[Samba] Strange nslcd error with ldap database
Greetings, I've got a S4 DC joined to a Windows 2008 R2 DC. I'm using the s4bind scripts to add uidNumber/gidNumber/etc entries to LDAP, and I've got nss-pam-ldap installed on the S4 server. I had this working back in December, but since installing the latest stable build, getent passwd is throwing this error, [8b4567] passwd=myuser passwd entry CN=myuser,CN=Users,DC=...,DC=...,DC=... does not contain uidNumber value Interestingly, after creating a user on the linux side, if I point nslcd at the Windows DC, it retrieves the ldap entry just fine. I get nothing from the S4 server. I've done ldbsearch on the local ldap database and uidNumber is definitely there. I'm not sure if there's really something else going on, but I'm at a loss of what to do. I don't think it's a Kerberos issue, because it authenticates fine. It's not my local nslcd client, because I can connect to the Windows DC (via getent passwd) which has the same replicated database and it displays the user data. Has anyone experienced this? Thanks The information in this communication is intended solely for the individual or entity to whom it is addressed. It may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited, and may be unlawful. If you have received this communication in error, please notify us immediately by responding to the sender of this email, and then delete it from your system. Taylor University is not liable for the inaccurate or improper transmission of the information contained in this communication or for any delay in its receipt. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Strange nslcd error with ldap database
I wanted to add that it appears nslcd is incapable of seeing any of the posixAccount attributes from the Samba LDAP server. It balks at unixHomeDirectory, uidNumber, and gidNumber. However, if I do: map uidNumber codePage (or some other random AD attribute) map gidNumber codePage It displays the user in getent (with the wrong uid and gid, obviously). What gives? Is there some permission issue with those entries? I can do ldapsearch and see them just fine. I even added administrator credentials to nslcd and I still get the issue. Oddly enough, if I point nslcd at the windows DCs, it works great. Argh. From: Bethel, Zach Sent: Thursday, January 31, 2013 4:31 PM To: samba@lists.samba.org Subject: Strange nslcd error with ldap database Greetings, I've got a S4 DC joined to a Windows 2008 R2 DC. I'm using the s4bind scripts to add uidNumber/gidNumber/etc entries to LDAP, and I've got nss-pam-ldap installed on the S4 server. I had this working back in December, but since installing the latest stable build, getent passwd is throwing this error, [8b4567] passwd=myuser passwd entry CN=myuser,CN=Users,DC=...,DC=...,DC=... does not contain uidNumber value Interestingly, after creating a user on the linux side, if I point nslcd at the Windows DC, it retrieves the ldap entry just fine. I get nothing from the S4 server. I've done ldbsearch on the local ldap database and uidNumber is definitely there. I'm not sure if there's really something else going on, but I'm at a loss of what to do. I don't think it's a Kerberos issue, because it authenticates fine. It's not my local nslcd client, because I can connect to the Windows DC (via getent passwd) which has the same replicated database and it displays the user data. Has anyone experienced this? Thanks The information in this communication is intended solely for the individual or entity to whom it is addressed. It may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited, and may be unlawful. If you have received this communication in error, please notify us immediately by responding to the sender of this email, and then delete it from your system. Taylor University is not liable for the inaccurate or improper transmission of the information contained in this communication or for any delay in its receipt. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] ldbsearch returning NT_STATUS_INVALID_PARAMETER
I have a Samba DC connected to two Windows 2008 R2 DC's. On the Samba machine, if I run `ldbsearch -H ldaps://*SAMBA-DC-IP* -U administrator` It asks for my password and then works great. I can use any domain user and this works. However, if I instead run: `ldbsearch -H ldaps://10.120.160.12 -k1 --krb5-ccache=/tmp/krb5cc_0` I get this: Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER Failed to connect to '...' with backend 'ldaps': (null) Failed to connect to ... - (null) This happens regardless of whether or not the ticket exists at /tmp/krb5cc_0 (I can run kinit to create it and kdestroy to remove it). It's not the most useful error message...and strace isn't turning up anything interesting. Any ideas? The information in this communication is intended solely for the individual or entity to whom it is addressed. It may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited, and may be unlawful. If you have received this communication in error, please notify us immediately by responding to the sender of this email, and then delete it from your system. Taylor University is not liable for the inaccurate or improper transmission of the information contained in this communication or for any delay in its receipt. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Restricting DC Roles?
