[Samba] Storing privilege info in ldap
Hello

I have a Samba server 3.0.22 pdc on Gentoo Linux with a ldap backend all working fine. I am now going to add a bdc to the setup. It seems that the privilege info is stored locally rather than in ldap. I suspect that it's in account_policy.tdb but I'm not sure.

I can see the accounts on the bdc and logon fine but the rights are missing when I run "net rpc rights list". I can add the info in manually but that creates a future admin job. Is there any way to store the rights in LDAP?

thanks
David Williams

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] can't join ads w/ rc3
I googled for help on this, all I found was this cryptic irc chat log http://irc.vernstok.nl/samba-technical.php. It seems to be a kerberos ticket encoding problem. The AD server is giving me an arcfour-hmac-md5 ticket. I'm running mit krb5-1.3.1. Any ideas would be greatly appreciated.

-dave

david williams wrote:

> it was working for me with version <= rc2
>
> the end of net ads join -d 10 says:
>
> Search for (objectclass=*) gave 1 replies
> Got error packet 0x7e from kpasswd server
> parse_setpw_reply failed (Message stream modified)
> return code = -1
>
> Let me know if you want the whole log/some other debug info.
>
> -dave

[Samba] can't join ads w/ rc3
it was working for me with version <= rc2

the end of net ads join -d 10 says:

Search for (objectclass=*) gave 1 replies
Got error packet 0x7e from kpasswd server
parse_setpw_reply failed (Message stream modified)
return code = -1

Let me know if you want the whole log/some other debug info.

-dave

[Samba] auth failure on samba server + winbind weirdness (trust with unix kerberos realm problem?)
I'm most of the way through getting 3.0rc2 as a 2k3 AD member working.

smbclient -L windows_machine -U win_user -k
works

smbclient -L samba_machine -N
works

smbclient -L samba_machine -U win_user -k
says session setup failed: NT_STATUS_LOGON_FAILURE

This is where it gets strange:

restart winbind

getent passwd
only shows local users

id WIN\\luser
user not found

wbinfo -u
"Error looking up domain users"

wbinfo -m
lists our unix kerberos realm (we set up a trust)

wbinfo -u
works

getent passwd
lists domain and local users

id WIN\\luser
user found

this is reproducible every time. I expected the alternate kerberos name mappings to not work under samba yet, but WIN\luser doesn't use the other realm.

any ideas?

david

[Samba] invalid request size with winbind
I'm still working on joining a win2k3 ad domain. Here's where I'm stuck:

when I do:

id windows_luser

it says no such user

tail log.winbind says:

[2003/09/02 11:23:23, 10] nsswitch/winbindd_util.c:open_winbindd_socket(526)
  open_winbindd_socket: opened socket fd 16
[2003/09/02 11:23:23, 10] nsswitch/winbindd_util.c:open_winbindd_priv_socket(538)
  open_winbindd_priv_socket: opened socket fd 17
[2003/09/02 11:26:38, 6] nsswitch/winbindd.c:new_connection(340)
  accepted socket 18
[2003/09/02 11:26:38, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1304 bytes. Need 264 more for a full request.
[2003/09/02 11:26:38, 0] nsswitch/winbindd.c:process_loop(716)
  process_loop: Invalid request size from pid 6360: 1304 bytes sent, should be 1568

Anyone know what I'm doing wrong?

-d

Re: [Samba] more problems with rc1 + ADS: smbd sigsegv
#0 0xe002 in ?? ()
#1 0x42028b93 in abort () from /lib/tls/libc.so.6
#2 0x081cf298 in smb_panic (why=0x828ce7e "internal error") at lib/util.c:1483
#3 0x081bb8a1 in fault_report (sig=11) at lib/fault.c:41
#4 0x081bb8f9 in sig_fault (sig=11) at lib/fault.c:61
#5
#6 0x4006e722 in krb5_free_ticket () from /usr/kerberos/lib/libkrb5.so.3
#7 0x0822e9db in ads_verify_ticket (realm=0x82cffd8 "WIN.CS.UCR.EDU", ticket=0xbfffe860, principal=0xbfffe85c, auth_data=0xbfffe830, ap_rep=0xbfffe820, session_key=0xbfffe7e0 " #\023B\030B9\b\034\b\024\032\023B\0043+\b\234\030") at libads/kerberos_verify.c:242
#8 0x080acadd in reply_spnego_kerberos (conn=0x0, inbuf=0x404e1008 "", outbuf=0x40502008 "", length=1296, bufsize=131072, secblob=0xbfffe8e0) at smbd/sesssetup.c:167
#9 0x080ad40e in reply_spnego_negotiate (conn=0x0, inbuf=0x404e1008 "", outbuf=0x40502008 "", length=1296, bufsize=131072, blob1= {data = 0x8393d58 "`\202\004\006\006+\006\001\005\005\002\202\0040\202\004\0310\027\006\t*\206H\202\022\001\002\002\006\n+\006\001\004\001\2027\002\002\n\202\004\207\004\202\004\203`\202\004\177\006\t*\206H\206\022\001\002\002\001", length = 1210, free = 0x81cc5bc }) at smbd/sesssetup.c:390
#10 0x080ad8cb in reply_sesssetup_and_X_spnego (conn=0x0, inbuf=0x404e1008 "", outbuf=0x40502008 "", length=1296, bufsize=131072) at smbd/sesssetup.c:505
#11 0x080adbc3 in reply_sesssetup_and_X (conn=0x0, inbuf=0x404e1008 "", outbuf=0x40502008 "", length=1296, bufsize=131072) at smbd/sesssetup.c:591
#12 0x080d0e3b in switch_message (type=115, inbuf=0x404e1008 "", outbuf=0x40502008 "", size=1296, bufsize=131072) at smbd/process.c:767
#13 0x080d0ef2 in construct_reply (inbuf=0x404e1008 "", outbuf=0x40502008 "", size=1296, bufsize=131072) at smbd/process.c:797
#14 0x080d125a in process_smb (inbuf=0x404e1008 "", outbuf=0x40502008 "") at smbd/process.c:897
#15 0x080d1fad in smbd_process () at smbd/process.c:1319
#16 0x0823ace7 in main (argc=3, argv=0xb804) at smbd/server.c:887
#17 0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6

Jeremy Allison wrote:

> On Fri, Aug 22, 2003 at 09:57:40AM -0700, david williams wrote:
> > here's the tail end of the -d 10 log.host. It seems to not like the encryption type. Which should I be using, and where should I change it?
>
> Can you please recompile with -g so we can get the symbols from the stack backtrace. That will tell us exactly where it's dying.
>
> Thanks,
> Jeremy.

Re: [Samba] more problems with rc1 + ADS: smbd sigsegv
I don't think so. The admin password's been changed. I turned Client and server signing off, it didn't make a difference.

Gerald (Jerry) Carter wrote:

> On Fri, 22 Aug 2003, david williams wrote:
> > nope, it's mit 1.2.7 from the redhat rpm.
>
> Does this apply to you? (from the WHATSNEW)
>
> 2) Inclusion of new 'security = ads' option for integration with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols.
>
> MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption type which is necessary for servers on which the administrator password has not been changed, or kerberos-enabled SMB connections to servers that require Kerberos SMB signing. Besides this one difference, either MIT or Heimdal Kerberos distributions are usable by Samba 3.0.
>
> cheers, jerry

[Samba] more problems with rc1 + ADS: smbd sigsegv
here's the tail end of the -d 10 log.host. It seems to not like the encryption type. Which should I be using, and where should I change it?

-dave

[2003/08/22 09:45:29, 3] smbd/process.c:switch_message(685)
  switch message SMBsesssetupX (pid 6310)
[2003/08/22 09:45:29, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/22 09:45:29, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2003/08/22 09:45:29, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2003/08/22 09:45:29, 5] smbd/uid.c:change_to_root_user(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2003/08/22 09:45:29, 3] smbd/sesssetup.c:reply_sesssetup_and_X(577)
  wct=12 flg2=0xc801
[2003/08/22 09:45:29, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(474)
  Doing spnego session setup
[2003/08/22 09:45:29, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(498)
  NativeOS=[Unix] NativeLanMan=[Samba]
[2003/08/22 09:45:29, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
  Got OID 1 2 840 48018 1 2 2
[2003/08/22 09:45:29, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2003/08/22 09:45:29, 3] smbd/sesssetup.c:reply_spnego_negotiate(386)
  Got secblob of size 1155
[2003/08/22 09:45:29, 10] passdb/secrets.c:secrets_named_mutex(697)
  secrets_named_mutex: got mutex for replay cache mutex
[2003/08/22 09:45:29, 10] libads/kerberos_verify.c:ads_verify_ticket(175)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2003/08/22 09:45:29, 3] libads/kerberos_verify.c:ads_verify_ticket(175)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2003/08/22 09:45:29, 10] libads/kerberos_verify.c:ads_verify_ticket(175)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2003/08/22 09:45:29, 10] passdb/secrets.c:secrets_named_mutex_release(709)
  secrets_named_mutex: released mutex for replay cache mutex
[2003/08/22 09:45:29, 3] libads/kerberos_verify.c:ads_verify_ticket(182)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/08/22 09:45:29, 0] lib/fault.c:fault_report(36)
  ===
[2003/08/22 09:45:29, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 6310 (3.0.0rc1) Please read the appendix Bugs of the Samba HOWTO collection
[2003/08/22 09:45:29, 0] lib/fault.c:fault_report(39)
  ===
[2003/08/22 09:45:29, 0] lib/util.c:smb_panic(1462)
  PANIC: internal error
[2003/08/22 09:45:29, 0] lib/util.c:smb_panic(1469)
  BACKTRACE: 15 stack frames:
   #0 ../sbin/smbd(smb_panic+0xfc) [0x817f320]
   #1 ../sbin/smbd [0x8170c4f]
   #2 /lib/tls/libc.so.6 [0x420276f8]
   #3 ../sbin/smbd(ads_verify_ticket+0x23e) [0x81c910a]
   #4 ../sbin/smbd [0x809dba5]
   #5 ../sbin/smbd [0x809e3c0]
   #6 ../sbin/smbd [0x809e6d5]
   #7 ../sbin/smbd(reply_sesssetup_and_X+0xa18) [0x809f1cc]
   #8 ../sbin/smbd [0x80b8579]
   #9 ../sbin/smbd [0x80b86d9]
   #10 ../sbin/smbd(process_smb+0x76) [0x80b889e]
   #11 ../sbin/smbd(smbd_process+0x198) [0x80b93ac]
   #12 ../sbin/smbd(main+0x416) [0x81d2a7a]
   #13 /lib/tls/libc.so.6(__libc_start_main+0xe4) [0x420156a4]
   #14 ../sbin/smbd(chroot+0x31) [0x8075cdd]

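An added example, not part of the original post: a Python triage of the ads_verify_ticket lines from the log above, mapping each attempted Kerberos encryption type number to its name and reporting which expected types were never tried. Treating type 23 (arcfour-hmac-md5) as the expected one is an assumption taken from the WHATSNEW text quoted elsewhere in this thread.

```python
import re

# Kerberos encryption type numbers as assigned in the IANA registry.
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

FAIL_RE = re.compile(
    r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt with error (.+)"
)

# Message lines copied from the log in the post above, one entry per line.
SAMPLE_LOG = """\
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""

def tried_enctypes(log_text):
    """Return [(number, name, error)] for every decrypt attempt in the log."""
    attempts = []
    for match in FAIL_RE.finditer(log_text):
        number = int(match.group(1))
        attempts.append((number, ENCTYPES.get(number, "unknown"),
                         match.group(2).strip()))
    return attempts

def missing_enctypes(log_text, expected=(23,)):
    """Return expected enctypes (assumed: 23) that were never attempted."""
    tried = {number for number, _, _ in tried_enctypes(log_text)}
    return [(n, ENCTYPES.get(n, "unknown")) for n in expected if n not in tried]

if __name__ == "__main__":
    for number, name, error in tried_enctypes(SAMPLE_LOG):
        print(f"tried {number:>2} ({name}): {error}")
    for number, name in missing_enctypes(SAMPLE_LOG):
        print(f"never tried {number} ({name})")
```

On the sample lines only DES and 3DES types are attempted, and type 3 is the only one that reaches an integrity check rather than being rejected as a bad type.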
Re: [Samba] winbindd problem with 3.0.0rc1
d'oh. I was using some old samba stuff left in my path.

david williams wrote:

> kinit/klist worked
> net join reported joining successfully
>
> [EMAIL PROTECTED] wrote:
>
> > Have you joined your samba server to the domain?
> >
> > - Original Message -
> > From: david williams <[EMAIL PROTECTED]>
> > Date: Friday, August 22, 2003 6:24 am
> > Subject: [Samba] winbindd problem with 3.0.0rc1
> >
> > > I've been trying to get samba 3 to join my AD domain, and have gotten stuck.
> > >
> > > when I wbinfo -t it returns "Could not check secret"
> > >
> > > log.winbindd says:
> > >
> > > nsswitch/winbindd.c: nsswitch/winbindd.c:process_loop(722)
> > >   process_loop: Invalid request size from pid 5368: 1304 bytes sent, should be 1568
> > >
> > > here's my smb.conf in case it matters.
> > >
> > > # Global parameters
> > > [global]
> > >         workgroup = WIN.CS.UCR.EDU
> > >         realm = WIN.CS.UCR.EDU
> > >         security = ADS
> > >         password server = mulford.cs.ucr.edu *
> > >         client lanman auth = No
> > >         client plaintext auth = No
> > >         log file = /usr/local/pkgs/samba-3.0.0rc1/var/log.%m
> > >         ldap ssl = no
> > >         idmap uid = 1-2
> > >         idmap gid = 1-2
> > >         valid users = administrator
> > >
> > > [temp]
> > >         comment = please work
> > >         path = /tmp
> > >         guest ok = Yes
> > >
> > > thanks in advance
> > > dave

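An added example, not part of the original posts: the thread ends with stale Samba binaries in the PATH, so this Python script extracts the size mismatch from the log.winbindd message and lists Samba tools that exist in more than one PATH directory. The list of tool names checked is an assumption.

```python
import os
import re

SIZE_RE = re.compile(
    r"Invalid request size from pid (\d+): (\d+) bytes sent, should be (\d+)"
)

# Message copied from log.winbindd in the thread above.
SAMPLE_LOG = ("process_loop: Invalid request size from pid 5368: "
              "1304 bytes sent, should be 1568\n")

# Assumed set of Samba programs worth checking for duplicates.
SAMBA_TOOLS = ("wbinfo", "net", "smbd", "winbindd")

def size_mismatches(log_text):
    """Return [(pid, bytes_sent, bytes_expected)] for each rejected request."""
    return [tuple(int(g) for g in m.groups())
            for m in SIZE_RE.finditer(log_text)]

def shadowed_tools(path, names=SAMBA_TOOLS):
    """Map tool name -> all executable copies on `path`, in search order,
    keeping only tools found in more than one directory."""
    found = {}
    # dict.fromkeys drops repeated PATH entries but keeps search order.
    for directory in dict.fromkeys(path.split(os.pathsep)):
        for name in names:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                found.setdefault(name, []).append(candidate)
    return {name: copies for name, copies in found.items() if len(copies) > 1}

if __name__ == "__main__":
    for pid, sent, expected in size_mismatches(SAMPLE_LOG):
        print(f"pid {pid}: sent {sent} bytes, winbindd expects {expected}")
    for name, copies in shadowed_tools(os.environ.get("PATH", "")).items():
        print(f"{name}: shell runs {copies[0]}, also installed: {copies[1:]}")
```

The first copy listed for each tool is the one the shell runs; if it is not from the same build as the running winbindd, that matches the situation the poster describes.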
Re: [Samba] winbindd problem with 3.0.0rc1
kinit/klist worked
net join reported joining successfully

[EMAIL PROTECTED] wrote:

> Have you joined your samba server to the domain?
>
> - Original Message -
> From: david williams <[EMAIL PROTECTED]>
> Date: Friday, August 22, 2003 6:24 am
> Subject: [Samba] winbindd problem with 3.0.0rc1
>
> > I've been trying to get samba 3 to join my AD domain, and have gotten stuck.
> >
> > when I wbinfo -t it returns "Could not check secret"
> >
> > log.winbindd says:
> >
> > nsswitch/winbindd.c: nsswitch/winbindd.c:process_loop(722)
> >   process_loop: Invalid request size from pid 5368: 1304 bytes sent, should be 1568
> >
> > here's my smb.conf in case it matters.
> >
> > # Global parameters
> > [global]
> >         workgroup = WIN.CS.UCR.EDU
> >         realm = WIN.CS.UCR.EDU
> >         security = ADS
> >         password server = mulford.cs.ucr.edu *
> >         client lanman auth = No
> >         client plaintext auth = No
> >         log file = /usr/local/pkgs/samba-3.0.0rc1/var/log.%m
> >         ldap ssl = no
> >         idmap uid = 1-2
> >         idmap gid = 1-2
> >         valid users = administrator
> >
> > [temp]
> >         comment = please work
> >         path = /tmp
> >         guest ok = Yes
> >
> > thanks in advance
> > dave

[Samba] winbindd problem with 3.0.0rc1
I've been trying to get samba 3 to join my AD domain, and have gotten stuck.

when I wbinfo -t it returns "Could not check secret"

log.winbindd says:

nsswitch/winbindd.c: nsswitch/winbindd.c:process_loop(722)
  process_loop: Invalid request size from pid 5368: 1304 bytes sent, should be 1568

here's my smb.conf in case it matters.

# Global parameters
[global]
        workgroup = WIN.CS.UCR.EDU
        realm = WIN.CS.UCR.EDU
        security = ADS
        password server = mulford.cs.ucr.edu *
        client lanman auth = No
        client plaintext auth = No
        log file = /usr/local/pkgs/samba-3.0.0rc1/var/log.%m
        ldap ssl = no
        idmap uid = 1-2
        idmap gid = 1-2
        valid users = administrator

[temp]
        comment = please work
        path = /tmp
        guest ok = Yes

thanks in advance
dave