[Samba] Sequence numbers and AD trusts
Hello List -

My AD domain has trusts with several other domains, some NT4 and some AD. I've been doing some testing with winbind to see if I can move the UNIX accounts to winbind from LDAP. However, I can't enumerate users from other AD domains. Here is the output I get:

[EMAIL PROTECTED]:~# wbinfo --sequence
NT4-DOM1 : 21141
NT4-DOM2 : 5668
AD-DOM1 : DISCONNECTED
AD-DOM2 : DISCONNECTED
AD-DOM3 : DISCONNECTED
NT4-DOM3 : 31895
NT4-DOM4 : 39446
MY-AD-DOM : 376144

I have tried setting the winbind auth user to an account from AD-DOM1, but I don't get any better results. log.winbindd shows:

[2004/02/19 11:29:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(351)
  refresh_sequence_number: AD-DOM1 time ok
[2004/02/19 11:29:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(376)
  refresh_sequence_number: AD-DOM1 seq number is now -1
[2004/02/19 11:29:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(351)
  refresh_sequence_number: AD-DOM2 time ok
[2004/02/19 11:29:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(376)
  refresh_sequence_number: AD-DOM2 seq number is now -1
[2004/02/19 11:29:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(351)
  refresh_sequence_number: AD-DOM3 time ok
[2004/02/19 11:29:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(376)
  refresh_sequence_number: AD-DOM3 seq number is now -1

Can someone help me with why this is happening or what I can do about it?

Thanks-
Chris

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
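
An added example, not part of the original post and not Samba code: a small Python triage script that reads `wbinfo --sequence` output and level-10 log.winbindd entries of the kind quoted above and reports which trusted domains have no usable sequence number. It treats DISCONNECTED and a sequence number of -1 as the failure markers, as in the post; the function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the output quoted in the post.
WBINFO_SEQUENCE = """\
NT4-DOM1 : 21141
AD-DOM1 : DISCONNECTED
AD-DOM2 : DISCONNECTED
MY-AD-DOM : 376144
"""

WINBINDD_LOG = """\
[2004/02/19 11:29:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(351)
  refresh_sequence_number: AD-DOM1 time ok
[2004/02/19 11:29:13, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(376)
  refresh_sequence_number: AD-DOM1 seq number is now -1
[2004/02/19 11:29:14, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(376)
  refresh_sequence_number: MY-AD-DOM seq number is now 376144
"""

# Debug header "[date time, level] file:function(line)"; message may follow inline.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] \S+\(\d+\)\s*(.*)$")
SEQ_MSG = re.compile(r"refresh_sequence_number: (\S+) seq number is now (-?\d+)")


def parse_wbinfo_sequence(text):
    """Return {domain: sequence number, or None when DISCONNECTED}."""
    state = {}
    for line in text.splitlines():
        domain, sep, value = (part.strip() for part in line.partition(" : "))
        if sep and value == "DISCONNECTED":
            state[domain] = None
        elif sep and value.isdigit():
            state[domain] = int(value)
    return state


def parse_sequence_log(text):
    """Return {domain: (timestamp, seq)} holding the newest entry per domain."""
    latest, ts = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            ts, line = header.group(1), header.group(2)
        found = SEQ_MSG.search(line)
        if found and ts:
            latest[found.group(1)] = (ts, int(found.group(2)))
    return latest


def failed_domains(wbinfo_text, log_text):
    """Domains whose sequence number could not be fetched, with the evidence."""
    report = {}
    for domain, seq in parse_wbinfo_sequence(wbinfo_text).items():
        if seq is None:
            report.setdefault(domain, []).append("wbinfo: DISCONNECTED")
    for domain, (ts, seq) in parse_sequence_log(log_text).items():
        if seq == -1:
            report.setdefault(domain, []).append(f"log: seq -1 at {ts}")
    return report

if __name__ == "__main__":
    for dom, why in sorted(failed_domains(WBINFO_SEQUENCE, WINBINDD_LOG).items()):
        print(dom, "->", "; ".join(why))
```

A domain that shows up with only one kind of evidence (here AD-DOM2, which has no log entry in the sample) tells you the log excerpt and the wbinfo run do not cover the same refresh cycle.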
[Samba] Unable to create keytab in samba 3.0.1
List-

I have several samba 3.0.0 file/print servers running in a Windows 2000 AD domain. I do not use winbind; but have an LDAP database for Unix UID's with nss_ldap. I have MIT krb5-1.3.1.

When I have tried to upgrade these machines to samba 3.0.1, clients get prompted for a user name and password when trying to connect. I have seen others with this problem, but none of their fixes have worked for me. I also get this message in the log files:

setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2003/12/17 14:01:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(471)
  Doing spnego session setup
[2003/12/17 14:01:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(502)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2003/12/17 14:01:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(380)
  Got OID 1 2 840 48018 1 2 2
[2003/12/17 14:01:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(380)
  Got OID 1 2 840 113554 1 2 2
[2003/12/17 14:01:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(380)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2003/12/17 14:01:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
  Got secblob of size 1214
[2003/12/17 14:01:00, 10] passdb/secrets.c:secrets_named_mutex(697)
  secrets_named_mutex: got mutex for replay cache mutex
[2003/12/17 14:01:00, 10] libads/kerberos_verify.c:create_keytab(56)
  creating keytab: MEMORY:
[2003/12/17 14:01:00, 3] libads/kerberos_verify.c:setup_keytab(147)
  unable to create MEMORY: keytab (Unknown Key table type)
[2003/12/17 14:01:00, 3] libads/kerberos_verify.c:ads_verify_ticket(280)
  ads_verify_ticket: unable to setup keytab
[2003/12/17 14:01:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/12/17 14:01:00, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

I haven't found anything that has helped. If I reinstall samba 3.0.0 and restart samba, everything works normally. I am using the same configure options for both source trees. I have also tried applying the patch sent out by Jerry today. I have Slackware 9.1.

Can anyone tell me what is going wrong? I get some warnings while compiling the source, but I get the same warnings when compiling 3.0.0, so I don't think that is it.

-Chris
Re: [Samba] File Disappearance after copy from OS X
I have seen this problem occur on my network under the following conditions:

Mac user puts files on network with OS9 + DAVE.
Mac user moves/modifies/alters file with OSX.
Mac user returns to OS9 (and/or Classic Mode app), and file appears, but is not really there.

It seems that the Resource.frk and the DesktopDB folders (which hold the resource fork data for the Mac), are enough to make the file appear to be there, although it really isn't. This ends up confusing both the OS9 and OSX mac installs.

Our solution to this was to eliminate all OS9 and below plus Classic Mode apps on the network. Otherwise, Mac OSX is working on my Samba network with samba 2.2.8a, 2.2.3, and 3.0.

Hope it helps.
-Chris

On Tue, 2003-11-18 at 12:16, Jeremy Allison wrote:
> On Tue, Nov 18, 2003 at 11:45:38AM -0500, Ed Holden wrote:
> > Hi, I wrote in last week about a problem with Mac OS X systems copying files to a Samba server. The files sometimes disappear, though the problem is intermittent. I suspect that this is an issue with Mac OS X dropping the file prematurely, and indeed a Google search reveals that OS X users have seen similar problems, but only with Samba shares.
>
> Have you reported this to Apple ? Conrad is very good about following up with such things.
>
> Jeremy.
Re: [Samba] CUPS vs lprng
I serve about 50 printers via Samba. Here are my experiences -

LPRng - This backend I have found to be much stronger than CUPS, but I didn't use it for any server side processing. All drivers had to be installed from some other workstation. In my case, installing drivers for all OS's would only work from an XP machine, not Win2K. Otherwise, this worked very well.

CUPS - I migrated to ESP PrintPro about 3 months ago. PrintPro made obtaining all the correct drivers and backends much simpler (there is only one, instead of CUPS + ESP GS + cupsomatic + HPIJS + etc,etc...). It seems to provide better naming of the jobs, displays user name and job on the printer display menu when printing, and can add printers via the cupsaddsmb feature, which works A LOT better for remote site management. Plus there is the web based printer administration, and with ESP there is a GUI app that works pretty well. CUPS was easier to load balance amongst servers as well. On new printers, the jobs seem to process faster than with LPRng also. We have several HP 4300/4200 series printers that start printing instantaneously, even during high traffic periods.

Overall, Linux print servers have kicked the snot out of NT print servers, and CUPS is much nicer and more complete to work with than LPRng. Installing print drivers locally becomes unsustainable if you have any significant number of users or printers. My thoughts would be to stay well clear of this.

Your mileage may vary.
-Chris

On Thu, 2003-11-06 at 15:55, Douglas Phillipson wrote:
> Could I get some opinions on which type of Samba based printing is easier, CUPS or LPRNG, or just bypass Samba altogether. I'm looking at the Printing HOWTO by Kurt Pfeifle (Printing Support in Samba 3.0) and both look really complex. Anyone out there have any experience with printing services in Samba? Should I just stay away from samba printing and go direct to Network printers? What are the advantages of a samba print server as opposed to installing printer drivers on the client and printing to a network printer?
>
> Any opinions are appreciated
>
> Regards
> DSP
Re: [Samba] Samba-3.0.0-1 tdb_fetch failed
I had this issue when using the Adobe Windows NT/2K/XP dlls as described in the CUPS-HOWTO section on installing drivers on the server. You should replace these files with the cups-samba drivers. There are probably newer ones, but the URL I've got is here:

ftp://ftp.easysw.com/pub/cups/winnt

Good Luck!
Chris

On Wed, 2003-10-01 at 10:57, Gerald (Jerry) Carter wrote:
> [EMAIL PROTECTED] wrote:
> | RH9 on intel, with samba-built RH9 samba 3 rpm freshly installed.
> |
> | I have a raw cups printer which samba picks up, but when a client
> | connects (root) and selects the host's printers folder, a right click
> | on the printer and properties causes a small delay and then the msgbox:
> | Printer Properties could not be displayed, operation could not be
> | completed.
>
> Can you send me a level 10 log file off line? Also, have you tried setting default devmode = yes?
>
> cheers, jerry
> --
> Hewlett-Packard - http://www.hp.com
> SAMBA Team -- http://www.samba.org
> GnuPG Key http://www.plainjoe.org/gpg_public.asc
> You can never go home again, Oatman, but I guess you can shop there.
> --John Cusack - Grosse Point Blank (1997)
Re: [Samba] Samba Failover
If I understand you correctly, you are going to deploy Samba as a BDC to a Windows PDC. This won't work. See section 6.4.2 of the Samba HOWTO Collection.

What you would need to do is set up a Samba PDC with LDAP and then set up the second box as a Samba BDC with a slave LDAP database.

-Chris

On Thu, 2003-09-04 at 11:31, Alan Hicks wrote:
> This problem has just been dumped into my lap over the last two or three days. I'm hopelessly in over my head here, and I'm hoping I can get some direction here. I've been searching google for some time, and not come up with my answers. Warning, much of what you are about to hear is ludicrously stupid on a technical level.
>
> I work for a small computer consulting firm. One of our clients is running a Windows 2000 file and print server with ADS. We intend to format this machine and reload Windows 2000, but without ADS. This server houses files for a proprietary program that is unsupported if the file server used is Samba. This client has about 20 computers at their offices, no more than a dozen of which ever use the server at the same time. The one machine is far more than enough to handle the load, but they decided they need failover (even though they've never had this server crash). They have purchased two Dell servers with SCSI hard drives and Intel Xeon 2,4 Ghz processors (yes, to do file and print sharing for 20 users; I told you it was ludicrous).
>
> My PHB has signed a contract with them to install Linux OSs on these boxes, and run Samba on them. Since their proprietary application isn't supported for Samba, they aren't going to move it over to either of these machines. These machines are only to do authentication in the unlikely event that the PDC (the Windows 2000 machines) should fail.
>
> I've done a lot of google searching and haven't come up with many leads. Is there a HOW-TO for setting up Samba in a failover environment, specifically in making it play nice with a Windows PDC? The goal here is to have zero downtime, but I don't think the client understands that if those files for his application aren't present on the Samba servers, authenticating with them won't help him at all.
Re: [Samba] Re: SMBD and Winbind Errors
I've been having a similar issue with winbindd hanging up enumerating users and groups. Here were my symptoms:

log.winbindd showed that winbindd was connecting to servers that did not respond (no error, but using tail -f on the log at debug 10 while running either wbinfo -u/g or getent passwd/group showed a stop of progress).
net lookup dc OTHER_DOMAIN listed IP's that are not available (can't ping, nslookup or traceroute).
Existing connections work, new connections by any means did not.

I did:

net lookup dc OTHER_DOMAIN
net lookup master OTHER_DOMAIN
Made sure that master was in list of dc's.

nslookup IP_OF_MASTER
wbinfo -I IP_OF_MASTER
made sure both records exist.

Edited /etc/samba/lmhosts to have

IP_OF_MASTER NETBIOS_NAME_OF_MASTER#20
IP_OF_MASTER OTHER_DOMAIN#1B
IP_OF_MASTER OTHER_DOMAIN#1C

added 'name resolution order = lmhosts wins bcast' to smb.conf

I did this for the domain I am in and all domains I have trusts with. This has cut the time it takes for winbindd to enumerate all the users on my corporate domains from several hours to about 3-6 mins for users.

HIH.

I don't know if this is true or not, but my suspicion is that (at least for NT4 domains) winbind is relying on the PDC to tell it which machines are dc's. On some domains, dead accounts in the server manager seem to be screwing this up.

-Chris

On Thu, 2003-08-07 at 14:01, Lahners, Jeremy wrote:
> I have exactly the same errors in a similar configuration (RH9, Samba 3b3). When my samba server gets these errors, it stops allowing new connections to services but continues to respond for existing connections. Winbind appears to fix itself after 40-45 minutes without any intervention. Restarting winbind fixes it immediately. I, too, would like to hear any updates/suggestions on this problem.
>
> Errol Neal [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > Hi All,
> >
> > I am running Samba3.0 beta 3 installed from RPM's provided on the Samba.org FTP server. My platform is Red Hat 9. I am seeing a lot of errors such as:
> >
> > Aug 6 17:50:18 server3 winbindd[31138]: [2003/08/06 17:50:18, 0] nsswitch/winbindd_sid.c:winbindd_lookupname(103)
> > Aug 6 17:50:18 server3 winbindd[31138]: could not find domain entry for domain
> >
> > AND
> >
> > smbd[27004]: [2003/08/06 17:31:06, 0] auth/auth_util.c:make_server_info_info3(994)
> > smbd[27004]: make_server_info_info3: pdb_init_sam failed!
> >
> > A few questions about them:
> >
> > 1. Are they critical errors?
> > 2. What do these errors mean?
> > 2. Can they be resolved?
> >
> > In case you need it, here is a copy of my smb.conf
> >
> > # Global parameters
> > [global]
> >     workgroup = FOO
> >     realm = FOO.PRIVATE
> >     password server = XX.XX.XX.XX
> >     netbios name = SERVER3
> >     interfaces = XX.XX.XX.XX
> >     bind interfaces only = Yes
> >     security = ADS
> >     encrypt passwords = yes
> >     winbind gid = 6-65000
> >     winbind uid = 6-65000
> >     winbind separator = +
> >     template homedir = /home/%U
> >     template shell = /bin/bash
> >     acl compatibility = Win2k
> >     winbind use default domain = yes
> >
> > [html]
> >     path = /home/htdocs
> >     follow symlinks = no
> >     browsable = yes
> >     force create mode = 0664
> >     force directory mode = 0775
> >     writeable = yes
> >     write list = @FOO+Administrators FOO+esobczak
> >     nt acl support = yes
> >
> > Thanks in advance,
> >
> > Regards,
> > Errol U. Neal
> >
> > Errol Neal, Systems/Network Administrator
> > [EMAIL PROTECTED]
> > Enhanced Technologies Inc.
> > http://www.enhtech.com
> > 703-924-0301 or 800-368-3249
> > 703-924-0302 Fax
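
The workaround described at the top of this message (check the DC list, confirm the master is in it and answers, then pin it in lmhosts), as an added Python example that is not part of the original thread and not Samba code. The helper names are hypothetical, the addresses and names are constructed, and the reachability probe is an assumption of this example: a plain TCP connect to the SMB ports with a short timeout, injectable so the logic can be exercised offline.

```python
import socket

# Hypothetical helper names; all addresses and names below are constructed
# (192.0.2.0/24 is a documentation range).
SMB_PORTS = (445, 139)  # direct-hosted SMB, then NetBIOS session service


def tcp_probe(ip, ports=SMB_PORTS, timeout=2.0):
    """True if any SMB port on ip accepts a TCP connection within timeout."""
    for port in ports:
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False


def triage(candidates, probe=tcp_probe):
    """Split a DC candidate list into (responding, dead), keeping order."""
    live, dead = [], []
    for ip in dict.fromkeys(candidates):       # de-duplicate, keep order
        (live if probe(ip) else dead).append(ip)
    return live, dead


def lmhosts_lines(domain, master_ip, master_name):
    """The three lmhosts entries from the post: server, #1B and #1C names."""
    for name in (domain, master_name):
        if not 0 < len(name) <= 15 or any(c.isspace() for c in name):
            raise ValueError(f"not a usable NetBIOS name: {name!r}")
    return [
        f"{master_ip} {master_name}#20",
        f"{master_ip} {domain}#1B",
        f"{master_ip} {domain}#1C",
    ]


def pin_domain(domain, master_ip, master_name, candidates, probe=tcp_probe):
    """Return (lmhosts lines, dead candidates); refuse to pin a bad master."""
    live, dead = triage(candidates, probe)
    if master_ip not in candidates:
        raise ValueError(f"{master_ip} is not in the DC list for {domain}")
    if master_ip not in live:
        raise ValueError(f"{master_ip} does not answer on {SMB_PORTS}")
    return lmhosts_lines(domain, master_ip, master_name), dead


# Constructed DC list, as 'net lookup dc OTHER_DOMAIN' might return it.
SAMPLE_DCS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.11"]
SAMPLE_UP = {"192.0.2.10", "192.0.2.12"}       # constructed "reachable" set

if __name__ == "__main__":
    lines, dead = pin_domain("OTHER_DOMAIN", "192.0.2.10", "OTHERPDC",
                             SAMPLE_DCS, probe=lambda ip: ip in SAMPLE_UP)
    print("\n".join(lines))
    print("dead candidates:", dead)
```

The list of dead candidates is the part worth keeping: those are the stale registrations winbindd would otherwise wait on, and the ones to chase up with whoever runs WINS or the remote domain.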
RE: [Samba] winbind timeouts
On Fri, 2003-08-08 at 14:45, Gerald (Jerry) Carter wrote:
> On Fri, 8 Aug 2003, Douglass, Chris wrote:
>
> > Yes I am; but the offending domain is not AD. With an NT4 domain, this would be WINS only, right? I have 4 corporate wide WINS servers available to me. If I do 'net lookup dc PROBLEM_NT4_DOMAIN' I get a list of 24 IP's. Almost 1/2 of them have no entry in DNS, and 'wbinfo -I' also show no hostname. Barring a bad master browse list, where else can this come from?
>
> What you really need to run is
>
>   nmblookup -U wins ip -R 'PROBLEM_NT4_DOMAIN#1c'
>
> and see what IP's are returned. DNS is not used to locate a list of mixed mode AD or NT4 domain controllers. Are there IP's in the list that are dead?

There are 25 IP's that show as a result of this command.
wbinfo -I IP_ADDR on each IP shows 14 that resolve to a name
piping the IP's to nslookup shows 10 NXDOMAIN entries (not applicable really, but the 'standard' for them is to have an A record for servers, at least)
piping the IP's to ping shows 10 IP's with 100% packet loss.

It may be important to note that this domain primarily houses mail (MS Exchange) servers, which all respond to ldap packets.

> btw...are you running 3.0beta? or 2.2.x?

3.0beta3. I pulled CVS yesterday, but have not installed/compiled it.

This might be a separate issue, but another bit of info is that if I try to use 'net lookup ldap DOMAIN', I get this in syslog:

[2003/08/08 11:19:13, 0] lib/charcnv.c:convert_string(194)
  convert_string: Required 26, available 16

When I specify a different domain, I get the same message with a different required length. Google turns up others with this, but no solution. What's wrong here?

-Chris
Re: [Samba] Different Printer Model for different Arch
I have used an XP Pro machine to add the other drivers, which seems to work just fine.

-Chris

On Mon, 2003-08-11 at 19:17, Ryan Novosielski wrote:
> Here is a problem I posted to HP's forum on the DesignJet drivers for the 755cm, but something tells me someone clever here has already hacked around this or a similar printer and might know how to solve my problem:
>
> ---
> When installing drivers on a remote Samba server (ie. Windows NT emulation, and perhaps real NT as well), you are able to install printer drivers for a printer for various architectures. The requirement, however, is that the model string for each driver be the same. However, HP has HP DesignJet 755CM (3198B) for the Windows 9x driver, and HP DesignJet 755CM(3198B)by HP for the Windows 2000 model string.
>
> I hacked the OEMSETUP.INF to make the Win2k model string identical to the '9x model string, but apparently this broke the paper sources in your driver. I removed the driver, restored the stock Win2k model string (with the by HP) and the driver started working again.
>
> The problem, then, that remains unresolved is that HP has improperly labeled one of their drivers. To work properly in an NT environment, one needs to be changed and re-released.
> ---
>
> Anyone have a workaround -- I'm not holding my breath for a driver re-write.
>
> Ryan Novosielski - Jr. UNIX Systems Admin
> [EMAIL PROTECTED] - 973/972.0922 (2-0922)
> Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
[Samba] winbind timeouts
Hello,

I have tried posting to comp.protocols.smb with no luck. Please help.

I am running:
Slackware 9.0 (x86)
kernel 2.4.21
samba 3.0b3
MIT kerberos5 v1.2.7

I am testing samba 3.0b3 as part of migrating my site to Active Directory. Compiles/installs OK. When winbindd is started, it looks for the list of trusted domains and then queries those domains for user/group info. When I have the samba3b3 box joined to an NT4 domain, it takes about 15 minutes to get this info from all domains. (roughly 6+ user accounts in many domains.)

When the machine is joined to the AD domain, though, it gets list of IP's for each domain on servers it can try to get the user/group data from. Many of the IP addresses it is obtaining are bad in almost every domain it contacts (cannot nslookup, ping, traceroute, or query WINS with any results). Winbindd just sits there until it times out, then tries the next one.

The problem is that it takes many HOURS of waiting to get a full list generated so that I can run 'getent passwd'. Then I have to start the wait all over again so that 'getent group' works also. Once winbindd is queried, the test box is useless from the network until it's done (including plain Linux stuff like ssh)

Everything is fine at this point until I restart winbindd, then the whole thing starts over again.

These are my questions:

I thought that winbindd was supposed to cache all this info. Why doesn't it read the cache when it's restarted instead of getting new information?

Is there something that can be done to tell winbindd not to try to query servers that aren't actually up?

Where is this list of IP's coming from? Are these a bunch of dead accounts being reported from some Server Manager on a PDC?

Any info would be greatly appreciated.