Re: [Samba] samba4 in a Windows workgroup
As I understand it samba4 can only be a PDC or a BDC; it cannot be a stand-alone server. You would need to use a samba3 server for that.

On Fri, Dec 21, 2012 at 12:44 PM, Eduardo Sotomayor ea...@hotmail.com wrote:

> I have found a lot of information about how to set up a samba4 active directory server, but I haven't found anything about configuring a standalone server in a windows workgroup: provisioning, configuring the smb.conf file, creating users (I read that samba4 doesn't require a unix user for every samba user), how to set up permissions, network browsing setup, etc. Is there any good guide, or can anyone post a good guide here?
>
> Thanks

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable
Probably the way you do reverse DNS lookups, but I couldn't say for sure. Krb is very dependent on DNS, both forward and reverse.

On Wed, Dec 12, 2012 at 9:16 PM, Tushar Dalvi tushar.dalvi.sa...@gmail.com wrote:

> Thanks for the reply Andrew. I had made sure the keytab was accessible to bind but it still failed. Looked like it was an SPN issue. samba_dnsupdate tried to use DNS/host@DOMAIN.LOCAL (not DNS/host.domain.local@DOMAIN.LOCAL). Using samba-tool, when I added an SPN for DNS/host to the dns-host user and exported the keytab to dns.keytab, then bind accepted the TKEY. I am wondering what caused samba_dnsupdate to use DNS/host instead of the DNS/host.domain.local SPN.
>
> Regards,
> Tushar
>
> On Tue, Dec 11, 2012 at 7:03 PM, Andrew Dumaresq dumar...@gmail.com wrote:
>
> > This probably means that bind can't read your dns keytab file. Make sure you have
> >
> >     tkey-gssapi-keytab /path to/dns.keytab;
> >
> > in the options section of your bind config. Then make sure it's readable by the bind user; you might start by making the file 666 and then sort it out later. In my case I set it chmod 600 and chown it to the user bind, which is way more secure.
> >
> > Also your dns.keytab file should have a lot of entries in it:
> >
> >     klist -k /usr/local/samba/private/dns.keytab
> >     Keytab name: FILE:/usr/local/samba/private/dns.keytab
> >     KVNO Principal
> >     ---- --------------------------------------------------------------------------
> >        1 DNS/host.domain.local@DOMAIN.LOCAL
> >        1 dns-host@DOMAIN.LOCAL
> >        1 DNS/host.domain.local@DOMAIN.LOCAL
> >        1 dns-host@DOMAIN.LOCAL
> >        1 DNS/host.domain.local@DOMAIN.LOCAL
> >        1 dns-host@DOMAIN.LOCAL
> >        1 DNS/host.domain.local@DOMAIN.LOCAL
> >        1 dns-host@DOMAIN.LOCAL
> >        1 DNS/host.domain.local@DOMAIN.LOCAL
> >        1 dns-host@DOMAIN.LOCAL
> >
> > On Sun, Dec 9, 2012 at 3:52 PM, Tushar Dalvi tushar.dalvi.sa...@gmail.com wrote:
> >
> > > Hi,
> > > I am trying to run samba with bind_dlz (bind-9.9.1-P1) on a multi-homed network. I have configured the setup as per Samba4 Howto. But when I try to do samba_dnsupdate --all-names it fails with error:
> > >
> > >     dns_tkey_negotiategss: TKEY is unacceptable
> > >
> > > The kerberos ticket being used by samba_dnsupdate shows the following principals:
> > >
> > >     klist -c /tmp/tmp6cxfgY
> > >     Ticket cache: FILE:/tmp/tmp6cxfgY
> > >     Default principal: DB-SERVER$@BOM.MH.IN
> > >     Service principal
> > >     krbtgt/BOM.MH.IN
> > >     DNS/db-ser...@bom.mh.in
> > >
> > > Whereas the dns.keytab shows the following principals (repeated for multiple encryption algorithms):
> > >
> > >     klist -k private/dns.keytab:
> > >     DNS/db-server.bom.mh...@bom.mh.in
> > >     dns-db-ser...@bom.mh.in
> > >
> > > Wireshark shows that samba_dnsupdate requests TGS-REQ for DNS/db-ser...@bom.mh.in
> > >
> > > I retried this thing with samba's internal DNS and there samba_dnsupdate requests for DNS/db-server.bom.mh...@bom.mh.in. In case of the internal server the ticket cache shows up like:
> > >
> > >     Service principal
> > >     krbtgt/BOM.MH.IN
> > >     DNS/db-server.bom.mh...@bom.mh.in
> > >
> > > As the principal being used by samba_dnsupdate in case of Bind doesn't contain the domain name at its end, can this be the reason for the TKEY failure? Why is there a difference in the principal names requested by samba_dnsupdate in case of Bind and internal DNS?
> > >
> > > PS: I couldn't go ahead with samba's internal DNS because there I got a TSIG verify failure as already posted here: http://permalink.gmane.org/gmane.network.samba.general/127722
> > >
> > > Thank you folks for the awesome work!
> > >
> > > Regards,
> > > Tushar
Re: [Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable
This probably means that bind can't read your dns keytab file. Make sure you have

    tkey-gssapi-keytab /path to/dns.keytab;

in the options section of your bind config. Then make sure it's readable by the bind user; you might start by making the file 666 and then sort it out later. In my case I set it chmod 600 and chown it to the user bind, which is way more secure.

Also your dns.keytab file should have a lot of entries in it:

    klist -k /usr/local/samba/private/dns.keytab
    Keytab name: FILE:/usr/local/samba/private/dns.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 DNS/host.domain.local@DOMAIN.LOCAL
       1 dns-host@DOMAIN.LOCAL
       1 DNS/host.domain.local@DOMAIN.LOCAL
       1 dns-host@DOMAIN.LOCAL
       1 DNS/host.domain.local@DOMAIN.LOCAL
       1 dns-host@DOMAIN.LOCAL
       1 DNS/host.domain.local@DOMAIN.LOCAL
       1 dns-host@DOMAIN.LOCAL
       1 DNS/host.domain.local@DOMAIN.LOCAL
       1 dns-host@DOMAIN.LOCAL

On Sun, Dec 9, 2012 at 3:52 PM, Tushar Dalvi tushar.dalvi.sa...@gmail.com wrote:

> Hi,
> I am trying to run samba with bind_dlz (bind-9.9.1-P1) on a multi-homed network. I have configured the setup as per Samba4 Howto. But when I try to do samba_dnsupdate --all-names it fails with error:
>
>     dns_tkey_negotiategss: TKEY is unacceptable
>
> The kerberos ticket being used by samba_dnsupdate shows the following principals:
>
>     klist -c /tmp/tmp6cxfgY
>     Ticket cache: FILE:/tmp/tmp6cxfgY
>     Default principal: DB-SERVER$@BOM.MH.IN
>     Service principal
>     krbtgt/BOM.MH.IN
>     DNS/db-ser...@bom.mh.in
>
> Whereas the dns.keytab shows the following principals (repeated for multiple encryption algorithms):
>
>     klist -k private/dns.keytab:
>     DNS/db-server.bom.mh...@bom.mh.in
>     dns-db-ser...@bom.mh.in
>
> Wireshark shows that samba_dnsupdate requests TGS-REQ for DNS/db-ser...@bom.mh.in
>
> I retried this thing with samba's internal DNS and there samba_dnsupdate requests for DNS/db-server.bom.mh...@bom.mh.in. In case of the internal server the ticket cache shows up like:
>
>     Service principal
>     krbtgt/BOM.MH.IN
>     DNS/db-server.bom.mh...@bom.mh.in
>
> As the principal being used by samba_dnsupdate in case of Bind doesn't contain the domain name at its end, can this be the reason for the TKEY failure? Why is there a difference in the principal names requested by samba_dnsupdate in case of Bind and internal DNS?
>
> PS: I couldn't go ahead with samba's internal DNS because there I got a TSIG verify failure as already posted here: http://permalink.gmane.org/gmane.network.samba.general/127722
>
> Thank you folks for the awesome work!
>
> Regards,
> Tushar
[Samba] Samba and SSH
Hello,

I've had this working before, but I can't seem to get it working again. I'm trying to get ssh to authenticate between my hosts on my local networks. KDC is samba, and I can kinit on all my hosts, but SSHd on all my hosts has a weird problem: when I run sshd -d everything looks normal until:

    debug1: attempt 1 failures 0 [preauth]
    debug1: Unspecified GSS failure.  Minor code may provide more information
    No key table entry found matching host/host.domain.local@

Note nothing after the @ sign. I thought this was a DNS resolution issue but both hosts resolve forward and reverse. So I have no idea why it wouldn't put @DOMAIN.LOCAL at the end. For what it's worth here's my krb5.conf:

    [domain_realm]
        .domain.local = DOMAIN.LOCAL
        domain.local = DOMAIN.LOCAL

    [libdefaults]
        default_realm = DOMAIN.LOCAL
        dns_lookup_realm = true
        dns_lookup_kdc = true
        forwardable = true
        proxiable = true

    [realms]
        DOMAIN.LOCAL = {
            kdc = kdc.domain.local:88
        }

    [v4 domain_realm]
        .domain.local = DOMAIN.LOCAL
        domain.local = DOMAIN.LOCAL

I am also not sure if this is a samba issue or an SSH issue, but I've tried messing around with DNS, krb5.conf and SSH, and no matter what I do the kerb domain never gets added. What am I missing?

Thanks
[Samba] File permissions
Hi,

I recently rebuilt my Domain controller and after working on it it seems that file permissions with the new Samba file server are not the same, and I'm wondering if this is expected. If I do this in smb.conf:

    server services = +smb -dns -s3fs
    dcerpc endpoint servers = +winreg +srvsvc

then when a windows user creates a file using samba on my server the file is created using that user's uid. If I remove those lines (except the -dns), when the windows user creates the file it is created with a uid of 30:

    middleearth:/home/samba/public$ ls -l
    total 503608
    ...
    drwxr-sr-x  2 dumaresq users 4096 Dec  8 11:47 New folder
    drwxrwsrwx+ 2 300      users 4096 Dec  8 11:55 New folder (2)
    ...

The first file was created with

    server services = +smb -dns -s3fs
    dcerpc endpoint servers = +winreg +srvsvc

and the second with just -dns. I am wondering if this is expected: is the new way to create a file that nobody owns and then change the ACLs so the correct people have access, or is something wrong with my setup?

Thanks
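The post above shows two directory entries that differ in owner and mode. The following is an added example (not Samba code, not the poster's own) of the kind of audit a share administrator would run over `ls -l` output to catch exactly those two symptoms: an entry owned by a raw numeric uid that no local account maps to, and an entry that is world-writable. The sample listing is constructed from the two lines quoted in the post; the set of expected owners is an assumption supplied by the caller.

```python
import re

# One GNU `ls -l` entry: mode, optional '+' (an extended ACL is present), link count,
# owner, group, size, three date/time fields, then the name (which may contain spaces).
LS_LINE = re.compile(
    r"^(?P<mode>[dl-][rwxsStT-]{9})(?P<acl>\+?)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$")


def audit_share_listing(listing: str, expected_owners: set) -> dict:
    """Findings per entry name; entries with nothing to report are left out."""
    findings = {}
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # "total ...", "..." and blank lines carry no entry
        notes = []
        owner = m["owner"]
        if owner.isdigit():
            notes.append(f"owner shown as raw uid {owner}: no passwd entry maps it to a name, so the "
                         "SID-to-uid mapping that created it points at no local account")
        elif owner not in expected_owners:
            notes.append(f"owner {owner} is not in the expected set")
        if m["mode"][8] == "w":          # the 'other' write bit
            notes.append("world-writable")
        if m["acl"] == "+":
            notes.append("extended ACL present; the mode bits alone do not show the effective access (see getfacl)")
        if notes:
            findings[m["name"]] = notes
    return findings


# Constructed from the two `ls -l` lines quoted in the post above.
SAMPLE_LISTING = """\
total 503608
...
drwxr-sr-x  2 dumaresq users 4096 Dec  8 11:47 New folder
drwxrwsrwx+ 2 300      users 4096 Dec  8 11:55 New folder (2)
...
"""

if __name__ == "__main__":
    for name, notes in audit_share_listing(SAMPLE_LISTING, {"dumaresq"}).items():
        print(name)
        for note in notes:
            print("  -", note)
```

Run against the real share, `ls -l /home/samba/public` piped into `audit_share_listing`, the first folder reports nothing and the second reports all three findings; the `+` note matters because the `rwx` bits for "other" may be narrowed or widened by the POSIX ACL that Samba wrote.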
Re: [Samba] ldapsearch with samba4 (now a question about SASL and ldaps
On 4/25/2011 10:14 AM, Matthieu Patou wrote:
> Hello Andrew,
> What is -Z supposed to do?

-Z and ldaps are pretty much the same thing as I recall... basically putting ldapsearch in SSL or TLS...

> Have a look at ldbsearch (our ldap-like search tool). Can you try
>
>     ldbsearch -H ldaps://name_of_your_dc -k 1
>
> It should work to do GSSAPI (kerberos) and ldaps, at least it works for me! Can you also try
>
>     ldbsearch -H ldaps://name_of_your_dc -U user_in_the_ad

ldbsearch does work, but I am trying to use ldap pam, which basically does ldapsearch, so this solution won't work for me.
Re: [Samba] Using groups with windows
On 4/24/2011 12:45 PM, A.Dura wrote:
> Hi,
> we are using samba with ldap for our pdc. And I was told by another admin that when you use a windows server, you can only get the Domain Users and Domain Admins groups from the samba/ldap pdc. So I tried to add a group, which I know exists on the server, to my windows server, but windows couldn't find it. Is there a way to make other groups than domain users and domain admins usable under windows?
>
> Regards,
> adura

Which version of Samba are you using? I was able to get quite a few groups out of LDAP from samba4, but I had to add these entries to my ldap.conf:

    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member

I also needed to add GID and a password value into the sam.ldb entries that I wanted to flow. In the end I found that some groups hung (not sure why) and the setup caused problems when I installed software (because groupadd doesn't work right). So I turned off getting groups from ldap. I am getting my users from ldap and this works well (except I can't get ssl to work).

If you are using Samba3 there are lots of guides on how to do it...
Re: [Samba] ldapsearch with samba4 (now a question about SASL and ldaps
On 4/23/2011 2:34 PM, Andrew Dumaresq wrote:
> Hi,
> I've got ldapsearch mostly working:
>
>     root@morannon:/usr/local/samba/private/tls# ldapsearch '(sAMAccountName=dumaresq)'
>     SASL/GSSAPI authentication started
>     SASL username: administrator@XXX
>     SASL SSF: 56
>     SASL data security layer installed.
>     # extended LDIF
>     #
>     # LDAPv3
>     # base (default) with scope subtree
>     # filter: (sAMAccountName=dumaresq)
>     # requesting: ALL
>     # results in here...
>     # search result
>     search: 5
>     result: 0 Success
>     # numResponses: 2
>     # numEntries: 1
>
> I cannot get ldapsearch -Z or ldaps working:
>
>     ldapsearch '(sAMAccountName=dumaresq)' -Z
>     SASL/GSSAPI authentication started
>     ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>             additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
>
> Here is what I get in samba.log when I did that command:
>
>     [2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
>       ldb_wrap open of secrets.ldb
>     [2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
>       ldb_wrap open of secrets.ldb
>     [2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
>       ldb_wrap open of secrets.ldb
>     [2011/04/23 14:29:56,  3] ../source4/smbd/service_stream.c:62(stream_terminate_connection)
>       Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>     [2011/04/23 14:29:56,  3] ../source4/smbd/process_single.c:104(single_terminate)
>       single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> I'm not sure where to go from here. I've tried several different options in /etc/ldap/ldap.conf and I always get that error, unless I comment out
>
>     #TLS_REQCERT allow
>
> then I get:
>
>     ldapsearch '(sAMAccountName=dumaresq)' -Z
>     ldap_start_tls: Connect error (-11)
>             additional info: (unknown error code)
>     ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>             additional info: (unknown error code)

Update...

I did get ldaps and -Z working, but I can't do it with SASL. I can't find docs that say, but is it possible that SASL (GSSAPI) and ldaps are not compatible?

    ldapsearch -H ldaps://ldapserver.domain -Y GSSAPI
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
            additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used

    dumaresq@morannon:~$ ldapsearch -H ldaps://ldapserver.domain -D 'CN=Administrator,CN=Users,DC=dumaresq,DC=local' -w AdminsPassword '(sAMAccountName=dumaresq)'
    # extended LDIF
    #
    # LDAPv3
    # base (default) with scope subtree
    # filter: (sAMAccountName=dumaresq)
    # requesting: ALL
    # (response in here)
    # numResponses: 2
    # numEntries: 1

So the question is: are SASL and ldaps not compatible, and if that is the case which is better? I like GSSAPI because I don't need to store passwords on the system, but I'm not clear on how encrypted the data being transmitted is. I did a packet capture and I do see some data that doesn't look like clear text, but that's all I know for sure :)

Comments, suggestions?
[Samba] ldapsearch with samba4
Hi,

I've got ldapsearch mostly working:

    root@morannon:/usr/local/samba/private/tls# ldapsearch '(sAMAccountName=dumaresq)'
    SASL/GSSAPI authentication started
    SASL username: administrator@XXX
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base (default) with scope subtree
    # filter: (sAMAccountName=dumaresq)
    # requesting: ALL
    # results in here...
    # search result
    search: 5
    result: 0 Success
    # numResponses: 2
    # numEntries: 1

I cannot get ldapsearch -Z or ldaps working:

    ldapsearch '(sAMAccountName=dumaresq)' -Z
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
            additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used

Here is what I get in samba.log when I did that command:

    [2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
      ldb_wrap open of secrets.ldb
    [2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
      ldb_wrap open of secrets.ldb
    [2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
      ldb_wrap open of secrets.ldb
    [2011/04/23 14:29:56,  3] ../source4/smbd/service_stream.c:62(stream_terminate_connection)
      Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    [2011/04/23 14:29:56,  3] ../source4/smbd/process_single.c:104(single_terminate)
      single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

I'm not sure where to go from here. I've tried several different options in /etc/ldap/ldap.conf and I always get that error, unless I comment out

    #TLS_REQCERT allow

then I get:

    ldapsearch '(sAMAccountName=dumaresq)' -Z
    ldap_start_tls: Connect error (-11)
            additional info: (unknown error code)
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
            additional info: (unknown error code)

with:

    [2011/04/23 14:31:29,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
      ldb_wrap open of secrets.ldb
    [2011/04/23 14:31:29,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
      ldb_wrap open of secrets.ldb
    [2011/04/23 14:31:29,  1] ../source4/lib/tls/tls_tstream.c:542(tstream_tls_retry_read)
      TLS ../source4/lib/tls/tls_tstream.c:542 - A record packet with illegal version was received.
    [2011/04/23 14:31:29,  3] ../source4/smbd/service_stream.c:62(stream_terminate_connection)
      Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR'
    [2011/04/23 14:31:29,  3] ../source4/smbd/process_single.c:104(single_terminate)
      single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]

in samba.log. Neither of those is helpful. I've tried stracing, but I don't see any errors. I believe this is a cert issue, but I'm not sure exactly what the cert issue is.

Thanks
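The ldapsearch thread above (this post, the follow-up with the ldaps:// runs, and Matthieu's ldbsearch reply) turns on one question: how well is the LDAP session protected in each configuration? The transcripts already contain the answer in the `SASL SSF:`, `SASL data security layer installed.` and `Sign or Seal are not allowed if TLS is used` lines. The following is an added example (not OpenLDAP, Samba, or the poster's code) that reads an ldapsearch transcript and states the protection that was actually negotiated. The caller must say whether the command used `ldaps://` or `-Z`, because the transcript alone does not record that; `MIN_SSF` is a policy value assumed for this example, not a default of either project; the transcripts are constructed from the output quoted in the posts.

```python
import re

SASL_MECH = re.compile(r"^SASL/(\S+) authentication started")
SASL_SSF = re.compile(r"^SASL SSF: (\d+)")
SASL_LAYER = re.compile(r"^SASL data security layer installed")
SEAL_OVER_TLS = re.compile(r"Sign or Seal are not allowed if TLS is used")
MIN_SSF = 128  # policy assumption for this example: SSF is nominally effective key bits, 56 is DES-class


def audit_ldapsearch(transcript: str, tls: bool) -> dict:
    """Summarise the protection of one ldapsearch session.

    `tls` says whether the client used ldaps:// or -Z (StartTLS); the transcript does not show it.
    """
    r = {"mechanism": None, "ssf": 0, "sasl_layer": False, "tls": tls,
         "bind_refused": False, "verdict": ""}
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := SASL_MECH.match(line):
            r["mechanism"] = m.group(1)
        elif m := SASL_SSF.match(line):
            r["ssf"] = int(m.group(1))
        elif SASL_LAYER.match(line):
            r["sasl_layer"] = True
        elif SEAL_OVER_TLS.search(line):
            r["bind_refused"] = True
    if r["bind_refused"]:
        r["verdict"] = ("bind refused: a GSSAPI sign/seal layer was negotiated on top of TLS; rerun with "
                        "the SASL layer disabled (ldapsearch -O maxssf=0) and let TLS protect the session")
    elif tls:
        r["verdict"] = ("protected by TLS; make sure the client verifies the server certificate "
                        "(TLS_REQCERT demand, not allow, which accepts a bad certificate)")
    elif r["sasl_layer"] and r["ssf"] >= MIN_SSF:
        r["verdict"] = f"protected by the SASL security layer (SSF {r['ssf']})"
    elif r["sasl_layer"]:
        r["verdict"] = f"SASL layer installed, but SSF {r['ssf']} is below the policy minimum of {MIN_SSF}"
    else:
        r["verdict"] = "no confidentiality layer: the bind and the results cross the network in clear"
    return r


# Constructed from the ldapsearch output quoted in the posts above.
PLAIN_GSSAPI = """\
SASL/GSSAPI authentication started
SASL username: administrator@XXX
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
# numEntries: 1
"""
GSSAPI_OVER_TLS = """\
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
"""
SIMPLE_BIND = """\
# extended LDIF
# numResponses: 2
# numEntries: 1
"""

if __name__ == "__main__":
    for label, text, tls in [("GSSAPI on ldap://", PLAIN_GSSAPI, False),
                             ("GSSAPI on ldaps://", GSSAPI_OVER_TLS, True),
                             ("simple bind on ldaps://", SIMPLE_BIND, True),
                             ("simple bind on ldap://", SIMPLE_BIND, False)]:
        print(f"{label}: {audit_ldapsearch(text, tls)['verdict']}")
```

The first transcript is the one the post calls "mostly working": the packet capture looked encrypted because GSSAPI installed a security layer, but the SSF it reports is the SASL library's estimate, not proof of the Kerberos cipher in use. The `-D ... -w AdminsPassword` run is only safe because it went over `ldaps://`; the same command on plain `ldap://` lands in the last branch.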
Re: [Samba] KDC and samba4
Got it and it seems to work exactly as it should! Thanks!

On 4/17/2011 8:55 AM, Matthieu Patou wrote:
> On 17/04/2011 04:13, Andrew Dumaresq wrote:
> > Hi,
> > I'm using GIT pull from a few days ago. I am trying to get ssh working with kerberos when samba is the KDC. I am having trouble getting my machine keytabs to work. Here's some of the problems I have:
> >
> > 1)
> >
> >     root@morannon:~# samba-tool export keytab /tmp/test.keytab
> >     added interface ip=192.168.1.11 nmask=255.255.255.0
> >     added interface ip=127.0.0.1 nmask=255.0.0.0
> >     added interface ip=192.168.1.11 nmask=255.255.255.0
> >     added interface ip=127.0.0.1 nmask=255.0.0.0
> >     ldb_wrap open of secrets.ldb
> >     root@morannon:~# klist -k -t /tmp/test.keytab
> >     Keytab name: WRFILE:/tmp/test.keytab
> >     KVNO Timestamp         Principal
> >     ---- ----------------- --------------------------------------------------------
> >        1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
> >        2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
> >        2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
> >        2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
> >        3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
> >        3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
> >        3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
> >        4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
> >        4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
> >        4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
> >        3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
> >        3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
> >        3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
> >        3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
> >        3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
> >        3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
> >        4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
> >        4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
> >        4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
> >        1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
> >     root@morannon:~# samba-tool machinepw 'MORANNON$@DUMARESQ.LOCAL'
> >     ldb_wrap open of secrets.ldb
> >     ERROR: search returned 0 records, expected 1
> >     root@morannon:~# samba-tool machinepw 'MORANNON$'
> >     ldb_wrap open of secrets.ldb
> >     ERROR: search returned 0 records, expected 1
>
> There was a bug: the command would only succeed when you are in the path where the secrets.ldb file is. I pushed a fix in autobuild for this; normally it should land in the master tree of Samba soon.
>
> > 2) (This is likely related to my previous problem) I extracted the host keytab from Samba (using ktpass.sh with no password) and put the extracted info in /etc/krb5.keytab
>
> Strange, normally you should provide a password or --password *
>
> >     klist -k
> >     Keytab name: WRFILE:/etc/krb5.keytab
> >     KVNO Principal
> >     ---- --------------------------------------------------------------------------
> >        1 host/morannon.dumaresq.local@DUMARESQ.LOCAL
> >
> > but when I try to use that to run kinit I get this:
> >
> >     kinit -k
> >     kinit: Client 'host/morannon.dumaresq.local@DUMARESQ.LOCAL' not found in Kerberos database while getting initial credentials
>
> Not sure whether it's a bug or if it's normal, but I noticed that you can't get a TGT ticket when you use a keytab with just a servicePrincipalName; you should be able though to get one for the SPN in the keytab.
>
> Matthieu.
[Samba] KDC and samba4
Hi,

I'm using GIT pull from a few days ago. I am trying to get ssh working with kerberos when samba is the KDC. I am having trouble getting my machine keytabs to work. Here's some of the problems I have:

1)

    root@morannon:~# samba-tool export keytab /tmp/test.keytab
    added interface ip=192.168.1.11 nmask=255.255.255.0
    added interface ip=127.0.0.1 nmask=255.0.0.0
    added interface ip=192.168.1.11 nmask=255.255.255.0
    added interface ip=127.0.0.1 nmask=255.0.0.0
    ldb_wrap open of secrets.ldb
    root@morannon:~# klist -k -t /tmp/test.keytab
    Keytab name: WRFILE:/tmp/test.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 dumareja@DUMARESQ.LOCAL
       2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
       2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
       2 04/16/11 20:04:19 dumaresq@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 emma@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 julia@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 ANCALAGON$@DUMARESQ.LOCAL
       3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
       3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
       3 04/16/11 20:04:19 ARAGORN$@DUMARESQ.LOCAL
       4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
       4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
       4 04/16/11 20:04:19 GANDALF$@DUMARESQ.LOCAL
       3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
       3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
       3 04/16/11 20:04:19 GOLLUM$@DUMARESQ.LOCAL
       3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
       3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
       3 04/16/11 20:04:19 ARWEN$@DUMARESQ.LOCAL
       4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
       4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
       4 04/16/11 20:04:19 FRODO$@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 Administrator@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
       1 04/16/11 20:04:19 krbtgt@DUMARESQ.LOCAL
    root@morannon:~# samba-tool machinepw 'MORANNON$@DUMARESQ.LOCAL'
    ldb_wrap open of secrets.ldb
    ERROR: search returned 0 records, expected 1
    root@morannon:~# samba-tool machinepw 'MORANNON$'
    ldb_wrap open of secrets.ldb
    ERROR: search returned 0 records, expected 1

2) (This is likely related to my previous problem) I extracted the host keytab from Samba (using ktpass.sh with no password) and put the extracted info in /etc/krb5.keytab

    klist -k
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 host/morannon.dumaresq.local@DUMARESQ.LOCAL

but when I try to use that to run kinit I get this:

    kinit -k
    kinit: Client 'host/morannon.dumaresq.local@DUMARESQ.LOCAL' not found in Kerberos database while getting initial credentials

I've tried both capital and not capital HOST, I've tried every combination of FQDNs and such; none of it seems to help. As a result I can't use ssh to connect using kerberos.

Just to make sure I didn't have a DNS issue or something like that, I shut down samba and installed a standard kdc and I was able to get everything working just fine. This obviously breaks samba quite badly, and as far as I can tell samba4 can't use external kerberos.

Any ideas?

Thanks
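Three of the threads on this page come down to a principal in one place not matching a principal in another: samba_dnsupdate asking the KDC for `DNS/host@DOMAIN.LOCAL` while dns.keytab holds `DNS/host.domain.local@DOMAIN.LOCAL`, sshd looking for `host/host.domain.local@` with an empty realm, and `kinit -k` failing against a krb5.keytab that holds only a `host/...` SPN, which Matthieu explains above cannot obtain a TGT from the Samba KDC. The following is an added example (not Samba, MIT or Heimdal code, and not the posters' own) that parses `klist -k` output and reports those three mismatches explicitly, so the diagnosis does not depend on spotting a missing suffix by eye. The keytab listings are constructed from the ones quoted in the posts, shortened to one entry per principal; the realm-less form of the sshd lookup comes from the "No key table entry found" line in the SSH post.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal split into service, instance and realm."""
    service: Optional[str]  # "DNS", "host", ... or None for a plain account principal
    instance: str           # host name of a service principal, or the account name
    realm: str              # "" when the client could not work out a realm

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, sep, realm = text.rpartition("@")
        if not sep:
            raise ValueError(f"no '@' in principal {text!r}")
        if "/" in name:
            service, instance = name.split("/", 1)
            return cls(service, instance, realm)
        return cls(None, name, realm)

    def short_host(self) -> str:
        return self.instance.split(".", 1)[0].lower()

    def __str__(self) -> str:
        head = f"{self.service}/{self.instance}" if self.service else self.instance
        return f"{head}@{self.realm}"


def parse_keytab_listing(listing: str) -> list:
    """Entries of `klist -k` or `klist -k -t` output as (kvno, Principal): the KVNO is the
    first column and the principal the last, whether or not a timestamp sits between."""
    entries = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[-1]:
            entries.append((int(parts[0]), Principal.parse(parts[-1])))
    return entries


def diagnose_service_principal(requested: str, keytab_listing: str) -> list:
    """Explain why the SPN a client asked the KDC for does not line up with a keytab."""
    req = Principal.parse(requested)
    keytab = {p for _, p in parse_keytab_listing(keytab_listing)}
    findings = []
    if not req.realm:
        findings.append("empty realm: the client could not map the host name to a realm "
                        "(check [domain_realm] in krb5.conf and forward/reverse DNS)")
    if req in keytab:
        findings.append(f"exact keytab entry for {req}")
        return findings
    service = (req.service or "").lower()
    same_service = sorted((p for p in keytab if p.service and p.service.lower() == service), key=str)
    related = []
    for p in same_service:
        if p.instance.lower() == req.instance.lower():
            related.append(f"realm mismatch: client asked for {req}, keytab holds {p}")
        elif p.short_host() == req.short_host():
            related.append(f"short-name vs FQDN mismatch: client asked for {req}, keytab holds {p}")
    if related:
        findings.extend(related)
    elif same_service:
        findings.append(f"keytab holds {req.service} entries only for other hosts: "
                        + ", ".join(str(p) for p in same_service))
    else:
        findings.append(f"keytab holds no {req.service or 'matching account'} principal at all")
    return findings


def kinit_candidates(keytab_listing: str) -> list:
    """Principals naming an account rather than a service: against the Samba KDC these are the
    ones `kinit -k` can use for a TGT (a keytab holding only host/... SPNs gives 'Client not found')."""
    names = []
    for _, p in parse_keytab_listing(keytab_listing):
        if p.service is None and str(p) not in names:
            names.append(str(p))
    return names


# Constructed from the klist output quoted in the posts above, one entry per principal.
DC_KEYTAB = """\
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/host.domain.local@DOMAIN.LOCAL
   1 dns-host@DOMAIN.LOCAL
   1 host/host.domain.local@DOMAIN.LOCAL
"""
HOST_ONLY_KEYTAB = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
   1 host/morannon.dumaresq.local@DUMARESQ.LOCAL
"""
EXPORTED_KEYTAB = """\
Keytab name: WRFILE:/tmp/test.keytab
KVNO Timestamp         Principal
   1 04/16/11 20:04:19 MORANNON$@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 host/morannon.dumaresq.local@DUMARESQ.LOCAL
   1 04/16/11 20:04:19 dns-morannon@DUMARESQ.LOCAL
"""

if __name__ == "__main__":
    for req in ("DNS/host@DOMAIN.LOCAL",        # the samba_dnsupdate / TKEY case
                "host/host.domain.local@"):     # the sshd "No key table entry found" case
        print(req, *diagnose_service_principal(req, DC_KEYTAB), sep="\n  ")
    print("kinit -k candidates in /etc/krb5.keytab:", kinit_candidates(HOST_ONLY_KEYTAB) or "none, SPNs only")
    print("kinit -k candidates in the export:", kinit_candidates(EXPORTED_KEYTAB))
```

On a live system feed it `klist -k /path/to/keytab` output and the principal from the failing client's log or `klist -c` cache. The `host/...` entry in `DC_KEYTAB` is there only so the sshd case has something to compare against; the point of `kinit_candidates` is that the same host's keytab is useful for accepting connections but, as Matthieu notes above, not for `kinit -k` unless it also carries the `MORANNON$`-style account principal.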
Re: [Samba] libwbclient not found
This seems to be either an issue with maverick or with the PPA sources. I upgraded to natty (the dev version) and built samba from the GIT sources; it seems to be fine now...

On Thu, Jan 20, 2011 at 4:14 PM, Andrew Dumaresq dumar...@gmail.com wrote:

> Hi,
> I've just done a fresh install of ubuntu maverick. I added the PPA sources
>
>     deb http://ppa.launchpad.net/samba-team/ppa/ubuntu maverick main
>     deb-src http://ppa.launchpad.net/samba-team/ppa/ubuntu maverick main
>
> and installed Samba4. For some reason samba can't find libwbclient:
>
>     root@morannon:/etc/apt/sources.list.d# ldd -d -r /usr/sbin/samba
>         linux-vdso.so.1 => (0x7fff0dbff000)
>         libsamba-util.so.0 => /usr/lib/libsamba-util.so.0 (0x7f2229b84000)
>         libauth.so => /usr/lib/samba/libauth.so (0x7f2229971000)
>         libcluster.so => /usr/lib/samba/libcluster.so (0x7f222976d000)
>         libsamba-hostconfig.so.0 => /usr/lib/libsamba-hostconfig.so.0 (0x7f2229557000)
>         libcredentials.so => /usr/lib/samba/libcredentials.so (0x7f2229344000)
>         libldbsamba.so => /usr/lib/samba/libldbsamba.so (0x7f2229119000)
>         libservice.so => /usr/lib/samba/libservice.so (0x7f2228f0b000)
>         libntvfs.so => /usr/lib/samba/libntvfs.so (0x7f2228ca2000)
>         libndr.so.0 => /usr/lib/libndr.so.0 (0x7f2228a89000)
>         libprocess_model.so => /usr/lib/samba/libprocess_model.so (0x7f2228886000)
>         libevents.so => /usr/lib/samba/libevents.so (0x7f2228684000)
>         libgensec.so.0 => /usr/lib/libgensec.so.0 (0x7f2228459000)
>         libdcerpc.so.0 => /usr/lib/libdcerpc.so.0 (0x7f222818b000)
>         liberrors.so => /usr/lib/samba/liberrors.so (0x7f2227f06000)
>         libsamdb.so.0 => /usr/lib/libsamdb.so.0 (0x7f2227cf1000)
>         libndr-samba4.so => /usr/lib/samba/libndr-samba4.so (0x7f22278fa000)
>         libsamdb-common.so => /usr/lib/samba/libsamdb-common.so (0x7f22276d4000)
>         libroken.so.18 => /usr/lib/libroken.so.18 (0x7f22274bf000)
>         libldb.so.0 => /usr/lib/libldb.so.0 (0x7f2227287000)
>         libtalloc.so.2 => /usr/lib/libtalloc.so.2 (0x7f222707c000)
>         libpopt.so.0 => /lib/libpopt.so.0 (0x7f2226e6f000)
>         libtevent.so.0 => /usr/lib/libtevent.so.0 (0x7f2226c63000)
>         libpthread.so.0 => /lib/libpthread.so.0 (0x7f2226a46000)
>         libc.so.6 => /lib/libc.so.6 (0x7f22266c2000)
>         librt.so.1 => /lib/librt.so.1 (0x7f22264ba000)
>         libwbclient.so => not found
>         libsamba-sockets.so => /usr/lib/samba/libsamba-sockets.so (0x7f222629f000)
>         libdcerpc-samba4.so => /usr/lib/samba/libdcerpc-samba4.so (0x7f2226099000)
>         libcli-ldap.so => /usr/lib/samba/libcli-ldap.so (0x7f2225e81000)
>         libsecurity.so => /usr/lib/samba/libsecurity.so (0x7f2225c63000)
>         libauthkrb5.so => /usr/lib/samba/libauthkrb5.so (0x7f2225a48000)
>         libpam.so.0 => /lib/libpam.so.0 (0x7f222583b000)
>         libtdb-wrap.so => /usr/lib/samba/libtdb-wrap.so (0x7f2225637000)
>         libdl.so.2 => /lib/libdl.so.2 (0x7f2225433000)
>         libgssapi-samba4.so.2 => /usr/lib/samba/libgssapi-samba4.so.2 (0x7f22251f2000)
>         libkrb5-samba4.so.26 => /usr/lib/samba/libkrb5-samba4.so.26 (0x7f2224e9a000)
>         libcom_err.so.2 => /lib/libcom_err.so.2 (0x7f2224c96000)
>         libtdb.so.1 => /usr/lib/libtdb.so.1 (0x7f2224a86000)
>         libndr-samba.so => /usr/lib/samba/libndr-samba.so (0x7f2224767000)
>         libwrap_xattr.so => /usr/lib/samba/libwrap_xattr.so (0x7f2224564000)
>         libshares.so => /usr/lib/samba/libshares.so (0x7f222435b000)
>         libcli-nbt.so => /usr/lib/samba/libcli-nbt.so (0x7f222414e000)
>         libndr-standard.so.0 => /usr/lib/libndr-standard.so.0 (0x7f2223b9d000)
>         libcrypt.so.1 => /lib/libcrypt.so.1 (0x7f2223964000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x7f222374a000)
>         /lib64/ld-linux-x86-64.so.2 (0x7f2229dba000)
>         libnetif.so => /usr/lib/samba/libnetif.so (0x7f2223546000)
>         libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x7f22232cd000)
>         libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x7f222302b000)
>         libasn1.so.8 => /usr/lib/libasn1.so.8 (0x7fd9d000)
>         libhx509.so.5 => /usr/lib/libhx509.so.5 (0x7fb57000)
>         libwind.so.0 => /usr/lib/libwind.so.0 (0x7f92e000)
>         libz.so.1 => /lib/libz.so.1 (0x7f715000)
>         libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x7f511000)
>         libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x7f2ff000)
>         libhcrypto.so.4 => /usr/lib/libhcrypto.so.4 (0x7f0cc000)
>     undefined symbol: wbcErrorString (/usr/lib/samba/libauth.so)
>     undefined symbol: wbcFreeMemory (/usr/lib/samba/libauth.so)
>     undefined symbol: wbcAuthenticateUserEx (/usr/lib/samba/libauth.so)
>
> I find this odd as:
>
>     ls -l /usr/lib/libwbclient.so.0
>     -rw-r--r-- 1 root root
[Samba] libwbclient not found
Hi,

I've just done a fresh install of ubuntu maverick, I added the PPA sources

    deb http://ppa.launchpad.net/samba-team/ppa/ubuntu maverick main
    deb-src http://ppa.launchpad.net/samba-team/ppa/ubuntu maverick main

installed Samba4. For some reason samba can't find libwbclient:

    root@morannon:/etc/apt/sources.list.d# ldd -d -r /usr/sbin/samba
        linux-vdso.so.1 => (0x7fff0dbff000)
        libsamba-util.so.0 => /usr/lib/libsamba-util.so.0 (0x7f2229b84000)
        libauth.so => /usr/lib/samba/libauth.so (0x7f2229971000)
        libcluster.so => /usr/lib/samba/libcluster.so (0x7f222976d000)
        libsamba-hostconfig.so.0 => /usr/lib/libsamba-hostconfig.so.0 (0x7f2229557000)
        libcredentials.so => /usr/lib/samba/libcredentials.so (0x7f2229344000)
        libldbsamba.so => /usr/lib/samba/libldbsamba.so (0x7f2229119000)
        libservice.so => /usr/lib/samba/libservice.so (0x7f2228f0b000)
        libntvfs.so => /usr/lib/samba/libntvfs.so (0x7f2228ca2000)
        libndr.so.0 => /usr/lib/libndr.so.0 (0x7f2228a89000)
        libprocess_model.so => /usr/lib/samba/libprocess_model.so (0x7f2228886000)
        libevents.so => /usr/lib/samba/libevents.so (0x7f2228684000)
        libgensec.so.0 => /usr/lib/libgensec.so.0 (0x7f2228459000)
        libdcerpc.so.0 => /usr/lib/libdcerpc.so.0 (0x7f222818b000)
        liberrors.so => /usr/lib/samba/liberrors.so (0x7f2227f06000)
        libsamdb.so.0 => /usr/lib/libsamdb.so.0 (0x7f2227cf1000)
        libndr-samba4.so => /usr/lib/samba/libndr-samba4.so (0x7f22278fa000)
        libsamdb-common.so => /usr/lib/samba/libsamdb-common.so (0x7f22276d4000)
        libroken.so.18 => /usr/lib/libroken.so.18 (0x7f22274bf000)
        libldb.so.0 => /usr/lib/libldb.so.0 (0x7f2227287000)
        libtalloc.so.2 => /usr/lib/libtalloc.so.2 (0x7f222707c000)
        libpopt.so.0 => /lib/libpopt.so.0 (0x7f2226e6f000)
        libtevent.so.0 => /usr/lib/libtevent.so.0 (0x7f2226c63000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x7f2226a46000)
        libc.so.6 => /lib/libc.so.6 (0x7f22266c2000)
        librt.so.1 => /lib/librt.so.1 (0x7f22264ba000)
        libwbclient.so => not found
        libsamba-sockets.so => /usr/lib/samba/libsamba-sockets.so (0x7f222629f000)
        libdcerpc-samba4.so => /usr/lib/samba/libdcerpc-samba4.so (0x7f2226099000)
        libcli-ldap.so => /usr/lib/samba/libcli-ldap.so (0x7f2225e81000)
        libsecurity.so => /usr/lib/samba/libsecurity.so (0x7f2225c63000)
        libauthkrb5.so => /usr/lib/samba/libauthkrb5.so (0x7f2225a48000)
        libpam.so.0 => /lib/libpam.so.0 (0x7f222583b000)
        libtdb-wrap.so => /usr/lib/samba/libtdb-wrap.so (0x7f2225637000)
        libdl.so.2 => /lib/libdl.so.2 (0x7f2225433000)
        libgssapi-samba4.so.2 => /usr/lib/samba/libgssapi-samba4.so.2 (0x7f22251f2000)
        libkrb5-samba4.so.26 => /usr/lib/samba/libkrb5-samba4.so.26 (0x7f2224e9a000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x7f2224c96000)
        libtdb.so.1 => /usr/lib/libtdb.so.1 (0x7f2224a86000)
        libndr-samba.so => /usr/lib/samba/libndr-samba.so (0x7f2224767000)
        libwrap_xattr.so => /usr/lib/samba/libwrap_xattr.so (0x7f2224564000)
        libshares.so => /usr/lib/samba/libshares.so (0x7f222435b000)
        libcli-nbt.so => /usr/lib/samba/libcli-nbt.so (0x7f222414e000)
        libndr-standard.so.0 => /usr/lib/libndr-standard.so.0 (0x7f2223b9d000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x7f2223964000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x7f222374a000)
        /lib64/ld-linux-x86-64.so.2 (0x7f2229dba000)
        libnetif.so => /usr/lib/samba/libnetif.so (0x7f2223546000)
        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x7f22232cd000)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x7f222302b000)
        libasn1.so.8 => /usr/lib/libasn1.so.8 (0x7fd9d000)
        libhx509.so.5 => /usr/lib/libhx509.so.5 (0x7fb57000)
        libwind.so.0 => /usr/lib/libwind.so.0 (0x7f92e000)
        libz.so.1 => /lib/libz.so.1 (0x7f715000)
        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x7f511000)
        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x7f2ff000)
        libhcrypto.so.4 => /usr/lib/libhcrypto.so.4 (0x7f0cc000)
    undefined symbol: wbcErrorString	(/usr/lib/samba/libauth.so)
    undefined symbol: wbcFreeMemory	(/usr/lib/samba/libauth.so)
    undefined symbol: wbcAuthenticateUserEx	(/usr/lib/samba/libauth.so)

I find this odd as:

    ls -l /usr/lib/libwbclient.so.0
    -rw-r--r-- 1 root root 100240 2011-01-07 04:55 /usr/lib/libwbclient.so.0

    ldconfig -v |grep libwb
        libwbclient.so.0 -> libwbclient.so.0

What am I missing?

Thanks
--Andrew
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
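The output above has two distinct signals worth separating: a NEEDED entry the loader could not resolve (`libwbclient.so => not found`) and the symbols that consequently stay undefined in `libauth.so`. The following added example (not from the post, not Samba's code) parses `ldd -d -r` output for both, then compares each unresolved name against the names `ldconfig -p` reports, so that an exact-name miss with a versioned sibling (`libwbclient.so` requested, only `libwbclient.so.0` installed) is called out explicitly. The sample `ldd` and `ldconfig -p` text is constructed from the lines in the post and is not the tools' full output.

```python
"""Pull the failures out of `ldd -d -r` output and match them against the
libraries the ldconfig cache knows about.

Added example; SAMPLE_LDD and SAMPLE_LDCONFIG are constructed from the post.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the `ldd -d -r` output in the post.
SAMPLE_LDD = """\
	libsamba-util.so.0 => /usr/lib/libsamba-util.so.0 (0x7f2229b84000)
	libauth.so => /usr/lib/samba/libauth.so (0x7f2229971000)
	libwbclient.so => not found
	libsamba-sockets.so => /usr/lib/samba/libsamba-sockets.so (0x7f222629f000)
undefined symbol: wbcErrorString	(/usr/lib/samba/libauth.so)
undefined symbol: wbcFreeMemory	(/usr/lib/samba/libauth.so)
undefined symbol: wbcAuthenticateUserEx	(/usr/lib/samba/libauth.so)
"""

# Constructed sample of `ldconfig -p` cache lines ("name (flags) => path").
SAMPLE_LDCONFIG = """\
	libwbclient.so.0 (libc6,x86-64) => /usr/lib/libwbclient.so.0
	libwrap.so.0 (libc6,x86-64) => /lib/libwrap.so.0
"""

NOT_FOUND = re.compile(r"^\s*(\S+)\s*=>\s*not found")
UNDEFINED = re.compile(r"^undefined symbol:\s*(\S+)\s*\((\S+)\)")
CACHE_LINE = re.compile(r"^\s*(\S+)\s*\(.*?\)\s*=>\s*(\S+)")


def parse_ldd(text):
    """Return (unresolved NEEDED names, {object path: [undefined symbols]})."""
    missing, undefined = [], defaultdict(list)
    for line in text.splitlines():
        m = NOT_FOUND.match(line)
        if m:
            missing.append(m.group(1))
            continue
        m = UNDEFINED.match(line)
        if m:
            undefined[m.group(2)].append(m.group(1))
    return missing, dict(undefined)


def parse_ldconfig(text):
    """Return {soname: path} from `ldconfig -p` output."""
    cache = {}
    for line in text.splitlines():
        m = CACHE_LINE.match(line)
        if m:
            cache[m.group(1)] = m.group(2)
    return cache


def base_name(soname):
    """'libwbclient.so.0' -> 'libwbclient.so' (strip the version suffix)."""
    return re.sub(r"(\.so)(\.\d+)*$", r"\1", soname)


def explain_missing(missing, cache):
    """For each NEEDED name ldd could not resolve, list the same-base-name
    files ldconfig has. The runtime loader matches the NEEDED string
    literally, so a request for libfoo.so is never satisfied by libfoo.so.N:
    a non-empty sibling list means the binary (or libauth.so here) was linked
    against an unversioned name that no installed file carries.

    Before fixing this with a symlink, check where the loader would look
    (DT_RPATH/DT_RUNPATH via `readelf -d`, plus LD_LIBRARY_PATH and the
    ldconfig directories): an unresolved NEEDED entry is satisfied by the
    first matching file on that path, so a writable directory there lets
    anyone supply it.
    """
    return {
        need: sorted(p for n, p in cache.items() if base_name(n) == base_name(need))
        for need in missing
    }
```

Run on the constructed sample, `parse_ldd` yields `["libwbclient.so"]` and the three `wbc*` symbols attributed to `/usr/lib/samba/libauth.so`, and `explain_missing` maps `libwbclient.so` to the installed `/usr/lib/libwbclient.so.0`.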
Re: [Samba] Samba4 and group policy password policy
Hi,

I am not sure if this is a bug or a feature with Samba, but what is happening here is the LDAP server has the complexities in LDAP, and changing the Group Policy doesn't seem to have any impact (at least I wasn't able to fix it). I ended up having to manually edit the LDAP server. Sadly I can't remember how I modified ldap now. It was months ago. Probably it would be easier to modify the python script at install time.

--Andrew

On 05/15/2010 02:42 AM, Christophe Deze wrote:

Hello

I had the same problem during my test of samba. I disabled the complexity requirement ... I can't change the password to a simple one. Am I missing something?

thanks

On 14/04/2010 14:31, Santiago Perez Agra wrote:

Hi everyone,

I'm testing Samba4 with the guide posted on the wiki http://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Download_Samba4; all our tests result OK but one of them crashes: Group Policy works OK on a new organizational unit in deploying security tasks over desktop users, but when I create a new user in this OU, with the dsa.msc group policy Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy > "Password must meet complexity requirements" set as Not Defined, when dsa.msc asks you for the new password of the user it answers that you need to meet these restrictions. This can be avoided with the Linux samba command net newuser ... but what happens when a user is asked to change their password because the password age is about to expire?

Our goal is to replace all Windows XP desktops with Ubuntu desktops, but we have a number of desktops where it is not possible to change XP, so we need to implement an AD alternative, and Samba 4 is perfect, with group policy support now.

Thanks a lot in advance to all of you
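The reply above describes the behaviour: the DC enforces the password policy stored as attributes on the domain head in LDAP, and the Group Policy object is not what is being consulted. The following added example (not Samba's code and not from the thread) decodes those attributes, checks a candidate password against the documented AD complexity rule so it is clear why "simple" passwords are refused, and builds the LDIF that clears only the complexity bit of `pwdProperties`. The LDIF entry it reads is constructed: the DN and values are Samba provisioning defaults as assumed here, not taken from the posters' domains, and the complexity check models the three-of-four character-class rule plus the account-name check, not the full Windows rule set (Windows also rejects passwords containing display-name tokens and counts other Unicode letters as a fifth class).

```python
"""Decode the domain-head password-policy attributes a Samba 4 / AD DC
enforces, test a password against the AD complexity rule, and build the LDIF
that relaxes complexity without touching the other pwdProperties bits.

Added example, not Samba's code. SAMPLE_LDIF is constructed.
"""

# pwdProperties bits, from the MS-SAMR DOMAIN_PASSWORD_INFORMATION structure.
DOMAIN_PASSWORD_COMPLEX = 0x1
DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x2
DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x4
DOMAIN_LOCKOUT_ADMINS = 0x8
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
DOMAIN_REFUSE_PASSWORD_CHANGE = 0x20

# AD stores minPwdAge/maxPwdAge as negative counts of 100-ns intervals.
HUNDRED_NS_PER_DAY = 24 * 60 * 60 * 10_000_000

# Constructed sample: an assumed domain DN with Samba-provisioning-style
# defaults (7-char minimum, 24-entry history, 1-day min age, 42-day max age,
# complexity on).
SAMPLE_LDIF = """\
dn: DC=dumaresq,DC=local
minPwdLength: 7
pwdHistoryLength: 24
pwdProperties: 1
minPwdAge: -864000000000
maxPwdAge: -36288000000000
"""


def parse_ldif_entry(text):
    """Minimal single-entry LDIF reader: 'attr: value' lines into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        attrs[key] = value.strip()
    return attrs


def decode_policy(attrs):
    """Turn the raw attributes into the policy the DC applies."""
    props = int(attrs.get("pwdProperties", "0"))
    return {
        "dn": attrs["dn"],
        "complexity": bool(props & DOMAIN_PASSWORD_COMPLEX),
        "min_length": int(attrs.get("minPwdLength", "0")),
        "history": int(attrs.get("pwdHistoryLength", "0")),
        # 0 means "never" / no minimum; negate to get a positive duration.
        "min_age_days": -int(attrs.get("minPwdAge", "0")) / HUNDRED_NS_PER_DAY,
        "max_age_days": -int(attrs.get("maxPwdAge", "0")) / HUNDRED_NS_PER_DAY,
    }


def meets_ad_complexity(password, sam_account_name):
    """Documented AD rule (simplified): the sAMAccountName, if 3+ characters,
    must not appear in the password, and at least three of the four classes
    upper / lower / digit / other must be present."""
    if len(sam_account_name) >= 3 and sam_account_name.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def password_acceptable(password, sam_account_name, policy):
    """What a password change is checked against, given the decoded policy."""
    if len(password) < policy["min_length"]:
        return False
    if policy["complexity"] and not meets_ad_complexity(password, sam_account_name):
        return False
    return True


def complexity_off_ldif(attrs):
    """LDIF 'modify' clearing DOMAIN_PASSWORD_COMPLEX only. Writing a bare
    'pwdProperties: 0' would also drop any other bit that is set."""
    props = int(attrs.get("pwdProperties", "0")) & ~DOMAIN_PASSWORD_COMPLEX
    return (
        f"dn: {attrs['dn']}\n"
        "changetype: modify\n"
        "replace: pwdProperties\n"
        f"pwdProperties: {props}\n"
    )
```

On a Samba 4.0 or later DC the same attributes are read and written by `samba-tool domain passwordsettings show` and `samba-tool domain passwordsettings set --complexity=off`; the LDIF produced by `complexity_off_ldif` is what one would feed to `ldbmodify` against the DC's sam.ldb (path depends on the install prefix) when that tool is not available, which is the manual edit the reply above refers to.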
[Samba] Dynamic DNS failures with Samba4
Hi,

I've used samba3 for years, and it mostly did exactly what I wanted. In the last few weeks I decided to install Samba4. I got it installed and everything seems to be working as expected. I have one small issue, and I'm not really sure if the problem is Samba4, bind, my client PC or something else I haven't considered.

I've got one Linux server, which acts as a Samba (4.0.0alpha9-GIT-27087e6) server and a DNS (BIND 9.6.1-P2) server; it is also my PDC. I've got a number of windows clients, two of which are currently in the Domain.

One PC which is Windows XP can update its DNS entries with no issues:

    17-Jan-2010 15:51:18.042 gss cred: DNS/dumaresq.lo...@dumaresq.local, GSS_C_ACCEPT, 4294965265
    17-Jan-2010 15:51:18.113 gss-api source name (accept) is ganda...@dumaresq.local
    17-Jan-2010 15:51:18.113 process_gsstkey(): dns_tsigerror_noerror

I have another PC which is Windows Vista which cannot update its DNS entries:

    17-Jan-2010 15:54:25.875 gss cred: DNS/dumaresq.lo...@dumaresq.local, GSS_C_ACCEPT, 4294965078
    17-Jan-2010 15:54:25.876 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Wrong principal in request.
    17-Jan-2010 15:54:25.876 process_gsstkey(): dns_tsigerror_badkey

I believe I've got BIND set up correctly since it works for the Windows XP PC, but here are the relevant configs:

    options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        tkey-gssapi-credential "DNS/dumaresq.local";
        tkey-domain "DUMARESQ.LOCAL";
    };

    zone "dumaresq.local" {
        type master;
        file "/etc/bind/dumaresq/db.dumaresq";
        update-policy {
            grant localhost subdomain * A;
            grant DUMARESQ.LOCAL ms-self * A;
        };
    };

    zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/dumaresq/db.192";
        update-policy {
            grant *.LOCAL wildcard *.1.168.192.in-addr.arpa. PTR;
        };
    };

Here's my smb.conf file:

    [globals]
        netbios name = morannon
        workgroup = dumaresq
        realm = dumaresq.local
        server role = domain controller
        log file = /var/log/samba/log.%m
        log level = 2
        debug level = 2
        interfaces = eth1 lo
        bind interfaces only = yes

Is this a problem with Windows Vista? I'm assuming that either Vista can't get the correct credentials from the KDC (which is Samba) or that Samba is delivering the wrong credentials. I see the following entry in the samba logs for the computer that fails:

    [Sun Jan 17 15:09:43 2010 EST, 2 auth/kerberos/krb5_init_context.c:74:smb_krb5_debug_wrapper()] Kerberos: TGS-REQ arago...@dumaresq.local from 192.168.1.222 for DNS/dumaresq.lo...@dumaresq.local [canonicalize, renewable, forwardable]

So I think samba is doing what it should. I'm lost here, anybody have any thoughts?
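Two separate things have to succeed for a GSS-TSIG update: named must first accept the GSS context (the step that fails for the Vista client above with "Wrong principal in request" and `dns_tsigerror_badkey`), and only then is the signer name checked against the zone's `update-policy`. The following added example (not BIND's code and not from the post) models the second step for the three rule types the named.conf above uses, `subdomain`, `wildcard` and `ms-self`, so that it is visible which records a machine account `host$@REALM` may touch under `grant DUMARESQ.LOCAL ms-self * A` and `grant *.LOCAL wildcard *.1.168.192.in-addr.arpa. PTR`. It follows the rule semantics documented in the BIND ARM but simplifies them: identities and names are compared case-insensitively, a wildcard is a single leading `*` label, a `*` name on a `subdomain` rule is treated as "any name", and the signer principal is matched as a DNS name as BIND does for the identity field; the machine names and principals are invented for the example. It does not model the GSS accept step, so it cannot explain the Vista failure, only show what the policy would permit once the context is accepted.

```python
"""Model of BIND update-policy 'grant' evaluation for a GSS-TSIG signer.

Added example, not BIND's code: a simplified model of the ARM semantics for
the subdomain, wildcard and ms-self rule types. Principals and host names
are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    identity: str     # signer name (may be a wildcard), or the realm for ms-self
    nametype: str     # "self", "subdomain", "wildcard" or "ms-self"
    name: str         # target name or pattern; "*" = any (model simplification)
    types: frozenset  # RR types granted; {"*"} = any type


def labels(name):
    """DNS name -> lower-cased label list, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def wildcard_match(name, pattern):
    """'*.1.168.192.in-addr.arpa' matches any name whose trailing labels are
    those; a pattern without '*' must match exactly; bare '*' matches all."""
    n, p = labels(name), labels(pattern)
    if p == ["*"]:
        return True
    if p and p[0] == "*":
        suffix = p[1:]
        return len(n) > len(suffix) and n[-len(suffix):] == suffix
    return n == p


def is_subdomain(name, parent):
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def ms_self_name(signer, realm):
    """'host$@REALM' -> 'host.realm' if the realm matches, else None."""
    principal, _, prealm = signer.partition("@")
    if prealm.lower() != realm.lower() or not principal.endswith("$"):
        return None
    return f"{principal[:-1]}.{prealm}".lower()


def rule_allows(g, signer, target, rrtype):
    """Does one grant permit `signer` to update `target`/`rrtype`?"""
    if "*" not in g.types and rrtype.upper() not in g.types:
        return False
    if g.nametype == "ms-self":
        # Identity field holds the realm; the machine may only touch its own name.
        own = ms_self_name(signer, g.identity)
        return own is not None and labels(target) == labels(own)
    # Other rule types: the identity field is matched against the signer name
    # (which may itself be a wildcard such as *.LOCAL).
    if not wildcard_match(signer, g.identity):
        return False
    if g.nametype == "self":
        return labels(target) == labels(signer)
    if g.nametype == "subdomain":
        return g.name == "*" or is_subdomain(target, g.name)
    if g.nametype == "wildcard":
        return wildcard_match(target, g.name)
    raise ValueError(f"unsupported nametype {g.nametype!r}")


def update_allowed(policy, signer, target, rrtype):
    """Any matching grant permits the update; no match means REFUSED."""
    return any(rule_allows(g, signer, target, rrtype) for g in policy)


# The two update-policy blocks from the named.conf above, as Grant records.
FORWARD_ZONE = [
    Grant("localhost", "subdomain", "*", frozenset({"A"})),
    Grant("DUMARESQ.LOCAL", "ms-self", "*", frozenset({"A"})),
]
REVERSE_ZONE = [
    Grant("*.LOCAL", "wildcard", "*.1.168.192.in-addr.arpa.", frozenset({"PTR"})),
]

if __name__ == "__main__":
    # Invented machine account for illustration.
    signer = "winxp$@DUMARESQ.LOCAL"
    for zone, target, rrtype in [
        (FORWARD_ZONE, "winxp.dumaresq.local", "A"),
        (FORWARD_ZONE, "morannon.dumaresq.local", "A"),
        (FORWARD_ZONE, "winxp.dumaresq.local", "AAAA"),
        (REVERSE_ZONE, "222.1.168.192.in-addr.arpa", "PTR"),
    ]:
        print(signer, target, rrtype, "->", update_allowed(zone, signer, target, rrtype))
```

The point the model makes visible: under the forward-zone policy a machine account can add or change only the A record for its own name, and nothing else (not AAAA, not another host's record), while the reverse-zone `wildcard` rule lets any signer in a `*.LOCAL` realm rewrite any PTR under 1.168.192.in-addr.arpa, which is considerably broader than the forward rule.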