ( TARGETSET )
   1:[\\BDC.ahc.pdc\netlogon] AccessStatus: 0 ( ACTIVE )
   2:[\\PDC.ahc.pdc\netlogon]
Entry: \\ahc.pdc\SysVol
ShortEntry: \\ahc.pdc\SysVol
Expires in 189 seconds
UseCount: 14 Type:0x1 ( DFS )
   0:[\\RADIUS-STORAGE.ahc.pdc\SysVol] AccessStatus: 0xc0be ( TARGETSET )
   1:[\\BDC.ahc.pdc\SysVol] AccessStatus: 0 ( ACTIVE )
   2:[\\PDC.ahc.pdc\SysVol]

On Tue, Sep 17, 2013 at 10:13 AM, Alan Romans arom...@ashlandhc.org wrote:

I have two samba DCs (4.0.9) and no Windows DCs, and group policy is failing. I've narrowed it down to an error accessing the sysvol folder.

Some clients (not all clients) get the error "Element not found" when connecting to our sysvol folder, which is \\ahc.pdc\sysvol\. The problem seems to be intermittent: a client may suddenly start working again, or suddenly stop. However, when connecting to it using the domain controller name \\BDC.ahc.pdc\sysvol\ it works 100% of the time. Unfortunately, this isn't where clients look for group policy.

Some history with this domain that may/may not help... We had a DC die on us and we had to seize FSMO roles on BDC.ahc.pdc. I had to manually edit some DNS entries to get this to work as well. I've also been trying to get SSO working with Openfire, so I've used setspn a number of times...
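The two dfsutil dumps above are the evidence: the domain-root referral \\ahc.pdc\SysVol still lists three targets, one of which (RADIUS-STORAGE) fails with a non-zero AccessStatus, and a client whose cache holds no entries at all cannot reach SysVol by the domain name even though the BDC itself answers. Stale referral targets left behind by a dead DC are exactly what to look for. The following is an added example, not code from the thread or from Samba: a Python parser for `dfsutil /pktinfo` output that lists the targets a client actually failed on and the servers that are advertised but are not on the list of DCs you still operate. The sample text is a constructed copy of the working client's dump with UNC separators restored; the set of live DCs is an input you supply, since nothing in the thread says which DC died.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the 'dfsutil /pktinfo' output posted from
# the working client.
SAMPLE_PKTINFO = r"""
2 entries...
Entry: \\ahc.pdc\netlogon
ShortEntry: \\ahc.pdc\netlogon
Expires in 561 seconds
UseCount: 0 Type:0x1 ( DFS )
   0:[\\RADIUS-STORAGE.ahc.pdc\netlogon] AccessStatus: 0xc0cc ( TARGETSET )
   1:[\\BDC.ahc.pdc\netlogon] AccessStatus: 0 ( ACTIVE )
   2:[\\PDC.ahc.pdc\netlogon]
Entry: \\ahc.pdc\SysVol
ShortEntry: \\ahc.pdc\SysVol
Expires in 189 seconds
UseCount: 14 Type:0x1 ( DFS )
   0:[\\RADIUS-STORAGE.ahc.pdc\SysVol] AccessStatus: 0xc0be ( TARGETSET )
   1:[\\BDC.ahc.pdc\SysVol] AccessStatus: 0 ( ACTIVE )
   2:[\\PDC.ahc.pdc\SysVol]
"""

ENTRY_RE = re.compile(r"^Entry:\s+(\S+)")
# One referral target line: index, UNC in brackets, optional AccessStatus and state.
TARGET_RE = re.compile(
    r"^\s*\d+:\[(?P<target>\\\\[^\]]+)\]"
    r"(?:\s+AccessStatus:\s+(?P<status>0x[0-9a-fA-F]+|\d+)"
    r"(?:\s+\(\s*(?P<state>\w+)\s*\))?)?"
)


@dataclass
class Target:
    unc: str
    status: Optional[int]   # AccessStatus; None when the client never tried it
    state: Optional[str]    # ACTIVE / TARGETSET / None

    @property
    def server(self) -> str:
        """Host part of \\server\share, lower-cased for comparison."""
        return self.unc.strip("\\").split("\\")[0].lower()


def parse_pktinfo(text: str) -> Dict[str, List[Target]]:
    """Map each referral entry (e.g. \\ahc.pdc\SysVol) to its target list."""
    entries: Dict[str, List[Target]] = {}
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = []
            continue
        m = TARGET_RE.match(line)
        if m and current is not None:
            status = m.group("status")
            entries[current].append(Target(
                unc=m.group("target"),
                status=int(status, 0) if status is not None else None,
                state=m.group("state"),
            ))
    return entries


def failed_targets(entries: Dict[str, List[Target]]) -> List[Target]:
    """Targets the client tried and got a non-zero AccessStatus from."""
    return [t for ts in entries.values() for t in ts if t.status not in (None, 0)]


def stale_servers(entries: Dict[str, List[Target]], live_dcs: Set[str]) -> List[str]:
    """Servers advertised in any referral that are not DCs you still operate."""
    live = {d.lower() for d in live_dcs}
    return sorted({t.server for ts in entries.values() for t in ts} - live)


def active_target(entries: Dict[str, List[Target]], entry: str) -> Optional[str]:
    for t in entries.get(entry, []):
        if t.state == "ACTIVE":
            return t.unc
    return None


if __name__ == "__main__":
    parsed = parse_pktinfo(SAMPLE_PKTINFO)
    for t in failed_targets(parsed):
        print(f"failed: {t.unc} status=0x{t.status:x}")
    print("stale:", stale_servers(parsed, {"BDC.ahc.pdc", "PDC.ahc.pdc"}))
```

Feed it the output of `dfsutil /pktinfo` from a broken and a working client; a server that shows up under "stale" is still being handed out by the DC's referral response and needs to be removed on the server side, not in client caches.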
Re: [Samba] Windows 7 and Samba
Hello Geoffrey,

On 17.09.2013 17:45, Geoffrey Myers wrote:
After researching win7 and samba issues we upgraded to 3.5.22. We still cannot connect to shares on the RHEL 5.9 box. Odd thing is, when attempting to connect we never see anything in the logs, which makes me think it's a networking issue. We've turned off the firewall on the win 7 box, but still nothing. We can ping the RHEL server from the Win 7 box. Any insights or suggestions would be appreciated.

- Can other clients connect to the server?
- Is this a NT4 domain or just a standalone server?
- Is the machine joined, if it's a domain member?
- Any registry changes done on W7? See http://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains for what is necessary and what you should avoid.
- Is there a firewall on the RHEL box or between the server and the client?
- Does Samba listen on all ports it should? See http://wiki.samba.org/index.php/Samba_port_usage#Port_usage_when_Samba_runs_as_NT4-domain
- Is Samba listening on the right interfaces? (maybe it's just listening on localhost and not on your NIC or not on the right NIC if you have more than one).

Regards,
Marc
Re: [Samba] Windows 7 and Samba
On Sep 17, 2013, at 12:32 PM, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:

Hello Geoffrey,

On 17.09.2013 17:45, Geoffrey Myers wrote:
After researching win7 and samba issues we upgraded to 3.5.22. We still cannot connect to shares on the RHEL 5.9 box. Odd thing is, when attempting to connect we never see anything in the logs, which makes me think it's a networking issue. We've turned off the firewall on the win 7 box, but still nothing. We can ping the RHEL server from the Win 7 box. Any insights or suggestions would be appreciated.

- Can other clients connect to the server?

Other clients connect fine. Although this is the only win 7 client. The others are win xp.

- Is this a NT4 domain or just a standalone server?

Standalone server.

- Is the machine joined, if it's a domain member?

The machine is configured just as the other clients that can connect.

- Any registry changes done on W7? See http://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains for what is necessary and what you should avoid.

- Is there a firewall on the RHEL box or between the server and the client?

No.

- Does Samba listen on all ports it should? See http://wiki.samba.org/index.php/Samba_port_usage#Port_usage_when_Samba_runs_as_NT4-domain

- Is Samba listening on the right interfaces? (maybe it's just listening on localhost and not on your NIC or not on the right NIC if you have more than one).

Surely the other clients would not be able to connect if this was the case?

Regards,
Marc
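Marc's last two questions (ports and interfaces) are the ones a "nothing in the logs" symptom usually comes down to, and the answer on the server side is one `ss -ltn` away: is smbd listening on 139 and 445, and on which addresses. The following is an added example, not code from the thread or from Samba, that parses that output and classifies each SMB port as reachable, loopback-only, bound to the wrong interface, or missing. The sample `ss` output and the NIC address 192.168.1.10 are constructed for the example; on a real box pass the address of the interface the Win 7 client talks to. If the result says loopback-only or wrong interface, the `interfaces` and `bind interfaces only` parameters in smb.conf are where to look.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of 'ss -ltn' output on a Samba host whose smbd is bound
# only to loopback; a real host prints a table of the same shape.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      127.0.0.1:139        0.0.0.0:*
LISTEN  0       50      127.0.0.1:445        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

SMB_TCP_PORTS = {139, 445}            # NetBIOS session service and direct-hosted SMB
LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}

# State, Recv-Q, Send-Q, then Local Address:Port; the greedy \S+ backtracks to
# the last ':' so that IPv6 literals such as [::]:445 split correctly.
SOCKET_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def listening_sockets(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every LISTEN line in 'ss -ltn' output."""
    sockets: List[Tuple[str, int]] = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            sockets.append((m.group("addr").strip("[]"), int(m.group("port"))))
    return sockets


def check_smb_listeners(sockets: List[Tuple[str, int]], nic_addrs: Set[str],
                        ports: Set[int] = SMB_TCP_PORTS) -> Dict[str, List[int]]:
    """Classify each required TCP port by where it is bound.

    reachable:       bound to a wildcard address or to one of nic_addrs
    loopback_only:   bound only to 127.0.0.1 / ::1 (clients on the LAN cannot connect)
    wrong_interface: bound to specific addresses, none of which is in nic_addrs
    missing:         no listener at all (daemon not running or port not enabled)
    """
    result: Dict[str, List[int]] = {
        "reachable": [], "loopback_only": [], "wrong_interface": [], "missing": []}
    for port in sorted(ports):
        addrs = {a for a, p in sockets if p == port}
        if not addrs:
            result["missing"].append(port)
        elif addrs & WILDCARD or addrs & nic_addrs:
            result["reachable"].append(port)
        elif addrs <= LOOPBACK:
            result["loopback_only"].append(port)
        else:
            result["wrong_interface"].append(port)
    return result


if __name__ == "__main__":
    report = check_smb_listeners(listening_sockets(SAMPLE_SS), {"192.168.1.10"})
    for verdict, port_list in report.items():
        if port_list:
            print(f"{verdict}: {port_list}")
```

Run it with `ss -ltn | python3 check_smb.py` style plumbing on the RHEL box, or paste the table in; nmbd's UDP 137/138 are not covered here because this only reads TCP listeners.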
[Samba] LDAP Account Manager 4.3 with enhanced Samba 4 and Kolab support released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

LDAP Account Manager (LAM) 4.3 - September 17th, 2013
=====================================================

LAM is a web frontend for managing accounts stored in an LDAP directory.

Announcement:
-------------

Added Unix user+group support for Samba 4. Additionally, you may now manage Kolab groups. Custom fields support read-only fields and file uploads. LAM is now PHP 5.5 compatible.

Full changelog: https://www.ldap-account-manager.org/lamcms/changelog
Download: https://www.ldap-account-manager.org/lamcms/releases

Features:
---------

* management of various account types
  * Unix
  * Samba 3/4
  * Kolab 2/3
  * Asterisk
  * Zarafa
  * DHCP
  * SSH keys
  * and much more...
* profiles for account creation
* account creation via CSV file upload
* automatic creation/deletion of home directories
* setting file system quotas
* PDF output for all accounts
* schema and LDAP browser
* manages multiple servers
* multi-language support

Demo installation:
------------------

You can try our demo installation online.
https://www.ldap-account-manager.org/lamcms/liveDemo

Support:
--------

If you find a bug please file a bug report. For questions or implementing new features please use the mailinglist and feature request tracker at our homepage https://www.ldap-account-manager.org.

Authors & Copyright:
--------------------

Copyright (C) 2003 - 2013: Roland Gruber p...@rolandgruber.de

LAM is published under the GNU General Public License. The complete list of licenses can be found in the copyright file.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iEYEARECAAYFAlI4oTgACgkQq/ywNCsrGZ4YHQCfVTXDV6HdI60A4x3xp3OFFk2K
oGsAniC5+ehDyccYCgiv8HcPpg5Wm2MF
=BXk1
-----END PGP SIGNATURE-----
Re: [Samba] Element not found when connecting to sysvol
I've found some more info...

Broken Client
dfsutil /pktinfo
0 entries...

Working Client
dfsutil /pktinfo
2 entries...
Entry: \\ahc.pdc\netlogon
ShortEntry: \\ahc.pdc\netlogon
Expires in 561 seconds
UseCount: 0 Type:0x1 ( DFS )
   0:[\\RADIUS-STORAGE.ahc.pdc\netlogon] AccessStatus: 0xc0cc ( TARGETSET )
   1:[\\BDC.ahc.pdc\netlogon] AccessStatus: 0 ( ACTIVE )
   2:[\\PDC.ahc.pdc\netlogon]
Entry: \\ahc.pdc\SysVol
ShortEntry: \\ahc.pdc\SysVol
Expires in 189 seconds
UseCount: 14 Type:0x1 ( DFS )
   0:[\\RADIUS-STORAGE.ahc.pdc\SysVol] AccessStatus: 0xc0be ( TARGETSET )
   1:[\\BDC.ahc.pdc\SysVol] AccessStatus: 0 ( ACTIVE )
   2:[\\PDC.ahc.pdc\SysVol]

On Tue, Sep 17, 2013 at 10:13 AM, Alan Romans arom...@ashlandhc.org wrote:

I have two samba DCs (4.0.9) and no Windows DCs, and group policy is failing. I've narrowed it down to an error accessing the sysvol folder.

Some clients (not all clients) get the error "Element not found" when connecting to our sysvol folder, which is \\ahc.pdc\sysvol\. The problem seems to be intermittent: a client may suddenly start working again, or suddenly stop. However, when connecting to it using the domain controller name \\BDC.ahc.pdc\sysvol\ it works 100% of the time. Unfortunately, this isn't where clients look for group policy.

Some history with this domain that may/may not help... We had a DC die on us and we had to seize FSMO roles on BDC.ahc.pdc. I had to manually edit some DNS entries to get this to work as well. I've also been trying to get SSO working with Openfire, so I've used setspn a number of times...
[Samba] S4-Winbind dumping core on password
Samba4-winbind (sernet-samba-4.0.9) on RHEL 6.4 dumps core on password authentication for a domain user (su/sudo), and so domain password authentication fails. The machine is a standalone server in a Windows AD (2008R2) domain. PuTTY logins using GSSAPI work fine, kdestroy/kinit succeeds with AD password, but su'ing to the userid from a puttty session fails. The issue seems to be related to the following line from /var/log/secure: pam_winbind(su:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_IO_DEVICE_ERROR, Error message was: NT_STATUS_IO_DEVICE_ERROR Adding pam_krb5 before pam_winbind avoids the issue of winbind dumping core, but then winbind does not refresh tickets, which is a requirement. (Switching back to samba-3.6 works, but that takes away the shiny new features of samba-4 - winbind seems to communicate faster with AD, and we are testing smb2/smb3 performance improvements.) It appears that the problem can be replicated reliably by using authconfig to enable Winbind authentication and to disable Kerberos authentication in RHEL 6.4. Enabling both Winbind and Kerberos avoids the core dumping/domain password failures, but tickets are not refreshed. Question is, are changes in samba 4.1RC likely to fix this issue, or does a separate bug need filing? 
Additional information follows:

Relevant lines from /var/log/secure:

myhostname sshd[10170]: pam_unix(sshd:session): session opened for user MYUSERNAME by (uid=0)
myhostname su: pam_unix(su:auth): authentication failure; logname=MYUSERNAME uid=100999 euid=0 tty=pts/0 ruser=MYUSERNAME rhost= user=MYUSERNAME
myhostname su: pam_winbind(su:auth): getting password (0x0390)
myhostname su: pam_winbind(su:auth): pam_get_item returned a password
myhostname su: pam_winbind(su:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_IO_DEVICE_ERROR, Error message was: NT_STATUS_IO_DEVICE_ERROR
myhostname su: pam_winbind(su:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'MYUSERNAME')

Winbind configuration from smb.conf:

   idmap config * : backend = hash
   idmap config * : range = 1-1000
   template homedir = /srv/misc/%D/%U
   template shell = /bin/bash
   winbind use default domain = Yes
   allow trusted domains = No
   winbind enum groups = No
   winbind enum users = No
   winbind nested groups = Yes
   winbind refresh tickets = Yes
   winbind offline logon = Yes
   kerberos method = secrets and keytab

Relevant lines from log.wb-domain (data have been modified in minor ways to protect the innocent):

[2013/09/17 17:52:27.866486, 10, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:499(set_domain_online_request)
  set_domain_online_request: called for domain MYDOMAIN
[2013/09/17 17:52:27.866525, 10, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:534(set_domain_online_request)
  set_domain_online_request: domain MYDOMAIN was globally offline.
[2013/09/17 17:52:27.866558, 10, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:499(set_domain_online_request)
  set_domain_online_request: called for domain MYDOMAIN
[2013/09/17 17:52:27.866604, 10, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:874(account_lockout_policy_handler)
  account_lockout_policy_handler called
[2013/09/17 17:52:27.866648, 5, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:167(get_cache)
  get_cache: Setting ADS methods for domain MYDOMAIN
[2013/09/17 17:52:27.866701, 10, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:459(fetch_cache_seqnum)
  fetch_cache_seqnum: success [MYDOMAIN][12346 @ 137945]
[2013/09/17 17:52:27.866728, 10, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:583(refresh_sequence_number)
  refresh_sequence_number: MYDOMAIN seq number is now 12346
[2013/09/17 17:52:27.866794, 10, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:624(centry_expired)
  centry_expired: Key LOC_POL/MYDOMAIN for domain MYDOMAIN is good.
[2013/09/17 17:52:27.866819, 10, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:732(wcache_fetch)
  wcache_fetch: returning entry LOC_POL/MYDOMAIN for domain MYDOMAIN
[2013/09/17 17:52:27.866842, 10, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:2910(lockout_policy)
  lockout_policy: [Cached] - cached info for domain MYDOMAIN status: NT_STATUS_OK
[2013/09/17 17:52:27.866910, 4, pid=10086, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1549(fork_domain_child)
  child daemon request 13
[2013/09/17 17:52:27.866938, 10, pid=10086,
Re: [Samba] DNS forwading for host *within* AD
For the record, I couldn't make it work in a more elegant way, so here's the quick and dirty solution (using the internal DNS server). I run this script every 10 minutes or so via cron. This updates the record for www.foo.com, considering the AD domain is foo.com and the webserver www.foo.com is hosted externally. dc1 is the domain controller, 8.8.8.8 in this case is Google's DNS servers:

--
#!/bin/bash
# Current answer from the Samba internal DNS, and the authoritative one from outside.
WWW_CURRENT=$(dig @localhost www.foo.com A +short | tail -n1)
WWW_NEW=$(dig @8.8.8.8 www.foo.com A +short | tail -n1)

# Only update when the external answer is non-empty and differs from ours.
if [ "$WWW_CURRENT" != "$WWW_NEW" ] && [ -n "$WWW_NEW" ]
then
    # --password on the command line is visible to every local user via ps;
    # samba-tool also accepts -A/--authentication-file for a credentials file.
    /usr/local/samba/bin/samba-tool dns update dc1 foo.com www A "$WWW_CURRENT" "$WWW_NEW" --password=adminpassword
fi
--

Regards!

On Mon, Sep 2, 2013 at 2:57 PM, George jorgito1...@gmail.com wrote:

Hi,

I am currently running Samba 4.0.9 as a DC. My AD domain and Kerberos realm is domain.com. Although this was not considered when we set up the domain, now we need foo.domain.com to be resolved externally by our ISP DNS server. I tried to configure BIND as a backend and to manually add a zone foo.domain.com, type forward, but it does not work (Samba DLZ seems to be taking precedence).

Any suggestions?? A somewhat cheap hack would be to add an A record for foo and make a cron script to update it with samba-tool on a regular basis. But first I would like to get a more proper solution.

Thanks a lot.

George
Re: [Samba] samba4 adding an index to sam.ldb
Anyone have a clue as to how I set the fINDEXED attrib? I have an additional attribute in samba4 ldap that I need indexed.

----- Original Message -----
From: Bo Kersey b...@vircio.com
To: Andrew Bartlett abart...@samba.org
Sent: Sunday, September 15, 2013 7:53:49 AM
Subject: Re: [Samba] samba4 adding an index to sam.ldb

Andrew,

I'm not sure where to find that part of the schema... This is what I find for othermailbox:

dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,
objectClass: top
objectClass: attributeSchema
cn: Other-Mailbox
instanceType: 4
whenCreated: 20130913000849.0Z
whenChanged: 20130913000849.0Z
uSNCreated: 1011
attributeID: 1.2.840.113556.1.4.651
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
uSNChanged: 1011
showInAdvancedViewOnly: TRUE
adminDisplayName: Other-Mailbox
adminDescription: Other-Mailbox
oMSyntax: 64
searchFlags: 0
lDAPDisplayName: otherMailbox
name: Other-Mailbox
objectGUID: bd150920-231c-437c-a5a4-726c2c136708
schemaIDGUID: 0296c123-40da-11d1-a9c0-f80367c1
attributeSecurityGUID: e48d0154-bcf8-11d1-8702-00c04fb96050
systemOnly: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,
distinguishedName: CN=Other-Mailbox,CN=Schema,CN=Configuration,

And when I grep through the other objects at this level, I don't find an fINDEXED attrib or any /index/i attribs that make sense for that matter.

Thanks!
Bo

----- Original Message -----
From: Andrew Bartlett abart...@samba.org
To: Bo Kersey b...@vircio.com
Cc: samba@lists.samba.org
Sent: Saturday, September 14, 2013 5:46:21 PM
Subject: Re: [Samba] samba4 adding an index to sam.ldb

On Sat, 2013-09-14 at 09:10 -0500, Bo Kersey wrote:
I have a large installation, 20k users. We're using samba4 for AD Authentication, and also email address validation. I'm trying to edit the @INDEXLIST in sam.ldb to add an index on otherMailbox to speed up searches (0.05 sec for indexed, vs 2.5 sec for non-indexed searches). I'm finding that when I use ldbedit to do this, it appears to add the additional @IDXATTR. However, when I go back and check via ldbsearch, the attribute is not there. Seems to be failing silently... How do I debug this?

We override that list with a list from the fINDEXED attribute in the schema. Just modify that and the new index will be created.

I'm also keen to hear more about how you have gone with an installation that large, as there are not many installations as large as yours, and it will help us advise others.

Thanks!

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
Bo Kersey
VirCIO - managed network solutions
4314 Avenue C
Austin, TX 78751
phone: (512)374-0500
If it is free, you are the product.
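The flag Andrew is pointing at is not an attribute of its own: it is a bit in the searchFlags attribute of the attributeSchema entry Bo dumped, which currently reads searchFlags: 0. Bit value 1 (fATTINDEX in the AD schema documentation) is the per-attribute index flag, and Samba builds the @INDEXLIST from the schema entries that carry it, which is why hand-editing @INDEXLIST does not stick. The following is an added example, not from the thread or from Samba: the LDIF modify that sets the flag. The schema DN suffix appears truncated in Bo's dump, so it is left as a placeholder here; whether your Samba version requires `dsdb:schema update allowed = yes` in smb.conf before it accepts schema modifications is something to check before applying it.

```ldif
# Added example, not from the thread.  <SCHEMA-SUFFIX> stands for the rest of
# your own CN=Schema,CN=Configuration,DC=... DN, which the dump shows cut off.
# searchFlags bit 1 (fATTINDEX) asks the directory to index this attribute;
# 'replace' overwrites the existing searchFlags: 0 value.
dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,<SCHEMA-SUFFIX>
changetype: modify
replace: searchFlags
searchFlags: 1
```

Apply it with ldbmodify against your sam.ldb (the path depends on how Samba was installed), then confirm with a base-scope ldbsearch on @INDEXLIST that otherMailbox now appears among the @IDXATTR values and re-time the search that took 2.5 seconds. If other bits are already set on an attribute you change later, OR the value rather than replacing it with a bare 1.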
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via af290a0 libcli/smb: fix non mendatory signing against some vendor SMB2 servers. via 1d54d8c libcli/smb: use SMB1 MID=0 for the initial Negprot from 6ed5b1c Cleanup map return codes http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit af290a03cef63c3b08446c1980de064a3b1c8804 Author: Stefan Metzmacher me...@samba.org Date: Tue Sep 17 04:12:30 2013 +0200 libcli/smb: fix non mendatory signing against some vendor SMB2 servers. Windows and Samba always sign the final session setup response even if signing is not mendatory, but it ensures that the signing key is correctly in place. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10146 Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Stefan Metzmacher me...@samba.org Autobuild-Date(master): Tue Sep 17 09:40:10 CEST 2013 on sn-devel-104 commit 1d54d8c501afa151b6cc07b98a14caae2b31ec65 Author: Stefan Metzmacher me...@samba.org Date: Tue Sep 17 04:09:03 2013 +0200 libcli/smb: use SMB1 MID=0 for the initial Negprot Bug: https://bugzilla.samba.org/show_bug.cgi?id=10144 Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Jeremy Allison j...@samba.org --- Summary of changes: libcli/smb/smbXcli_base.c | 19 ++- 1 files changed, 18 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 7176e8f..f59f1f7 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -737,6 +737,14 @@ static uint16_t smb1cli_alloc_mid(struct smbXcli_conn *conn) size_t num_pending = talloc_array_length(conn-pending); uint16_t result; + if (conn-protocol == PROTOCOL_NONE) { + /* +* This is what windows sends on the SMB1 Negprot request +* and some vendors reuse the SMB1 MID as SMB2 sequence number. +*/ + return 0; + } + while (true) { size_t i; 
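Review bot: the early `return 0;` in smb1cli_alloc_mid() skips the collision scan over conn->pending that follows it, so it silently assumes nothing else is in flight while conn->protocol is still PROTOCOL_NONE; that holds for the single initial Negprot this targets, but the code should say so. Move the new check above `size_t num_pending = talloc_array_length(conn->pending);` (which is now computed and unused on this path) and extend the comment to state that MID 0 is only safe because no other request can be pending before negotiation, so a future caller that allocates a MID earlier does not inherit the assumption unnoticed.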
@@ -4835,7 +4843,16 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, session-conn-protocol, recv_iov, 3); if (!NT_STATUS_IS_OK(status)) { - return status; + /* +* Sadly some vendors don't sign the +* final SMB2 session setup response +* +* At least Windows and Samba are always doing this +* if there's a session key available. +*/ + if (conn-mandatory_signing) { + return status; + } } session-smb2-should_sign = false; -- Samba Shared Repository
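Review bot: the new branch in smb2cli_session_set_session_key() swallows the verification failure of the final session setup response whenever signing is not mandatory and then falls through to `session->smb2->should_sign = false;`, so a stripped or corrupted signature on that response is no longer reported anywhere; at minimum emit a DEBUG line with the NTSTATUS before continuing so the tolerance is observable in logs, and spell out in the commit message that it is deliberately limited to non-mandatory signing. Also, the condition reads `conn->mandatory_signing` while the surrounding context uses `session->conn->protocol`; confirm that `conn` is the local alias for `session->conn` in this function rather than a stale variable.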
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1c41feb s3: libsmb : The short name length is only a one byte field. from af290a0 libcli/smb: fix non mendatory signing against some vendor SMB2 servers. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1c41feb7893ae4a4f42c035f3c83f8b2950b7816 Author: Jeremy Allison j...@samba.org Date: Mon Sep 16 19:16:52 2013 -0700 s3: libsmb : The short name length is only a one byte field. The next byte is undefined and some vendors set this to 0xff (discovered in SNIA SDC lab tests). Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org Autobuild-User(master): Stefan Metzmacher me...@samba.org Autobuild-Date(master): Tue Sep 17 12:27:18 CEST 2013 on sn-devel-104 --- Summary of changes: source3/libsmb/cli_smb2_fnum.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c index 18b03f3..3253f9d 100644 --- a/source3/libsmb/cli_smb2_fnum.c +++ b/source3/libsmb/cli_smb2_fnum.c @@ -412,7 +412,7 @@ static NTSTATUS parse_finfo_id_both_directory_info(uint8_t *dir_data, if (namelen (dir_data_length - 104)) { return NT_STATUS_INFO_LENGTH_MISMATCH; } - slen = SVAL(dir_data + 68, 0); + slen = CVAL(dir_data + 68, 0); if (slen 24) { return NT_STATUS_INFO_LENGTH_MISMATCH; } -- Samba Shared Repository
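Review bot: the change from SVAL to CVAL at offset 68 matches a one-byte ShortNameLength followed by a reserved byte, but nothing in the code records that, so the next reader may well "fix" it back to a 16-bit read; add a comment on that line naming the reserved byte at offset 69 and the 0xff vendor value from the commit message as the reason. The existing `if (slen > 24)` bound check stays correct for a one-byte length and should stay where it is.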
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0099c65 docs: point out side-effects of global valid users setting. from 1c41feb s3: libsmb : The short name length is only a one byte field. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0099c652e7b3d34e720e8af40d7f75d868cf0701 Author: Günther Deschner g...@samba.org Date: Tue Sep 17 12:47:58 2013 +0200 docs: point out side-effects of global valid users setting. Guenther Signed-off-by: Günther Deschner g...@samba.org Reviewed-by: Andreas Schneider a...@samba.org Autobuild-User(master): Günther Deschner g...@samba.org Autobuild-Date(master): Tue Sep 17 16:20:16 CEST 2013 on sn-devel-104 --- Summary of changes: docs-xml/smbdotconf/security/validusers.xml | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/security/validusers.xml b/docs-xml/smbdotconf/security/validusers.xml index 313739d..ec3e11e 100644 --- a/docs-xml/smbdotconf/security/validusers.xml +++ b/docs-xml/smbdotconf/security/validusers.xml @@ -19,6 +19,16 @@ The current servicename is substituted for parameter moreinfo=none%S/parameter. This is useful in the [homes] section. /para + +paraemphasisNote: /emphasisWhen used in the [global] section this +parameter may have unwanted side effects. For example: If samba is configured as a MASTER BROWSER (see +parameter moreinfo=nonelocal master/parameter, +parameter moreinfo=noneos level/parameter, +parameter moreinfo=nonedomain master/parameter, +parameter moreinfo=nonepreferred master/parameter) this option +will prevent workstations from being able to browse the network. +/para + /description relatedinvalid users/related -- Samba Shared Repository
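Review bot: the added note tells admins that a global `valid users` stops workstations browsing but not why, which leaves them unable to predict its other effects; one sentence saying that a [global] value applies to every service, including the IPC$ share that browse-list requests and other RPC traffic go through, would make the warning actionable, and the paragraph should end by recommending that `valid users` be set per share rather than in [global]. The list of master-browser parameters is fine as it is.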
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via eaf1b8e s3-rpc_server: fix typo in DEBUG statement. from 0099c65 docs: point out side-effects of global valid users setting. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit eaf1b8e2e3edd4e223d595bb3b091b4bcbdc2b04 Author: Günther Deschner g...@samba.org Date: Mon Aug 12 17:56:53 2013 +0200 s3-rpc_server: fix typo in DEBUG statement. Guenther Signed-off-by: Günther Deschner g...@samba.org Reviewed-by: Andreas Schneider a...@samba.org Autobuild-User(master): Günther Deschner g...@samba.org Autobuild-Date(master): Tue Sep 17 18:24:26 CEST 2013 on sn-devel-104 --- Summary of changes: source3/rpc_server/rpc_ncacn_np.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c index 7389b3e..60f72a5 100644 --- a/source3/rpc_server/rpc_ncacn_np.c +++ b/source3/rpc_server/rpc_ncacn_np.c @@ -553,7 +553,7 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, GLOBAL_SECTION_SNUM, external_rpc_pipe, socket_dir, lp_ncalrpc_dir()); if (socket_dir == NULL) { - DEBUG(0, (externan_rpc_pipe:socket_dir not set\n)); + DEBUG(0, (external_rpc_pipe:socket_dir not set\n)); goto fail; } socket_np_dir = talloc_asprintf(talloc_tos(), %s/np, socket_dir); -- Samba Shared Repository
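Review bot: while touching this message, consider a space after the colon (`external_rpc_pipe: socket_dir not set`) so it reads as parameter name plus description. Also, because the lookup above passes lp_ncalrpc_dir() as the default, a NULL result here is more likely a failed allocation or an unset ncalrpc dir than a missing parametric option, so the wording could reflect that. Logging at level 0 before `goto fail` is appropriate for a condition that aborts pipe creation.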
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 17a9a0f s3: libsmb : Bug 10150 - Not all OEM servers support the ALTNAME info level. via cdc280d s3: libsmb SMB2 wrapper layer. cli_smb2_get_ea_list_path() failed to close file on exit. from eaf1b8e s3-rpc_server: fix typo in DEBUG statement. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 17a9a0f37bbb730d09b3a57b00665d44aac18ea6 Author: Jeremy Allison j...@samba.org Date: Tue Sep 17 11:24:05 2013 -0700 s3: libsmb : Bug 10150 - Not all OEM servers support the ALTNAME info level. Just ignore and print error message and an altname of if the server returns NT_STATUS_NOT_SUPPORTED. Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Volker Lendecke v...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Tue Sep 17 23:40:08 CEST 2013 on sn-devel-104 commit cdc280deb1e6f99ec9eae05d75bc1104448662ef Author: Jeremy Allison j...@samba.org Date: Tue Sep 17 11:00:16 2013 -0700 s3: libsmb SMB2 wrapper layer. cli_smb2_get_ea_list_path() failed to close file on exit. Found at SNIA SDC plugfest. Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Volker Lendecke v...@samba.org --- Summary of changes: source3/client/client.c| 10 +- source3/libsmb/cli_smb2_fnum.c |4 2 files changed, 13 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/client/client.c b/source3/client/client.c index bdf6c50..a348644 100644 --- a/source3/client/client.c +++ b/source3/client/client.c @@ -1709,7 +1709,15 @@ static int do_allinfo(const char *name) if (!NT_STATUS_IS_OK(status)) { d_printf(%s getting alt name for %s\n, nt_errstr(status), name); - return false; + /* +* Ignore not supported, it does not hurt if we can't list +* alternate names. +*/ + if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { + altname[0] = '\0'; + } else { + return false; + } } d_printf(altname: %s\n, altname); 
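Review bot: the `d_printf(... getting alt name for ...)` line still runs before the new NT_STATUS_NOT_SUPPORTED check, so the case this change deliberately tolerates still prints what looks like an error for every file queried against such a server; consider moving the d_printf into the else branch, or printing a distinct "alternate names not supported by server" line for the ignored case. Writing `altname[0] = '\0'` also assumes altname is a writable fixed buffer rather than a pointer filled in by the query, which the hunk does not show; worth confirming against the declaration.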
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c index 3253f9d..202000f 100644 --- a/source3/libsmb/cli_smb2_fnum.c +++ b/source3/libsmb/cli_smb2_fnum.c @@ -1997,6 +1997,10 @@ NTSTATUS cli_smb2_get_ea_list_path(struct cli_state *cli, fail: + if (fnum != 0x) { + cli_smb2_close_fnum(cli, fnum); + } + TALLOC_FREE(frame); return status; } -- Samba Shared Repository
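Review bot: the return value of `cli_smb2_close_fnum(cli, fnum)` in the fail: cleanup is discarded; on the error path that is acceptable, but if the success path also falls through to fail: (the hunk does not show whether it does), a failed close would go unreported, so logging it at debug level would make the leak fix easier to verify. The sentinel in `if (fnum != 0x) {` has been truncated in this listing, so reviewers should check against the repository that it matches the value fnum is initialised to before the open.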
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4879d08 libcli/smb: only check the SMB2 session setup signature if required and valid from 17a9a0f s3: libsmb : Bug 10150 - Not all OEM servers support the ALTNAME info level. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4879d0810a2ad741e32ad174a7a14cd35521aeaf Author: Stefan Metzmacher me...@samba.org Date: Wed Sep 18 02:24:30 2013 +0200 libcli/smb: only check the SMB2 session setup signature if required and valid This is an update to commit af290a03cef63c3b08446c1980de064a3b1c8804 that skips the scary debug messages. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10146 Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Stefan Metzmacher me...@samba.org Autobuild-Date(master): Wed Sep 18 04:46:00 CEST 2013 on sn-devel-104 --- Summary of changes: libcli/smb/smbXcli_base.c | 26 +- 1 files changed, 21 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index f59f1f7..27ac2a8 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -4742,12 +4742,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, struct smbXcli_conn *conn = session-conn; uint16_t no_sign_flags; uint8_t session_key[16]; + bool check_signature = true; + uint32_t hdr_flags; NTSTATUS status; if (conn == NULL) { return NT_STATUS_INVALID_PARAMETER_MIX; } + if (recv_iov[0].iov_len != SMB2_HDR_BODY) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } + no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL; if (session-smb2-session_flags no_sign_flags) { 
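Review bot: the new `recv_iov[0].iov_len != SMB2_HDR_BODY` check is the important part of this hunk, because the following hunk reads the header flags with IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS) and that read must never run on a short iov; keep the check ahead of any use of recv_iov[0]. Returning NT_STATUS_INVALID_PARAMETER_MIX mirrors the conn == NULL case above, though a length mismatch is arguably a malformed response rather than a caller error; a short comment stating that the iov layout is a caller contract would settle that.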
@@ -4839,18 +4845,28 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, return NT_STATUS_NO_MEMORY; } - status = smb2_signing_check_pdu(session-smb2_channel.signing_key, - session-conn-protocol, - recv_iov, 3); - if (!NT_STATUS_IS_OK(status)) { + check_signature = conn-mandatory_signing; + + hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS); + if (hdr_flags SMB2_HDR_FLAG_SIGNED) { /* * Sadly some vendors don't sign the * final SMB2 session setup response * * At least Windows and Samba are always doing this * if there's a session key available. +* +* We only check the signature if it's mandatory +* or SMB2_HDR_FLAG_SIGNED is provided. */ - if (conn-mandatory_signing) { + check_signature = true; + } + + if (check_signature) { + status = smb2_signing_check_pdu(session-smb2_channel.signing_key, + session-conn-protocol, + recv_iov, 3); + if (!NT_STATUS_IS_OK(status)) { return status; } } -- Samba Shared Repository
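Review bot: the security trade-off here should be spelled out in the comment block rather than left implied: with `conn->mandatory_signing` false, a final session setup response whose SMB2_HDR_FLAG_SIGNED bit is clear is now accepted without any signature verification, so the only configuration that guarantees the check is mandatory signing. The comment "We only check the signature if it's mandatory or SMB2_HDR_FLAG_SIGNED is provided" sits inside the `if (hdr_flags & SMB2_HDR_FLAG_SIGNED)` branch, where only one of the two conditions applies; it reads better above the `check_signature = conn->mandatory_signing;` line. Also, `bool check_signature = true;` from the earlier hunk is overwritten unconditionally here, so that initialiser is dead.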
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ff88694 Give slapd a second to startup via 68a4081 Add an OpenLDAP-specific extended_dn_in module from 4879d08 libcli/smb: only check the SMB2 session setup signature if required and valid http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ff886940272354743cd6eb50717891454d8e5500 Author: Howard Chu h...@symas.com Date: Tue Sep 17 08:19:47 2013 -0700 Give slapd a second to startup Moving the sleep to the beginning of the loop avoids most occurrences of the connection failed message Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com Autobuild-User(master): Nadezhda Ivanova nivan...@samba.org Autobuild-Date(master): Wed Sep 18 07:43:09 CEST 2013 on sn-devel-104 commit 68a4081dd47344651cb4dfdf57247ce8e893a96e Author: Howard Chu h...@symas.com Date: Mon Sep 16 19:51:20 2013 -0700 Add an OpenLDAP-specific extended_dn_in module Don't fix plain DNs before sending them to OpenLDAP Signed-off-by: Howard Chu h...@symas.com Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Nadezhda Ivanova nivan...@symas.com --- Summary of changes: python/samba/provision/backend.py |2 +- source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 25 ++- source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 17 --- 3 files changed, 38 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/provision/backend.py b/python/samba/provision/backend.py index 58aab98..24d8675 100644 --- a/python/samba/provision/backend.py +++ b/python/samba/provision/backend.py @@ -292,6 +292,7 @@ class LDAPBackend(ProvisionBackend): while self.slapd.poll() is None: # Wait until the socket appears try: +time.sleep(1) ldapi_db = Ldb(self.ldap_uri, lp=self.lp, credentials=self.credentials) ldapi_db.search(base=, scope=SCOPE_BASE, expression=(objectClass=OpenLDAProotDSE)) 
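Review bot: the `time.sleep(1)` now sits inside the `try:` block although it is unrelated to the LdbError being caught; placing it just before `try:` keeps the protected region to the LDAP calls and makes the intent (pause, then probe) obvious. With the sleep ahead of the first probe, every provision now waits a full second before the first connection attempt even when slapd is already up, which the subject line accepts; the `self.slapd.poll() is None` loop condition still stops the wait if slapd exits.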
@@ -299,7 +300,6 @@ class LDAPBackend(ProvisionBackend): # the LDAP server! return except LdbError: -time.sleep(1) count = count + 1 if count 15: diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c index 034d22a..df45f75 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c @@ -56,6 +56,9 @@ static const char *wkattr[] = { otherWellKnownObjects, NULL }; + +static const struct ldb_module_ops ldb_extended_dn_in_openldap_module_ops; + /* An extra layer of indirection because LDB does not allow the original request to be altered */ static int extended_final_callback(struct ldb_request *req, struct ldb_reply *ares) @@ -376,7 +379,14 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat has_extended_component = (memchr(tree-u.equality.value.data, '', tree-u.equality.value.length) != NULL); - if (!attribute-one_way_link !has_extended_component) { + /* +* Don't turn it into an extended DN if we're talking to OpenLDAP. +* We just check the module_ops pointer instead of adding a private +* pointer and a boolean to tell us the exact same thing. +*/ + if (!has_extended_component) { + if (!attribute-one_way_link || + ldb_module_get_ops(filter_ctx-module) == ldb_extended_dn_in_openldap_module_ops) return LDB_SUCCESS; } 
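Review bot: in the extended_dn_filter_callback hunk the inner `if (!attribute->one_way_link || ldb_module_get_ops(filter_ctx->module) == &ldb_extended_dn_in_openldap_module_ops)` returns without braces, unlike the outer if and the surrounding code; add braces. The rewrite preserves the original early return for the non-OpenLDAP case (no extended component and not a one-way link) and adds the OpenLDAP short-circuit only when there is no extended component, which matches the comment above it.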
@@ -706,8 +716,21 @@ static const struct ldb_module_ops ldb_extended_dn_in_module_ops = { .rename= extended_dn_in_rename, }; +static const struct ldb_module_ops ldb_extended_dn_in_openldap_module_ops = { + .name = extended_dn_in_openldap, + .search= extended_dn_in_search, + .modify= extended_dn_in_modify, + .del = extended_dn_in_del, + .rename= extended_dn_in_rename, +}; + int ldb_extended_dn_in_module_init(const char *version) { + int ret; LDB_MODULE_CHECK_VERSION(version); + ret = ldb_register_module(ldb_extended_dn_in_openldap_module_ops); + if (ret != LDB_SUCCESS) { + return ret; + } return ldb_register_module(ldb_extended_dn_in_module_ops); } diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c index cde53bc..060a9d7 100644 ---
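Review bot: `ldb_extended_dn_in_openldap_module_ops` duplicates every handler of `ldb_extended_dn_in_module_ops` except `.name`, and the filter callback distinguishes the two only by ops pointer, so a comment on the new table stating that the two must stay in sync (any handler added to one must be added to the other) would prevent the OpenLDAP variant silently diverging. In ldb_extended_dn_in_module_init, if the second ldb_register_module call fails the first registration is left in place; harmless for an init that returns an error anyway, but worth noting in a comment. The samba_dsdb.c diff is cut off at its file header in this listing.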