[Samba] Problem with Classic-Migration and Sernet Samba4 Packages

2013-10-10 Thread Achim Gottinger

Hi,

I'm testing a classic migration from samba3/openldap to samba4 on 
debian wheezy. Last time I did this I used a self-compiled samba4 
installation. I followed the howto and used openldap with a cloned db 
on my new server. Now I try the same with sernet's samba4 packages. But 
sernet-samba-ad already provides the ldap and slapd services and also 
has ldap-server and slapd in Breaks, so installing slapd is not possible.
As a quick workaround I edited /var/lib/dpkg/status and removed 
ldap-server and slapd from the sernet-samba-ad Breaks definitions and 
removed ldap and slapd from the line Provides: in 
/etc/init.d/sernet-samba-ad. Afterwards slapd installed without errors.
Thought I'd post this here, since slapd can also be used as an ldap proxy 
in conjunction with samba4.


achim~

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] /var/lock/samba filling up /run/lock

2013-08-16 Thread Achim Gottinger

On 16.08.2013 17:49, Mark Fox wrote:

A couple of days ago, we noticed the following message appearing in syslog:

Aug 14 15:09:35 zadok smbd[16067]:   tdb(/var/lock/samba/locking.tdb):
expand_file write of 8192 bytes failed (No space left on device)

Had this issue on my debian setup. /run/lock is a tmpfs volume. Its 
size is defined in /etc/defaults/tmpfs on debian. I increased it from 5 
to 50 MiB (LOCK_SIZE=52428800) and have had no issues since.


achim+



Mark




Re: [Samba] [PATCH] Allow dbcheck to fix Rid Set records

2013-08-05 Thread Achim Gottinger

On 05.08.2013 06:52, Andrew Bartlett wrote:
Thank you very much, applied the patch to sernet-samba 4.0.8 sources and 
deployed packages, now
samba-tool dbcheck reported an error but did not break. Afterwards 
samba-tool dbcheck --fix also managed to fix the rid issue.


Achim Gottinger


The attached patch should resolve this issue.  Let me know if it helps.

Thanks,

Andrew Bartlett





Re: [Samba] Error running samba-tool dbtool --reset-well-known-acls

2013-08-02 Thread Achim Gottinger

On 28.07.2013 16:14, Achim Gottinger wrote:

Hi,

I updated my two samba DCs from 4.0.3 to sernet 4.0.7. Both servers 
run debian wheezy and the AD was created at the beginning of the year 
with a classic upgrade to version 4.0.0.
Recent release notes do not provide information about required upgrade 
tasks. So I ran
samba-tool dbcheck --reset-well-known-acls. On the first DC it found a 
few errors about missing members in computer groups which were fixable 
with samba-tool dbcheck --reset-well-known-acls --fix.

On my second DC however one issue remains.

samba-tool dbcheck --reset-well-known-acls
Checking 336 objects
Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local

Please use --fix to fix these errors
Checked 336 objects (1 errors)

samba-tool dbcheck --reset-well-known-acls --fix
Checking 336 objects
Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local? [y/N/all/none] y
Failed to fix attribute nTSecurityDescriptor : (65, 
objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on 
entry 'CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' 
wasn't specified!)

Checked 336 objects (1 errors)


This is the global section of my smb.conf on DC1. Only netbios name 
and dns forwarder are different on DC2.



# Global parameters
[global]
workgroup = DOMAIN
realm = domain.local
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.200
idmap_ldb:use rfc2307 = yes
log level = 1
strict allocate = yes
acl:read=false
template shell = /bin/bash
wins support = Yes
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5

ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no

I connected to both DC's with ADSI and checked rIDNextRID

DC1:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local = 6247
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local = 0

DC2:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local = not 
defined (German: Nicht Festgelegt)

CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local = 6714

Unfortunately I was not able to change that attribute from undefined 
to 0 on DC2. I want to avoid editing ldb files by guess so I'd 
appreciate suggestions.


Thanks in advance
achim

Hi again,
So far this error does not seem to cause any trouble in the domain. DC1 
is my rid master.

When I try to move the rid role to DC2 I get the following error:

samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify 
message must have elements/attributes!


Afterwards the role is assigned to DC2 in samba-tool fsmo show.
I get the same error when I try to move the role back to DC1.

Does anyone have a clue what is going wrong here?

Thanks in advance,
Achim





Re: [Samba] Error running samba-tool dbtool --reset-well-known-acls

2013-08-02 Thread Achim Gottinger

On 02.08.2013 18:08, Achim Gottinger wrote:

On 28.07.2013 16:14, Achim Gottinger wrote:

Hi,

I updated my two samba DCs from 4.0.3 to sernet 4.0.7. Both servers 
run debian wheezy and the AD was created at the beginning of the 
year with a classic upgrade to version 4.0.0.
Recent release notes do not provide information about required 
upgrade tasks. So I ran
samba-tool dbcheck --reset-well-known-acls. On the first DC it found 
a few errors about missing members in computer groups which were 
fixable with samba-tool dbcheck --reset-well-known-acls --fix.

On my second DC however one issue remains.

samba-tool dbcheck --reset-well-known-acls
Checking 336 objects
Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local

Please use --fix to fix these errors
Checked 336 objects (1 errors)

samba-tool dbcheck --reset-well-known-acls --fix
Checking 336 objects
Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local? [y/N/all/none] y
Failed to fix attribute nTSecurityDescriptor : (65, 
objectclass_attrs: at least one mandatory attribute ('rIDNextRID') 
on entry 'CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' 
wasn't specified!)

Checked 336 objects (1 errors)


This is the global section of my smb.conf on DC1. Only netbios name 
and dns forwarder are different on DC2.



# Global parameters
[global]
workgroup = DOMAIN
realm = domain.local
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.200
idmap_ldb:use rfc2307 = yes
log level = 1
strict allocate = yes
acl:read=false
template shell = /bin/bash
wins support = Yes
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5

ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no

I connected to both DC's with ADSI and checked rIDNextRID

DC1:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local = 6247
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local = 0

DC2:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local = not 
defined (German: Nicht Festgelegt)

CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local = 6714

Unfortunately I was not able to change that attribute from undefined 
to 0 on DC2. I want to avoid editing ldb files by guess so I'd 
appreciate suggestions.


Thanks in advance
achim

Hi again,
So far this error does not seem to cause any trouble in the domain. 
DC1 is my rid master.

When I try to move the rid role to DC2 I get the following error:

samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: 
modify message must have elements/attributes!


Afterwards the role is assigned to DC2 in samba-tool fsmo show.
I get the same error when I try to move the role back to DC1.

Does anyone have a clue what is going wrong here?

Thanks in advance,
Achim

OK, seize was not a good choice. Tried 
samba-tool fsmo transfer --role=rid instead, which works without errors, 
but it does not fix the rIDNextRID issue.




Re: [Samba] Cleanup CN=Deleted Objects, DC=DomainDnsZones, DC=domain, DC=local

2013-07-28 Thread Achim Gottinger

On 25.07.2013 17:32, Achim Gottinger wrote:

On 25.07.2013 16:57, Achim Gottinger wrote:

Hi,

Due to a not so well coded dns update script my 
/var/lib/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb 
db now consumes ~500MB.

So I decided to delete all the outdated records.
I prepared a list of all the DNs with Base 
DC=DomainDnsZones,DC=domain,DC=local and Attribute isDeleted=TRUE.
There are about 8 outdated entries which I plan to delete. If I 
loop over each line in my list and run ldbdel -H 
DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb [DN] it takes about a 
second for each entry so it would take about 22h to delete them all. 
Is there a way I can speed things up?


Thanks in advance
achim~


Found a faster solution using ldbmodify so never mind.

Well, it turned out that removing all these deleted dns records via 
ldbmodify on my two AD DCs results in an inconsistent dns database. 
This means I cannot delete records via samba-tool or the windows DNS server gui. 
After the deletion and a tdbbackup of the ldb file it had shrunk to 
~1MB. I assume I have to wait now till these old entries expire.




[Samba] Error running samba-tool dbtool --reset-well-known-acls

2013-07-28 Thread Achim Gottinger

Hi,

I updated my two samba DCs from 4.0.3 to sernet 4.0.7. Both servers run 
debian wheezy and the AD was created at the beginning of the year with 
a classic upgrade to version 4.0.0.
Recent release notes do not provide information about required upgrade 
tasks. So I ran
samba-tool dbcheck --reset-well-known-acls. On the first DC it found a 
few errors about missing members in computer groups which were fixable 
with samba-tool dbcheck --reset-well-known-acls --fix.

On my second DC however one issue remains.

samba-tool dbcheck --reset-well-known-acls
Checking 336 objects
Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local

Please use --fix to fix these errors
Checked 336 objects (1 errors)

samba-tool dbcheck --reset-well-known-acls --fix
Checking 336 objects
Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
Controllers,DC=domain,DC=local? [y/N/all/none] y
Failed to fix attribute nTSecurityDescriptor : (65, objectclass_attrs: 
at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID 
Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't specified!)

Checked 336 objects (1 errors)


This is the global section of my smb.conf on DC1. Only netbios name and 
dns forwarder are different on DC2.



# Global parameters
[global]
workgroup = DOMAIN
realm = domain.local
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.200.200
idmap_ldb:use rfc2307 = yes
log level = 1
strict allocate = yes
acl:read=false
template shell = /bin/bash
wins support = Yes
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5

ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no

I connected to both DC's with ADSI and checked rIDNextRID

DC1:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local = 6247
CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local = 0

DC2:
CN=RID Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local = not 
defined (German: Nicht Festgelegt)

CN=RID Set,CN=DC2,OU=Domain Controllers,DC=domain,DC=local = 6714

Unfortunately I was not able to change that attribute from undefined to 
0 on DC2. I want to avoid editing ldb files by guess so I'd appreciate 
suggestions.


Thanks in advance
achim~






[Samba] Cleanup CN=Deleted Objects, DC=DomainDnsZones, DC=domain, DC=local

2013-07-25 Thread Achim Gottinger

Hi,

Due to a not so well coded dns update script my 
/var/lib/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb db 
now consumes ~500MB.

So I decided to delete all the outdated records.
I prepared a list of all the DNs with Base 
DC=DomainDnsZones,DC=domain,DC=local and Attribute isDeleted=TRUE.
There are about 8 outdated entries which I plan to delete. If I loop 
over each line in my list and run ldbdel -H 
DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb [DN] it takes about a second 
for each entry so it would take about 22h to delete them all. Is there a 
way I can speed things up?


Thanks in advance
achim~



Re: [Samba] Cleanup CN=Deleted Objects, DC=DomainDnsZones, DC=domain, DC=local

2013-07-25 Thread Achim Gottinger

On 25.07.2013 16:57, Achim Gottinger wrote:

Hi,

Due to a not so well coded dns update script my 
/var/lib/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb 
db now consumes ~500MB.

So I decided to delete all the outdated records.
I prepared a list of all the DNs with Base 
DC=DomainDnsZones,DC=domain,DC=local and Attribute isDeleted=TRUE.
There are about 8 outdated entries which I plan to delete. If I 
loop over each line in my list and run ldbdel -H 
DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb [DN] it takes about a second 
for each entry so it would take about 22h to delete them all. Is there 
a way I can speed things up?


Thanks in advance
achim~


Found a faster solution using ldbmodify so never mind.


[Samba] Samba 4.0.7 sysvolcheck issue

2013-07-24 Thread Achim Gottinger

Hi,

Today I upgraded a samba4 instance from self-built 4.0.3 to sernet's 
4.0.7 on a debian wheezy server. So far no issues because I had used 
LSB-conformant var paths. I can log in with a domain account, browse shares, 
connect printers and so on. samba-tool dbcheck passed without errors.
However when I tried to run samba-tool sysvolcheck I first ran into 
https://bugzilla.samba.org/show_bug.cgi?id=9202. So I ran sysvolreset 
and now I'm getting this issue 
https://bugzilla.samba.org/show_bug.cgi?id=9483.
(I did a classicupgrade at the beginning of the year.) Is there a way 
to fix this manually, by editing idmap.ldb and fixing a few permissions 
on shares maybe?


Thanks in advance
achim~




Re: [Samba] Samba4 AD and mail auth

2013-06-28 Thread Achim Gottinger

On 28.06.2013 10:31, Carsten Laun-De Lellis wrote:

Hi list

Does anyone have experience in setting up dovecot or any other mail
system with user auth against a Samba4 AD? If yes could I get some
advice on that topic or even a link to a resource where I can get some
information. Googled a lot but didn't find something yet.

Thankx in advance.

I did it with dovecot/postfix on debian wheezy, there is a lot more info 
if you look for dovecot setup against Microsoft AD.

First create a user for ldap queries:

samba-tool user add ldap [password]

Configure dovecot passdb against Samba4 AD, add or change this in your 
dovecot.conf or auth-ldap-conf.ext (on wheezy)


# Authentication for LDAP users

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}

Create /etc/dovecot/dovecot-ldap-passdb.conf.ext; you may have to use 
sAMAccountName instead of cn for auth_bind_userdn and pass_filter. On my 
side these are identical because I migrated from samba3/openldap. The filter 
looks for person classes with a matching cn and an existing mail attribute.


hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local
ldap_version = 3

base = cn=Users,dc=yourdomain,dc=local
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

Use different ldap settings for other user lookups, this goes again into 
dovecot.conf


# Users
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

Create /etc/dovecot/dovecot-ldap-userdb.conf.ext, again you may have to 
change cn to sAMAccountName in user_filter and iterate_attrs. On my side I 
use one system user vmail (uid:999, gid:999) for all maildirs and those 
are stored under /var/lib/vmail. With such a setup attributes like 
uidNumber and gidNumber are not required for every user entry in ldap so 
I can hardcode all necessary userdb lookup variables.
I use /var/lib/vmail/[cn] as the dovecot user homedir (for things like 
sieve settings etc.) and /var/lib/vmail/[cn]/mail for the maildir.


hosts = localhost
dn = cn=ldap,cn=Users,DC=yourdomain,DC=local
dnpass = [password]
ldap_version = 3
base = cn=Users,DC=yourdomain,DC=local

user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,=mail=/var/lib/vmail/%u/mail

user_filter = (&(objectClass=person)(cn=%u)(mail=*))

# Attributes and filter to get a list of all users
iterate_attrs = cn=user
iterate_filter = (objectClass=person)

For reference these are my maildir settings in dovecot.conf (10-mail.conf 
on wheezy).


## Maildir locations and settings

mail_plugins = acl
mail_home = /var/lib/vmail/%u
mail_location = maildir:/var/lib/vmail/%u/mail
mail_uid = 999
mail_gid = 999

first_valid_uid = 999
first_valid_gid = 999

#mail_full_filesystem_access = no
mail_shared_explicit_inbox = no
maildir_very_dirty_syncs = yes

namespace {
  list = no
  location = maildir:/var/lib/vmail/%%u/mail:INDEX=/var/lib/vmail/%u/mail/shared/%%u

  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}

namespace inbox {
  inbox = yes
  location = maildir:/var/lib/vmail/%u/mail
  prefix =
  separator = /
  type = private
}

If you want to use kerberos with dovecot (works well with thunderbird on 
domain member workstations) you have to create an spn and a keytab.


samba-tool spn add imap/server.yourdomain.local@YOURDOMAIN.LOCAL ldap

I had trouble with the keytab but this worked so far (use the ldap user's 
password if asked).


cd /etc/dovecot
ktutil
addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
wkt dovecot.keytab

If you use dovecot for postfix authentication as well:

samba-tool spn add smtp/server.yourdomain.local@YOURDOMAIN.LOCAL ldap

cd /etc/dovecot
ktutil
addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
addent -password -p smtp/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
wkt dovecot.keytab

The necessary settings in dovecot.conf (10-auth.conf on wheezy) are below. The 
only way I got it working was with auth_gssapi_hostname = $ALL, which 
may be a bit insecure.


auth_mechanisms = plain login gssapi

# Kerberos
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab


Hope that helps.

achim~
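
Added example (not part of the original message, and not Dovecot or Samba code): a small Python check of the filter syntax used for pass_filter and user_filter above. A list of parenthesised tests needs a leading operator such as & (RFC 4515), and a name substituted for %u, for instance an RSAT-style CN containing parentheses, must have its special characters escaped. The function names are hypothetical and the parser covers only a subset of RFC 4515.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# attr, match operator (=, ~=, <=, >=), value
ITEM = re.compile(r"([A-Za-z][A-Za-z0-9;.-]*)([~<>]?=)(.*)", re.DOTALL)

# Constructed sample templates: the first is well formed, the second has
# no operator in front of its three tests and is not a valid filter.
PASS_FILTER = "(&(objectClass=person)(cn=%u)(mail=*))"
BROKEN_FILTER = "((objectClass=person)(cn=%u)(mail=*))"


class FilterError(ValueError):
    """Raised when a filter string is not well formed."""


def escape_value(value):
    """Escape a string so it is safe to place inside a filter value."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def _parse(text, pos):
    if text[pos:pos + 1] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos:pos + 1]
    if op == "(":
        raise FilterError(f"missing &, | or ! before nested test at offset {pos}")
    if op and op in "&|!":
        pos += 1
        children = []
        while text[pos:pos + 1] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children:
            raise FilterError(f"operator {op!r} has no operands")
        if op == "!" and len(children) != 1:
            raise FilterError("'!' takes exactly one operand")
        if text[pos:pos + 1] != ")":
            raise FilterError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    # Simple test: scan to the closing parenthesis; a raw '(' or ')' can
    # never be part of a value because both must be escaped.
    end = pos
    while end < len(text) and text[end] not in "()":
        end += 1
    if text[end:end + 1] != ")":
        raise FilterError(f"unterminated or unescaped test at offset {pos}")
    match = ITEM.fullmatch(text[pos:end])
    if not match:
        raise FilterError(f"bad test {text[pos:end]!r}")
    return ("item", match.group(1), match.group(2), match.group(3)), end + 1


def parse_filter(text):
    """Parse a filter into a nested tuple tree, or raise FilterError."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing data at offset {pos}")
    return node


def leaves(node):
    """Return the (attribute, value) pairs of all simple tests, in order."""
    if node[0] == "item":
        return [(node[1], node[3])]
    return [pair for child in node[1] for pair in leaves(child)]


def expand_filter(template, username):
    """Validate the template, substitute the escaped name for %u, re-validate."""
    parse_filter(template)
    expanded = template.replace("%u", escape_value(username))
    parse_filter(expanded)
    return expanded


if __name__ == "__main__":
    print(expand_filter(PASS_FILTER, "Jane Doe (IT)"))
    try:
        parse_filter(BROKEN_FILTER)
    except FilterError as exc:
        print("rejected:", exc)
```
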






Re: [Samba] Samba4 AD and mail auth

2013-06-28 Thread Achim Gottinger

On 28.06.2013 13:24, Carsten Laun-De Lellis wrote:


Hi Achim

First of all thankx for your input.

The way you set it up was the way I did it. But when I go through your 
ldap configuration it doesn't really solve my problem or, maybe more 
likely, I don't understand it.


For Auth I want my users to connect to dovecot with user/Password 
token. In your config I can't see where you match the Password to the 
AD Password.


For authentication dovecot uses what is configured in passdb. In the 
corresponding ldap config you can see it uses auth_bind=yes and 
auth_bind_userdn defines the dn used to auth against samba4 ldap.
As said on my side cn is identical with sAMAccountName, if it's not on 
your side you may have to use cn/Password instead of 
sAMAccountName/Password.


Maybe I wasn't specific enough about what I want to do. Or I don't 
understand where you match against the user password. And again there 
is a good chance that the problem is myself. (crying)


Thankx again.

---

Kind regards

Carsten Laun-De Lellis

Hauptstrasse 13
D-67705 Trippstadt

Phone: +49 6306 992140
Fax: +49 6306 992142
Mobile: +49 151 27530865
email: carsten.delel...@delellis.net 
mailto:carsten.delel...@delellis.net


http://www.linkedin.com/in/carstenlaundelellis

On 2013-06-28 13:13, Achim Gottinger wrote:


On 28.06.2013 10:31, Carsten Laun-De Lellis wrote:
Hi list Does anyone have experience in setting up dovecot or any 
other mail system with user auth against a Samba4 AD? If yes could 
I get some advice on that topic or even a link to a resource where 
I can get some information. Googled a lot but didn't find something 
yet. Thankx in advance.

I did it with dovecot/postfix on debian wheezy, there is a lot more info
if you look for dovecot setup against Microsoft AD.


First create a user for ldap queries:

  samba-tool user add ldap [password]

Configure dovecot passdb against Samba4 AD, add or change this in your
dovecot.conf or auth-ldap-conf.ext (on wheezy)

# Authentication for LDAP users

passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}

Create /etc/dovecot/dovecot-ldap-passdb.conf.ext; you may have to use
sAMAccountName instead of cn for auth_bind_userdn and pass_filter. On my
side these are identical because I migrated from samba3/openldap. The filter
looks for person classes with a matching cn and an existing mail attribute.

hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local
ldap_version = 3

base = cn=Users,dc=yourdomain,dc=local
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))





Re: [Samba] Successful Mail Delivery Report

2013-06-28 Thread Achim Gottinger

On 28.06.2013 13:28, Carsten Laun-De Lellis wrote:
  


Sorry Achim

I didn't want to be rude, but I forgot to answer on your last
Suggestion.

Using Kerberos is not really an Option for me, because I want to use
smartphones as well with no Thunderbird and no Domain Membership.

Regards,


If you add gssapi to auth_mechanisms, kerberos is just another option 
for authentication, I use it with smartphones and plain auth as well.


To clarify the dn issue, if you create your users with RSAT on windows 
the dn usually looks like
CN=[Firstname] [Surname],CN=Users,DC=yourdomain,DC=local so in that case 
you will have to use [Firstname] [Surname] instead of 
user (sAMAccountName) as the username.





Re: [Samba] There are no currently logon servers available when mappingwith net use

2013-03-19 Thread Achim Gottinger

On my side vb-scripts work more reliably

http://www.tek-tips.com/faqs.cfm?fid=5798


On 19.03.2013 16:32, Marcio Oli wrote:

  Anybody else? Any suggestion?


Yours truly,
Marcio Oliveira



2013/3/18 Marcio Oli marcio.oli...@gmail.com


Hi TMason, Jim and Daniel. I don't know what more to do.

Follow the informations to all you help me if possible.

1)
..
PDC, BDC and domain member have the same version of linux, but just the
domain member has a different version of samba.

pdc
Linux 2.6.32-220.17.1.el6.x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Samba: Version 3.5.10-116.el6_2


bdc
Linux 2.6.32-220.17.1.el6.x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Samba: Version 3.5.10-116.el6_2


member of domain
Linux 2.6.32-220.17.1.el6.x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Samba: Version 3.5.6-86.el6_1.4

2)
..
- About windows registry (client windows7 professional) and gpedit.msc, I
altered these ones:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
DomainCompatibilityMode=dword:0001
DNSNameResolutionRequired=dword:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
SlowLinkDetectEnabled=dword:
DeleteRoamingCache=dword:0001
WaitForNetwork=dword:0050
CompatibleRUPSecurity=dword:0001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\System]
SlowLinkDetectEnabled=dword:
DeleteRoamingCache=dword:0001
WaitForNetwork=dword:0050
CompatibleRUPSecurity=dword:0001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
SyncForegroundPolicy=dword:0001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows
NT\CurrentVersion\Winlogon]
SyncForegroundPolicy=dword:0001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
NT\CurrentVersion\Winlogon]
SyncForegroundPolicy=dword:0001

[HotKeyLocalMachine\System\CurrentControlSet\Services\Netlogon\Parameters]
DWORD RequireSignOrSeal = 1
DWORD RequireStrongKey = 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
“RunLogonScriptSync”=dword:0001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters]
ExpectedDialupDelay=dword:001e
NegativeCachePeriod=dword:00014a78


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
MaxPacketSize=dword:0001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
DisableDHCPMediaSense=dword:0001

3)
..
- Dfs and dfs proxy are with default values of samba.

4)
..
Yes, I use wins. My wins server is the PDC.

5)
..

Look at the authentication of your member server, does the server
authenticate right against your PDC/BDC?

So, how do I verify this?

6)
..
Sometimes, but not always, at user's log of samba appears (on the logon
moment):

# tail -f log.marcio.oliveira

[2013/03/15 19:14:11.779186,  1] smbd/service.c:1070(make_connection_snum)
   pgt019874 (:::10.0.3.16) connect to service netlogon initially as
user marcio.oliveira (uid=0, gid=1001) (pid 10342)
[2013/03/15 19:14:13.073811,  0]
passdb/pdb_ldap.c:4642(ldapuser2displayentry)
   sid S-1-5-21-4007841154-2593654838-2170425582-2998 does not belong to
our domain
[2013/03/15 19:15:06.379204,  1] smbd/service.c:1251(close_cnum)
   pgt019874 (:::10.0.3.16) closed connection to service netlogon


Thanks,
Marcio Oliveira



2013/3/18 Daniel Müller muel...@tropenklinik.de


Look at the authentication of your member server, does the server
authenticate right against your PDC/BDC? Which version of
Samba? what about using dfs or dfs proxy on your PDC/BDC to map the share?
Do you use WINS?

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Jim Potter
Sent: Sunday, 17 March 2013 21:33
To: c.koe...@live.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] There are no currently logon 

Re: [Samba] Samba4 AD delegation to read userPassword attribute

2013-01-15 Thread Achim Gottinger

Running the environment you described (beside openchange). I guess you need

 acl:read=false

in your smb.conf.

achim~

On 14.01.2013 23:29, Christian Hailer wrote:

Hello Samba group,

I ran into a problem concerning Dovecot LDAP authentication to the Samba4 
Active Directory.

Background: I want to install a Openchange+Samba4 environment using Sogo, 
Dovecot and Postfix. I didn't want to use openldap as described in the 
Openchange documentation, why should I use 2 LDAP databases?

Fedora 17, latest updates applied
Samba: Version 4.1.0pre1-GIT-813bd03
dovecot-2.1.10-4.fc17.i686

At first I tried to use the auth_bind method of Dovecot, but very soon I 
realized (via tcpdump) that you first have to authenticate to Samba4:

...
searchResDone
resultCode: operationsError (1)
matchedDN:
Operation unavailable without authentication
...

I defined the  properties in dovecot-ldap.conf like this:

---
uris = ldaps://192.168.0.1:636
dn = cn=ldap,ou=USER,dc=example,dc=de
dnpass = somepassword

base = dc=example,dc=de
scope = subtree
deref = never

user_attrs = sAMAccountName=uid,primaryGroupID=gid
user_filter = (sAMAccountName=%u)

pass_attrs = mail=user,userPassword=password
pass_filter = (sAMAccountName=%u)
---

So trying to authenticate to Dovecot with a telnet connection


telnet localhost 143

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
STARTTLS AUTH=PLAIN] Dovecot ready.
1 login someuser somepassword

results in the error message result: mail=someu...@example.de; userPassword 
missing

A tcpdump shows the following searchRequest:

---
Lightweight Directory Access Protocol
   LDAPMessage searchRequest(2) dc=example,dc=de wholeSubtree
   ...
   Filter: (sAMAccountName=someuser)
 filter: equalityMatch (3)
  equalityMatch
attributeDesc: sAMAccountName
assertionValue: someuser
   attributes: 2 items
 AttributeDescription: mail
 AttributeDescription: userPassword
---

As a result I get:

---
Lightweight Directory Access Protocol
   LDAPMessage searchResEntry(2) CN=someuser, OU=USER,DC=example,DC=de [1 
result]
   ...
   searchResEntry
 objectName: CN=someuser, OU=USER,DC=example,DC=de
 attributes: 1 item
   PartialAttributeList item mail
 type: mail
 vals: 1 item
   AttributeValue: someu...@exchange.de
---

So unfortunately the userPassword attribute is missing. Now, I remembered the 
Control Delegation Wizard from Microsoft AD where you have to delegate permission to 
read all user properties to a user account in order to be able to authenticate i.e. pam_ldap users 
on a linux server.

I delegated the appropriate permissions to the ldap user used in dovecot-ldap.conf above, but the 
behaviour did not change, the userPassword attribute won't be delivered to the ldap 
user.

Is anybody out there who ran into the same problem?

Best regards, Christian



Re: [Samba] Samba4 AD delegation to read userPassword attribute

2013-01-15 Thread Achim Gottinger

On 15.01.2013 20:02, Christian Hailer wrote:

Hi Achim,

thank you for this information! Unfortunately it doesn't work in my environment, the 
userPassword attribute still can't be read by the ldap user...
I tried to bind with the domain administrator account, there it doesn't work 
too.

Would it be possible for you to post your dovecot.conf, dovecot-ldap.conf and 
smb.conf files? Maybe I made a  mistake somewhere...
I use different configs for passdb and userdb for Dovecot. Dovecot 
stores all mail's as user vmail.vmail(999:999) in 
/var/lib/vmail/[username]/mail here so you might have to modify the 
user_attrs mappings.
With these separate config for userdb and passdb, auth_bind works for 
passdb and pass_attrs are not necessary.


dovecot-ldap.conf

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

dovecot-ldap-passdb.conf.ext
---
hosts = localhost
# Dovecot binds as the user to verify the password, so no pass_attrs are needed
auth_bind = yes
auth_bind_userdn = cn=%u,cn=Users,dc=example,dc=de
ldap_version = 3
base = cn=Users,dc=example,dc=de
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
---

dovecot-ldap-userdb.conf.ext
---
hosts = localhost
# Account used for the user lookups
dn = cn=ldap,cn=Users,dc=example,dc=de
dnpass = password
ldap_version = 3
base = cn=Users,dc=example,dc=de
# Static values: all mail is stored as vmail (999:999)
user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,=mail=/var/lib/vmail/%u/mail
user_filter = (&(objectClass=person)(cn=%u)(mail=*))

# Attributes and filter to get a list of all users
iterate_attrs = cn=user
iterate_filter = (objectClass=person)
---



Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS

2013-01-01 Thread Achim Gottinger
  389 server-site1.gsg.local

_ldap._tcp.[DOMAIN ID].domains SRV 0 100  389 server-site1.gsg.local
_ldap._tcp.[DOMAIN ID].domains SRV 0 100  389 server-site2.gsg.local

_kerberos._tcp.Default-First-Site-Name._sites.dc SRV 0 100   88 server-site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc SRV 0 100   88 server-site2.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.dc SRV 0 100  389 server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.dc SRV 0 100  389 server-site2.gsg.local


_ldap._tcp.Default-First-Site-Name._sites.gc SRV 0 100 3268 server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc SRV 0 100 3268 server-site2.gsg.local


_kerberos._tcp.site1._sites.dc SRV 0 100   88 server-site1.gsg.local
_ldap._tcp.site1._sites.dc SRV 0 100  389 server-site1.gsg.local

_ldap._tcp.site1.gc SRV 0 100 3268 server-site1.gsg.local

_kerberos._tcp.site2._sites.dc SRV 0 100   88 server-site2.gsg.local
_ldap._tcp.site2._sites.dc SRV 0 100  389 server-site2.gsg.local

_ldap._tcp.site2.gc SRV 0 100 3268 server-site2.gsg.local


The LDAP tree has no occurrence of Default-First-Site-Name now. In DNS 
the records for Default-First-Site-Name still point to both servers. In 
addition the necessary records for site1 are there and point only to 
server-site1.
I also created the subnets for both sites and assigned them in the AD 
Location and Services Snapin. Should there be an entry for those in LDAP?
After each step I performed I saved the output of ldapsearch -b 
DC=gsg,DC=local (after kinit Administrator). In there I cannot find 
any references for the site subnets.
Tried to assign subnet1 to site2 and vice versa and the clients all 
picked the servers from the other site, so it seems to be used to assign 
clients to the sites.


4. Try to remove all site dependent entries.

Because it seemed those entries below _sites are not used and the 
assignment happens based on the site subnets I tried to delete all the 
service records below _sites. After restarting both servers 
Default-First-Site-Name has now completely disappeared from DNS.

There is no replacement for these two records now.

_ldap._tcp.Default-First-Site-Name._site.DomainDnsZones SRV 0 100  389 server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._site.ForestDnsZones SRV 0 100  389 server-site1.gsg.local


Only those two records remained

_ldap._tcp.DomainDnsZones SRV 0 100 389 server-site1.gsg.local
_ldap._tcp.ForestDnsZones SRV 0 100 389 server-site1.gsg.local

Finally I joined another server in subnet1 to the domain. It added its 
records to site1._sites and did not create Default-First-Site-Name again.


Enough testing for the 1st ;-) , happy new year.

Achim Gottinger



Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS

2013-01-01 Thread Achim Gottinger

On 30.12.2012 02:03, Andrew Bartlett wrote:

On Sat, 2012-12-29 at 13:38 +0100, Achim Gottinger wrote:

_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local

So there are no more (visible) entries left in

Default-First-Site-Name._sites.gsg.local
Default-First-Site-Name._sites.gc._msdcs.gsg.local
Default-First-Site-Name._sites.dc._msdcs.gsg.local

But the structure remains and cannot be deleted (things like
_tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to
work at both sites but I'm curious if these leftovers can be completely
removed.
As you have noticed, we are very good at adding DNS records, but never
remove the old ones.  What you have done seems reasonable, if you have
renamed the site, removing the remaining DNS references seems entirely
reasonable.

Please file a bug about the left-behind DNS stuff, we really should
clean that up.

Andrew Bartlett



Well after some time and samba restarts the leftover structure elements 
had disappeared.
Had to remove two records with samba-tool because they could not be 
accessed from the MS DNS Snapin.


samba-tool dns delete localhost gsg.local \
  _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.gsg.local SRV \
  'server-site1.gsg.local. 389 0 100'
samba-tool dns delete localhost gsg.local \
  _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.gsg.local SRV \
  'server-site1.gsg.local. 389 0 100'


Afterwards all appearances of Default-First-Site-Name disappeared.

There remains however still an issue with the site dependent SRV records 
on a server. If a server is moved to another site or a site gets 
renamed, the old SRV records for that server/site remain.


Achim Gottinger




Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS

2012-12-30 Thread Achim Gottinger

As you have noticed, we are very good at adding DNS records, but never
remove the old ones.  What you have done seems reasonable, if you have
renamed the site, removing the remaining DNS references seems entirely
reasonable.

Please file a bug about the left-behind DNS stuff, we really should
clean that up.

Andrew Bartlett


There is this menu option cleanup old resource entries in the DNS snap-in, 
guess it's normal AD behaviour.  :-)
This does not yet work against a Samba4 AD DC. But I'll file a bug report.

I'm not 100% sure that we implement everything that is needed for a 
client to pickup the correct site, so you might see some issues still. 

It had happened in very seldom cases with the samba3/bind/openldap before. In 
the Samba4 test environment it happened only once after I had removed the 
mentioned SRV records pointing to site2's dc in site1 folders. I'll report back 
if it happens on a regular basis.
As a last step I renamed the site Default-First-Site-Name into 
site1. Restarted the samba services at both sites, checked 
replication. But there are still a few DNS entries left which I 
deleted manually. 
It's really not a good idea to delete rename the default-First site 
lots of Windows admins don't advise to do so, you'd better leave it 
empty. Matthieu 


So to be on the safe side you recommend I create two new sites and assign the 
two servers to them, leaving Default-First-Site-Name with on assigned server.
I thought it is safer to leave the first server in that default site because I 
had read the sites thing is a work in progress. Renaming it was something I did 
after a bit of online research which mentioned it is safe and not forbidden. 
Beside that now empty structure elements in dns the test environment is still 
work functional.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2afc3cf5-7389-4368-bdeb-887e60c0081f

Beside all that for me samba4 is a great step forward and will simplify things 
a lot compared to the previous samba3/bind/openldap solution.

Achim Gottinger



[Samba] Samba 4 AD DC builtin DNS / samba-tool dns add reverse zone entries / DNS Remote Management on an Win2kR2 Server

2012-12-29 Thread Achim Gottinger

Hi,

By accident I did something like this via a script to populate a 
reverse zone.


~# samba-tool dns add server 200.168.192.in-addr.arpa 1.1 PTR test.gsg.local

And indeed that record was added successfully and even showed up on the 
DNS Remote Management on a Win2kR2 Server like this

192.168.200.1.1PTR test.gsg.local

Good thing the record can be deleted but I guess it should not be 
possible to create such a record.


Beside that the DNS Remote Management shows a lot of grey folders labelled 
with machine names on Forward Lookup Zones. Folders like _sites, 
ForestZones, DnsZones are also affected. Is this normal behaviour or 
should I be concerned about this?


Thanks in advance
Achim Gottinger
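
The malformed owner name from this post (1.1 inside a /24 reverse zone) can be caught before a script hands it to samba-tool. The following is an added example, not part of the original post or of Samba; the function names ptr_owner_to_ip and split_ptr_batch and the host host10.gsg.local are hypothetical.

```python
import ipaddress

ARPA_SUFFIX = ".in-addr.arpa"


def _octets(labels, what):
    """Reject labels that are not plain decimal octets (0-255, no leading zeros)."""
    for label in labels:
        ok = label.isascii() and label.isdigit()
        if not ok or (len(label) > 1 and label[0] == "0") or int(label) > 255:
            raise ValueError(f"{what}: label {label!r} is not an IPv4 octet")
    return labels


def ptr_owner_to_ip(zone, name):
    """Map a PTR owner name in an in-addr.arpa zone to its IPv4 address.

    Raises ValueError when zone + name do not form exactly four octets,
    which is the case for name '1.1' in zone '200.168.192.in-addr.arpa'.
    """
    zone = zone.rstrip(".").lower()
    if not zone.endswith(ARPA_SUFFIX):
        raise ValueError(f"{zone!r} is not an in-addr.arpa zone")
    zone_labels = _octets(zone[: -len(ARPA_SUFFIX)].split("."), "zone")

    name = name.rstrip(".").lower()
    # Accept a fully qualified owner name by stripping the zone suffix.
    if name.endswith("." + zone):
        name = name[: -len(zone) - 1]
    name_labels = _octets(name.split("."), "name")

    if len(name_labels) + len(zone_labels) != 4:
        raise ValueError(
            f"{name!r} in {zone!r} gives {len(name_labels) + len(zone_labels)} "
            "octets, an IPv4 address needs exactly 4"
        )
    # in-addr.arpa stores the octets least-significant first.
    return ipaddress.IPv4Address(".".join(reversed(name_labels + zone_labels)))


def split_ptr_batch(zone, entries):
    """Split (name, target) pairs into accepted and rejected lists."""
    accepted, rejected = [], []
    for name, target in entries:
        try:
            accepted.append((name, ptr_owner_to_ip(zone, name), target))
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed batch: the first two entries mirror the post, the rest are made up.
ZONE = "200.168.192.in-addr.arpa"
BATCH = [
    ("1", "test.gsg.local"),
    ("1.1", "test.gsg.local"),
    ("10.200.168.192.in-addr.arpa.", "host10.gsg.local"),
    ("256", "test.gsg.local"),
    ("01", "test.gsg.local"),
]

if __name__ == "__main__":
    good, bad = split_ptr_batch(ZONE, BATCH)
    for name, ip, target in good:
        print(f"ok      {name:32} -> {ip} PTR {target}")
    for name, reason in bad:
        print(f"reject  {name:32} {reason}")
```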



[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS

2012-12-29 Thread Achim Gottinger

Hello,

I'm running a few tests here with two locations.

site1: server-site1.gsg.local subnet 192.168.200.0/24
site2: server-site2.gsg.local subnet 192.168.190.0/24

both are connected via VPN.

I migrated a samba3 domain at server-site1, it gets 
Default-First-Site-Name assigned. Then I joined the new samba4 domain 
with server-site2. Both servers work and I can join and access them 
with clients at both locations. I created reverse zones for both subnets 
and added the required static entries.
Then I created a new site (name site2) and two subnets with MS AD Site 
Management. I assigned subnet 192.168.200.0/24 to the site 
Default-First-Site-Name and subnet 192.168.190.0/24 to the site 
site2, and moved server-site2 from Default-First-Site-Name to site2.
Machines at site1 randomly picked server-site2 for logins. On site2 they 
always picked server-site2.


So I deleted a few DNS records.

_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local

_kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local

_gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local

_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site2.gsg.local


And after a samba restart also

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local

_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local

Afterwards machines at site1 also chose server-site1 most of the time. 
Hope I can optimize the behaviour of logon server choosing a bit more but 
it happened really seldom and it all ran virtualized with 1GB bandwidth 
for the VPN connection, which will be 1-2MBit once in production.


As a last step I renamed the site Default-First-Site-Name into 
site1. Restarted the samba services at both sites, checked replication. 
But there are still a few DNS entries left which I deleted manually.


_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local

So there are no more (visible) entries left in

Default-First-Site-Name._sites.gsg.local
Default-First-Site-Name._sites.gc._msdcs.gsg.local
Default-First-Site-Name._sites.dc._msdcs.gsg.local

But the structure remains and cannot be deleted (things like 
_tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to 
work at both sites but I'm curious if these leftovers can be completely 
removed.


Thanks in advance
Achim Gottinger
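
The leftovers discussed in this thread (site SRV records that stay published after a site is renamed or a server is moved, and records in one site's folder that point at the other site's DC) can be listed by comparing a record dump against the intended site layout. This is an added example, not part of the original posts or of Samba; the record lines are constructed from names used in the thread, in the owner/SRV/priority/weight/port/target layout shown there, and audit_site_srv is a hypothetical helper.

```python
import re

# Owner names of site-specific locator records: _service._proto.<site>._sites.<rest>
SITE_OWNER = re.compile(
    r"^_(?P<service>[\w-]+)\._(?P<proto>tcp|udp)\.(?P<site>[^.]+)\._sites\.",
    re.IGNORECASE,
)

# Constructed sample; '#' starts a comment.
SAMPLE_RECORDS = """\
_ldap._tcp.Default-First-Site-Name._sites.dc SRV 0 100 389 server-site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.dc SRV 0 100 389 server-site2.gsg.local
_kerberos._tcp.site1._sites.dc SRV 0 100 88 server-site1.gsg.local
_ldap._tcp.site1._sites.dc SRV 0 100 389 server-site2.gsg.local.  # wrong site
_ldap._tcp.site2._sites.dc SRV 0 100 389 server-site2.gsg.local
_ldap._tcp.DomainDnsZones SRV 0 100 389 server-site1.gsg.local
"""

# Intended layout after the rename: site name -> DCs assigned to it.
SITE_SERVERS = {
    "site1": {"server-site1.gsg.local"},
    "site2": {"server-site2.gsg.local"},
}


def parse_srv(line):
    """Return (owner, port, target) for 'owner SRV prio weight port target', else None."""
    parts = line.split()
    if len(parts) != 6 or parts[1].upper() != "SRV":
        return None
    if not all(p.isdigit() for p in parts[2:5]):
        return None
    return parts[0], int(parts[4]), parts[5].rstrip(".").lower()


def audit_site_srv(text, site_servers):
    """List site SRV records that no longer match the site layout.

    Findings are (reason, owner, target) tuples with reason one of
    'unknown-site', 'server-not-in-site' or 'unparsed'.
    """
    sites = {
        site.lower(): {host.rstrip(".").lower() for host in hosts}
        for site, hosts in site_servers.items()
    }
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        record = parse_srv(line)
        if record is None:
            findings.append(("unparsed", line, None))
            continue
        owner, _port, target = record
        match = SITE_OWNER.match(owner)
        if match is None:
            continue  # not a site-specific record
        site = match.group("site").lower()  # DNS names compare case-insensitively
        if site not in sites:
            findings.append(("unknown-site", owner, target))
        elif target not in sites[site]:
            findings.append(("server-not-in-site", owner, target))
    return findings


if __name__ == "__main__":
    for reason, owner, target in audit_site_srv(SAMPLE_RECORDS, SITE_SERVERS):
        print(f"{reason:20} {owner} -> {target}")
```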



Re: [Samba] Samba Printing api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed

2011-10-05 Thread Achim Gottinger
Last week I backported wheezy's 3.5.11 samba package to lenny and I still 
got these random errors. I went back to lenny version 3.2.5 and since 
then printing works fine. Guess that sorts out network related issues. 
Will monitor printing for a few more days and then try a samba version 
which supports win7 clients.


achim~




Re: [Samba] Samba Printing api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed

2011-09-26 Thread Achim Gottinger

On 26.09.2011 09:52, Claus Rosenberger wrote:

Same problem here, with the crystal report software too. I tried UTF-8 and 
UTF8, it makes no difference.
On 16.09.2011 12:02:32, Achim Gottinger wrote:

Was tricked by randomness here, it does not make a difference here either 
and I'm still getting those errors. At least I captured and uploaded 
detailed logs of that weird error to the bug report, hope a developer 
will take a look next week after this microsoft ad event is over.



Re: [Samba] Samba Printing api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed

2011-09-16 Thread Achim Gottinger
After a day without issues I just received a phone call about a 
printing issue and I found a few illegal multibyte sequence errors in 
the log file again.
Unfortunately I cannot reproduce the situation where this error occurred, 
a second try to print that document out of the archive worked but since 
it's a crystal report form generated out of a database from our 
business software something may be different when printing from the 
archive. Hope I'll get a reproducible situation so I can grab a 
wireshark trace and more detailed samba log info.


achim~



Re: [Samba] Samba Printing api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed

2011-09-15 Thread Achim Gottinger

Update:
Checked logs of all my debian print servers and none had these error 
messages today, I guess I had forgotten to restart samba on that server 
which still showed the error. I had also found that error message on a 
few other servers with a missing unix charset line which I all modified 
and restarted. (There is still a chance that they did not print anything 
which triggered that error.)


Here is a bug report for that problem, that's where I found that unix 
charset fix.

https://bugzilla.samba.org/show_bug.cgi?id=8082

Checked the default if that variable is not explicitly declared in 
smb.conf with testparm -v and it is


unix charset = UTF-8
display charset = LOCALE

Seems debian has an problem with UTF-8 but not with UTF8. =-O

These are my locale settings
#locale
LANG=de_DE.UTF-8
LC_CTYPE=de_DE.UTF-8
LC_NUMERIC=de_DE.UTF-8
LC_TIME=de_DE.UTF-8
LC_COLLATE=de_DE.UTF-8
LC_MONETARY=de_DE.UTF-8
LC_MESSAGES=de_DE.UTF-8
LC_PAPER=de_DE.UTF-8
LC_NAME=de_DE.UTF-8
LC_ADDRESS=de_DE.UTF-8
LC_TELEPHONE=de_DE.UTF-8
LC_MEASUREMENT=de_DE.UTF-8
LC_IDENTIFICATION=de_DE.UTF-8
LC_ALL=





Re: [Samba] Samba Printing api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed

2011-09-14 Thread Achim Gottinger
It is odd here also, on one server (debian lenny with samba 3.5.6 from 
backports) using


dos charset = 850
unix charset = UTF8

fixed that issue, on another server (same OS and versions) I also had to 
add the unix charset line and it worked for a document which did not 
work without and generated an error log entry like yours. Looking at the 
log file I still see a few of those SPOOLSS error messages. Users did 
not report problems but I have to ask them if they have had issues with 
printing this week.
If the error occurs there is no print job generated at the cups server 
at all and errors like those above appear in log.smbd


[2011/09/14 16:09:28.780842,  0] lib/charcnv.c:650(convert_string_talloc)
  Conversion error: Illegal multibyte sequence(@DD^W^THDD^X^T^A^D)
[2011/09/14 16:09:28.780969,  0] rpc_server/srv_pipe.c:2439(api_rpcTNP)
  api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed.
[2011/09/14 16:09:29.001633,  0] lib/charcnv.c:650(convert_string_talloc)
  Conversion error: Illegal multibyte sequence(@DD^W^THDD^X^T^A^D)
[2011/09/14 16:09:29.001724,  0] rpc_server/srv_pipe.c:2439(api_rpcTNP)
  api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed.
[2011/09/14 16:20:05.843419,  0] lib/charcnv.c:650(convert_string_talloc)
  Conversion error: Illegal multibyte sequence(88DF^H^NE09F^T^T`D9^K^T)
[2011/09/14 16:20:05.843511,  0] rpc_server/srv_pipe.c:2439(api_rpcTNP)
  api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed.
[2011/09/14 16:20:06.107415,  0] lib/charcnv.c:650(convert_string_talloc)
  Conversion error: Illegal multibyte sequence(88DF^H^NE09F^T^T`D9^K^T)
[2011/09/14 16:20:06.107788,  0] rpc_server/srv_pipe.c:2439(api_rpcTNP)


achim~


On 14.09.2011 14:19, Claus Rosenberger wrote:

From the Windows side the samba connected printers show printer not 
connected if the problem appears, on all clients the same time. But Cups connected 
printers will be shown as Printer Ready. This situation is just a few minutes, now it was 
45 minutes, but no more interesting things in the logfiles. Perhaps somebody knows which 
keywords to search for.
On 14.09.2011 14:03:37, Claus Rosenberger wrote:

That's really annoying because the printing with samba is not possible, just 
printing directly to cups is possible. The clients are working with UTF-8, the 
server is working with UTF-8, don't know why character conversion should be a 
problem here.



More details:



[2011/09/14 13:55:24.173846,  5] rpc_server/srv_pipe.c:2367(api_pipe_request)
   Requested \PIPE\\spoolss
[2011/09/14 13:55:24.173878,  4] rpc_server/srv_pipe.c:2404(api_rpcTNP)
   api_rpcTNP: \spoolss op 0x45 - api_rpcTNP: rpc command: SPOOLSS_OPENPRINTEREX
[2011/09/14 13:55:24.173912,  6] rpc_server/srv_pipe.c:2434(api_rpcTNP)
   api_rpc_cmds[69].fn == 0x7f844834b140
[2011/09/14 13:55:24.173953,  3] lib/charcnv.c:644(convert_string_talloc)
   convert_string_talloc: Conversion error: Illegal multibyte 
sequence(B3ۍ8A8A8AF89C^G)
[2011/09/14 13:55:24.173986,  0] lib/charcnv.c:650(convert_string_talloc)
   Conversion error: Illegal multibyte sequence(B3ۍ8A8A8AF89C^G)
[2011/09/14 13:55:24.174017,  1] ../librpc/ndr/ndr.c:395(ndr_pull_error)
   ndr_pull_error(5): Bad character conversion
[2011/09/14 13:55:24.174064,  0] rpc_server/srv_pipe.c:2439(api_rpcTNP)
   api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed.
[2011/09/14 13:55:24.174099,  3] 
rpc_server/srv_pipe_hnd.c:344(free_pipe_context)
   free_pipe_context: destroying talloc pool of size 0
[2011/09/14 13:55:24.174130,  3] 
rpc_server/srv_pipe_hnd.c:656(process_complete_pdu)
   process_complete_pdu: DCE/RPC fault sent on pipe \spoolss
[2011/09/14 13:55:24.174161, 10] 
rpc_server/srv_pipe_hnd.c:180(set_incoming_fault)
   set_incoming_fault: Setting fault state on pipe \spoolss
[2011/09/14 13:55:24.174193,  5] rpc_parse/parse_prs.c:89(prs_debug)
   00 smb_io_rpc_hdr
    major : 05
   0001 minor : 00
   0002 pkt_type  : 03
   0003 flags : 23
   0004 pack_type0: 10
   0005 pack_type1: 00
   0006 pack_type2: 00
   0007 pack_type3: 00
   0008 frag_len  : 0020
   000a auth_len  : 
   000c call_id   : 796c
[2011/09/14 13:55:24.174346,  5] rpc_parse/parse_prs.c:89(prs_debug)
   10 smb_io_rpc_hdr_resp resp
   0010 alloc_hint: 
   0014 context_id: 
   0016 cancel_ct : 00
   0017 reserved  : 00
[2011/09/14 13:55:24.174431,  5] rpc_parse/parse_prs.c:89(prs_debug)
   18 smb_io_rpc_hdr_fault fault
   0018 status  : DCERPC_FAULT_OP_RNG_ERROR
   001c reserved: 
[2011/09/14 13:55:24.174487, 10] 
rpc_server/srv_pipe_hnd.c:776(write_to_internal_pipe)
   write_to_pipe: data_used = 2670
[2011/09/14 13:55:24.174538,  6] 
rpc_server/srv_pipe_hnd.c:813(read_from_internal_pipe)
name: \spoolss len: 1024
[2011/09/14 13:55:24.174573, 10] 
rpc_server/srv_pipe_hnd.c:854(read_from_internal_pipe)
   read_from_pipe: \spoolss: current_pdu_len = 32, current_pdu_sent = 0 
returning 32 bytes.



Am 

Re: [Samba] Samba Printing api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed

2011-08-11 Thread Achim Gottinger

I guess you need to set

unix charset = utf8

had a similar issue last week, which was fixed that way.

achim~

On 11.08.2011 11:32, Claus Rosenberger wrote:

Hello,

after upgrading to samba 3.5.6 of Debian Squeeze some printouts will not be 
printed. The same print job will be printed after a couple of tries. I increased the 
loglevel and there are only a few messages showing what could be the 
problem. The print jobs don't arrive at cups.

[2011/08/10 11:32:12.700665,  0] lib/charcnv.c:650(convert_string_talloc)
  Conversion error: Illegal multibyte sequence(E8DE^A^H8C^R  )
[2011/08/10 11:32:12.700720,  1] ../librpc/ndr/ndr.c:395(ndr_pull_error)
  ndr_pull_error(5): Bad character conversion
[2011/08/10 11:32:12.700756,  0] rpc_server/srv_pipe.c:2439(api_rpcTNP)
  api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed.
[2011/08/10 11:32:13.901183,  0] lib/charcnv.c:650(convert_string_talloc)
  Conversion error: Illegal multibyte sequence(E8DE^A^H8C^R  )
[2011/08/10 11:32:13.924149,  1] ../librpc/ndr/ndr.c:395(ndr_pull_error)
  ndr_pull_error(5): Bad character conversion
[2011/08/10 11:32:13.924206,  0] rpc_server/srv_pipe.c:2439(api_rpcTNP)
  api_rpcTNP: \spoolss: SPOOLSS_OPENPRINTEREX failed.

The printer is a Konica Minolta bizhub 40P, which is installed on the client with 
Point and Print and the newest ppd files from Konica Minolta.

What could be the problem?

Thank you
Claus





Re: [Samba] login failed

2008-04-24 Thread Achim Gottinger

Achim Gottinger wrote:

denis rohou wrote:

Hello

I've samba 3.022 with a ldap 2.2.26. I've no pb to join domain with my
win2000, but when I reboot I'm rejected (bad username ...).
I find in debug that the first param sent by the client was the login
and I think it must be the machine's name.
Any idea?




  

Hi denis,

I have the same problem here. I can no longer log in with a domain 
account from a win2k workstation.
I have no problems leaving and joining the domain and I can connect 
shares manually but the computer account seems to be defective.
This workstation worked fine for years, other w2k workstations in the 
domain don't have this problem.
I tried to delete the account manually with smbldap-userdel, rejoined 
and I'm still getting rejected.


Have you found a fix for your workstation?

achim~

Well it turned out ldap replication had failed, after copying the master 
database to the slaves things worked again. :-)



Re: [Samba] login failed

2008-04-22 Thread Achim Gottinger

denis rohou wrote:

Hello

I've samba 3.022 with a ldap 2.2.26. I've no pb to join domain with my
win2000, but when I reboot I'm rejected (bad username ...).
I find in debug that the first param sent by the client was the login
and I think it must be the machine's name.
Any idea?




  

Hi denis,

I have the same problem here. I can no longer log in with a domain 
account from a win2k workstation.
I have no problems leaving and joining the domain and I can connect 
shares manually but the computer account seems to be defective.
This workstation worked fine for years, other w2k workstations in the 
domain don't have this problem.
I tried to delete the account manually with smbldap-userdel, rejoined and 
I'm still getting rejected.


Have you found a fix for your workstation?

achim~



Re: [Samba] Disable USB storage

2007-11-05 Thread Achim Gottinger

alejandro luna wrote:

Hello Everyone!

i need to know if there is a way to send to windows XP a key reg to disable the 
usb storage, my samba is a PDC.
the key in the window's registry is 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
   
On a samba pdc it should also be possible to write a system policy 
template for that registry key.

Thanks for pointing to that registry key.

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/PolicyMgmt.html#id417198 



achim~


Re: [Samba] Roaming Profile gets deleted

2006-11-06 Thread Achim Gottinger

Florian Zierer wrote:

Hi Cleber,

Cleber P. de Souza wrote:

On your Samba server, have you set up the Profile Path for the user?


Yes of course. The profiles are working if I log in and log out and so 
on on the same WinXP machine. But, the Profiles are only working, 
until I delete the profile on the Win XP machine (as another user) or 
I log in on an Win XP machine where the profile is  not yet loaded. 
Then the profile on the samba machine gets overwritten and a new 
default profile gets created.


Any hints where I have to look to solve my problem?

Thx
Flo
Have you tried to debug what's going on on the winxp client during 
profile load?



-
Guide to Microsoft® Windows NT® 4.0 Profiles and Policies


Troubleshooting User Profiles with the UserEnv.log File
The UserEnv.log is an invaluable tool for troubleshooting the process of
loading and unloading User Profiles. Each step in the User Profile process is
recorded in the log, including informational and error-related messages.
The checked version of the UserEnv.dll is the same dynamic link library
(.dll) as the retail version, except that it contains debug flags that
you can set and use with the kernel debugger. This file, which is included in both the
Windows NT Device Driver Kit (DDK) and the Windows NT Software Development
Kit (SDK), when used in conjunction with a registry entry, generates a
log file that can be used in troubleshooting and debugging problems with
roaming profiles and system policies on Windows NT 4.0 clients.
To enable logging:
1. Rename the file UserEnv.dll in the %systemroot%\SYSTEM32 directory to
UserEnv.old or to a unique name of your choice.
2. Copy the checked version of UserEnv.dll to the
%systemroot%\SYSTEM32 directory of the client machine that you want
to debug. The checked version of the UserEnv file must match the version
of the operating system and Service Pack installed on the client computer.
3. Start REGEDT32 and locate the following path:
HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\WindowsNT
\CurrentVersion
\Winlogon
4. Create a new value called UserEnvDebugLevel as a REG_DWORD type.
Assign the hex value 10002.
5. Reboot the computer.
Logging information will be recorded in the root directory of the C drive as
UserEnv.log. You can use Notepad to view the log file. A sample log is
provided next.
--




Re: [Samba] object class 'sambaSamAccount' requires attribute 'sambaSID'

2006-11-01 Thread Achim Gottinger

Greg Dickie wrote:

Hi,

  In the continuing saga of not being able to join machines to my
openldap 2  samba 3.0.23c controlled domain I now get the above error.
The schema is the one distributed with 3.0.23c. I've seen many postings
about the same error but no fixes for it. Does anyone know where to
look?

Thanks a lot,
Greg


  
Hmm, have you updated samba.schema? There's a new one coming with 3.0.23c; 
it's mentioned only between the lines in the Changelog.


achim~


Re: [Samba] object class 'sambaSamAccount' requires attribute 'sambaSID'

2006-11-01 Thread Achim Gottinger

Achim Gottinger wrote:

Greg Dickie wrote:

Hi,

  In the continuing saga of not being able to join machines to my
openldap 2  samba 3.0.23c controlled domain I now get the above error.
The schema is the one distributed with 3.0.23c. I've seen many postings
about the same error but no fixes for it. Does anyone know where to
look?

Thanks a lot,
Greg


  
Hmm, have you updated samba.schema? There's a new one coming with 
3.0.23c; it's mentioned only between the lines in the Changelog.


achim~

Sorry, you wrote you are using the actual schema; make sure you also 
define the index for sambaSID.


achim~


Re: [Samba] Domain Groups missing

2006-10-16 Thread Achim Gottinger

Achim Gottinger wrote:

Hi,

I have a strange problem with my samba domain servers: they no 
longer show the domain or local groups.

I run three debian sarge machines as samba domain controllers (samba 
version is 3.0.23c) with an ldap backend in master/slave configuration.
getent group shows all the groups, net groupmap list shows all the 
groups, but net rpc info outputs:

Domain Name: GOTTINGER
Domain SID: S-1-5-21-1446910239-1605792192-310601177
Sequence number: 1160906670
Num users: 63
Num domain groups: 0
Num local groups: 0

On a w23k server acting as a fileserver the security settings for 
folders still show the assigned domain groups and they are still 
working. But I can not add new domain groups.
Additionally, NT4 server management for users no longer shows the 
groups. I can add a new group and get an access denied warning, but the 
group shows up in getent group afterwards.
I'm not sure if this behavior is related to the update to 3.0.23c; I 
think I added a new folder and modified access rights on the w2k 
server after the update.

Any clues what can cause this behavior?

Thx
achim~

I copied the samba and ldap configuration and database stuff to another 
machine: same result, no domain groups showing up in net rpc group. In 
net groupmap list I get two lines with multiple group names in the first 
row:

DomDomDG Prothetik (S-1-5-21-1446910239-1605792192-310601177-5069) - DG Prothetik

Removing a groupmap entry removes the whole dn entry from the ldap 
database. Is this due to the config line ldap delete dn = yes?

I tried to remove all the groups in the groupmap line showing in one 
line, but I still cannot get a list of domain groups.


achim~






Re: [Samba] Domain Groups missing

2006-10-16 Thread Achim Gottinger

Achim Gottinger wrote:

Hi,

I have a strange problem with my samba domain servers: they no 
longer show the domain or local groups.

I run three debian sarge machines as samba domain controllers (samba 
version is 3.0.23c) with an ldap backend in master/slave configuration.
getent group shows all the groups, net groupmap list shows all the 
groups, but net rpc info outputs:

Domain Name: GOTTINGER
Domain SID: S-1-5-21-1446910239-1605792192-310601177
Sequence number: 1160906670
Num users: 63
Num domain groups: 0
Num local groups: 0

On a w23k server acting as a fileserver the security settings for 
folders still show the assigned domain groups and they are still 
working. But I can not add new domain groups.
Additionally, NT4 server management for users no longer shows the 
groups. I can add a new group and get an access denied warning, but the 
group shows up in getent group afterwards.
I'm not sure if this behavior is related to the update to 3.0.23c; I 
think I added a new folder and modified access rights on the w2k 
server after the update.

Any clues what can cause this behavior?

Thx
achim~



Hmm, fixed it: I had to use the latest samba.schema coming with 3.0.23c; 
now the groups are working.


thx achim~


[Samba] Domain Groups missing

2006-10-15 Thread Achim Gottinger

Hi,

I have a strange problem with my samba domain servers: they no longer 
show the domain or local groups.

I run three debian sarge machines as samba domain controllers (samba 
version is 3.0.23c) with an ldap backend in master/slave configuration.
getent group shows all the groups, net groupmap list shows all the 
groups, but net rpc info outputs:

Domain Name: GOTTINGER
Domain SID: S-1-5-21-1446910239-1605792192-310601177
Sequence number: 1160906670
Num users: 63
Num domain groups: 0
Num local groups: 0

On a w23k server acting as a fileserver the security settings for 
folders still show the assigned domain groups and they are still 
working. But I can not add new domain groups.
Additionally, NT4 server management for users no longer shows the 
groups. I can add a new group and get an access denied warning, but the 
group shows up in getent group afterwards.
I'm not sure if this behavior is related to the update to 3.0.23c; I 
think I added a new folder and modified access rights on the w2k server 
after the update.

Any clues what can cause this behavior?

Thx
achim~



[Samba] Problem setting Group Permissions on Files

2004-04-15 Thread Achim Gottinger

Hi,

I run a samba-3.0.2a server as a simple file server in security=user 
mode. I have the following problem with a specific share:

If I want to change the group permissions on a file (as a normal user 
owning the file) from within w2k using the security tab settings the new 
settings are ignored and instead the world/everyone settings are mapped 
to the group settings. If I change the permissions for world they are 
copied to the group settings too!

All the users have users as their primary group and I mapped this 
group to the windows group Users.

Here are the relevant parts of my smb.conf:

[global]
   log file = /var/log/samba3/log.%m
   smb passwd file = /etc/samba/private/smbpasswd
   socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
   guest user = nobody
   map to guest = bad user
   encrypt passwords = yes
   security = user
   max log size = 50
[data]
   nt acl support = yes
   writeable = yes
   public = no
   guest ok = no
   create mask = 0666
   force create mode = 0666
   path = /mnt/data
   security mask = 0666
   force security mode = 000

I'm running gentoo linux; the share is on an xfs fs with acl enabled and 
I built samba with acl support.
Does anyone know what's going wrong here?

thanx in advance
achim~

