Re: [Samba] human understandable log format?
On 25.05.2011 15:45, ion coting wrote:
> Anyone... help!?
>
> On Thu, May 19, 2011 at 4:19 PM, ion coting ioncot...@gmail.com wrote:
>> Hi,
>>
>> I would like to look at a logfile containing simple summary lines like this:
>>
>> timestamp - client ip - user - action (eg. login, connect to a share) - result (ok, password wrong, permission denied, io error, etc)
>>
>> I find log.smb and log.nmb very complicated and smbaudit too; also I would like to have all this information in a single log file.
>>
>> How can I achieve this? Is there any native samba combination of options in smb.conf that can result in achieving this type of log? Can (and how?) I configure samba in such a way that some external tools can parse and extract this information from logfiles?
>>
>> thank you

I'd like to see this too, but I don't think it's possible. I have wasted several hours when debugging samba problems and dealing with hard-to-read logfiles. But there is no way to configure logging except for the amount (log level) and destination.

It may help a bit to use substitutions in the log file destinations, so e.g. using

    log file = /var/log/samba/log.%I.%U

in your smb.conf will create one log file per client and user on the server, like /var/log/samba/log.10.0.0.24.bob for user bob on client 10.0.0.24. Still, it's sometimes difficult to get actions and results sorted out.

Bye, Andreas

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] mount.cifs and Umlaut in share name
Hello,

I need to mount a CIFS share (in the end via fstab, for now manually from terminal) which has both a space and a German umlaut in its name. I cannot get mount.cifs to mount it, it always complains it cannot find it.

I managed to get around the space problem in fstab with the \040 trick, but I cannot find a way to correctly encode the umlaut. When looking at the output of

    mount.cifs --verbose '//server/Täst Freigabe' /mnt

it looks like it is accessing the correct share, but it does not work.

I also got a hint here (https://bugs.launchpad.net/ubuntu/+source/gnome-vfs/+bug/414865) to pipe the share name through iconv, but

    mount.cifs $(echo //server/Täst Freigabe | iconv -t850) /mnt

also does not work.

What can I do? Changing the share name is currently not an option, there are just too many users with links/bookmarks to it.

Thanks, Andreas
[Samba] Machine password change fails
Hello,

I posted my problem of clients losing their domain membership a couple of days ago. I now could track it down to a problem with machine password changes in the domain. When a client changes its machine account password, it loses domain connection afterwards, i.e. 'net rpc testjoin' gives NT_STATUS_ACCESS_DENIED.

I have attached a winbind log which shows the problem; it first says Changed password, then immediately afterwards the connection fails. I did a tcpdump which showed pretty much the same; first a successful password change and then a login failure.

I have no idea how to debug this further. I can provide the tcpdump capture if necessary.

Clients are using Ubuntu 10.04 with samba 3.4.7 and Linux 2.6.32; Server is Debian 5.0 with samba 3.2.5 and Linux 2.6.26. PDC is configured to use LDAP as passdb backend, this is also the UNIX user db for both server and clients (using libnss-ldap/libpam-ldap).

Thank you, Andreas

[2010/07/19 10:47:57, 3] libsmb/namequery.c:1972(get_dc_list)
  get_dc_list: preferred server list: , *
[2010/07/19 10:47:57, 3] libsmb/namequery.c:1225(resolve_lmhosts)
  resolve_lmhosts: Attempting lmhosts lookup for name AG0x1c
[2010/07/19 10:47:57, 3] libsmb/namequery.c:1089(resolve_wins)
  resolve_wins: Attempting wins lookup for name AG0x1c
[2010/07/19 10:47:57, 3] libsmb/namequery.c:1147(resolve_wins)
  resolve_wins: using WINS server 172.16.9.3 and tag '*'
[2010/07/19 10:47:57, 2] libsmb/namequery.c:779(name_query)
  Got a positive name query response from 172.16.9.3 ( 172.16.9.3 )
[2010/07/19 10:47:57, 3] ../lib/util/util.c:254(fcntl_lock)
  fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable)
[2010/07/19 10:47:57, 3] ../lib/util/util.c:273(fcntl_lock)
  fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Resource temporarily unavailable)
[2010/07/19 10:47:57, 3] libsmb/cliconnect.c:940(cli_session_setup_spnego)
  Doing spnego session setup (blob length=58)
[2010/07/19 10:47:57, 3] libsmb/cliconnect.c:967(cli_session_setup_spnego)
  got OID=1.3.6.1.4.1.311.2.2.10
[2010/07/19 10:47:57, 3] libsmb/cliconnect.c:975(cli_session_setup_spnego)
  got principal=NONE
[2010/07/19 10:47:57, 3] libsmb/ntlmssp.c:1023(ntlmssp_client_challenge)
  Got challenge flags:
[2010/07/19 10:47:57, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60898215
[2010/07/19 10:47:57, 3] libsmb/ntlmssp.c:1045(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2010/07/19 10:47:57, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2010/07/19 10:47:57, 3] libsmb/ntlmssp_sign.c:342(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2010/07/19 10:47:57, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2010/07/19 10:47:57, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host MAIL!
[2010/07/19 10:47:57, 3] libsmb/trusts_util.c:56(trust_pw_change_and_store_it)
  2010/07/19 10:47:57 : trust_pw_change_and_store_it: Changed password.
[2010/07/19 10:47:58, 3] rpc_client/cli_netlogon.c:573(rpccli_netlogon_set_trust_password)
  rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2010/07/19 10:47:58, 3] winbindd/winbindd_misc.c:359(winbindd_dual_list_trusted_domains)
  [ 1461]: list trusted domains
[2010/07/19 10:47:58, 3] libsmb/ntlmssp.c:1023(ntlmssp_client_challenge)
  Got challenge flags:
[2010/07/19 10:47:58, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60898235
[2010/07/19 10:47:58, 3] libsmb/ntlmssp.c:1045(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2010/07/19 10:47:58, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088235
[2010/07/19 10:47:58, 3] libsmb/ntlmssp_sign.c:342(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2010/07/19 10:47:58, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088235
[2010/07/19 10:47:58, 1] rpc_client/cli_pipe.c:927(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: Bind NACK received from host MAIL!
[2010/07/19 10:47:58, 0] rpc_client/cli_pipe.c:3734(cli_rpc_pipe_open_ntlmssp_internal)
  cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
[2010/07/19 10:47:58, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host MAIL!
[2010/07/19 10:47:58, 3] winbindd/winbindd_rpc.c:1047(trusted_domains)
  rpc: trusted_domains
[2010/07/19 10:47:58, 3] libsmb/ntlmssp.c:1023(ntlmssp_client_challenge)
  Got challenge flags:
[2010/07/19 10:47:58, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60898235
[2010/07/19 10:47:58, 3] libsmb/ntlmssp.c:1045(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2010/07/19
[Samba] Samba clients losing domain membership
Hello,

we are currently in the process of migrating Windows machines to Ubuntu 10.04. For now, these machines act as samba clients in a Windows domain (which is controlled also by a samba PDC), and are themselves sharing files via SMB/CIFS.

The clients are - from time to time and with no apparent reason - losing their domain membership. When this happens, access to shares on the PDC still seems to work, but access to shares served by the client does not.

sudo net rpc testjoin gives:

    failed to get schannel session key from server PDC for Domain DOM. Error was: NT_STATUS_ACCESS_DENIED
    Join to Domain 'DOM' is not valid: NT_STATUS_ACCESS_DENIED

Doing 'sudo net rpc join' re-establishes connection.

Since the machines in question are not older than 4 weeks, I doubt it has anything to do with trust account password change or the like.

Clients are using Ubuntu 10.04 with samba 3.4.7 and Linux 2.6.32; Server is Debian 5.0 with samba 3.2.5 and Linux 2.6.26. PDC is configured to use LDAP as passdb backend, this is also the UNIX user db for both server and clients (using libnss-ldap/libpam-ldap).

I increased debug level to 3 and got this on client and server/PDC when trying to access a share on the client machine:

Client side log:

[2010/07/06 08:57:59, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [dom]\[...@[admin2-desktop] with the new password interface
[2010/07/06 08:57:59, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [dom]\[...@[admin2-desktop]
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [ah] - [ah] FAILED with error NT_STATUS_ACCESS_DENIED
[2010/07/06 08:57:59, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
[2010/07/06 08:57:59, 3] smbd/process.c:1459(process_smb)
  Transaction 3 of length 92 (0 toread)
[2010/07/06 08:57:59, 3] smbd/process.c:1273(switch_message)
  switch message SMBsesssetupX (pid 3710) conn 0x0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=13 flg2=0xc801
[2010/07/06 08:57:59, 3] smbd/sesssetup.c:1607(reply_sesssetup_and_X)
  Domain=[] NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2010/07/06 08:57:59, 3] smbd/sesssetup.c:1623(reply_sesssetup_and_X)
  sesssetupX:name=[]...@[admin2-desktop]
[2010/07/06 08:57:59, 3] smbd/sesssetup.c:151(check_guest_password)
  Got anonymous request
[2010/07/06 08:57:59, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []...@[] with the new password interface
[2010/07/06 08:57:59, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: []...@[]
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/07/06 08:57:59, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 3]
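The summary lines asked for in the "human understandable log format?" thread can be approximated by post-processing level 2 and 3 logs like the two quoted above. This is an added example, not code from the thread or from the Samba project; it assumes per-client files named with log file = /var/log/samba/log.%I.%U, message wording as in the Samba 3.x entries quoted on this page, and sample text built from those entries.

```python
import re
from datetime import datetime

# Samba 3 debug header, e.g. "[2010/07/06 08:57:59, 2] auth/auth.c:320(check_ntlm_password)"
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*(\d+)\]\s+\S+:\d+\((\w+)\)")

# (message pattern, action, result template); extend with rules for other events
RULES = [
    (re.compile(r"Authentication for user \[(?P<user>[^\]]*)\].*FAILED with error (?P<st>NT_STATUS_\w+)"),
     "login", r"\g<st>"),
    (re.compile(r"trust_pw_change_and_store_it: Changed password"), "machine password change", "ok"),
    (re.compile(r"unable to setup creds \((?P<st>NT_STATUS_\w+)\)"), "netlogon credential setup", r"\g<st>"),
]

def parse_entries(text):
    """Split raw log text into (timestamp, level, function, message) tuples.
    Works on the normal two-line layout and on logs flattened onto one line."""
    hits = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        message = " ".join(text[m.end():end].split())
        stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        entries.append((stamp, int(m.group(2)), m.group(3), message))
    return entries

def client_and_user(log_path):
    """Recover %I (client IPv4 address) and %U (user) from a 'log.%I.%U' file name."""
    m = re.search(r"log\.(\d+\.\d+\.\d+\.\d+)\.(.+)$", log_path)
    return (m.group(1), m.group(2)) if m else ("-", "-")

def summarize(text, log_path=""):
    """Return 'timestamp - client ip - user - action - result' lines."""
    ip, file_user = client_and_user(log_path)
    lines = []
    for stamp, _level, _func, message in parse_entries(text):
        for pattern, action, result in RULES:
            m = pattern.search(message)
            if m:
                user = m.groupdict().get("user") or file_user
                lines.append(f"{stamp:%Y-%m-%d %H:%M:%S} - {ip} - {user} - {action} - {m.expand(result)}")
                break
    return lines

def trust_broken_after_change(text, window=5):
    """Timestamps of machine password changes that are followed within `window`
    seconds by a netlogon NT_STATUS_ACCESS_DENIED."""
    changed, found = None, []
    for stamp, _level, _func, message in parse_entries(text):
        if "Changed password" in message:
            changed = stamp
        elif changed and "unable to setup creds (NT_STATUS_ACCESS_DENIED)" in message:
            if (stamp - changed).total_seconds() <= window:
                found.append(changed)
            changed = None
    return found

# Sample input constructed from entries quoted in the two messages above.
SAMPLE_WINBIND = """[2010/07/19 10:47:57, 3] libsmb/trusts_util.c:56(trust_pw_change_and_store_it)
  2010/07/19 10:47:57 : trust_pw_change_and_store_it: Changed password.
[2010/07/19 10:47:58, 3] rpc_client/cli_netlogon.c:573(rpccli_netlogon_set_trust_password)
  rpccli_netlogon_set_trust_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
"""
SAMPLE_SMBD = """[2010/07/06 08:57:59, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/06 08:57:59, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [ah] - [ah] FAILED with error NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_SMBD, "/var/log/samba/log.10.0.0.24.ah")))
    print(trust_broken_after_change(SAMPLE_WINBIND))
```

The file-name pattern only recognises IPv4 client addresses; events without a matching rule are skipped rather than guessed at.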
Re: [Samba] Samba as domain member to another samba PDC
Daniel Müller wrote:
> Hello,
> with pdbedit -L on my MemberServer (Samba) I could not list the domain users and groups! With pdbedit -L it is only working on my PDC(Samba)

I assume then this is - at least at the moment - normal behaviour of pdbedit. Perhaps someone else on this list can tell me if this is going to change or has already changed e.g. with Samba 4.

> Try getent passwd and getent group instead. If there show up your users and groups. try example: touch test.txt and then chown yourdomainuser:thisuserdomaingroup. If this function you can test next: Make a share on your SambaMemberServer. Give the rights to a user only known in your SambaDomain (no local user). Try to connect the share as this user. If this is working you got it.

I already did that, and it works. That's not the point I'm asking for. As I wrote in my first post, I want to use a GUI for creating samba shares that relies on the output of pdbedit -L for listing users which are allowed/denied access.

If pdbedit -L does not work, I will either have to write my own pdbedit which will mimic the expected output by calling ldapsearch and formatting the output like pdbedit does. Or I will have to find another suitable GUI.

Thank you for your help, Andreas
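A sketch of the ldapsearch-to-pdbedit formatting mentioned in the message above, as an added example that is not from the thread or from the Samba project. It assumes the accounts are sambaSamAccount entries carrying uid, uidNumber and displayName or cn, that the input is LDIF as printed by ldapsearch, and that the GUI expects the username:uid:full name lines that pdbedit -L prints; the directory entries are constructed.

```python
import base64

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" marks non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def pdbedit_list(ldif_text):
    """Return lines shaped like `pdbedit -L` output: username:uid:full name."""
    out = []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sambasamaccount" not in classes or "uid" not in entry:
            continue                        # skips non-Samba entries and the search trailer
        full = (entry.get("displayname") or entry.get("cn") or [""])[0]
        uid_number = entry.get("uidnumber", [""])[0]
        out.append(f"{entry['uid'][0]}:{uid_number}:{full}")
    return out


# Constructed sample shaped like ldapsearch output (folded dn, base64 value, trailer).
SAMPLE_LDIF = "\n".join([
    "dn: uid=bob,ou=People,dc=exam",
    " ple,dc=org",
    "objectClass: sambaSamAccount",
    "uid: bob",
    "uidNumber: 1001",
    "cn: Bob Example",
    "",
    "dn: uid=jm,ou=People,dc=example,dc=org",
    "objectClass: sambaSamAccount",
    "uid: jm",
    "uidNumber: 1002",
    "displayName:: " + base64.b64encode("Jörg Müller".encode("utf-8")).decode("ascii"),
    "",
    "dn: uid=nfsonly,ou=People,dc=example,dc=org",
    "objectClass: posixAccount",
    "uid: nfsonly",
    "uidNumber: 1003",
    "",
    "# search result",
    "search: 2",
    "result: 0 Success",
])

if __name__ == "__main__":
    print("\n".join(pdbedit_list(SAMPLE_LDIF)))
```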
[Samba] Samba as domain member to another samba PDC
Hello,

we have a somewhat unusual setup:

- currently, Windows 2000 workstations in a NT4-Style domain with a samba 3 server as PDC. User account data for both UNIX and Samba is kept in LDAP.
- now, several workstations should be migrated to Ubuntu, using the same LDAP directory (and NFS homes) for User account data. Users need to be able to share files with windows workstations, using samba.

I have managed to join samba on the Ubuntu test machines to the domain, and any manually created shares in smb.conf can be accessed by windows users as well as other users on other Ubuntu clients. I have set in smb.conf on the client:

    security = domain
    password server = *
    domain = MYDOM

(passdb backend is not set)

But I'd like to use system-config-samba from Ubuntu as a GUI to let the users create their own shares (somewhat risky, I know, but currently the best solution). system-config-samba relies on the output of pdbedit -L to let the user choose which users can access which share. In the above setup, the output of pdbedit -L is empty.

I tried adding passdb backend = ldapsam:ldap://1.2.3.4 and the necessary ldap options to smb.conf on the client and have set the LDAP admin password using smbpasswd -W. Now, pdbedit -L complains SID 1-2-3-4-5 does not belong to our domain, and system-config-samba shows the same line instead of the users name for every user in the database.

So, essentially, the question is: how can a samba domain member get a list of users using pdbedit -L?

As I understand it, the whole winbind/idmap stuff is necessary only for mapping users on a windows PDC to (temporary) UNIX users, but we already have real permanent UNIX users, so I do not need winbind/idmap, right?

Thanks, Andreas
Re: [Samba] Samba as domain member to another samba PDC
Daniel Müller wrote:
> Hello,
> when I have read right. You joined an ubuntu samba pc to your samba domain! testparm gives you: ROLE_DOMAIN_MEMBER?

Correct.

> First of all your domain member must have exactly the same users and passwords as your pdc/ldap. You can do that with installing ldapclient. Configure it with ldapserver: your pdc/ldap. Now getent passwd and getent group should show you all your users/groups kept on your pdc/ldap.

I did that using libpam-ldap/libnsswitch-ldap. getent group/passwd returns what you say, and user authentication on the UNIX side works well.

> If you succeed with this. You need in your smb.conf: security=DOMAIN password server=YOUR-PDC-LDAP

I have password server = *, but explicitly setting the PDC changes nothing.

> For me I had to copy my ldap config section from my smb.conf on my PDC here: ldap idmap backend=ldap:ldap://YOUR-PDC-LDAP idmap uid... idmap gid

I do not currently have the idmap... things, since I thought I do not need them. I tried, and it changed nothing. pdbedit -L still returns SID ... does not belong to our domain. What does it return on your machine?

Bye, Andreas
Re: [Samba] Making Home Directory available for Windows Users
Hello,

I am pretty sure this is described somewhere in the official docs, but anyway: Your approach #1 should work well. The [homes] section is accessible by clients using *either* \\servername\username or \\servername\homes

No modifications to your example necessary.

Bye, Andreas

Alexander Schaber wrote:
> Hello,
>
> Situation: We are in a school class every student logs on with the same account. Until now we had Shares that were accessible for everybody and it was therefore possible to look into and edit/delete other's files.
>
> Plan: Create a share that can be clicked on which then asks for User/Pass and directly maps to the User's home Directory upon auth. User auth is done through LDAP which works already.
>
> Example: Sharename: homedir
> User clicks on e.g. \\fileserver\homedir and is asked for User/Pass, after entering 'examplestudent1'/hispassword he sees /home/examplestudent1 .
>
> Possible approach 1:
>
> [homes]
>     comment = Home Directories
>     valid users = %S
>     browseable = No
>     read only = No
>     inherit acls = Yes
>
> The Problem with this one is, that the User would have to type \\fileserver\examplestudent1 to get to his Homedir, which is _not_ wanted. Or can this one be modified?
>
> Possible approach 2:
>
> [homedir]
>     comment = Home Directories
>     read only = No
>     browseable = Yes
>     path = /home/%u
>
> This seems to work, but is it secure enough? What about 'valid users'? The computers are shut down after each lesson, so there won't be the case that an old session is still alive.
>
> Requirements: A share that always has the same name (e.g. homedir) but behind that there is the user's homedir or a share that lists /home and asks for a User/Pass for each dir you click on. I know this is partly done by setting appropriate rights on the home dirs (700).
>
> I hope I made everything clear :) Thanks a lot for your ideas!
[Samba] Howto merge two domains
Hello,

since I found various bits of information but no howto or similar, I'd like to ask how you would handle the following scenario:

- two domains with identical name on two physically totally separated networks, but with different IP-Subnets (both in the private range 172.16.x). One domain has about 50 clients and users, the other about 25
- both domains have Samba 3.0.x configured as a PDC, with Windows 2000 Clients. Both Sambas currently use the pdb backend, but a migration to LDAP is planned. Both domains use server-side profiles.
- on both sides, there are additional workstations with shares, some of them having rather complex permissions (for individual users).
- these two domains need to be merged into one, with one PDC. That is, the smaller domain is to move physically into the building with the larger domain. If possible, user accounts and groups should be migrated as well as profiles etc. Share permissions on the PDC itself and the other workstations should be preserved as well.

Is this possible? I read about the profiles tool that it works only on NT, so it will not work with Win2K? I read about moveuser.exe but am not sure if this works with server-side profiles. How about preserving the share permissions when the SIDs change? Can the user accounts be migrated, or do they have to be re-created?

Thank you, Andreas
[Samba] Loss of connection when changing smb.conf?
Hello,

since upgrading to Samba 3 (3.0.1 on Debian 3.0), I noticed that clients seem to sometimes lose connection to the samba server when the configuration file is changed.

Today I added oplocks = no to the homes section because I wanted to track down a specific problem, and voila: 1-2 minutes later some Win2K-Clients (but probably not all, couldn't check that) lost connection to the homes share and had to sign off and sign on again. Later on I added log level = 3 to the global section and the same happened again.

I'm pretty sure this didn't happen with Samba 2.2.8. Could this have something to do with smb signing? I assume SMB signing maintains some kind of state information or serial number on the packages, in order to prevent man-in-the-middle attacks; and this information could get lost when samba reloads the smb.conf?

Thanks, Andreas
[Samba] Quark Express 4.1 Saving problems
Hello,

found this topic in the archives and would like to re-open this thread. I have some problems with Quark XPress Passport 4.1 on Win2K Clients and Samba 3.0.1 .

Sometimes when saving a file, either an existing one or new, QuarkXPress produces an I/O-Error [-36] and cannot save the file, not even with Save as... under a different name. I turned off oplocks on this share, but it changed nothing. Other Apps seem to work fine.

The problem cannot be easily reproduced, it occurs only every now and then. I set log level to 3 today and will wait till tomorrow, hope this happens again soon so I can provide log output.

Has anyone else had this problem?

Thanks, Andreas