I went ahead and updated to samba-master, and the error is replaced by a new one that is rather strange: Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator’s requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected. If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem. So it's obviously complaining about clock skew. Once again, I checked the event log and it's trying to update from the samba machine. The odd thing is that the samba DC time is perfectly in sync with the two Windows DCs. I setup NTP on it, and lsof reveals that the signed socket is indeed being read by samba. I am not having any other authentication issues with kerberos. Is this a known issue by chance? Thanks! From: Andrew Bartlett [abart...@samba.org] Sent: Friday, October 26, 2012 5:53 PM To: Bethel, Zach Cc: samba@lists.samba.org Subject: Re: [Samba] Restricting DC Roles? On Fri, 2012-10-26 at 16:56 +, Bethel, Zach wrote: Okay, I copied the files over and ran those two commands. Both of them returned nothing (which I assume is a good thing?) and the file permissions appear to have extended ACLs in the sysvol folder. So I'm assuming that worked. However, when my Windows client attempts to `gpupdate /force` (as the domain admin) from the samba machine, I get the following error message for the computer policy: The processing of Group Policy failed. Windows attempted to read the file \\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. The user policy gets applied just fine. When I look in the event viewer, I get error code 5 with Access is Denied as the description. The same event has a DCName field which points at the samba machine, so I know that it's trying to talk to samba. I can mount the sysvol share manually as the domain administrator and see all the files just fine. Any idea what might be going on? This fix I just put in master is almost certainly for this problem. If it doesn't apply, then just run 'sh -c 'umask 0 samba-tool ntacl sysvolreset' to remove the umask for the duration of this operation. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org The information in this communication is intended solely for the individual or entity to whom it is addressed. It may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited, and may be unlawful. If you have received this communication in error, please notify us immediately by responding to the sender of this email, and then delete it from your system. Taylor University is not liable for the inaccurate or improper transmission of the information contained in this communication or for any delay in its receipt. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Restricting DC Roles?
Okay, I copied the files over and ran those two commands. Both of them returned nothing (which I assume is a good thing?) and the file permissions appear to have extended ACLs in the sysvol folder. So I'm assuming that worked. However, when my Windows client attempts to `gpupdate /force` (as the domain admin) from the samba machine, I get the following error message for the computer policy: The processing of Group Policy failed. Windows attempted to read the file \\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. The user policy gets applied just fine. When I look in the event viewer, I get error code 5 with Access is Denied as the description. The same event has a DCName field which points at the samba machine, so I know that it's trying to talk to samba. I can mount the sysvol share manually as the domain administrator and see all the files just fine. Any idea what might be going on? Thanks, Zach. From: Andrew Bartlett [abart...@samba.org] Sent: Thursday, October 25, 2012 7:18 PM To: Bethel, Zach Subject: Re: [Samba] Restricting DC Roles? On Thu, 2012-10-25 at 23:16 +, Bethel, Zach wrote: Fair enough, are there special permissions needed for that data on the samba side, or can I mount the sysvol share on my Windows DC as the Domain Administrator and copy/paste those files directly? (or through a script, obviously). Copy the files, then run 'samba-tool ntacl sysvolreset'. That will (modulo bugs) fix the ACLs back to be correct. If your script on the windows side uses an ACL-preserving copy, that should be good too. 'samba-tool ntacl sysvolcheck' will tell you if it worked. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org The information in this communication is intended solely for the individual or entity to whom it is addressed. It may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited, and may be unlawful. If you have received this communication in error, please notify us immediately by responding to the sender of this email, and then delete it from your system. Taylor University is not liable for the inaccurate or improper transmission of the information contained in this communication or for any delay in its receipt. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Joining to Windows Domain? Use Internal DNS?
