[Samba] Strange nslcd error with ldap database

2013-03-16 Thread Bethel, Zach
Greetings,

I've got a S4 DC joined to a Windows 2008 R2 DC. I'm using the s4bind scripts 
to add uidNumber/gidNumber/etc entries to LDAP, and I've got nss-pam-ldap 
installed on the S4 server. I had this working back in December, but since 
installing the latest stable build, getent passwd is throwing this error:

[8b4567] passwd=myuser passwd entry CN=myuser,CN=Users,DC=...,DC=...,DC=... 
does not contain uidNumber value

Interestingly, after creating a user on the linux side, if I point nslcd at the 
Windows DC, it retrieves the ldap entry just fine. I get nothing from the S4 
server. I've done ldbsearch on the local ldap database and uidNumber is 
definitely there. I'm not sure if there's really something else going on, but 
I'm at a loss of what to do.

I don't think it's a Kerberos issue, because it authenticates fine. It's not my 
local nslcd client, because I can connect to the Windows DC (via getent passwd) 
which has the same replicated database and it displays the user data.

Has anyone experienced this?
Thanks


The information in this communication is intended solely for the individual or 
entity to whom it is addressed. It may contain confidential or legally 
privileged information. If you are not the intended recipient, any disclosure, 
copying, distribution or reliance on the contents of this information is 
strictly prohibited, and may be unlawful. If you have received this 
communication in error, please notify us immediately by responding to the 
sender of this email, and then delete it from your system. Taylor University is 
not liable for the inaccurate or improper transmission of the information 
contained in this communication or for any delay in its receipt.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Strange nslcd error with ldap database

2013-03-16 Thread Bethel, Zach
I wanted to add that it appears nslcd is incapable of seeing any of the 
posixAccount attributes from the Samba LDAP server. It balks at 
unixHomeDirectory, uidNumber, and gidNumber. However, if I do:

map uidNumber codePage (or some other random AD attribute)
map gidNumber codePage

It displays the user in getent (with the wrong uid and gid, obviously).
What gives? Is there some permission issue with those entries? I can do 
ldapsearch and see them just fine. I even added administrator credentials to 
nslcd and I still get the issue. Oddly enough, if I point nslcd at the windows 
DCs, it works great.

Argh.


From: Bethel, Zach
Sent: Thursday, January 31, 2013 4:31 PM
To: samba@lists.samba.org
Subject: Strange nslcd error with ldap database


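A diagnostic for the two nslcd messages above, added here as example code (it is not from the thread, from Samba or from nss-pam-ldapd). nslcd only logs "does not contain uidNumber value" when the search result it receives lacks that attribute, so the useful check is to repeat the same search over LDAP as the identity nslcd binds with and compare the attributes the Samba DC and a Windows DC return. ldbsearch run locally against sam.ldb reads the database with system privileges and is not subject to the access checks a network client gets, so its output does not settle what nslcd can see. The function below reads LDIF on stdin (ldapsearch -LLL output, or ldbsearch output) and lists, per entry, the requested attributes that are absent. The host, base DN and bind DN in the comments are placeholders, and SAMPLE_LDIF is constructed sample data with made-up DNs and values.

```shell
#!/bin/sh
# Added example, not from the thread: find LDAP entries that lack the
# posixAccount attributes nslcd needs, judged from what a real search
# returns rather than from what ldbsearch shows for the local database.
#
# Realistic use (bind as the same DN nslcd uses; host/base are placeholders):
#   ldapsearch -LLL -H ldap://samba-dc.example.com -D "$NSLCD_BINDDN" -W \
#       -b "CN=Users,DC=example,DC=com" '(objectClass=user)' \
#       uidNumber gidNumber unixHomeDirectory loginShell \
#   | ldif_missing_attrs uidNumber gidNumber unixHomeDirectory
# Repeat against a Windows DC and compare the two reports.

# ldif_missing_attrs ATTR...: read LDIF on stdin; for each entry print
# "<dn>: missing a,b" naming the requested attributes it lacks. Attribute
# names compare case-insensitively, as LDAP does. Comment lines, LDIF
# continuation lines and base64 "attr::" values are handled; trailer lines
# without a preceding dn are ignored.
ldif_missing_attrs() {
    awk -v want="$*" '
    BEGIN { n = split(want, req, " "); split("", seen) }
    function flush(i, missing) {
        if (dn != "") {
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(tolower(req[i]) in seen))
                    missing = missing (missing == "" ? "" : ",") req[i]
            if (missing != "") print dn ": missing " missing
        }
        dn = ""
        split("", seen)            # portable way to clear an awk array
    }
    /^dn: /                   { flush(); dn = substr($0, 5); next }
    /^[A-Za-z][A-Za-z0-9-]*:/ { a = $0; sub(/:.*/, "", a); seen[tolower(a)] = 1; next }
    /^$/                      { flush() }
    END                       { flush() }
    '
}

# Constructed sample: one complete entry and one that is missing uidNumber
# and unixHomeDirectory, mirroring the error quoted in the thread.
SAMPLE_LDIF='dn: CN=myuser,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: myuser
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/myuser
loginShell: /bin/bash

dn: CN=nouid,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: nouid
gidNumber: 10002
'

# Prints: CN=nouid,CN=Users,DC=example,DC=com: missing uidNumber,unixHomeDirectory
printf '%s\n' "$SAMPLE_LDIF" | ldif_missing_attrs uidNumber gidNumber unixHomeDirectory
```

Run the search twice, once against the Samba DC and once against a Windows DC, with the same bind DN and the same filter nslcd uses, and pipe each through the function; an entry reported as missing from one DC but not the other points at what that DC returns to that identity, not at the local client.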

[Samba] ldbsearch returning NT_STATUS_INVALID_PARAMETER

2012-11-01 Thread Bethel, Zach
I have a Samba DC connected to two Windows 2008 R2 DC's. On the Samba machine, 
if I run `ldbsearch -H ldaps://*SAMBA-DC-IP* -U administrator`

It asks for my password and then works great. I can use any domain user and 
this works. However, if I instead run:

`ldbsearch -H ldaps://10.120.160.12 -k1 --krb5-ccache=/tmp/krb5cc_0`

I get this:

Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to '...' with backend 'ldaps': (null)
Failed to connect to ... - (null)

This happens regardless of whether or not the ticket exists at /tmp/krb5cc_0 (I 
can run kinit to create it and kdestroy to remove it). It's not the most useful 
error message...and strace isn't turning up anything interesting.

Any ideas?




Re: [Samba] Restricting DC Roles?

2012-11-01 Thread Bethel, Zach
I went ahead and updated to samba-master, and the error is replaced by a new 
one that is rather strange:

Windows was unable to determine whether new Group Policy settings defined by a 
network administrator should be enforced for this user or computer because this 
computer's clock is not synchronized with the clock of one of the domain 
controllers for the domain. Because of this issue, this computer system may not 
be in compliance with the network administrator’s requirements, and users of 
this system may not be able to use some functionality on the network. Windows 
will periodically attempt to retry this operation, and it is possible that 
either this system or the domain controller will correct the time settings 
without intervention by an administrator, so the problem will be corrected.

If this issue persists for more than an hour, checking the local system's clock 
settings to ensure they are accurate and are synchronized with the clocks on 
the network's domain controllers is one way to resolve this problem. A network 
administrator may be required to resolve the issue if correcting the local time 
settings does not address the problem.

So it's obviously complaining about clock skew. Once again, I checked the event 
log and it's trying to update from the samba machine. The odd thing is that the 
samba DC time is perfectly in sync with the two Windows DCs. I set up NTP on it, 
and lsof reveals that the signed socket is indeed being read by samba. I am not 
having any other authentication issues with kerberos.

Is this a known issue by chance?
Thanks!


From: Andrew Bartlett [abart...@samba.org]
Sent: Friday, October 26, 2012 5:53 PM
To: Bethel, Zach
Cc: samba@lists.samba.org
Subject: Re: [Samba] Restricting DC Roles?

On Fri, 2012-10-26 at 16:56 +, Bethel, Zach wrote:
> Okay, I copied the files over and ran those two commands. Both of them
> returned nothing (which I assume is a good thing?) and the file permissions
> appear to have extended ACLs in the sysvol folder. So I'm assuming that
> worked.
>
> However, when my Windows client attempts to `gpupdate /force` (as the domain
> admin) from the samba machine, I get the following error message for the
> computer policy:
>
> The processing of Group Policy failed. Windows attempted to read the file
> \\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from a
> domain controller and was not successful. Group Policy settings may not be
> applied until this event is resolved. This issue may be transient and could
> be caused by one or more of the following:
>
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
>
> The user policy gets applied just fine.
> When I look in the event viewer, I get error code 5 with "Access is Denied"
> as the description. The same event has a DCName field which points at the
> samba machine, so I know that it's trying to talk to samba. I can mount the
> sysvol share manually as the domain administrator and see all the files just
> fine.
>
> Any idea what might be going on?

This fix I just put in master is almost certainly for this problem.

If it doesn't apply, then just run `sh -c 'umask 0 && samba-tool ntacl
sysvolreset'` to remove the umask for the duration of this operation.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




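An added illustration of the umask point in Andrew's reply above (example code written for this page, not from the thread or from Samba). A process can only set mode bits its umask does not clear, and samba-tool inherits the umask of the shell it is started from, which is why the suggested fix runs sysvolreset with the umask removed and wraps it in sh -c so the change is confined to that one child process. The functions below create a file under a chosen umask and report the mode that actually lands on disk, and check that a child shell's umask change does not leak back into the caller. The sysvol commands from the thread appear in comments only and are not executed; the copy source path in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: how the shell umask shapes the modes a
# tool ends up writing, and why the fix is scoped with sh -c.
#
# The sysvol procedure discussed in the thread (not run here; the mount
# point is a placeholder):
#   cp -a /mnt/windows-sysvol/. /usr/local/samba/locks/sysvol/   # copy policies
#   sh -c 'umask 0 && samba-tool ntacl sysvolreset'               # reset ACLs, umask off
#   samba-tool ntacl sysvolcheck                                  # no output = OK

# perm_string_to_octal rwxr-x--- -> 750. Converts the nine permission
# characters from ls -l to octal; s/S/t/T count only for their execute bit.
perm_string_to_octal() {
    printf '%s\n' "$1" | awk '{
        v = 0
        for (i = 1; i <= 9; i++) {
            c = substr($0, i, 1)
            v = v * 2 + (c != "-" && c != "S" && c != "T")
        }
        printf "%o\n", v
    }'
}

# mode_after_umask UMASK: create an empty file (opened with 0666, as most
# tools do) under UMASK in a scratch directory and print the stored mode.
mode_after_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/f" ) || { rm -rf "$dir"; return 1; }
    perm_string_to_octal "$(ls -l "$dir/f" | cut -c2-10)"
    rm -rf "$dir"
}

# umask_is_scoped: succeed if a child shell changing its umask leaves the
# caller's umask untouched, which is what sh -c 'umask 0 && ...' relies on.
umask_is_scoped() {
    before=$(umask)
    sh -c 'umask 0 && umask' >/dev/null
    [ "$(umask)" = "$before" ]
}

# Demonstration: umask 022 -> 644, umask 077 -> 600, umask 0 -> 666
for u in 022 077 0; do
    echo "umask $u -> $(mode_after_umask "$u")"
done
umask_is_scoped && echo "child umask did not leak into this shell"
```

The same inheritance applies to anything started from a restrictive login shell, so a sysvol tree that looks right to `ls` after a copy can still have had its group and other bits stripped; `samba-tool ntacl sysvolcheck` after the reset is the confirmation, as Andrew notes.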

Re: [Samba] Restricting DC Roles?

2012-10-27 Thread Bethel, Zach
Okay, I copied the files over and ran those two commands. Both of them returned 
nothing (which I assume is a good thing?) and the file permissions appear to 
have extended ACLs in the sysvol folder. So I'm assuming that worked.

However, when my Windows client attempts to `gpupdate /force` (as the domain 
admin) from the samba machine, I get the following error message for the 
computer policy:

The processing of Group Policy failed. Windows attempted to read the file 
\\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from a 
domain controller and was not successful. Group Policy settings may not be 
applied until this event is resolved. This issue may be transient and could be 
caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain 
controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

The user policy gets applied just fine.
When I look in the event viewer, I get error code 5 with "Access is Denied" as 
the description. The same event has a DCName field which points at the samba 
machine, so I know that it's trying to talk to samba. I can mount the sysvol 
share manually as the domain administrator and see all the files just fine.

Any idea what might be going on?

Thanks,
Zach.

From: Andrew Bartlett [abart...@samba.org]
Sent: Thursday, October 25, 2012 7:18 PM
To: Bethel, Zach
Subject: Re: [Samba] Restricting DC Roles?

On Thu, 2012-10-25 at 23:16 +, Bethel, Zach wrote:
> Fair enough, are there special permissions needed for that data on the samba
> side, or can I mount the sysvol share on my Windows DC as the Domain
> Administrator and copy/paste those files directly? (or through a script,
> obviously).

Copy the files, then run 'samba-tool ntacl sysvolreset'.

That will (modulo bugs) fix the ACLs back to be correct.  If your script
on the windows side uses an ACL-preserving copy, that should be good
too.  'samba-tool ntacl sysvolcheck' will tell you if it worked.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org






[Samba] Joining to Windows Domain? Use Internal DNS?

2012-10-21 Thread Bethel, Zach
Greetings,

I have some questions. Most of the documentation seems to show how to join a 
windows machine to a samba domain. I went the other way and created a Windows 
2008 R2 domain and joined samba 4 to it. I noticed some things aren't quite 
looking right, and I'm not sure if I should expect it.

For instance, under Active Directory Sites and Services on the Windows box, 
if I right click on 'NTDS Settings' for the Samba dc and select 'Replicate 
configuration to the selected dc', I get the following error,

The following error occurred during the attempt to synchronize naming context 
CN=Configuration,DC=[...],DC=[...],DC=[...] from Domain Controller SAMBATEST to 
domain controller QUARTZ: The stub received bad data.

Right clicking on the automatically generated connection within the Win2k8r2 
server and clicking, 'replicate now' fails for a different reason:

The following error occurred during the attempt to synchronize naming context 
DomainDnsZones.[fqdn removed] from domain controller QUARTZ to domain 
controller SAMBATEST: The naming context is in the process of being removed or 
is not replicated from the specific server.

However, replicating from the samba box seems to work just great. I get no 
errors.

Now, I know that there are some limitations on the DNS replication, so maybe 
this is expected. I read in the documentation that I should either use the 
Windows DNS server or BIND. When I setup samba, I didn't provision it (like the 
docs said), but rather did a domain join. Is samba relying on the DNS server on 
the windows machine then? If not, are the docs right in that I should stick 
with bind, or am I safe to use the internal DNS?

Ultimately, I guess I'm wondering if I'm better off provisioning a samba domain 
and joining win2k8 to it, and letting samba handle the DNS. Then, I could have, 
say 2 samba DC's replicating between each other, and a windows DC for managing 
group policy stuff?

That leads me to another question. DFS isn't supported. I noticed this after I 
tried to edit the group policy on my windows machine. The SYSVOL partition for 
samba is completely empty. I saw that some people are using rsync between samba 
instances to replicate this, but what's the preferred method between syncing a 
windows DC with a samba DC? If I'm messing with the group policy on the windows 
machine, isn't that going to result in an inconsistent state between the 
windows DC and the other samba DC's?

When I tried updating the group policy on a windows 7 client joined to the 
domain, I got the following error,

The processing of Group Policy failed. Windows attempted to read the file 
\\[fqdn]\sysvol\[fqdn]\Policies\{...}\gpt.ini from a domain controller and was 
not successful. Group policy settings may not be applied until this event is 
resolved. This issue may be transient and could be caused by one or more of the 
following: a) Name Resolution/Network Connectivity to the current domain 
controller. b) File Replication Service Latency [...] c) The Distributed File 
System (DFS) client has been disabled.

I tried copying the policy files from the SYSVOL folder in windows to the 
/usr/local/samba/locks/sysvol/... folder, and that didn't solve it. I also 
mounted the share directly, and I could see the policies, but for some reason 
my windows 7 machine isn't liking it.

Anyway, other things seem to be working. I can add users and they replicate 
between boxes, and limited group policy settings seem to be working.

Thanks for your help!
Zach Bethel




[Samba] Shares from Windows 2008 R2 machine joined to Samba 3.5.10 domain

2012-03-07 Thread Bethel, Zach
Greetings,

We host a Samba domain and have a Windows 2008 R2 server joined to it. On this 
Windows server, we want to create shares using the `net share` command, however 
we are getting a "The trust relationship between this workstation and the 
primary domain failed." error when we try and do this. Does samba 3.5 even 
allow Windows 2008 R2 to share directories on its domain in this fashion? If 
so, what changes to Windows need to be made to accommodate this?

Thanks!
Zach.