Greetings, I have some questions. Most of the documentation seems to show how to join a windows machine to a samba domain. I went the other way and Created a Windows 2008 R2 domain and joined samba 4 to it. I noticed some things aren't quite looking right, and I'm not sure if I should expect it. For instance, under Active Directory Sites and Services on the Windows box, if I right click on 'NTDS Settings' for the Samba dc and select, Replicate configuration to the selected dc', I get the following error, The following error occurred during the attempt to syncronize naming context CN=Configuration,DC=[...],DC=[...],DC=[...] from Domain Controller SAMBATEST to domain controller QUARTZ: The stub received bad data. Right clicking on the automatically generated connection within the Win2k8r2 server and clicking, 'replicate now' fails for a different reason: The Following error occurred during the attempt to syncronize naming context DomainDnsZones.[fqdn removed] from domain controller QUARTZ to domain controller SAMBATEST: The naming context is in the process of being removed or is not replicated from the specific server. However, replicating from the samba box seems to work just great. I get no errors. Now, I know that there are some limitations on the DNS replication, so maybe this is expected. I read on the documentation that I should either use the Windows DNS server or BIND. When I setup samba, I didn't provision it (like the docs said), but rather did a domain join. Is samba relying on the DNS server on the windows machine then? If not, are the docs right in that I should stick with bind, or am I safe to use the internal DNS? Ultimately, I guess I'm wondering if I'm better off provisioning a samba domain and joining win2k8 to it, and letting samba handle the DNS. Then, I could have, say 2 samba DC's replicating between each other, and a windows DC for managing group policy stuff? That leads me to another question. DFS isn't supported. I noticed this after I tried to edit the group policy on my windows machine. The SYSVOL partition for samba is completely empty. I saw that some people are using rsync between samba instances to replicate this, but what's the preferred method between syncing a windows DC with a samba DC? If I'm messing with the group policy on the windows machine, isn't that going to result in an inconsistent state between the windows DC and the other samba DC's? When I tried updating the group policy on a windows 7 client joined to the domain, I got the following error, The processing of Group Policy failed. Windows attempted to read the file \\[fqdn]\sysvol\[fqdn]\Policies\{...}\gpt.ini from a domain controller and was not successful. Group policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency [...] c) The Distributed File System (DFS) client has been disabled. I tried copying the policy files from the SYSVOL folder in windows to the /usr/local/samba/locks/sysvol/... folder, and that didn't solve it. I also mounted the share directly, and I could see the policies, but for some reason my windows 7 machine isn't liking it. Anyway, other things seem to be working. I can add users and they replicate between boxes, and limited group policy settings seem to be working. Thanks for your help! Zach Bethel The information in this communication is intended solely for the individual or entity to whom it is addressed. It may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited, and may be unlawful. If you have received this communication in error, please notify us immediately by responding to the sender of this email, and then delete it from your system. Taylor University is not liable for the inaccurate or improper transmission of the information contained in this communication or for any delay in its receipt. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Shares from Windows 2008 R2 machine joined to Samba 3.5.10 domain
Greetings, We host a Samba domain and have a Windows 2008 R2 server joined to it. On this Windows server, we want to create shares using the net share command, however we are getting a The trust relationship between this workstation and the primary domain failed. error when we try and do this. Does samba 3.5 even allow Windows 2008 R2 to share directories on its domain in this fashion? If so, what changes to Windows need to me made to accommodate this? Thanks! Zach. The information in this communication is intended solely for the individual or entity to whom it is addressed. It may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited, and may be unlawful. If you have received this communication in error, please notify us immediately by responding to the sender of this email, and then delete it from your system. Taylor University is not liable for the inaccurate or improper transmission of the information contained in this communication or for any delay in its receipt. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba