[Samba] Latest winbind creating fault

2013-05-01 Thread Dimitri Yioulos
All,

Yesterday morning, I updated samba from samba3-3.6.13-45 to  
samba3-3.6.14-45 (obtained from sernet) on a couple of 
CentOS 5.9 boxes.  As soon as users started accessing these 
boxes, one of my sensors detected a winbind error, as in:

Apr 30 08:19:36 norwell winbindd[13283]:   INTERNAL ERROR: Signal 11 in pid 13283 (3.6.14)

Here's what appears in syslog:

Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.667710,  0] lib/fault.c:47(fault_report)
Apr 30 08:19:36 norwell winbindd[8938]:   ===
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.670612,  0] lib/fault.c:48(fault_report)
Apr 30 08:19:36 norwell winbindd[8938]:   INTERNAL ERROR: Signal 11 in pid 8938 (3.6.14)
Apr 30 08:19:36 norwell winbindd[8938]:   Please read the Trouble-Shooting section of the Samba3-HOWTO
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.671113,  0] lib/fault.c:50(fault_report)
Apr 30 08:19:36 norwell winbindd[8938]:
Apr 30 08:19:36 norwell winbindd[8938]:   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.671456,  0] lib/fault.c:51(fault_report)
Apr 30 08:19:36 norwell winbindd[8938]:   ===
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.671683,  0] lib/util.c:1117(smb_panic)
Apr 30 08:19:36 norwell winbindd[8938]:   PANIC (pid 8938): internal error
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.675330,  0] lib/util.c:1221(log_stack_trace)
Apr 30 08:19:36 norwell winbindd[8938]:   BACKTRACE: 17 stack frames:
Apr 30 08:19:36 norwell winbindd[8938]:#0 winbindd(log_stack_trace+0x2d) [0x31b655]
Apr 30 08:19:36 norwell winbindd[8938]:#1 winbindd(smb_panic+0x7c) [0x31b787]
Apr 30 08:19:36 norwell winbindd[8938]:#2 winbindd [0x30b8ce]
Apr 30 08:19:36 norwell winbindd[8938]:#3 [0xd39420]
Apr 30 08:19:36 norwell winbindd[8938]:#4 winbindd [0x23a080]
Apr 30 08:19:36 norwell winbindd[8938]:#5 winbindd(_wbint_LookupRids+0x8a) [0x258d08]
Apr 30 08:19:36 norwell winbindd[8938]:#6 winbindd [0x263596]
Apr 30 08:19:36 norwell winbindd[8938]:#7 winbindd(winbindd_dual_ndrcmd+0x13a) [0x257a42]
Apr 30 08:19:36 norwell winbindd[8938]:#8 winbindd [0x256a0c]
Apr 30 08:19:36 norwell winbindd[8938]:#9 winbindd [0x32e432]
Apr 30 08:19:36 norwell winbindd[8938]:#10 winbindd(tevent_common_loop_immediate+0x111) [0x32ceed]
Apr 30 08:19:36 norwell winbindd[8938]:#11 winbindd(run_events_poll+0x3e) [0x32b095]
Apr 30 08:19:36 norwell winbindd[8938]:#12 winbindd [0x32b80f]
Apr 30 08:19:36 norwell winbindd[8938]:#13 winbindd(_tevent_loop_once+0x9d) [0x32bd2d]
Apr 30 08:19:36 norwell winbindd[8938]:#14 winbindd(main+0xd32) [0x22e303]
Apr 30 08:19:36 norwell winbindd[8938]:#15 /lib/libc.so.6(__libc_start_main+0xdc) [0xdc0ebc]
Apr 30 08:19:36 norwell winbindd[8938]:#16 winbindd [0x22b111]
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.677068,  0] lib/fault.c:372(dump_core)
Apr 30 08:19:36 norwell winbindd[8938]:   dumping core in /var/log/samba/cores/winbindd
Apr 30 08:19:36 norwell winbindd[8938]:

Unfortunately, I was unable to do any further debugging.

This morning, I rolled back installation to 
samba3-3.6.13-45, and the problem has gone away.

Bug in latest version on sernet?

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
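
A sensor rule for this kind of crash can be built from the fault report format shown in the log above. The following is an added example, not code from the post or from Samba: it groups syslog records per process, extracts the signal, version, backtrace and core directory, and names the nearest symbolized caller. The sample input is an excerpt of the log above with mail wrapping undone; all function names are this example's own.

```python
import re

# Excerpt of the syslog records quoted in the post, one record per line
# (mail line-wrapping undone). Frames #8 to #16 are left out to keep it short.
SAMPLE = """\
Apr 30 08:19:36 norwell winbindd[13283]:   INTERNAL ERROR: Signal 11 in pid 13283 (3.6.14)
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.670612,  0] lib/fault.c:48(fault_report)
Apr 30 08:19:36 norwell winbindd[8938]:   INTERNAL ERROR: Signal 11 in pid 8938 (3.6.14)
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.675330,  0] lib/util.c:1221(log_stack_trace)
Apr 30 08:19:36 norwell winbindd[8938]:   BACKTRACE: 17 stack frames:
Apr 30 08:19:36 norwell winbindd[8938]:#0 winbindd(log_stack_trace+0x2d) [0x31b655]
Apr 30 08:19:36 norwell winbindd[8938]:#1 winbindd(smb_panic+0x7c) [0x31b787]
Apr 30 08:19:36 norwell winbindd[8938]:#2 winbindd [0x30b8ce]
Apr 30 08:19:36 norwell winbindd[8938]:#3 [0xd39420]
Apr 30 08:19:36 norwell winbindd[8938]:#4 winbindd [0x23a080]
Apr 30 08:19:36 norwell winbindd[8938]:#5 winbindd(_wbint_LookupRids+0x8a) [0x258d08]
Apr 30 08:19:36 norwell winbindd[8938]:#6 winbindd [0x263596]
Apr 30 08:19:36 norwell winbindd[8938]:#7 winbindd(winbindd_dual_ndrcmd+0x13a) [0x257a42]
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.677068,  0] lib/fault.c:372(dump_core)
Apr 30 08:19:36 norwell winbindd[8938]:   dumping core in /var/log/samba/cores/winbindd
"""

SYSLOG = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
FAULT = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid \d+ \(([^)]+)\)")
DECLARED = re.compile(r"BACKTRACE: (\d+) stack frames")
FRAME = re.compile(
    r"^#(?P<n>\d+)\s+(?P<obj>[^\s(\[]+)?"
    r"(?:\((?P<sym>[^+)]+)\+0x[0-9a-f]+\))?\s*\[(?P<addr>0x[0-9a-f]+)\]")
CORE = re.compile(r"dumping core in (\S+)")

# Frames that belong to Samba's own crash reporting, not to the fault itself.
REPORTING = {"log_stack_trace", "smb_panic", "fault_report"}


def parse_faults(text):
    """Return one report per crashing process, keyed internally by host/program/pid."""
    reports = {}
    for line in text.splitlines():
        rec = SYSLOG.match(line)
        if not rec:
            continue
        key = (rec["host"], rec["prog"], int(rec["pid"]))
        msg = rec["msg"]
        fault = FAULT.search(msg)
        if fault:
            reports[key] = {"host": key[0], "prog": key[1], "pid": key[2],
                            "signal": int(fault.group(1)), "version": fault.group(2),
                            "declared": None, "frames": [], "core_dir": None}
            continue
        report = reports.get(key)
        if report is None:
            continue  # record is not part of a fault report for this process
        declared, frame, core = DECLARED.search(msg), FRAME.match(msg), CORE.search(msg)
        if declared:
            report["declared"] = int(declared.group(1))
        elif frame:
            report["frames"].append({"n": int(frame["n"]), "object": frame["obj"],
                                     "symbol": frame["sym"], "addr": frame["addr"]})
        elif core:
            report["core_dir"] = core.group(1)
    return list(reports.values())


def nearest_named_caller(report):
    """First symbolized frame outside the crash-reporting code.

    Unnamed frames (static functions, the signal trampoline) are skipped, so
    this is the nearest exported caller, not necessarily the faulting function.
    """
    for frame in report["frames"]:
        if frame["symbol"] and frame["symbol"] not in REPORTING:
            return frame["symbol"]
    return None


def signature(report):
    """Stable key for de-duplicating alerts across pids and hosts."""
    return "{prog} {version} signal {signal} near {caller}".format(
        caller=nearest_named_caller(report) or "?", **report)


if __name__ == "__main__":
    for rep in parse_faults(SAMPLE):
        truncated = rep["declared"] is not None and len(rep["frames"]) < rep["declared"]
        print(rep["host"], rep["pid"], signature(rep),
              "(backtrace truncated)" if truncated else "")
```

Comparing `declared` with the number of parsed frames shows when a backtrace was cut off in transit, as it is in this shortened sample.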


Re: [Samba] Samba help?

2012-07-13 Thread Dimitri Yioulos
On Thursday 12 July 2012 1:31:06 am Gémes Géza wrote:
 Hi Miklos,

  Hello Geza,
 
  I stand chastised and apologize. I didn't mean to hijack someone's
  thread. I also didn't plan to ask for help in Hungarian, and this is just
  a coincidence.
 
  However, if you can help me I'll take whatever I can get, so thank you.
 
  My question/problem is that I have no windows background at all and am
  trying to configure Samba with Active Directory. I also have no access to
  any windows machines to test my configuration so I don't know if it
  works. I believe I'm almost there but how do I know if it's really
  working?
 
  SWAT works fine, but Winbindd won't start.
 
  infadmnq:/lssrc -g samba
  Subsystem         Group            PID          Status
   smbd             samba            14221530     active
   nmbd             samba            13893726     active
   winbindd         samba                         inoperative
 
  I ran testparm and it comes back clean.
 
  infadmnq:/testparm
  Load smb config files from /usr/lib/smb.conf
  Processing section [samba_infaQ]
  Loaded services file OK.
  Server role: ROLE_DOMAIN_MEMBER
  Press enter to see a dump of your service definitions
 
  [global]
   workgroup = HUMC
   security = DOMAIN
   auth methods = winbind
   password server = dchumc01, dchumc02
   client NTLMv2 auth = Yes
   syslog = 3
   log file = /var/log/samba
   ldap ssl = no
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum users = Yes
   winbind enum groups = Yes
 
  [samba_infaQ]
   comment = Share for DBA SAs
   path = /samba_infaQ
 
  I run:
 
  smbclient -L '\\fileserver1\DECN_Shared\' -U INFAservice
 
  and I get two pages of output starting like this:
 
  Sharename   Type  Comment
  ---------   ----  -------
   CHRT_Shared Disk  CHRT Departmental Shared Files
   HEDU_Shared Disk  HEDU Departmental Shared Files
   MREC_Shared Disk  MREC Departmental Shared Files
   PHBL_Shared Disk  PHBL Departmental Shared Files
   PHRM_Shared Disk  PHRM Departmental Shared Files
   SLAB_Shared Disk  SLAB Departmental Shared Files
   SPAS_Shared Disk  SPAS Departmental Shared Files
   SPTY_Shared Disk  SPTY Departmental Shared Files
   WomenChild  Disk
 
 
  Thank you for all the help!!
 
  Miklos

 First  question:

 What do wbinfo -p, wbinfo -u and wbinfo -g return?

 You wrote, that you have to authenticate your users against an AD. Have
 you joined it (e.g. net ads join -U
 username_of_an_AD_user_with_the_priviledge_of_joining (for example an
 administrator))?

 Regards

 Geza

I've found that I need to do a few things to make Samba work with AD (and, it 
does for me.  I must have 15 servers (Linux and *BSD) connected to our network 
via Win2008R2-based AD).

First, I believe you have to get kerberos set up properly on your Linux box.  
Next, configure nsswitch.conf to use winbind.  Then, you must join the box to 
the domain, just as Geza mentioned.  After that, start samba.  Finally, you can 
run the commands that Geza suggested (wbinfo -p, wbinfo -u and wbinfo -g.  I'd 
also suggest getent passwd).  These steps are all very well documented, and, 
are easy to find, but if you have a problem with anything, let us know.

Dimitri
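
The first steps of this procedure can be checked from the configuration files before the join is attempted. This is an added example, not code from the post or from the Samba project: it assumes the usual AD member settings (`security = ads` with a `realm` that matches the Kerberos `default_realm`) and runs on constructed file contents with a made-up EXAMPLE.TEST realm.

```python
def smb_global(text):
    """Return the [global] options of an smb.conf as a dict with normalized keys."""
    opts, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    return opts


def krb5_default_realm(text):
    """Return default_realm from the [libdefaults] section of a krb5.conf, or None."""
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_realm":
                return value
    return None


def nss_sources(text, database):
    """Return the source list nsswitch.conf gives for one database (e.g. passwd)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []


def preflight(smb_conf, nsswitch_conf, krb5_conf):
    """Return (code, message) findings that would block the join or user lookups."""
    findings = []
    opts = smb_global(smb_conf)
    realm = opts.get("realm", "")
    if opts.get("security", "").lower() != "ads":
        findings.append(("smb.security", "security is not 'ads'"))
    if not realm:
        findings.append(("smb.realm", "no realm set in [global]"))
    krb_realm = krb5_default_realm(krb5_conf)
    if krb_realm is None:
        findings.append(("krb5.realm", "krb5.conf has no default_realm"))
    elif realm and krb_realm.upper() != realm.upper():
        findings.append(("krb5.realm", "default_realm %s differs from realm %s"
                         % (krb_realm, realm)))
    for database in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch_conf, database):
            findings.append(("nss." + database,
                             "%s does not consult winbind" % database))
    return findings


# Constructed sample inputs (not taken from any real host).
KRB5 = "[libdefaults]\n default_realm = EXAMPLE.TEST\n"
SMB_BEFORE = "[global]\n   workgroup = EXAMPLE\n   security = domain\n"
NSS_BEFORE = "passwd: files\ngroup:  files winbind\n"
SMB_AFTER = ("[global]\n   workgroup = EXAMPLE\n   security = ADS\n"
             "   realm = example.test\n")
NSS_AFTER = "passwd: files winbind\ngroup:  files winbind\n"

if __name__ == "__main__":
    for label, smb, nss in (("before", SMB_BEFORE, NSS_BEFORE),
                            ("after", SMB_AFTER, NSS_AFTER)):
        print(label, preflight(smb, nss, KRB5) or "ready for join")
```

Once this reports nothing, the join and the `wbinfo -p`, `wbinfo -u`, `wbinfo -g` and `getent passwd` checks from the message are the remaining steps.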



Re: [Samba] Samba help?

2012-07-12 Thread Dimitri Yioulos
On Thursday 12 July 2012 1:31:06 am Gémes Géza wrote:
 Hi Miklos,

  Hello Geza,
 
  I stand chastised and apologize. I didn't mean to hijack someone's
  thread. I also didn't plan to ask for help in Hungarian, and this is just
  a coincidence.
 
  However, if you can help me I'll take whatever I can get, so thank you.
 
  My question/problem is that I have no windows background at all and am
  trying to configure Samba with Active Directory. I also have no access to
  any windows machines to test my configuration so I don't know if it
  works. I believe I'm almost there but how do I know if it's really
  working?
 
  SWAT works fine, but Winbindd won't start.
 
  infadmnq:/lssrc -g samba
  Subsystem         Group            PID          Status
   smbd             samba            14221530     active
   nmbd             samba            13893726     active
   winbindd         samba                         inoperative
 
  I ran testparm and it comes back clean.
 
  infadmnq:/testparm
  Load smb config files from /usr/lib/smb.conf
  Processing section [samba_infaQ]
  Loaded services file OK.
  Server role: ROLE_DOMAIN_MEMBER
  Press enter to see a dump of your service definitions
 
  [global]
   workgroup = HUMC
   security = DOMAIN
   auth methods = winbind
   password server = dchumc01, dchumc02
   client NTLMv2 auth = Yes
   syslog = 3
   log file = /var/log/samba
   ldap ssl = no
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum users = Yes
   winbind enum groups = Yes
 
  [samba_infaQ]
   comment = Share for DBA SAs
   path = /samba_infaQ
 
  I run:
 
  smbclient -L '\\fileserver1\DECN_Shared\' -U INFAservice
 
  and I get two pages of output starting like this:
 
  Sharename   Type  Comment
  ---------   ----  -------
   CHRT_Shared Disk  CHRT Departmental Shared Files
   HEDU_Shared Disk  HEDU Departmental Shared Files
   MREC_Shared Disk  MREC Departmental Shared Files
   PHBL_Shared Disk  PHBL Departmental Shared Files
   PHRM_Shared Disk  PHRM Departmental Shared Files
   SLAB_Shared Disk  SLAB Departmental Shared Files
   SPAS_Shared Disk  SPAS Departmental Shared Files
   SPTY_Shared Disk  SPTY Departmental Shared Files
   WomenChild  Disk
 
 
  Thank you for all the help!!
 
  Miklos

 First  question:

 What do wbinfo -p, wbinfo -u and wbinfo -g return?

 You wrote, that you have to authenticate your users against an AD. Have
 you joined it (e.g. net ads join -U
 username_of_an_AD_user_with_the_priviledge_of_joining (for example an
 administrator))?

 Regards

 Geza

I'm reposting this, as I just resubscribed to the list using my new mail addy:

I've found that I need to do a few things to make Samba work with AD (and, it 
does for me.  I must have 15 servers (Linux and *BSD) connected to our network 
via Win2008R2-based AD).

First, I believe you have to get kerberos set up properly on your Linux box.  
Next, configure nsswitch.conf to use winbind.  Then, you must join the box to 
the domain, just as Geza mentioned.  After that, start samba.  Finally, you can 
run the commands that Geza suggested (wbinfo -p, wbinfo -u and wbinfo -g.  I'd 
also suggest getent passwd).  These steps are all very well documented, and, 
are easy to find, but if you have a problem with anything, let us know.

Dimitri



[Samba] nt_printing error in logs

2012-01-07 Thread Dimitri Yioulos
Happy New Year, all.

I recently updated my CentOS 5.x boxes to run samba-3.6.1.  These 
boxes are member servers in a Win2k8 Active Directory.  All work 
fine.  However, I see the following errors in the logs of every 
single one:

Jan  6 07:57:26 hanover smbd[24424]: [2012/01/06 07:57:26.629925,  0] printing/nt_printing_ads.c:358(check_published_printers)
Jan  6 07:57:26 hanover smbd[24424]:   check_published_printers: Could not create system session_info
Jan  6 07:57:26 hanover smbd[24424]: [2012/01/06 07:57:26.630470,  0] printing/nt_printing.c:102(nt_printing_init)
Jan  6 07:57:26 hanover smbd[24424]:   nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

I've googled extensively, but can't find a post that offers a good 
solution.  Your help in understanding and fixing this would be 
greatly appreciated.

Dimitri



Re: [Samba] smbldap-tools and phpldapadmin

2011-01-19 Thread Dimitri Yioulos
On Tuesday 18 January 2011 7:46:55 pm Alberto 
Moreno wrote:
 On Mon, Jan 17, 2011 at 4:38 AM, Dimitri Yioulos 
dyiou...@firstbhph.com wrote:
  On Saturday 15 January 2011 4:26:03 pm
  William
 
  Brown wrote:
   If I enter the command smbldap-useradd -a
   -m -M juser -g Domain Users -G Domain
   Admins -G Administrators -c Joe User
   juser (beginning and ending parens for
   clarity), I do indeed create the type of
   user I'm trying to create.  And, that user
   appears in the list of users in
   PhpLdapAdmin.
  
   However, if I create the same type of user
   using the PhpLdapAdmin Samba3 Account
   template, the user doesn't have the same
   attributes as the ones created via
   smbldap-useradd.
 
  Yes, there are schema extensions in samba's
  ldap admin tool that extend the posix
  account. You can convert an existing user
  iirc with that command, since the posix
  password hash is irreversible. Also pay
  attention you MUST use the smbpasswd tool
  to change passwords, else the userPassword
  and smbPassword fields will de-sync.
 
   I could probably create a bash script that
   invokes smbldap-useradd for my users to
   use to create accounts, but they're
   CLI-phobic, so I really want to get
   PhpLdapAdmin to do this.
  
   How can I accomplish this
   PhpLdapAdmin/smbldap-useradd integration?
   I'm really not a programmer, so messing
   with the PhpLdapAdmin xml files is
   daunting to me if, in fact, this is how
   it's done.  I've looked through all of the
   config files associated with the PDC
   set-up, but simply don't see anything in
   them that would do the trick.
 
  sorry, but edit the templates. Look here
 
  http://phpldapadmin.sourceforge.net/wiki/index.php/Templates
 
  Also, create a user in ldap, and one in smb,
  then compare the differences. Some of the
  fields are autogenerated as well iirc,
 
  You can likely cheat with the value tag,
  to call php, that calls your smb script.
  Something like
  valuesystem(smbldap-useradd -a -m -M uid
  ) might do it (you will need to substitute
  in values like i did with uid )
 
   If anyone has accomplished this, I would
   greatly appreciate your help!
  
   Thanks.
  
   Dimitri
  
   --
 
  Thank you both for your responses.
 
  I was afraid I'd hear, sorry, but edit the
  templates.  Now, I know the old saw about,
  If you give a man a fish ... , but if
  someone has already created such a template,
  and is willing to share it, I'd be extremely
  grateful.  It's not laziness, it's lack of
  skill in this area.
 
  Thanks.
 
  Dimitri
 

 Hi guys.

 What I can add to this thread is that, for your
 safety:

 1) Don't use samba 3.0.x; it doesn't support
 Windows 7. If someone comes with a machine like
 that, you are doomed.
 Use samba 3x; it is ready to be used as a PDC and
 supports Windows 7, Windows 2008, etc.
 2) The only issue is that you have to set up
 smbldap-tools by hand because it doesn't have
 support for samba 3x, but it is too easy; I can
 help you.
 3) I tried phpldapadmin but I prefer Mandriva
 MDS. It is the same, an ajax interface to openldap;
 I prefer this one, it is very clean and stable. I
 can help you set this one up too.

 Migrating from samba 3.0.x to samba 3.x is not an
 issue; you just have to upgrade samba and review
 your settings. Maybe some are on in samba
 3.0.x and off in samba3x; that is what I have seen
 in my deployments.

  My two cents!!!

 --

Alberto,

Thanks for your kind response.

Let me respond to your points one-by-one:

1)  your point on using the latest Samba release 
is well-taken.  I started out installing it, but 
had such a tough time getting the PDC set up and 
working that, as part of my experimentation, I 
rolled back to the stock CentOS version.  Now 
that I have the PDC working, I can try upgrading 
the Samba version.  I guess in the worst case, I 
can always roll back if I run into problems.

2)  while the smbldap-tools suite has seemed to 
work, in that I was able to populate LDAP, and 
create users and machines, any help with making 
it better would be appreciated.

3)  it doesn't matter to me (or my end users, 
probably) what GUI front-end I give them, as long 
as it faithfully creates Samba users and machines 
as smbldap-tools does.  If Mandriva MDS does 
that, then excellent.  Again, your help would be 
appreciated.

Regards,

Dimitri


Re: [Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend

2011-01-18 Thread Dimitri Yioulos
On Tuesday 18 January 2011 4:08:36 pm Jon Detert 
wrote:
 On Tue, Jan 18, 2011 at 2:35 PM, Gaiseric
 Vandal

 gaiseric.van...@gmail.com wrote:
  Nt- I don't use the ldapsam:editposix
  option myself, if I understand it correctly
  it means you don't have to precreate the
  underlying unix accounts.

 That is my understanding as well.  I've never
 used it before, however.

  However,  I believe you still need to do the
  following
 
     Create a samba Administrator account
     Create samba Domain Admins and Domain
  Users groups. Explicitly specify the uid or
  username for the guest user. Set ldap
  password for the idmap backend (net idmap
  secret thedomain   )

 the log messages tend to support this belief.

  smbpasswd -w sets the ldap password samba
  to access ldap for users and groups. But
  idmap needs the ldap password set as well eg.

 I don't understand that.  There is no separate
 idmap process, afaik. Why can't the 'idmap'
 functionality get the same ldap credentials
 that smbd and winbindd evidently get from the
 smb.conf and the secrets.tdb files?

         net idmap secret MYDOMAIN  
     net idmap secret alloc  

 In any case, I tried the above, and got the
 same error for both command :

 The only currently supported backend is LDAP

 My smb.conf has a line expressly saying idmap
 backend = ldap:ldap://localhost;.   Does smbd
 have to be running before running the 'net
 idmap' commands?  If so, I'm screwed, cuz now
 that I fixed the 'out=IDmap' typo, smbd dies
 immediately after trying to start it.

 Ideas?

 Thanks,

 Jon

  I don't know if when using the
  ldapsam:editposix option you can use
  smbpasswd to create the user accounts.  
  Also, I used net groupmap add to create
  the mappings between the samba Domain Admins
  group and the unix group by the same name.
 
 
  If it were me,  I would also create local
  unix groups for Domain Admins (e.g. with
  gid 512), Domain Users  etc and then use
  net groupmap to map the unix gids to the
  Windows well known id's.
 
 
  net groupmap add ntgroup="Domain Admins" unixgroup=512 rid=512 type=domain
  net groupmap add ntgroup="Domain Users" unixgroup=513 rid=513 type=domain
  net groupmap add ntgroup="Domain Guests" unixgroup=514 rid=514 type=domain
  net groupmap add ntgroup="Domain Computers" unixgroup=515 rid=515 type=domain
  net groupmap add ntgroup="Domain Controllers" unixgroup=516 rid=516 type=domain
 
 
  I would create a unix Administrator user in
  the Domain Admins group then use smbpasswd
  to create the samba Administrator account.
 
  I use Apache Directory Studio for browsing
  and editing ldap entries.    You may find
  having a GUI ldap browser and editor really
  useful.     You should be able to tell if
  your LDAP groups have unix gids and samba
  sids.
 
  This way you can get basic functionality
  working, then you can start troubleshooting
  winbind and idmap .
 
  On 01/18/2011 03:04 PM, Jon Detert wrote:
  Hello,
 
  I'm trying to use samba v3.3.8 on Centos 5.5
  to act as a PDC, using ldap as the backend
  for users, groups, and computers.  The ldap
  I'm using is Centos Directory Server v8.1.
 
  The setting is a new, never used before,
  installation of samba and ldap. There are no
  users other than what exists by default
  after a Centos install.  The smb.conf
  contains what is my best guess for the
  desired goal.
 
  The problem at the moment (besides having to
  guess at what to put in smb.conf - see
  below) is that smbd exits about 2 minutes
  after I start it. Here are what I think are
  the relevant bits from the log.smbd:
 
  [2011/01/18 13:40:42,  2] lib/smbldap_util.c:smbldap_search_domain_info(277)
    smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=CHI))]
  [2011/01/18 13:40:42,  2] lib/smbldap.c:smbldap_open_connection(856)
    smbldap_open_connection: connection opened
  [2011/01/18 13:40:42,  3] lib/smbldap.c:smbldap_connect_system(1067)
    ldap_connect_system: successful connection to the LDAP server
  [2011/01/18 13:40:42,  4] lib/smbldap.c:smbldap_open(1143)
    The LDAP server is successfully connected
  [2011/01/18 13:41:12,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
    ldapsam_getsampwnam: Unable to locate user [root] count=0
  [2011/01/18 13:41:42,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
    ldapsam_getgroup: Did not find group, filter was ((objectClass=sambaGroupMapping)(gidNumber=0))
  [2011/01/18 13:42:12,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
    ldapsam_getgroup: Did not find group, filter was ((objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
  [2011/01/18 13:42:27,  3] groupdb/mapping.c:pdb_create_builtin_alias(786)
    pdb_create_builtin_alias: Could not get a gid out of winbind
  [2011/01/18 13:42:27,  2] auth/token_util.c:create_local_nt_token(450)
    WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
  [2011/01/18 13:42:57,  4]
  

Re: [Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend

2011-01-18 Thread Dimitri Yioulos
On Tuesday 18 January 2011 4:39:39 pm Alex Crow 
wrote:
 On 18/01/11 21:08, Jon Detert wrote:
  On Tue, Jan 18, 2011 at 2:35 PM, Gaiseric
  Vandal
 
  gaiseric.van...@gmail.com  wrote:
  Nt- I don't use the ldapsam:editposix
  option myself, if I understand it correctly
  it means you don't have to precreate the
  underlying unix accounts.
 
  That is my understanding as well.  I've never
  used it before, however.

 I've not tried it, I'm not even sure if it
 really works. Has anyone on the list used such
 a config in production?

  However,  I believe you still need to do the
  following
 
  Create a samba Administrator account
  Create samba Domain Admins and Domain
  Users groups. Explicitly specify the uid or
  username for the guest user. Set ldap
  password for the idmap backend (net idmap
  secret thedomain   )
 
  the log messages tend to support this belief.

 You can create them yourself, but if you want
 an easier life, see the end of this post
 (smbldap-tools)

  smbpasswd -w sets the ldap password samba
  to access ldap for users and groups. But
  idmap needs the ldap password set as well
  eg.

 It doesn't. smbpasswd -w is sufficient.

  I don't understand that.  There is no
  separate idmap process, afaik. Why can't the
  'idmap' functionality get the same ldap
  credentials that smbd and winbindd evidently
  get from the smb.conf and the secrets.tdb
  files?
 
  net idmap secret MYDOMAIN  
  net idmap secret alloc  

 You do *not* need this if you are not using
 explicit idmap alloc, just the default idmap
 range. idmap alloc is apparently not working.

  In any case, I tried the above, and got the
  same error for both command :
 
  The only currently supported backend is
  LDAP
 
  My smb.conf has a line expressly saying
  idmap backend = ldap:ldap://localhost;.  
  Does smbd have to be running before running
  the 'net idmap' commands?  If so, I'm
  screwed, cuz now that I fixed the 'out=IDmap'
  typo, smbd dies immediately after trying to
  start it.

 You should leave the config as is.

 smbd really should not die. Are you sure smbd
 is not still running? Did you join your own
 domain on the PDC (eg net rpc join -S
 localhost)?

  Ideas?
 
  Thanks,
 
  Jon

 I think you need to use the smbldap-tools. Once
 configured correctly they will prepopulate your
 LDAP tree for you. There should be packages
 in the repos for most distros.

 Cheers

 Alex



I'd underscore Alex's last comment - use 
smbldap-tools.  

A lot of tutorials have you add smb.conf 
directives such as:

add user script = /usr/local/sbin/smbldap-useradd -m %u

If you install the tools via RPM, change those 
directives to read:

add user script = /usr/sbin/smbldap-useradd -m %u

Again, HTH.

Dimitri





Re: [Samba] smbldap-tools and phpldapadmin

2011-01-17 Thread Dimitri Yioulos
On Saturday 15 January 2011 4:26:03 pm William 
Brown wrote:
  If I enter the command smbldap-useradd -a -m
  -M juser -g Domain Users -G Domain Admins
  -G Administrators -c Joe User juser
  (beginning and ending parens for clarity), I
  do indeed create the type of user I'm trying
  to create.  And, that user appears in the
  list of users in PhpLdapAdmin.
 
  However, if I create the same type of user
  using the PhpLdapAdmin Samba3 Account
  template, the user doesn't have the same
  attributes as the ones created via
  smbldap-useradd.

 Yes, there are schema extensions in samba's
 ldap admin tool that extend the posix account.
 You can convert an existing user iirc with that
 command, since the posix password hash is
 irreversible. Also pay attention you MUST use
 the smbpasswd tool to change passwords, else
 the userPassword and smbPassword fields will
 de-sync.

  I could probably create a bash script that
  invokes smbldap-useradd for my users to use
  to create accounts, but they're CLI-phobic,
  so I really want to get PhpLdapAdmin to do
  this.
 
  How can I accomplish this
  PhpLdapAdmin/smbldap-useradd integration? 
  I'm really not a programmer, so messing with
  the PhpLdapAdmin xml files is daunting to me
  if, in fact, this is how it's done.  I've
  looked through all of the config files
  associated with the PDC set-up, but simply
  don't see anything in them that would do the
  trick.

 sorry, but edit the templates. Look here

 http://phpldapadmin.sourceforge.net/wiki/index.php/Templates

 Also, create a user in ldap, and one in smb,
 then compare the differences. Some of the
 fields are autogenerated as well iirc,

 You can likely cheat with the value tag, to
 call php, that calls your smb script. Something
 like valuesystem(smbldap-useradd -a -m -M
 uid ) might do it (you will need to
 substitute in values like i did with uid )

  If anyone has accomplished this, I would
  greatly appreciate your help!
 
  Thanks.
 
  Dimitri
 
  --


Thank you both for your responses.

I was afraid I'd hear, sorry, but edit the 
templates.  Now, I know the old saw about, If 
you give a man a fish ... , but if someone has 
already created such a template, and is willing 
to share it, I'd be extremely grateful.  It's not 
laziness, it's lack of skill in this area.

Thanks.

Dimitri
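
Whether the account is created from a wrapper script or from a template value that shells out, the web-supplied username and full name end up on a command line. This is an added example, not code from the thread, phpLDAPadmin or smbldap-tools: a wrapper that validates both values and passes them to `smbldap-useradd` as an argument list with no shell. It uses only flags that appear in the command quoted above; the patterns, the group allow-list and the function names are this example's assumptions.

```python
import re
import subprocess

# RPM install path mentioned elsewhere in these threads.
SMBLDAP_USERADD = "/usr/sbin/smbldap-useradd"

# Assumed policy for this example: POSIX-style login names that cannot start
# with "-" (so a value can never be read as an option), and plain full names.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,30}")
FULLNAME_RE = re.compile(r"[A-Za-z0-9 .,'-]{1,64}")

# Primary groups the front end may assign; anything else is rejected.
ALLOWED_GROUPS = {"Domain Users"}


def build_argv(username, full_name, group="Domain Users"):
    """Validate the form values and return the argument list to execute."""
    # fullmatch() rejects trailing newlines that match()/"$" would let through.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not FULLNAME_RE.fullmatch(full_name):
        raise ValueError("invalid full name")
    if group not in ALLOWED_GROUPS:
        raise ValueError("group not allowed")
    return [SMBLDAP_USERADD, "-a", "-m", "-g", group, "-c", full_name, username]


def create_user(username, full_name, group="Domain Users", runner=subprocess.run):
    """Create the account; `runner` is injectable so the call can be tested."""
    argv = build_argv(username, full_name, group)
    # A list plus no shell means each value reaches the tool as exactly one
    # argument, whatever characters it contains.
    return runner(argv, check=True)


if __name__ == "__main__":
    print(build_argv("juser", "Joe User"))
    for bad in ("juser; id", "-o", "$(id)"):
        try:
            build_argv(bad, "Joe User")
        except ValueError as exc:
            print("rejected %r: %s" % (bad, exc))
```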



[Samba] smbldap-tools and phpldapadmin

2011-01-15 Thread Dimitri Yioulos
All,

I suspect this is OT, or a solution may have been posted.  Either way, I
beg your indulgence.

While I've used Samba for quite a few years, I recently took a stab at
using it in an organization I volunteer at to create a PDC, in
conjunction with openldap.  The good news is it works, for the most part,
after some set-up struggles.  I have a couple of remaining issues, but
let me take them one-at-a-time.

Here's some basic info on my set-up:

CentOS 5.5 x86_64
stock RPM-based installs of:
samba-3.0.33-3.29.el5_5.1 
openldap-2.3.43-12.el5_5.3
smbldap-tools-0.9.5-2.el5.rf
and
phpldapadmin-0.9.8.5

I've used the smbldap-tools suite to 1) populate ldap, and; 2) to create
users and machines.  This seems to work fine.

I've also installed PhpLdapAdmin, as my users are not command line savvy.
I want them to use that tool to create new users and machines.  Here's
the issue:

If I enter the command smbldap-useradd -a -m -M juser -g Domain Users -G
Domain Admins -G Administrators -c Joe User juser (beginning and ending
parens for clarity), I do indeed create the type of user I'm trying to
create.  And, that user appears in the list of users in PhpLdapAdmin.

However, if I create the same type of user using the PhpLdapAdmin Samba3
Account template, the user doesn't have the same attributes as the ones
created via smbldap-useradd.

I could probably create a bash script that invokes smbldap-useradd for my
users to use to create accounts, but they're CLI-phobic, so I really want
to get PhpLdapAdmin to do this.

How can I accomplish this PhpLdapAdmin/smbldap-useradd integration?  I'm
really not a programmer, so messing with the PhpLdapAdmin xml files is
daunting to me if, in fact, this is how it's done.  I've looked through
all of the config files associated with the PDC set-up, but simply don't
see anything in them that would do the trick.

If anyone has accomplished this, I would greatly appreciate your help!

Thanks.

Dimitri



[Samba] Samba/LDAP and home dir creation

2010-06-09 Thread Dimitri Yioulos
Hi, all.

I'm working on a project to create a Samba PDC 
with LDAP authentication.  I've been pretty 
successful in getting everything to work.  
However, I've run into a small snag:

The PDC is built on an OpenSuse 11.2 box.  Most of 
the member servers are also OpenSuse 11.2 boxes.  
However, a CentOS 5.5 server was just added to 
the mix.  While users can log into the CentOS box, 
with LDAP providing the creds, no home directory 
is automagically created as in the OpenSuse 
boxes.  I'd like to fix that, with your help.

I've used authconfig-tui on the CentOS box to 
enable Use LDAP and Use LDAP Authentication 
(the equivalent of YAST's LDAP Client config 
tool?).  I believe my smb.conf and ldap.conf 
files are correct (I'll provide them if you all 
need to see them).  Any ideas?

Thanks.

Dimitri



Re: [Samba] Samba/LDAP and home dir creation

2010-06-09 Thread Dimitri Yioulos
On Wednesday 09 June 2010 4:47:31 pm you wrote:
 Hi Dimitri,

 You probably want to enable the PAM module
 responsible for this. Back up and edit your
 /etc/pam.d/system-auth and add the following
 line:

 session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022

 Note: Messing with your pam config may lock you
 out of the system, so be careful.

 2010/6/9 Dimitri Yioulos 
dyiou...@firstbhph.com:
  Hi, all.
 
  I'm working on a project to create a Samba
  PDC with LDAP authentication.  I've been
  pretty successful in getting everything to
  work. However, I've run into a small snag:
 
  The PDC is built on an OpenSuse 11.2 box.
   Most of the member servers are also OpenSuse
  11.2 boxes. However, a CentOS 5.5 server was
  just added to the mix.  While users can log
  into the CentOS box, with LDAP providing the
  creds, no home directory is automagically
  created as in the OpenSuse boxes.  I'd like
  to fix that, with your help.
 
  I've used authconfig-tui on the CentOS box to
  enable Use LDAP and Use LDAP
  Authentication (the equivalent of YAST's
  LDAP Client config tool?).  I believe my
  smb.conf and ldap.conf files are correct
  (I'll provide them if you all need to see
  them).  Any ideas?
 
  Thanks.
 
  Dimitri
 

 --
 Diego Lima


Diego,

That worked perfectly!  I used pam_mkhomedir.so, 
though, as this is a 32-bit system.

Thank you.

Dimitri
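
The umask= argument on the PAM session line quoted above decides who can read each home directory created at first login. As an added example (not code from this thread), the shell function below reports the module, control field and resulting directory mode for every mkhomedir session line in a PAM file; the sample file contents are constructed, and treating a missing umask= argument as 0022 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: report the permissions that a PAM
# home-directory-creation line will give newly created home directories.

# audit_mkhomedir FILE
#   Prints, for every session line that loads pam_mkhomedir.so or
#   pam_oddjob_mkhomedir.so:
#     <module> <control> umask=<mask> home_mode=<mode> <verdict>
#   Exit status is 0 if such a line exists and 1 if none does.
audit_mkhomedir() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                 # blank line or comment
        $1 != "session" && $1 != "-session" { next }  # only the session stack
        {
            # Find the module field; it may be given with a full path.
            mod = 0
            for (i = 3; i <= NF; i++) {
                n = split($i, path, "/")
                if (path[n] ~ /^pam_(oddjob_)?mkhomedir\.so$/) {
                    mod = i; name = path[n]; break
                }
            }
            if (!mod) next

            # The control field may be a bracketed list containing spaces.
            control = $2
            for (i = 3; i < mod; i++) control = control " " $i

            # Assumption: with no umask= argument the module uses 0022.
            mask = "0022"
            for (i = mod + 1; i <= NF; i++)
                if ($i ~ /^umask=[0-7]+$/) mask = substr($i, 7)

            # For one octal digit d, the surviving bits (7 AND NOT d) equal 7 - d.
            padded = "000" mask
            last3 = substr(padded, length(padded) - 2)
            mode = ""
            for (k = 1; k <= 3; k++) mode = mode (7 - substr(last3, k, 1))

            if (substr(mode, 3, 1) != "0")      verdict = "world-accessible"
            else if (substr(mode, 2, 1) != "0") verdict = "group-accessible"
            else                                verdict = "owner-only"

            print name, control, "umask=" mask, "home_mode=0" mode, verdict
            found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample of a system-auth style session stack (not a real host).
sample_system_auth() {
    cat <<'EOF'
# constructed sample for the audit function
auth        required      pam_env.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=1 default=ignore] /lib/security/pam_oddjob_mkhomedir.so umask=0077
session     required      pam_unix.so
EOF
}

# Run the audit over the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_system_auth > "$tmp"
    audit_mkhomedir "$tmp"
    rm -f "$tmp"
}
demo
```

On a real host the argument would be the PAM file that was edited, for example /etc/pam.d/system-auth as named in the reply above.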



Re: [Samba] Samba and active Directory

2010-05-14 Thread Dimitri Yioulos
On Friday 14 May 2010 5:11:20 am Andreas Hubert 
wrote:
 hi all,

 yes the good old topic where most people have a
 problem with :)

 I have a Windows 2003 Active Directory Server
 and want that users on this directory are able
 to login on a Samba Share. The authentication
 with wbinfo -a user%password works and I
 already joined the domain with
 net ads join
 I am also able to authenticate as directory
 user with his directory password, BUT only if
 this username also exists in the /etc/passwd
 file. Users which username is not in the local
 passwd file cannot login. I use samba Version
 3.0.37 on Solaris 10, here is my smb.conf:

 [global]
 workgroup = ABC
 realm = ABC.DE
 server string = Samba Server
 security = ADS
 map to guest = Bad User
 password server = ABCDC01.abc.de ABCDC02.abc.de
 use kerberos keytab = Yes
 log file = /var/log/samba/log.%m
 max log size = 50
 time server = Yes
 os level = 65
 local master = No
 domain master = No
 wins support = Yes
 idmap uid = 1-2
 idmap gid = 1-2
 winbind separator = +
 winbind use default domain = Yes

 [test]
 comment = test
 path = /test
 
 read only = No
 [/code]

 The user ABC+corpus also exists locally and I
 am able to logon with his Directory password on
 the share, but not with the user ABC+ahu If I
 just do
 useradd ahu
 I am able to logon with this user!
 What am I doing wrong? I also want that users
 from the directory will be mapped to the local
 user corpus from the access rights and would do
 this with force user = corpus on the share,
 would this be right?

 Thanks for any help




Firstly, did you configure Kerberos properly?  
Nextly, and I could be wrong on this, but I think 
you need to change:

valid users = ABC+corpus, ABC+ahu

to:

valid users = @ABC+corpus @ABC+ahu

Dimitri



Re: [Samba] Samba and active Directory

2010-05-14 Thread Dimitri Yioulos
On Friday 14 May 2010 11:28:05 am Dimitri Yioulos 
wrote:
 On Friday 14 May 2010 5:11:20 am Andreas Hubert

 wrote:
  hi all,
 
  yes the good old topic where most people have
  a problem with :)
 
  I have a Windows 2003 Active Directory Server
  and want that users on this directory are
  able to login on a Samba Share. The
  authentication with wbinfo -a user%password
  works and I already joined the domain with
  net ads join
  I am also able to authenticate as directory
  user with his directory password, BUT only if
  this username also exists in the /etc/passwd
  file. Users which username is not in the
  local passwd file cannot login. I use samba
  Version 3.0.37 on Solaris 10, here is my
  smb.conf:
 
  [global]
  workgroup = ABC
  realm = ABC.DE
  server string = Samba Server
  security = ADS
  map to guest = Bad User
  password server = ABCDC01.abc.de ABCDC02.abc.de
  use kerberos keytab = Yes
  log file = /var/log/samba/log.%m
  max log size = 50
  time server = Yes
  os level = 65
  local master = No
  domain master = No
  wins support = Yes
  idmap uid = 1-2
  idmap gid = 1-2
  winbind separator = +
  
 
  [test]
  comment = test
  path = /test
 
  read only = No
  [/code]
 
  The user ABC+corpus also exists locally and I
  am able to logon with his Directory password
  on the share, but not with the user ABC+ahu
  If I just do
  useradd ahu
  I am able to logon with this user!
  What am I doing wrong? I also want that users
  from the directory will be mapped to the
  local user corpus from the access rights and
  would do this with force user = corpus on
  the share, would this be right?
 
  Thanks for any help

 Firstly, did you configure Kerberos properly?
 Nextly, and I could be wrong on this, but I
 think you need to change:

 valid users = ABC+corpus, ABC+ahu

 to:

 valid users = @ABC+corpus @ABC+ahu

 Dimitri



Oops, sorry on the valid users piece.  What I told 
you applies to groups.  But, since you have:

winbind use default domain = Yes

perhaps you only need to specify the user names 
in valid users.

Dimitri



Re: [Samba] 3.5 issue

2010-03-05 Thread Dimitri Yioulos
On Thursday 04 March 2010 5:58:08 pm Dimitri 
Yioulos wrote:
 On Thursday 04 March 2010 5:52:14 pm you wrote:
  samba-boun...@lists.samba.org wrote on

 03/04/2010 05:48:25 PM:
   On Thursday 04 March 2010 5:40:34 pm you

 wrote:
samba-boun...@lists.samba.org wrote on
  
   03/04/2010 05:35:06 PM:
  (...)  When trying to run
  any net command, I get the
  following message:
 
  net: symbol lookup
  error: /usr/lib/libreadline.so.x:
  undefined symbol: PC

 As far as I know, the problem arises as
 a consequence of a bug in RHEL/CentOS
 5.x. The Samba team is already aware of
 the problem and a fix will be available
 soon.
   
For now you can use
LDFLAGS=-W1,--no-as-needed
   
  
   Stuart,
  
   Sorry for my stupidity, but how do I
   use/invoke LDFLAGS=-W1,--no-as-needed?
 
  No stupid questions here :)
 
  LDFLAGS=-W1,--no-as-needed
  ./configure-developer make
 
   Dimitri
  
   --

 Stuart,

 I'm thinking you hit the send button before
 adding your reply :-) .

 If doing the LDFLAGS thing is part of compiling
 samba from source, I guess I'm sol since I'd
 like to stick to an RPM install.

 Dimitri


Late yesterday, a remote user called to tell me 
that, while he could see shares on a box upgraded 
earlier to Samba 3.5, he couldn't see any data in 
them.  I confirmed that this was the case.  As 
per my earlier posts, and with your help, I tried 
like mad to figure out what the problem was, and 
took up the fight early this morning.

First, I noted that a later 3.5 version must have 
gone up over night which I hoped addressed the 
libreadline issue.  I installed it, and it did, 
indeed, fix that problem.  net commands were 
available.  However, I still couldn't see data in 
shares.  So, I had no choice but to roll back to 
version 3.4.6.  That cleared up all problems.

This is curious, too.  On the second machine that 
I'd updated to 3.5, I run the openfire IM server 
(a Java-based program, if I'm not mistaken), 
among other things.  After the Samba upgrade, I 
could no longer get the openfire daemon to stay 
up.  I didn't even suspect Samba was the problem, 
but was going to roll it back anyway.  After I 
did, all was right with openfire.

Thanks to both Miguel and Stuart for their help.

Dimitri



[Samba] 3.5 issue

2010-03-04 Thread Dimitri Yioulos
All,

This morning, I upgraded samba to version 3.5 on  
CentOS 4.6 and 5.4 boxes.  When trying to run 
any net command, I get the following message:

net: symbol lookup 
error: /usr/lib/libreadline.so.x: undefined 
symbol: PC

Additionally, while I can see my shares, I can't 
see any of the data in them.

What does the error indicate, and how can I fix 
it?

Thanks.

Dimitri



Re: [Samba] 3.5 issue

2010-03-04 Thread Dimitri Yioulos
On Thursday 04 March 2010 5:40:34 pm you wrote:
 samba-boun...@lists.samba.org wrote on 
03/04/2010 05:35:06 PM:
   (...)  When trying to run
   any net command, I get the following
   message:
  
   net: symbol lookup
   error: /usr/lib/libreadline.so.x: undefined
   symbol: PC
 
  As far as I know, the problem arises as a
  consequence of a bug in RHEL/CentOS 5.x. The
  Samba team is already aware of the problem
  and a fix will be available soon.

 For now you can use LDFLAGS=-W1,--no-as-needed


Stuart,

Sorry for my stupidity, but how do I 
use/invoke LDFLAGS=-W1,--no-as-needed?

Dimitri



Re: [Samba] 3.5 issue

2010-03-04 Thread Dimitri Yioulos
On Thursday 04 March 2010 5:35:06 pm you wrote:
  (...)  When trying to run
  any net command, I get the following
  message:
 
  net: symbol lookup
  error: /usr/lib/libreadline.so.x: undefined
  symbol: PC

 As far as I know, the problem arises as a
 consequence of a bug in RHEL/CentOS 5.x. The
 Samba team is already aware of the problem and
 a fix will be available soon.

I see.  But, I also got the error in CentOS 4.6.  
Hope the team is working on that, as well.

Thanks for the info.

Dimitri



Re: [Samba] 3.5 issue

2010-03-04 Thread Dimitri Yioulos
On Thursday 04 March 2010 5:52:14 pm you wrote:
 samba-boun...@lists.samba.org wrote on 
03/04/2010 05:48:25 PM:
  On Thursday 04 March 2010 5:40:34 pm you 
wrote:
   samba-boun...@lists.samba.org wrote on
 
  03/04/2010 05:35:06 PM:
 (...)  When trying to run
 any net command, I get the following
 message:

 net: symbol lookup
 error: /usr/lib/libreadline.so.x:
 undefined symbol: PC
   
As far as I know, the problem arises as a
consequence of a bug in RHEL/CentOS 5.x.
The Samba team is already aware of the
problem and a fix will be available soon.
  
   For now you can use
   LDFLAGS=-W1,--no-as-needed
  
 
  Stuart,
 
  Sorry for my stupidity, but how do I
  use/invoke LDFLAGS=-W1,--no-as-needed?

 No stupid questions here :)

 LDFLAGS=-W1,--no-as-needed
 ./configure-developer make

  Dimitri
 
  --

Stuart,

I'm thinking you hit the send button before 
adding your reply :-) .

If doing the LDFLAGS thing is part of compiling 
samba from source, I guess I'm sol since I'd like 
to stick to an RPM install.

Dimitri



Re: [Samba] [Announce] Samba 3.5.0 Available for Download

2010-03-01 Thread Dimitri Yioulos
On Monday 01 March 2010 8:49:48 am Volker Lendecke 
wrote:
 On Mon, Mar 01, 2010 at 02:44:29PM +0100, 
Karolin Seeger wrote:
  =
  “Perfection is attained
  by slow degrees; it requires the hand of
  time”
 
   Voltaire
  =
 
 
 
  Release Announcements
  =
 
  This is the first stable release of Samba
  3.5.

 This one was hard Many thanks for enduring
 this :-)

 Volker


Rather, thanks to you and the rest of the Samba 
team for enduring!

Dimitri


Re: [Samba] RE: Samba with ADS

2009-06-16 Thread Dimitri Yioulos
On Monday 15 June 2009 8:14:39 pm James Zuelow 
wrote:
  -Original Message-
  From:
  samba-bounces+james_zuelow=ci.juneau.ak...@li
 sts.samba.org
  [mailto:samba-bounces+james_zuelow=ci.juneau.
 ak...@lists.samba .org] On Behalf Of
  McGranahan, Jamen Sent: Monday, 15 June, 2009
  07:50
  To: samba@lists.samba.org
  Subject: [Samba] Samba with ADS
 
  Environment: Sun Solaris 9 sparc
  Software: Samba-3.3.3, KRB5-1.6.3,
  OpenLDAP-2.4.11 Problem:
  Am trying to create shares with Samba so that
  users can map to folders on this server using
  Active Directory. I am successful in creating
  a Kerberos ticket; I can join the domain; and
  wbinfo -u and -g give me users in the AD.
  However, getent passwd only gives me a list
  of users on the server and not in the AD. The
  winbindd.log file has a lot of these lines:

 --8-- snip --8--

  If you have any advice and/or guidance, I
  would greatly appreciate it. Thank you!

 The getent passwd trouble may be a red herring.

 If you do not have these lines in smb.conf

  Winbind enum users = Yes
  Winbind enum groups = Yes

 Then wbinfo -u will work, but getent passwd
 will not.

 Generally you want to leave enumerating users
 and groups turned off (the default) on larger
 domains.  In my experience having them turned
 on can delay share access, restart times, etc.

 However enumerating users and groups so that
 getent passwd works is not necessary for shares
 to work correctly or users to map drives in AD.
  (At least this is true for Debian, I don't
 know about Solaris.)

 James
 --

It's been a very long time since I installed and 
ran Samba on Solaris.  That said, are 
nsswitch.conf and resolv.conf correctly 
configured?  Is your Solaris clock synced with 
the AD server?  And, as James suggested, 
are Winbind enum users and Winbind enum 
groups set to Yes?

HTH.

Dimitri



Re: [Samba] Trying to join RHEL to Win2k3 Active Directory domain.

2009-05-27 Thread Dimitri Yioulos
On Wednesday 27 May 2009 11:22:19 am Tim Lewis 
wrote:
 Trying to join a RHEL server to Win2K3 domain.
 I followed the directions specified here:

 http://kbase.redhat.com/faq/docs/DOC-4735

 and here:

 http://kbase.redhat.com/faq/docs/DOC-3051

 Confirmed that I have the edited the smb.conf
 and krb5.conf files correctly.

 Ran:

 /etc/rc.d/init.d/smb stop

 and

 /etc/rc.d/init.d/winbind stop

 Ran:

 net ads join -U administrator

 and got:

 [2009/05/20 13:23:59, 0]
 utils/net_ads.c:ads_startup(186) ads_connect:
 No such file or directory

 Any help?



Did you run kinit administrator prior to 
running net ads join -U administrator?

Dimitri



[Samba] Source RPM compile error

2009-02-05 Thread Dimitri Yioulos
Hi, all.

I have several boxes with CentOS versions 3.x, 4.x, and 5.x running in my 
shop, with Samba loaded on many.  I've been able to stay on the current 
version of Samba in CentOS 4.x and 5.x using the source RPM from Sernet.  
However, I'm not able to upgrade Samba on the CentOS 3.x boxes.  Here's the 
error I get when I run rpmbuild --rebuild --clean samba-3.2.7-38.src.rpm:

+ mkdir -p /var/tmp/samba3-3.2.7-build//usr/lib/krb5/plugins/libkrb5
+ cp -p 
source/bin/winbind_krb5_locator.so 
/var/tmp/samba3-3.2.7-build//usr/lib/krb5/plugins/libkrb5
cp: cannot stat `source/bin/winbind_krb5_locator.so': No such file or 
directory
error: Bad exit status from /var/tmp/rpm-tmp.4484 (%install)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.4484 (%install)

Has anybody encountered and overcome this problem?  Better still, has anyone 
successfully compiled from source RPM and installed recent versions of Samba 
on CentOS 3.x boxes?

Thanks.

Dimitri



Re: [Samba] OT?: Binaries from sernet

2008-10-31 Thread Dimitri Yioulos
On Wednesday 29 October 2008 12:21 pm, Dimitri Yioulos wrote:
All,

Apologies if this is an impertinent question.  I've been installing source 
RPMs from the Experimental branch at sernet.  That has yet to change to 
samba-3.2.4.  I understand it's a volunteer effort, but I was wondering if 
any work is being done to create the 3.2.4 source rpm?

Dimitri

This morning I noticed that sernet had added the source RPM for samba-3.2.4.  
Thanks to sernet.  That's much appreciated.

However, to build the RPMs requires Keyutils-libs and keyutils-libs-devel.  
These appear to be available for RHEL5/CentOS5, but not for RHEL45/CentOS4 or 
RHEL3/CentOS3, both of which I'm using.  I don't seem to find the source 
files for these, either.  And, just installing the 3.2.4-related RPMs (also 
made available this morning) has never worked for me; I've always had to 
build the RPMs from the source RPM.

Has anyone else encountered this dependency problem?  If so (or even, if not), 
how might I resolve the problem?  I'd like to be using 3.2.4.

Thanks.

Dimitri



[Samba] OT?: Binaries from sernet

2008-10-29 Thread Dimitri Yioulos
All,

Apologies if this is an impertinent question.  I've been installing source 
RPMs from the Experimental branch at sernet.  That has yet to change to 
samba-3.2.4.  I understand it's a volunteer effort, but I was wondering if 
any work is being done to create the 3.2.4 source rpm?

Dimitri



[Samba] Congratulations

2007-12-21 Thread Dimitri Yioulos
I'm sure I speak for the entire community when I offer my heartiest 
congratulations to the Protocol Freedom Information Foundation and the Samba 
team for the new agreement with Microsoft giving them, and other FOSS programs, 
access to data on how the Windows operating system works!  The Samba team has 
gutted it through over the past several years to provide an essential tool 
for our work.  Now, their jobs will hopefully be a bit easier, and will allow 
for the creation of an even better Samba.

Once again, kudos, and the very best of the holiday season.

Dimitri



Re: [Samba] Excel Disk Full when overwriting file

2007-09-28 Thread Dimitri Yioulos
On Friday 28 September 2007 5:15 pm, John Herrmann wrote:
 Help,

 I'm using:

 Operating System:
   SUSE Linux Enterprise Server 10 (i586)
   VERSION = 10
   PATCHLEVEL = 1

 Upgraded Samba to:
 Samba version 3.0.26a-SerNet-SuSE

 On a windows machine the user can see the directories and files.  They
 can access the files in say excel but when they go to save the changes
 it gives them a message of Disk Full.  New Files they can save, no
 problem.  If they pull up a file in notepad and then save the changes
 the message will be The process cannot access the file because another
 process has locked a portion of the file. You hit ok, and get the save
 as dialog box.  If you don't change the name of the file and hit save,
 it saves it.  Weird.

 Here is a copy of the smb.conf file:

 # smb.conf is the main Samba configuration file. You find a full commented
 # version at /usr/share/doc/packages/samba/examples/smb.conf.SuSE
 # Date: 2004-04-06
 [global]
   realm = CYC.COM
   workgroup = CYC.COM
   interfaces = 127.0.0.1 eth1
   bind interfaces only = true
   printing = cups
   printcap name = cups
   load printers = yes

   printer admin = @ntadmin, root, administrator
   map to guest = Bad User

   # the following fixes a weird problem with winxp sp2 systems and
   # netbios aliases on samba. - mgb 10/20/04
   smb ports = 139

   netbios name = HOME
   netbios aliases = cyc host
   server string = zeus

   hosts allow = 10.1.1. 127.
   security = ADS


   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   name resolve order = host wins lmhosts bcast
   wins server = 10.1.1.15 10.1.1.251
   remote announce = 10.1.1.15 10.1.1.251
   dns proxy = no
   preserve case = yes
   short preserve case = yes
   default case = lower
   case sensitive = no
   create mask = 0664
   directory mask = 0775
   include = /etc/samba/smb.conf.all
   domain logons = Yes
   domain master = No
   passdb backend = smbpasswd
   wins support = No
  strict locking = No
   inherit acls = Yes
  strict allocate = Yes
  inherit permissions = Yes
 [pdf]
   comment = PDF creator
   path = /var/tmp
   printable = Yes
   print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z
   create mask = 0600
 [printers]
   comment = All Printers
   path = /var/tmp
   printable = Yes
   create mask = 0600
   browseable = No
 [print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   write list = @ntadmin root
   force group = ntadmin
   create mask = 0664
   directory mask = 0775

 Any help would be greatly appreciated.

 Thanks,
 John Herrmann

Try adding veto oplock files = /*.xls/*.XLS in the [global] section.

HTH.

Dimitri



Re: [Samba] Samba 3.0.26a Available for Download

2007-09-12 Thread Dimitri Yioulos
On Tuesday 11 September 2007 8:44 pm, Josh Kelley wrote:
 On 9/11/07, Ed Kasky [EMAIL PROTECTED] wrote:
  Not being as adept at building rpm's as I could be if I had the time
  to learn it, is there any supporting documentation anywhere that
  describes how to go about converting from an rpm install to
  installing from src?
 
  Or is it easier/preferred/better to stick with the rpm's and build
  them from the src?

 I strongly prefer using RPMs on an RPM-based system; I think that
 there are a lot of advantages to letting the package manager know
 about all of the software installed on my systems.  For example, it
 lets you easily switch back and forth between a version that you build
 yourself and one that's provided by the vendor, and it lets you more
 easily install and upgrade software across multiple computers.

 Building RPMs yourself in this case is quite easy:

 Set up your RPM build environment.  Instructions are available online
 from several places;
 http://www.city-fan.org/tips/CreateRPMBuildEnvironment appears to be a
 good set of instructions.

 Next, download the SRPM (.src.rpm file) from the Samba site
 (http://www.samba.org/samba/ftp/Binary_Packages/Fedora/SRPMS/).
 Although the directory is labeled Fedora, it works quite well for RHEL
 and CentOS too.

 Finally, run rpmbuild --rebuild samba.src.rpm.  The resulting RPMs
 will be placed in ~/rpmbuild/RPMS.

 Another poster mentioned sernet's RPMs.  I personally prefer to use
 the ones from Samba's web site for Fedora / RHEL / CentOS, since their
 packaging more closely matches RHEL's, but your mileage may vary.

 Josh Kelley
 --

Just to point out, it looks like the samba team officially blesses the sernet 
RPMs, as from the samba web site:

http://enterprisesamba.com/  offers Samba packages for SLES, RHEL, and 
Debian.

That's good enough for me.  But, to each his/her own.

Dimitri





Re: [Samba] Samba 3.0.26a Available for Download

2007-09-12 Thread Dimitri Yioulos
On Wednesday 12 September 2007 5:22 pm, Guillermo Gutierrez wrote:
 Ok, I am trying again with the sernet instructions on
 enterprisesamba.com, this time aptitude is telling me that there is no
 public key for the site.

 Can I still install from here? Or do I need to add the key, if so where
 do I get it from?

 Guillermo Gutierrez
 Network Administrator
 Market Scan Information Systems, Inc.
 (818) 575-2017
 (818) 324-0871
 [EMAIL PROTECTED]


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Dimitri Yioulos
 Sent: Wednesday, September 12, 2007 7:53 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] Samba 3.0.26a Available for Download

 On Tuesday 11 September 2007 8:44 pm, Josh Kelley wrote:
  On 9/11/07, Ed Kasky [EMAIL PROTECTED] wrote:
   Not being as adept at building rpm's as I could be if I had the time
   to learn it, is there any supporting documentation anywhere that
   describes how to go about converting from an rpm install to
   installing from src?
  
   Or is it easier/preferred/better to stick with the rpm's and build
   them from the src?
 
  I strongly prefer using RPMs on an RPM-based system; I think that
  there are a lot of advantages to letting the package manager know
  about all of the software installed on my systems.  For example, it
  lets you easily switch back and forth between a version that you build
  yourself and one that's provided by the vendor, and it lets you more
  easily install and upgrade software across multiple computers.
 
  Building RPMs yourself in this case is quite easy:
 
  Set up your RPM build environment.  Instructions are available online
  from several places;
  http://www.city-fan.org/tips/CreateRPMBuildEnvironment appears to be a
  good set of instructions.
 
  Next, download the SRPM (.src.rpm file) from the Samba site
  (http://www.samba.org/samba/ftp/Binary_Packages/Fedora/SRPMS/).
  Although the directory is labeled Fedora, it works quite well for RHEL
  and CentOS too.
 
  Finally, run rpmbuild --rebuild samba.src.rpm.  The resulting RPMs
  will be placed in ~/rpmbuild/RPMS.
 
  Another poster mentioned sernet's RPMs.  I personally prefer to use
  the ones from Samba's web site for Fedora / RHEL / CentOS, since their
  packaging more closely matches RHEL's, but your mileage may vary.
 
  Josh Kelley
  --

 Just to point out, it looks like the samba team officially blesses the
 sernet
 RPMs, as from the samba web site:

 http://enterprisesamba.com/  offers Samba packages for SLES, RHEL, and
 Debian.

 That's good enough for me.  But, to each his/her own.

 Dimitri



Why not simply DL the RPMs and install them?

Dimitri



Re: [Samba] Samba 3.0.26a Available for Download

2007-09-11 Thread Dimitri Yioulos
On Tuesday 11 September 2007 12:08 pm, Ray Anderson wrote:
  In your migration back to src, any special considerations?  Or will
  you just remove the rpm and install from the src?  Any considerations
  for the smb.conf?  I can't think of any off hand myself, but thought
  I'd put it out on the list just in case...

 In my particular situation, removing the rpm also removed the
 /var/log/samba dir and all subtrees, so if you want the log history of
 the machines, back that up first, and restore after removing the rpm.
 Otherwise, you must create the /var/log/samba directory.

 Also, for the Redhat/Fedora users, you will want to backup the
 /etc/init.d/smbd script and then restore and edit to point to the
 /usr/local/samba/sbin directory.  Other than that, the migration was
 quite painless, and now I'm finally running an up to date samba with an
 up to date samba-vscan vfs plugin.


sernet (http://ftp.sernet.de/pub/samba) makes binaries for CentOS, 
debian, RHEL, SLES, etc. available within a few days of the source 
release.  I use 'em on my CentOS 3 and 4 boxes without issue.

Dimitri



Re: [Samba] Winbind failure

2007-07-11 Thread Dimitri Yioulos
On Tuesday 10 July 2007 6:03 pm, Michael Bann wrote:
 After copying over the lock files and the secrets.tdb file, I get a new
 error. (I attempted to reinstall Samba and did not copy those files over
 before.)

 I removed the computer name...

 [2007/07/10 16:51:31, 0] smbd/server.c:main(986)
   standard input is not a socket, assuming -D option
 [2007/07/10 16:51:31, 0]
 nsswitch/winbindd_cache.c:initialize_winbindd_cache(2221)
   initialize_winbindd_cache: clearing cache and re-creating with version
 number 1
 [2007/07/10 16:51:32, 0] libads/kerberos.c:ads_kinit_password(227)
   kerberos_kinit_password COMPUTER[EMAIL PROTECTED] failed:
 Preauthentication failed
 [2007/07/10 16:51:32, 0] printing/nt_printing.c:nt_printing_init(650)
   nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
 [2007/07/10 16:51:32, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
   Kinit failed: Preauthentication failed
 [2007/07/10 16:51:32, 1] nsswitch/winbindd_util.c:trustdom_recv(237)
   Could not receive trustdoms

 Any ideas?

This is probably of no use to you, but, who knows.  I had the same thing 
happen on one of my CentOS 3 boxes; same errors.  I generally like to roll my 
own RPMs from source RPMs, and use the source RPM from sernet.  As the 
machine in question is VERY old (Dell PW 6100/200 - test machine that 
otherwise works very well), I couldn't do this without the machine hanging.  
So, I DL'd the full sernet RPMs.  I believe I tried both the RedHat and 
CentOS RPMs and ... I got the exact same messages as you.  After struggling 
to figure out what the problem was, the light bulb finally lit.  I copied 
over RPMs I had created on another CentOS 3 box and ... all errors vanished, 
and I was able to connect the box to my AD network.




[Samba] Creating Samba RPM

2007-05-18 Thread Dimitri Yioulos
Hello to all.

With recent versions of Samba, it seems that I've built the Samba RPM from 
source RPM which, in turn.  The single RPM that was created installs samba, 
winbind, smbclient, etc.  With version 3.0.25, I can't find that source RPM.  
All I can find are source RPMs that create individual RPMs for Samba and each 
of its components.  If I try to create the RPM from source tarball, it needs 
smbldap-tools-0.9.2.tgz.  I DL smbldap-tools-0.9.2a.tgz (the only version 
available), and try again.  No joy until I rename smbldap-tools-0.9.2.tgz to 
smbldap-tools-0.9.2a.tgz and add lots of perl modules.  I try again, and 
smbldap-tools-0.9.2-1.rpm is created, but the samba RPM isn't.  I'm trying 
this on a CentOS 3.8 box.

Sorry for the long and perhaps, somewhat unclear description of my issue.  
Where might I find the single install Samba source RPM?

Thanks.

Dimitri



Re: [Samba] Problems with FC4 Samba 3.0.23a and Windows XP PRO 2002

2006-09-15 Thread Dimitri Yioulos
On Friday September 15 2006 9:19 am, Mark L. Wise wrote:
   I upgraded the server to a FC4 Box with SAMBA 3.0.23a
 
  There are several changes in the 3.0.23 series, did
  you read about that changes and how it could impact your
  installation/configuration?

 I'm going to show my ignorance here, but I need the information :-)

 Where do I read about the changes between the versions?

www.samba.org/samba/history/samba-3.0.23.html


  Probably, you will need to attach your smb.conf and
  a more verbose log, increase the loglevel/debuglevel).

 How do I increase the loglevel/debuglevel?

smb.conf


 Mark




Re: [Samba] Winbind dies redux

2006-07-27 Thread Dimitri Yioulos
On Wednesday July 26 2006 12:07 pm, Dimitri Yioulos wrote:
 On Wednesday July 26 2006 11:33 am, you wrote:
  Dimitri Yioulos wrote:
   All,
  
   I fear I've become a pita with this, but
   winbind periodically dying  on one of my machines
   is really starting to cause grief, and I have
   no idea what might be causing it, especially as
   the same config is  used on several similar boxes
   which do not exhibit the problem. While I've posted the
   problem previously, I thought that maybe this
   latest log entry after winbind dies might help with
   finding the  solution:
 
  Is there a bug # for this?  If not, please make one.

 I'll do this shortly.

   lib/fault.c:dump_core(173)  dumping core in
   /var/log/samba/cores/winbindd : 2 Time(s)
   lib/fault.c:fault_report(42) INTERNAL ERROR: Signal 6 in pid
   2102 (3.0.23)  Please read the
 
  There's an abort() call somewhere

 Ok.

   Trouble-Shooting section of the Samba3-HOWTO : 1 Time(s)
   lib/fault.c:fault_report(42)  INTERNAL ERROR: Signal 6 in pid
   9172 (3.0.23a)  Please read the Trouble-Shooting section of the
   Samba3- HOWTO : 1 Time(s) lib/fault.c:fault_report(44)From:
   http://www.samba.org/samba/docs/Samba3-HOWTO.pdf : 2 Time(s)
   lib/util.c:log_stack_trace(1699)  BACKTRACE: 26 stack frames
   #0 winbindd(log_stack_trace+0x2d) [0xcd2ded]
   #1 winbindd(smb_panic+0x75) [0xcd2c95]
   #2 winbindd [0xcbe3e6]
   #3 /lib/tls/libc.so.6 [0x28f0d8]
   #4 /lib/tls/libc.so.6(abort+0x1d5) [0x290705]
   #5 winbindd [0xcf99e2]
   #6 winbindd [0xcf9c65]
   #7 winbindd(cli_krb5_get_ticket+0x242) [0xcfa142]
 
  Can you get a backtrace with debug symbols?  The only report
  of this I've seen was fixed by upgrading the krb5 libs.
  What server platform and krb5 version are you using?

 Server is CentOS 3.7.  Krb version is 1.2.57.

 I've searched quite a bit about how to run a backtrace with debug
 symbols, but come up with nothing useful to me.  I've found
 Tridge's backtrace script, but don't know how to use it.  I would
 appreciate your kind assistance with how to do the backtrace.

 Dimitri


All.

Forgive me.  I must either be stupid, a poor researcher, blind, all of 
the above, a combination of the above, none of the above (the last 
choice unlikely).  I've searched extensively for a how-to on running 
a backtrace with debug symbols, but can find nothing to help me.  I 
see how to run gdb, if that's the tool I should use, as 
in gdb /usr/sbin/winbind PID.  But, part of the data returned 
is (no debugging symbols found).  Arrrgh.

Am I missing something obvious?  Is the answer under my nose, and I'm 
just not seeing it?  I'd like to provide all the information I can so 
that I might help you help me to solve my issue.  But, I need your 
kind assistance on how to do this backtrace.  Please don't be angry 
with me, I'm doin' my best here (and really am considered a nice 
person by my peers :-)   ).

Dimitri



[Samba] Winbind dies redux

2006-07-26 Thread Dimitri Yioulos
All,

I fear I've become a pita with this, but winbind periodically dying 
on one of my machines is really starting to cause grief, and I have 
no idea what might be causing it, especially as the same config is 
used on several similar boxes which do not exhibit the problem.  
While I've posted the problem previously, I thought that maybe this  
latest log entry after winbind dies might help with finding the 
solution:

lib/fault.c:dump_core(173)  dumping core in
/var/log/samba/cores/winbindd : 2 Time(s) lib/fault.c:fault_report(42)
INTERNAL ERROR: Signal 6 in pid 2102 (3.0.23)  Please read the
Trouble-Shooting section of the Samba3-HOWTO : 1 Time(s)
lib/fault.c:fault_report(42)  INTERNAL ERROR: Signal 6 in pid 9172
(3.0.23a)  Please read the Trouble-Shooting section of the Samba3-
HOWTO : 1 Time(s) lib/fault.c:fault_report(44)From:
http://www.samba.org/samba/docs/Samba3-HOWTO.pdf : 2 Time(s)
lib/util.c:log_stack_trace(1699)  BACKTRACE: 26 stack frames
#0 winbindd(log_stack_trace+0x2d) [0xcd2ded]
#1 winbindd(smb_panic+0x75) [0xcd2c95]
#2 winbindd [0xcbe3e6]
#3 /lib/tls/libc.so.6 [0x28f0d8]
#4 /lib/tls/libc.so.6(abort+0x1d5) [0x290705]
#5 winbindd [0xcf99e2]
#6 winbindd [0xcf9c65]
#7 winbindd(cli_krb5_get_ticket+0x242) [0xcfa142]
#8 winbindd(spnego_gen_negTokenTarg+0x62) [0xcfbcd2]
#9 winbindd [0xdbc782]
#10 winbindd [0xdbcaae]
#11 winbindd(ads_sasl_bind+0x150) [0xdbd370]
#12 winbindd(ads_connect+0x1ea) [0xdb622a]
#13 winbindd [0xdc313a]
#14 winbindd(ads_do_search_retry+0x46) [0xdc3426]
#15 winbindd(ads_search_retry+0x3f) [0xdc34df]
#16 winbindd [0xc707f4]
#17 winbindd [0xc5b0e9]
#18 winbindd [0xc5004e]
#19 winbindd(winbindd_getgrgid+0x2ba) [0xc5107a]
#20 winbindd [0xc4bd37]
#21 winbindd [0xc4bf78]
#22 winbindd [0xc4d1fa]
#23 winbindd(main+0x5c5) [0xc4d805]
#24 /lib/tls/libc.so.6(__libc_start_main+0xda) [0x27c79a]
#25 winbindd [0xc4b5f2] : 1 Time(s) lib/util.c:log_stack_trace(1699)
BACKTRACE: 28 stack frames:
#0 winbindd(log_stack_trace+0x2d) [0x279add]
#1 winbindd(smb_panic+0x75) [0x279985]
#2 winbindd [0x2650d6]
#3 /lib/tls/libc.so.6 [0x8440d8]
#4 /lib/tls/libc.so.6(abort+0x1d5) [0x845705]
#5 winbindd [0x2a06d2]
#6 winbindd [0x2a0955]
#7 winbindd(cli_krb5_get_ticket+0x242) [0x2a0e32]
#8 winbindd(spnego_gen_negTokenTarg+0x62) [0x2a29c2]
#9 winbindd [0x362f82]
#10 winbindd [0x3632ae]
#11 winbindd(ads_sasl_bind+0x150) [0x363b70]
#12 winbindd(ads_connect+0x1ea) [0x35cf2a]
#13 winbindd [0x369d3a]
#14 winbindd(ads_do_search_retry+0x46) [0x36a026]
#15 winbindd(ads_USN+0x66) [0x360ed6]
#16 winbindd [0x217e59]
#17 winbindd [0x1feb73]
#18 winbindd [0x1ff028]
#19 winbindd [0x201362]
#20 winbindd(winbindd_lookup_name_by_sid+0x5c) [0x1fc07c]
#21 winbindd(winbindd_getgrgid+0x109) [0x1f7e09]
#22 winbindd [0x1f2c77]
#23 winbindd [0x1f2eb8]
#24 winbindd [0x1f413a]
#25 winbindd(main+0x5c5) [0x1f4745]
#26 /lib/tls/libc.so.6(__libc_start_main+0xda) [0x83179a]
#27 winbindd [0x1f2532] : 1 Time(s) lib/util.c:smb_panic(1592) 
PANIC (pid 2102):  internal error : 1 Time(s) 
lib/util.c:smb_panic(1592) 
PANIC (pid 9172): internal error : 1 Time(s)
nsswitch/winbindd_dual.c:child_read_request(49)  Got invalid request
length: 0 : 9 Time(s)

If anyone can help me out with this, I'd be most grateful.

Dimitri
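
The crash reports in this thread differ in pid and load address but share one call path. As an added example (not part of the list posts), this Python sketch rejoins mail-wrapped syslog lines per winbindd pid and groups crashes by signal plus the first named frame below the panic and abort() frames; the second sample record (pid 40001 and its addresses) and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first record is a shortened copy of the syslog
# excerpt posted in this thread (mail wrapping included); the second record,
# pid 40001 and its addresses, is invented to stand for a later crash.
SAMPLE = """\
Jul 12 18:26:06 norwell winbindd[23775]:   INTERNAL ERROR: Signal 6 in
pid 23775 (3.0.23)
Jul 12 18:26:06 norwell winbindd[23775]:   BACKTRACE: 28 stack frames:
Jul 12 18:26:06 norwell winbindd[23775]:#0
winbindd(log_stack_trace+0x2d) [0x5f5add]
Jul 12 18:26:06 norwell winbindd[23775]:#1
winbindd(smb_panic+0x75) [0x5f5985]
Jul 12 18:26:06 norwell winbindd[23775]:#2 winbindd [0x5e10d6]
Jul 12 18:26:06 norwell winbindd[23775]:#3 /lib/tls/libc.so.6
[0x1b70d8]
Jul 12 18:26:06 norwell winbindd[23775]:#4 /lib/tls/libc.so.6
(abort+0x1d5) [0x1b8705]
Jul 12 18:26:06 norwell winbindd[23775]:#5 winbindd [0x61c6d2]
Jul 12 18:26:06 norwell winbindd[23775]:#7
winbindd(cli_krb5_get_ticket+0x242) [0x61ce32]
Jul 12 18:26:08 norwell winbindd[23792]:   Got invalid request length:
0
Jul 19 03:10:44 norwell winbindd[40001]:   INTERNAL ERROR: Signal 6 in pid 40001 (3.0.23)
Jul 19 03:10:44 norwell winbindd[40001]:#0 winbindd(log_stack_trace+0x2d) [0xaa1add]
Jul 19 03:10:44 norwell winbindd[40001]:#1 winbindd(smb_panic+0x75) [0xaa1985]
Jul 19 03:10:44 norwell winbindd[40001]:#4 /lib/tls/libc.so.6(abort+0x1d5) [0x290705]
Jul 19 03:10:44 norwell winbindd[40001]:#7 winbindd(cli_krb5_get_ticket+0x242) [0xac8e32]
"""

PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s+[\d:]{8}\s+\S+\s+winbindd\[(\d+)\]:(.*)$")
FAULT = re.compile(r"INTERNAL ERROR: Signal (\d+) in\s+pid \d+ \(([^)]+)\)")
# "#N [module] [(symbol+0xoff)] [0xaddr]"; module and symbol may be absent.
FRAME = re.compile(r"#(\d+)\s+([^\s(\[]+)?\s*"
                   r"(?:\(([A-Za-z_]\w*)\+0x([0-9a-fA-F]+)\))?\s*"
                   r"\[0x([0-9a-fA-F]+)\]")
# Frames that only report or raise the fault, not the code that failed.
REPORTING = {"log_stack_trace", "smb_panic", "abort"}


def rejoin(text):
    """Undo line wrapping: return {pid: message text on a single line}."""
    chunks = defaultdict(list)
    pid = None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            pid, rest = m.group(1), m.group(2)
        else:
            rest = line  # no syslog prefix: continuation of the previous record
        if pid is not None and rest.strip():
            chunks[pid].append(rest.strip())
    return {p: " ".join(parts) for p, parts in chunks.items()}


def parse_crash(message):
    """Extract signal, version, frames and the first meaningful named frame."""
    fault = FAULT.search(message)
    if fault is None:
        return None
    frames = FRAME.findall(message)
    culprit = None
    for _num, module, symbol, offset, _addr in frames:
        if symbol and symbol not in REPORTING and "libc" not in module:
            # symbol+offset is stable across runs; the absolute address is not
            culprit = f"{symbol}+0x{offset}"
            break
    return {"signal": int(fault.group(1)), "version": fault.group(2),
            "frames": frames, "culprit": culprit}


def crash_signatures(text):
    """Return {pid: crash dict} for every pid that logged a fault report."""
    found = {}
    for pid, message in rejoin(text).items():
        crash = parse_crash(message)
        if crash is not None:
            found[pid] = crash
    return found


def group_by_signature(text):
    """Group crashing pids by (signal, first named non-reporting frame)."""
    groups = defaultdict(list)
    for pid, crash in crash_signatures(text).items():
        groups[(crash["signal"], crash["culprit"])].append(pid)
    return dict(groups)


if __name__ == "__main__":
    for signature, pids in group_by_signature(SAMPLE).items():
        print(signature, pids)
```
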



Re: [Samba] Winbind dies redux

2006-07-26 Thread Dimitri Yioulos
On Wednesday July 26 2006 11:33 am, you wrote:
 Dimitri Yioulos wrote:
  All,
 
  I fear I've become a pita with this, but
  winbind periodically dying  on one of my machines
  is really starting to cause grief, and I have
  no idea what might be causing it, especially as
  the same config is  used on several similar boxes
  which do not exhibit the problem. While I've posted the
  problem previously, I thought that maybe this
  latest log entry after winbind dies might help with
  finding the  solution:

 Is there a bug # for this?  If not, please make one.

I'll do this shortly.


  lib/fault.c:dump_core(173)  dumping core in
  /var/log/samba/cores/winbindd : 2 Time(s)
  lib/fault.c:fault_report(42) INTERNAL ERROR: Signal 6 in pid 2102
  (3.0.23)  Please read the

 There's an abort() call somewhere

Ok.


  Trouble-Shooting section of the Samba3-HOWTO : 1 Time(s)
  lib/fault.c:fault_report(42)  INTERNAL ERROR: Signal 6 in pid
  9172 (3.0.23a)  Please read the Trouble-Shooting section of the
  Samba3- HOWTO : 1 Time(s) lib/fault.c:fault_report(44)From:
  http://www.samba.org/samba/docs/Samba3-HOWTO.pdf : 2 Time(s)
  lib/util.c:log_stack_trace(1699)  BACKTRACE: 26 stack frames
  #0 winbindd(log_stack_trace+0x2d) [0xcd2ded]
  #1 winbindd(smb_panic+0x75) [0xcd2c95]
  #2 winbindd [0xcbe3e6]
  #3 /lib/tls/libc.so.6 [0x28f0d8]
  #4 /lib/tls/libc.so.6(abort+0x1d5) [0x290705]
  #5 winbindd [0xcf99e2]
  #6 winbindd [0xcf9c65]
  #7 winbindd(cli_krb5_get_ticket+0x242) [0xcfa142]

 Can you get a backtrace with debug symbols?  The only report
 of this I've seen was fixed by upgrading the krb5 libs.
 What server platform and krb5 version are you using?


Server is CentOS 3.7.  Krb version is 1.2.57.

I've searched quite a bit about how to run a backtrace with debug 
symbols, but come up with nothing useful to me.  I've found Tridge's 
backtrace script, but don't know how to use it.  I would appreciate your  
kind assistance with how to do the backtrace.

Dimitri



[Samba] Re: (Samba) Winbind dies

2006-07-14 Thread Dimitri Yioulos
On Thursday July 13 2006 12:39 pm, you wrote:
 Dimitri Yioulos wrote:
  Serious apologies if this has been discussed before,
  but my search didn't turn up much:
 
  I have samba (kept up-to-date with latest) running on
  several CentOS 3 and 4 boxes as part of a Win2k3
  domain.  On one particular box,  winbind dies on
  a regular basis (all the other installations run
  flawlessly).  A quick restart, and we're good
  again.  However, as  this is a very active server
  that is accessed 18 hours a day, 7 days  a week,
  I'm called at home during those few hours I spend
  there to restart winbind on this particular machine.

 This is the second report of winbindd crash in the krb5 libs.
 The other was an FC5 box.

  INTERNAL ERROR: Signal 6 in pid 23775 (3.0.23)

 ...

  Jul 12 18:26:06 norwell winbindd[23775]:   BACKTRACE: 28 stack
  frames: #0 winbindd(log_stack_trace+0x2d) [0x5f5add]
  #1  winbindd(smb_panic+0x75) [0x5f5985]
  #2 winbindd [0x5e10d6]
  #3 /lib/tls/libc.so.6 [0x1b70d8]
  #4 /lib/tls/libc.so.6 (abort+0x1d5) [0x1b8705]
  #5 winbindd [0x61c6d2]
  #6 winbindd [0x61c955]
  #7 winbindd(cli_krb5_get_ticket+0x242) [0x61ce32]
  #8 winbindd(spnego_gen_negTokenTarg+0x62) [0x61e9c2]

 We're working on it.  If you could get a backtrace
 including debugging symbols, that would help.



 cheers, jerry

I posted a backtrace (at least, I think it was) of the core dump 
yesterday.  Does that work to troubleshoot this issue?

Dimitri



[Samba] Winbind dies

2006-07-13 Thread Dimitri Yioulos
Serious apologies if this has been discussed before, but my search 
didn't turn up much:

I have samba (kept up-to-date with latest) running on several CentOS 3 
and 4 boxes as part of a Win2k3 domain.  On one particular box, 
winbind dies on a regular basis (all the other installations run 
flawlessly).  A quick restart, and we're good again.  However, as 
this is a very active server that is accessed 18 hours a day, 7 days 
a week, I'm called at home during those few hours I spend there to 
restart winbind on this particular machine.

Here's the relevant syslog output (sorry for the length):

Jul 12 18:26:06 norwell winbindd[23775]: [2006/07/12 18:26:06, 0] 
lib/fault.c:fault_report(41)
Jul 12 18:26:06 norwell winbindd[23775]:   
===
Jul 12 18:26:06 norwell winbindd[23775]: [2006/07/12 18:26:06, 0] 
lib/fault.c:fault_report(42)
Jul 12 18:26:06 norwell winbindd[23775]:   INTERNAL ERROR: Signal 6 in 
pid 23775 (3.0.23)
Jul 12 18:26:06 norwell winbindd[23775]:   Please read the 
Trouble-Shooting section of the Samba3-HOWTO
Jul 12 18:26:06 norwell winbindd[23775]: [2006/07/12 18:26:06, 0] 
lib/fault.c:fault_report(44)
Jul 12 18:26:06 norwell winbindd[23775]:
Jul 12 18:26:06 norwell winbindd[23775]:   From: 
http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
Jul 12 18:26:06 norwell winbindd[23775]: [2006/07/12 18:26:06, 0] 
lib/fault.c:fault_report(45)
Jul 12 18:26:06 norwell winbindd[23775]:   
===
Jul 12 18:26:06 norwell winbindd[23775]: [2006/07/12 18:26:06, 0] 
lib/util.c:smb_panic(1592)
Jul 12 18:26:06 norwell winbindd[23775]:   PANIC (pid 23775): internal 
error
Jul 12 18:26:06 norwell winbindd[23775]: [2006/07/12 18:26:06, 0] 
lib/util.c:log_stack_trace(1699)
Jul 12 18:26:06 norwell winbindd[23775]:   BACKTRACE: 28 stack frames:
Jul 12 18:26:06 norwell winbindd[23775]:#0 
winbindd(log_stack_trace+0x2d) [0x5f5add]
Jul 12 18:26:06 norwell winbindd[23775]:#1 
winbindd(smb_panic+0x75) [0x5f5985]
Jul 12 18:26:06 norwell winbindd[23775]:#2 winbindd [0x5e10d6]
Jul 12 18:26:06 norwell winbindd[23775]:#3 /lib/tls/libc.so.6 
[0x1b70d8]
Jul 12 18:26:06 norwell winbindd[23775]:#4 /lib/tls/libc.so.6
(abort+0x1d5) [0x1b8705]
Jul 12 18:26:06 norwell winbindd[23775]:#5 winbindd [0x61c6d2]
Jul 12 18:26:06 norwell winbindd[23775]:#6 winbindd [0x61c955]
Jul 12 18:26:06 norwell winbindd[23775]:#7 
winbindd(cli_krb5_get_ticket+0x242) [0x61ce32]
Jul 12 18:26:07 norwell winbindd[23775]:#8 
winbindd(spnego_gen_negTokenTarg+0x62) [0x61e9c2]
Jul 12 18:26:07 norwell winbindd[23775]:#9 winbindd [0x6def82]
Jul 12 18:26:07 norwell winbindd[23775]:#10 winbindd [0x6df2ae]
Jul 12 18:26:07 norwell winbindd[23775]:#11 
winbindd(ads_sasl_bind+0x150) [0x6dfb70]
Jul 12 18:26:07 norwell winbindd[23775]:#12 
winbindd(ads_connect+0x1ea) [0x6d8f2a]
Jul 12 18:26:07 norwell winbindd[23775]:#13 winbindd [0x6e5d3a]
Jul 12 18:26:07 norwell winbindd[23775]:#14 
winbindd(ads_do_search_retry+0x46) [0x6e6026]
Jul 12 18:26:07 norwell winbindd[23775]:#15 winbindd(ads_USN+0x66) 
[0x6dced6]
Jul 12 18:26:07 norwell winbindd[23775]:#16 winbindd [0x593e59]
Jul 12 18:26:07 norwell winbindd[23775]:#17 winbindd [0x57ab73]
Jul 12 18:26:07 norwell winbindd[23775]:#18 winbindd [0x57b028]
Jul 12 18:26:07 norwell winbindd[23775]:#19 winbindd [0x57d362]
Jul 12 18:26:07 norwell winbindd[23775]:#20 
winbindd(winbindd_lookup_name_by_sid+0x5c) [0x57807c]
Jul 12 18:26:07 norwell winbindd[23775]:#21 
winbindd(winbindd_getgrgid+0x109) [0x573e09]
Jul 12 18:26:07 norwell winbindd[23775]:#22 winbindd [0x56ec77]
Jul 12 18:26:07 norwell winbindd[23775]:#23 winbindd [0x56eeb8]
Jul 12 18:26:07 norwell winbindd[23775]:#24 winbindd [0x57013a]
Jul 12 18:26:07 norwell winbindd[23775]:#25 winbindd(main+0x5c5) 
[0x570745]
Jul 12 18:26:07 norwell winbindd[23775]:#26 /lib/tls/libc.so.6
(__libc_start_main+0xda) [0x1a479a]
Jul 12 18:26:07 norwell winbindd[23775]:#27 winbindd [0x56e532]
Jul 12 18:26:07 norwell winbindd[23775]: [2006/07/12 18:26:07, 0] 
lib/fault.c:dump_core(173)
Jul 12 18:26:07 norwell winbindd[23775]:   dumping core 
in /var/log/samba/cores/winbindd
Jul 12 18:26:07 norwell winbindd[23775]:
Jul 12 18:26:08 norwell winbindd[23792]: [2006/07/12 18:26:08, 0] 
nsswitch/winbindd_dual.c:child_read_request(49)
Jul 12 18:26:08 norwell winbindd[23792]:   Got invalid request length: 
0
Jul 12 18:26:08 norwell winbindd[23780]: [2006/07/12 18:26:08, 0] 
nsswitch/winbindd_dual.c:child_read_request(49)
Jul 12 18:26:08 norwell winbindd[23780]:   Got invalid request length: 
0
Jul 12 18:26:08 norwell winbindd[23776]: [2006/07/12 18:26:08, 0] 
nsswitch/winbindd_dual.c:child_read_request(49)
Jul 12 18:26:08 norwell winbindd[23776]:   Got invalid request length: 
0

The last few errors are thrown due to someone trying to access the box 
via samba?

Anyway, can someone 

Re: [Samba] Winbind dies

2006-07-13 Thread Dimitri Yioulos
On Thursday July 13 2006 12:28 pm, you wrote:
 Hi,

 On Thu, Jul 13, 2006 at 11:28:29AM -0400, Dimitri Yioulos wrote:
  Serious apologies if this has been discussed before, but my
  search didn't turn up much:
 
  I have samba (kept up-to-date with latest) running on several
  CentOS 3 and 4 boxes as part of a Win2k3 domain.  On one
  particular box, winbind dies on a regular basis (all the other
  installations run flawlessly).  A quick restart, and we're good
  again.  However, as this is a very active server that is accessed
  18 hours a day, 7 days a week, I'm called at home during those
  few hours I spend there to restart winbind on this particular
  machine.

 is this Samba 3.0.23 ? If yes, can you please try to provide a gdb
 backtrace?

 Thanks,
 Guenther

Guenther,

While I'm running 3.0.23 on the machine, this has actually been going 
on for a while (perhaps since 3.0.20, but not really sure.  Yes, I'm 
just getting to posting this because it's # 6,387 on my list of 
to-do's  :-)   ).

Can you tell me how to do a gdb backtrace, as the instruction in the 
How-To isn't very clear to me.

Dimitri



Re: [Samba] Winbind dies

2006-07-13 Thread Dimitri Yioulos
On Thursday July 13 2006 12:39 pm, you wrote:
 Dimitri Yioulos wrote:
  Serious apologies if this has been discussed before,
  but my search didn't turn up much:
 
  I have samba (kept up-to-date with latest) running on
  several CentOS 3 and 4 boxes as part of a Win2k3
  domain.  On one particular box,  winbind dies on
  a regular basis (all the other installations run
  flawlessly).  A quick restart, and we're good
  again.  However, as  this is a very active server
  that is accessed 18 hours a day, 7 days  a week,
  I'm called at home during those few hours I spend
  there to restart winbind on this particular machine.

 This is the second report of winbindd crash in the krb5 libs.
 The other was an FC5 box.

  INTERNAL ERROR: Signal 6 in pid 23775 (3.0.23)

 ...

  Jul 12 18:26:06 norwell winbindd[23775]:   BACKTRACE: 28 stack
  frames: #0 winbindd(log_stack_trace+0x2d) [0x5f5add]
  #1  winbindd(smb_panic+0x75) [0x5f5985]
  #2 winbindd [0x5e10d6]
  #3 /lib/tls/libc.so.6 [0x1b70d8]
  #4 /lib/tls/libc.so.6 (abort+0x1d5) [0x1b8705]
  #5 winbindd [0x61c6d2]
  #6 winbindd [0x61c955]
  #7 winbindd(cli_krb5_get_ticket+0x242) [0x61ce32]
  #8 winbindd(spnego_gen_negTokenTarg+0x62) [0x61e9c2]

 We're working on it.  If you could get a backtrace
 including debugging symbols, that would help.



 cheers, jerry

Hi, Jerry.

As I responded to Guenther, I'm not sure how to do a backtrace.  I did 
try this on the core dump, though, and wonder if it's of any value to 
you?:

[EMAIL PROTECTED] root]# 
gdb /usr/sbin/winbindd /var/log/samba/cores/winbindd/core.23775

GNU gdb Red Hat Linux (6.3.0.0-1.90rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and 
you are
welcome to change it and/or distribute copies of it under certain 
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for 
details.
This GDB was configured as i386-redhat-linux-gnu...(no debugging 
symbols found)
Using host libthread_db library /lib/tls/libthread_db.so.1.

Core was generated by `winbindd'.
Program terminated with signal 6, Aborted.
#0  0x001b6eff in idmap_sid_to_gid ()
(gdb) bt
#0  0x001b6eff in idmap_sid_to_gid ()
#1  0x001b8705 in idmap_ldap_init ()
#2  0x005e154a in ?? ()
#3  0x0006 in ?? ()
#4  0x in ?? ()
(gdb) quit
[1]+  Done/etc/bastille-tmpdir-defense.sh 12028

Dimitri



RE: [Samba] Winbind and email server

2006-03-31 Thread Dimitri Yioulos
OK, here's the samba module:

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

and here's system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    required      /usr/lib/security/pam_sso.so.1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
#password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

If you need more, please let me know.

Dimitri


On Thursday March 30 2006 5:45 pm, Paul Matthews wrote:
 how about you post your pam module here, you might have it configured to
 require both local and winbind users instead of either or

 Paul Matthews
 I.T Trainee | The Cathedral School
 Ph  (07) 47222 194 |  Fax (07) 47222 111
 PO Box 944 Aitkenvale Q 4814
 E: [EMAIL PROTECTED]
 W: www.cathedral.qld.edu.au

 Anglican coeducation | Day and Boarding | Early Childhood to Year 12
 Educating for life-long success


 -Original Message-
 From: Dimitri Yioulos [mailto:[EMAIL PROTECTED]
 Sent: Friday, 31 March 2006 8:33 AM
 To: Paul Matthews
 Subject: Re: [Samba] Winbind and email server


 top-posting by necessity ...

 Hi, Paul.

 Alas, my nsswitch.conf is properly configured.  Any other ideas?

 Dimitri

 On Thursday March 30 2006 5:12 pm, you wrote:
  well the problem i think you're having is that you have not edited the
  /etc/nsswitch.conf file.
 
  change from
 
  passwd:     files
  shadow:     files
  group:       files
 
  to:
 
  passwd:     winbind files
  shadow:     winbind files
  group:      winbind files
 
  or something along those lines, play with the /etc/nsswitch.conf to find
  the right configuration for you.
 
  check out the post i've made on my website about how we use have setup my
  mail system, i think i've done it fairly well
 
  http://www.yourhowto.org/content/view/25/9/
 
  Paul Matthews
  I.T Trainee | The Cathedral School
  Ph  (07) 47222 194 |  Fax (07) 47222 111
  PO Box 944 Aitkenvale Q 4814
  E: [EMAIL PROTECTED]
  W: www.cathedral.qld.edu.au
 
  Anglican coeducation | Day and Boarding | Early Childhood to Year 12
  Educating for life-long success

 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  ]On Behalf Of Dimitri Yioulos
  Sent: Friday, 31 March 2006 1:53 AM
  To: samba@lists.samba.org
  Subject: [Samba] Winbind and email server
 
 
  Folks,
 
  Sincere apologies for asking this again, but I'm just not getting this to
  work, and must be missing something here:
 
  My company's network is based around a Windows 2003 server AD, with several
  RHEL AS 3 boxes connected to it via samba (3.0.21c-1).  This scheme works
  very well.  I've set up, and have successfully been using a
  sendmail-based email system, too.
 
  My issue is this:  When I create a user account in AD, I have to also
  create it in the mail server.  This is inconvenient and inefficient.
 
  I have samba installed on the mail server. I also have the mkhomedir module
  installed, and the appropriate line to invoke

[Samba] Winbind and email server

2006-03-30 Thread Dimitri Yioulos
Folks,

Sincere apologies for asking this again, but I'm just not getting this to 
work, and must be missing something here:

My company's network is based around a Windows 2003 server AD, with several 
RHEL AS 3 boxes connected to it via samba (3.0.21c-1).  This scheme works 
very well.  I've set up, and have successfully been using a sendmail-based 
email system, too.

My issue is this:  When I create a user account in AD, I have to also create 
it in the mail server.  This is inconvenient and inefficient.

I have samba installed on the mail server. I also have the mkhomedir module 
installed, and the appropriate line to invoke it is in the samba, pop, and 
smtp.sendmail config files under /etc/pam.d.  My users are using the Outlook 
2003 mail client.  If I create a user in the email server, then Outlook has 
no problem connecting to the mail server using the user's credentials from 
the email server.  But, if the user is only created in AD, then Outlook 
complains that the incoming pop server won't authenticate the user, despite 
the fact that winbind is fired up, wbinfo -u shows the user, and getent 
passwd shows the user's credentials.  Arrrgh!  IMHO, this is the one small 
thing that keeps this from being a really great system.

Can anybody show me the way to get over the hump?

Many thanks.

Dimitri
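
`wbinfo -u` and `getent passwd` exercise name lookup (NSS), while the POP login is decided by the PAM `auth` stack. As an added example (not from the list posts), this Python sketch walks the `auth` lines of the `samba` and `system-auth` files posted in this thread for an account that exists only in AD, then again with a `pam_winbind.so` line added. The simplified control-flag model, the per-module outcome table, the `pam_winbind.so` path, and the idea that the POP service stacks `system-auth` the way the posted `samba` file does are all assumptions.

```python
# auth lines copied from the two PAM files posted in this thread
SERVICES = {
    "samba": """\
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
""",
    "system-auth": """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
""",
}

# Assumed line (not on the page): let winbind try after pam_unix fails.
WINBIND_LINE = ("auth        sufficient    "
                "/lib/security/$ISA/pam_winbind.so use_first_pass\n")

# Assumed module results for an account that exists only in AD.
AD_ONLY_USER = {
    "pam_nologin.so": True,   # no /etc/nologin present
    "pam_env.so": True,
    "pam_unix.so": False,     # no local password hash to verify against
    "pam_deny.so": False,     # always fails by design
    "pam_winbind.so": True,   # password verified by winbindd against the domain
}
LOCAL_USER = dict(AD_ONLY_USER, **{"pam_unix.so": True})


def parse(text, kind="auth"):
    """Return [(control, module basename, args)] for one management group."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == kind:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return entries


def run_stack(service, services, outcome, trace, depth=0):
    """Simplified PAM evaluation of required/requisite/sufficient/optional."""
    if depth > 8:
        raise ValueError("pam_stack.so nesting too deep")
    failed = succeeded = False
    for control, module, args in parse(services[service]):
        if module == "pam_stack.so":  # old-style include of another service
            target = next(a.split("=", 1)[1] for a in args
                          if a.startswith("service="))
            ok = run_stack(target, services, outcome, trace, depth + 1)
        else:
            ok = outcome.get(module, False)
        trace.append((service, control, module, ok))
        if ok:
            if control != "optional":
                succeeded = True
            if control == "sufficient" and not failed:
                return True       # stop here, later modules are not consulted
        elif control == "requisite":
            return False          # fail immediately
        elif control == "required":
            failed = True         # keep going, but the stack will fail
    return succeeded and not failed


def authenticate(service, services, outcome):
    """Return (result, trace) where trace lists every module consulted."""
    trace = []
    return run_stack(service, services, outcome, trace), trace


def with_winbind(services):
    """Copy of services with WINBIND_LINE inserted before pam_deny.so."""
    fixed = dict(services)
    lines = fixed["system-auth"].splitlines(keepends=True)
    idx = next(i for i, line in enumerate(lines) if "pam_deny.so" in line)
    lines.insert(idx, WINBIND_LINE)
    fixed["system-auth"] = "".join(lines)
    return fixed


if __name__ == "__main__":
    for label, svc in (("posted", SERVICES), ("with pam_winbind", with_winbind(SERVICES))):
        ok, trace = authenticate("samba", svc, AD_ONLY_USER)
        print(label, "->", "granted" if ok else "denied")
        for step in trace:
            print("   ", step)
```
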



Re: [Samba] Samba rpm and /var/*/samba directory for .tdb files

2006-02-06 Thread Dimitri Yioulos
On Monday February 06 2006 1:08 pm, Oliver Schulze L. wrote:
 Hi,
 I use CentOS4 (RHEL4) and it seems that I was using /var/lib/samba
 for storing the .tdb files. Then I compiled the fedora .src.rpm from
 samba.org
 and it points now to /var/cache/samba

 I will build tonight the .rpm from the .tar.gz and see which directory
 samba chooses for the .tdb files in CentOS4.

 Anyone can confirm this list of distro/.tdb directory:
 Fedora: /var/cache/samba
 CentOS4: /var/lib/samba
 RH9: /var/lib/samba
 ?

 Many thanks
 Oliver


I can't speak to RH9, but I'm running CentOS 3 and 4, and FC2 boxes here.  As 
to those, the tdb files are stored as you suspected:

Fedora: /var/cache/samba
CentOS4: /var/lib/samba

HTH.

Dimitri



Re: [Samba] Samba rpm and /var/*/samba directory for .tdb files

2006-02-06 Thread Dimitri Yioulos
On Monday February 06 2006 1:47 pm, Dimitri Yioulos wrote:
 On Monday February 06 2006 1:08 pm, Oliver Schulze L. wrote:
  Hi,
  I use CentOS4 (RHEL4) and it seems that I was using /var/lib/samba
  for storing the .tdb files. Then I compiled the fedora .src.rpm from
  samba.org
  and it points now to /var/cache/samba
 
  I will build tonight the .rpm from the .tar.gz and see which directory
  samba chooses for the .tdb files in CentOS4.
 
  Anyone can confirm this list of distro/.tdb directory:
  Fedora: /var/cache/samba
  CentOS4: /var/lib/samba
  RH9: /var/lib/samba
  ?
 
  Many thanks
  Oliver

 I can't speak to RH9, but I'm running CentOS 3 and 4, and FC2 boxes here. 
 As to those, the tdb files are stored as you suspected:

 Fedora: /var/cache/samba
 CentOS4: /var/lib/samba

 HTH.

 Dimitri


Sorry for replying to my own post, but I should note that I use the latest 
Samba release from the Samba team.  I build the RPMs from their source RPMs.  
Doing this results in the tdb files being located as you suspected.

Dimitri



Re: [Samba] trouble with winbind

2006-02-03 Thread Dimitri Yioulos
On Friday February 03 2006 12:28 pm, David Shapiro wrote:
 I found mention of how to run net ads join with debugging, which got me
 some good info when I run net ads join with debuglevel=10:

  namecache_store: storing 1 address for adserver.domain.com#20:
 1.2.3.4:0
 [2006/02/03 12:19:02, 10] ../lib/gencache.c:gencache_set(127)
   Adding cache entry with key = NBT/ADSSERVER.DOMAIN.COM#20; value =
 1.2.3.4:0 and timeout = Fri Feb  3 12:30:02 2006
(660 seconds ahead)
 [2006/02/03 12:19:02, 10]
 ../libsmb/namequery.c:internal_resolve_name(1145)
   internal_resolve_name: returning 1 addresses: 10.69.147.110:0
 [2006/02/03 12:19:02, 10]
 ../libsmb/namequery.c:remove_duplicate_addrs2(320)
   remove_duplicate_addrs2: looking for duplicate address/port pairs
 [2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1406)
   get_dc_list: returning 1 ip addresses in an ordered list
 [2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1407)
   get_dc_list: 10.69.147.110:0
 [2006/02/03 12:19:02, 5] ../libads/ldap.c:ads_try_connect(126)
   ads_try_connect: trying ldap server '1.2.3.4' port 389
 [2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_connect(288)
   Connected to LDAP server 1.2.3.4
 [2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_server_info(2541)
   got ldap server name [EMAIL PROTECTED], using bind path:
 dc=DOMAIN,dc=COM
 [2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
   time offset is 114 seconds
 [2006/02/03 12:19:02, 4] ../libads/sasl.c:ads_sasl_bind(455)
   Found SASL mechanism GSS-SPNEGO
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(219)
   ads_sasl_spnego_bind: got server principal name
 [EMAIL PROTECTED]
 [2006/02/03 12:19:02, 3] ../libsmb/clikrb5.c:ads_krb5_mk_req(478)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
 found)
 [2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
   kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot
 resolve network address for KDC in requested realm
 [2006/02/03 12:19:02, 0] ../utils/net_ads.c:ads_startup(191)
   ads_connect: Cannot resolve network address for KDC in requested
 realm
 [2006/02/03 12:19:02, 2] ../utils/net.c:main(876)
   return code = -1


 So it looks like it found the adsserver but then tried to kinit for
 the samba server I am trying to join and complained about not being able
 to resolve the kdc.  Did it fail to find a credential cache (I thought I
 was trying to get one with the join command, so it shouldn't find one)
 and then tried to get one from the local samba server and is saying it
 is not resolvable?

 David Shapiro
 Unix Team Lead
 919-765-2011

  Nico De Wilde [EMAIL PROTECTED] 2/3/2006 10:57:23 AM 

 Chris,

 The following error is repeated multiple times in your winbind.log:

 Client not found in Kerberos database

 Are you joining these machines as a domain admin or as an account with

 domain admin privileges?

 Is your resolving setup correctly?

 Are the clocks on your servers synchronized with the DC?

 Could you try:

 - kinit [EMAIL PROTECTED]
 - net ads join -U ADMINISTRATOR

 What output do these two commands generate on your system?

 Sample smb.conf for a 'member server' in a 2000/2003 AD domain:

 --
 [global]
 server string = somebox
 realm = DOM1.JHUAPL.EDU
 workgroup = CHOCOWEB
 password server = dom1-dc6.dom1.jhuapl.edu
 security = ADS
 encrypt passwords = true
 # winbind configuration
 winbind separator = +
 idmap uid = 1-2
 idmap gid = 1-2
 winbind enum users=yes
 winbind enum groups=yes
 ---

 Sample krb5.conf
 ---
 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
 ticket_lifetime = 24000
 default_realm = DOM1.JHUAPL.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

 [realms]
 DOM1.JHUAPL.EDU = {
   kdc = the.ip.of.your.dc:88
   admin_server = the.ip.of.your.dc:749
   default_domain = dom1.jhuapl.edu
 }
 --
 Nsswitch.conf

 passwd: files winbind
 shadow: files
 group:  files winbind

 hosts:  files dns winbind

 --

 This should get you going.

 Can you provide additional feedback on this?

 Thx.

 Regards,

 Nico


 - Original Message -
 

Re: [Samba] trouble with winbind

2006-02-03 Thread Dimitri Yioulos
Top-posting.  Eeek.

One thing I think I see is that the system times between the Samba and AD 
servers may be out of sync.  I believe that if the time difference is 
significant enough, then the krb encryption codes will not match and access 
to network resources may be denied.  Are both of your servers' system times 
synced via NTP?

Dimitri


On Friday February 03 2006 12:28 pm, David Shapiro wrote:
 I found mention of how to run net ads join with debugging, which got me
 some good info when I run net ads join with debuglevel=10:

  namecache_store: storing 1 address for adserver.domain.com#20:
 1.2.3.4:0
 [2006/02/03 12:19:02, 10] ../lib/gencache.c:gencache_set(127)
   Adding cache entry with key = NBT/ADSSERVER.DOMAIN.COM#20; value =
 1.2.3.4:0 and timeout = Fri Feb  3 12:30:02 2006
(660 seconds ahead)
 [2006/02/03 12:19:02, 10]
 ../libsmb/namequery.c:internal_resolve_name(1145)
   internal_resolve_name: returning 1 addresses: 10.69.147.110:0
 [2006/02/03 12:19:02, 10]
 ../libsmb/namequery.c:remove_duplicate_addrs2(320)
   remove_duplicate_addrs2: looking for duplicate address/port pairs
 [2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1406)
   get_dc_list: returning 1 ip addresses in an ordered list
 [2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1407)
   get_dc_list: 10.69.147.110:0
 [2006/02/03 12:19:02, 5] ../libads/ldap.c:ads_try_connect(126)
   ads_try_connect: trying ldap server '1.2.3.4' port 389
 [2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_connect(288)
   Connected to LDAP server 1.2.3.4
 [2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_server_info(2541)
   got ldap server name [EMAIL PROTECTED], using bind path:
 dc=DOMAIN,dc=COM
 [2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
   time offset is 114 seconds
 [2006/02/03 12:19:02, 4] ../libads/sasl.c:ads_sasl_bind(455)
   Found SASL mechanism GSS-SPNEGO
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
 [2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(219)
   ads_sasl_spnego_bind: got server principal name
 [EMAIL PROTECTED]
 [2006/02/03 12:19:02, 3] ../libsmb/clikrb5.c:ads_krb5_mk_req(478)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
 found)
 [2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
   kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot
 resolve network address for KDC in requested realm
 [2006/02/03 12:19:02, 0] ../utils/net_ads.c:ads_startup(191)
   ads_connect: Cannot resolve network address for KDC in requested
 realm
 [2006/02/03 12:19:02, 2] ../utils/net.c:main(876)
   return code = -1


 So it looks like it found the adsserver but then tried to kinit for
 the samba server I am trying to join and complained about not being able
 to resolve the kdc.  Did it fail to find a credential cache (I thought I
 was trying to get one with the join command, so it shouldn't find one)
 and then tried to get one from the local samba server and is saying it
 is not resolvable?

 David Shapiro
 Unix Team Lead
 919-765-2011

  Nico De Wilde [EMAIL PROTECTED] 2/3/2006 10:57:23 AM 

 Chris,

 The following error is repeated multiple times in your winbind.log:

 Client not found in Kerberos database

 Are you joining these machines as a domain admin or as an account with

 domain admin privileges?

 Is your resolving setup correctly?

 Are the clocks on your servers synchronized with the DC?

 Could you try:

 - kinit [EMAIL PROTECTED]
 - net ads join -U ADMINISTRATOR

 What output do these two commands generate on your system?

 Sample smb.conf for a 'member server' in a 2000/2003 AD domain:

 --
 [global]
 server string = somebox
 realm = DOM1.JHUAPL.EDU
 workgroup = CHOCOWEB
 password server = dom1-dc6.dom1.jhuapl.edu
 security = ADS
 encrypt passwords = true
 # winbind configuration
 winbind separator = +
 idmap uid = 1-2
 idmap gid = 1-2
 winbind enum users=yes
 winbind enum groups=yes
 ---

 Sample krb5.conf
 ---
 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
 ticket_lifetime = 24000
 default_realm = DOM1.JHUAPL.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

 [realms]
 DOM1.JHUAPL.EDU = {
   kdc = the.ip.of.your.dc:88
   admin_server = the.ip.of.your.dc:749
   default_domain = dom1.jhuapl.edu
 }
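
An added example, not part of the thread: a triage pass over the `net ads join` debug excerpt quoted above, separating level-0 failures from lower-level noise and checking the logged time offset against a clock-skew tolerance. The function names are hypothetical, and the 300-second tolerance is an assumption taken from the `clockskew = 300` setting in the krb5.conf quoted elsewhere on this page.

```python
import re

# Constructed sample: records from the debug excerpt quoted in the thread, with
# the mail client's line wrapping undone. "[EMAIL PROTECTED]" is the archive's
# own redaction of the principal name.
SAMPLE_LOG = """\
[2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_connect(288)
  Connected to LDAP server 1.2.3.4
[2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
  time offset is 114 seconds
[2006/02/03 12:19:02, 3] ../libsmb/clikrb5.c:ads_krb5_mk_req(478)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
[2006/02/03 12:19:02, 0] ../utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested realm
[2006/02/03 12:19:02, 2] ../utils/net.c:main(876)
  return code = -1
"""

# "[date time, level] source-location" header that starts every Samba debug record.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*(?P<level>\d+)\]"
    r"\s+(?P<where>\S+)\s*$"
)

# Error text mapped to a coarse cause. The first and third strings appear in
# the thread; "Clock skew too great" is the standard Kerberos error text.
CAUSES = [
    ("Cannot resolve network address for KDC", "kdc-unresolvable"),
    ("Clock skew too great", "clock-skew"),
    ("Client not found in Kerberos database", "unknown-principal"),
]


def parse_records(text):
    """Split debug output into (timestamp, level, where, message) tuples."""
    records = []
    for line in text.splitlines():
        stripped = line.strip()
        m = HEADER.match(stripped)
        if m:
            records.append([m["ts"], int(m["level"]), m["where"], ""])
        elif stripped and records:
            # Continuation line: belongs to the most recent header.
            records[-1][3] = (records[-1][3] + " " + stripped).strip()
    return [tuple(r) for r in records]


def triage(records, max_skew=300):
    """Summarise a join attempt: skew check, level-0 errors, lower-level notes."""
    offset, errors, notes, causes = None, [], [], []
    for _ts, level, where, msg in records:
        m = re.search(r"time offset is (-?\d+) seconds", msg)
        if m:
            offset = int(m.group(1))
        if level == 0:
            errors.append((where, msg))
            for needle, cause in CAUSES:
                if needle in msg and cause not in causes:
                    causes.append(cause)
        elif "failed" in msg:
            # Logged below level 0: worth reading, but not what aborted the run.
            notes.append((level, msg))
    skew_ok = None if offset is None else abs(offset) <= max_skew
    return {"time_offset": offset, "skew_ok": skew_ok,
            "errors": errors, "notes": notes, "causes": causes}


if __name__ == "__main__":
    result = triage(parse_records(SAMPLE_LOG))
    print("time offset:", result["time_offset"], "within tolerance:", result["skew_ok"])
    print("causes:", result["causes"])
    for level, msg in result["notes"]:
        print(f"note (level {level}): {msg}")
```
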
 

Re: [Samba] ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requ

2006-02-02 Thread Dimitri Yioulos
On Thursday February 02 2006 8:49 am, David Shapiro wrote:
 Is there no fix for this?  Nobody answers this for me or other people
 asking this question.

 I really need help with this.  Is there anything I can be looking at?
 I am not getting past doing a simple kinit
 [EMAIL PROTECTED]  It gives me the Cannot resolve network
 address for KDC as well.  Does ads not like krb5?  Does it need krb4?
 Why doesn't kerberos provide any messages in the logs?  Any suggestions
 on ways to figure out what is going on?  I tried truss, but that does
 not show much other than I do see it looking in /etc/krb5.conf and
 /usr/local/etc/krb5.conf.  I can use tcpdump, but I am not sure what to
 be looking for?

 David Shapiro
 Unix Team Lead
 919-765-2011

 David Shapiro
 Unix Team Lead
 919-765-2011

  Dimitri Yioulos [EMAIL PROTECTED] 2/1/2006 10:15:49 AM 

 On Wednesday February 01 2006 9:41 am, David Shapiro wrote:
  Hello,
 
  I am having a problem getting my server to join our realm as a

 domain

  member server.   I have read through google, yahoo, and this list,

 but I

  cannot find the answer yet.
 
  When I run: net join ads -Uadministrator and try to login it gives

 the

  following error:
 
   kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot
  resolve network address for KDC in requested realm
  [2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
ads_connect: Cannot resolve network address for KDC in requested
  realm
 
  The details of my setup are:
 
  aix 5.2.0.7
  libiconv-1.9.1
  autoconf-2.59
  libiodbc-3.52.4
  bison-2.0
  m4-1.4.3
  db-4.4.20
  mysql-connector-odbc-3.51.12
  krb
  samba-3.0.21a
 
  ../configure --prefix=/usr/local/samba --with-ads --with-ldap
  --with-winbind --with-acl-support --with-utmp --with-quotas
  --with-sendfile-support
 
  openldap-2.3.19
 
  ./configure --enable-crypt --without-cyrus-sasl
 
 
  unixODBC-2.2.11
  gcc 3.3.2
 
  /etc/krb5.conf:
 
  [libdefaults]
  default_realm = MYREALM.COM
  default_etypes = des-cbc-crc des-cbc-md5
  default_etypes_des = des-cbc-crc des-cbc-md5
  ticket_lifetime = 24000
  clockskew = 300
  dns_lookup_realm = false
  dns_lookup_kdc = false
 
  [realms]
  MYREALM.COM = {
  kdc = myadsserver.mydomain.com
  default_domain = mydomain.com
  }
 
  [domain_realm]
  .mydomain.com = MYREALM.COM
 
  [logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log
 
  /etc/hosts:
  1.2.3.4   myadsserver.mydomain.com myadsserver
 
 
  Note: Nothing goes into the logs and if I move aside the krb5.conf it
  still tries automatically MYREALM.COM.  I put an error in the

 krb5.conf

  file to see if it would notice, and it does warn about it, so it is
  looking in krb5.conf.
 
 
 
 
  David Shapiro
  Unix Team Lead
  919-765-2011

 In krb5.conf, try this:

 [realms]
   YOURDOMAIN.COM = {
default_domain = yourdomain.com
kdc = xxx.xxx.xxx.xxx   (my note - use ip address of AD server)
admin_server = xxx.xxx.xxx.xxx  (my note - use ip address of AD
 server)
 }

 HTH.

 Dimitri



David,

Firstly, be mindful that the list is made up of volunteers who do their best 
to provide answers as quickly as possible.  Sometimes you may have to wait a 
bit longer, but I've always found these folks to be most kind and helpful.  
Give 'em a chance.

Now, after that mild rebuke:  I have little experience with AIX; my responses 
are based on my work with Samba on Linux.  That said, I believe that you 
should have nsswitch.conf and resolv.conf files on the system.  Are these 
configured correctly?  Is pam.d/login configured correctly?

Dimitri



Re: [Samba] ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requested realm

2006-02-01 Thread Dimitri Yioulos
On Wednesday February 01 2006 9:41 am, David Shapiro wrote:
 Hello,

 I am having a problem getting my server to join our realm as a domain
 member server.   I have read through google, yahoo, and this list, but I
 cannot find the answer yet.

 When I run: net join ads -Uadministrator and try to login it gives the
 following error:

  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot
 resolve network address for KDC in requested realm
 [2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
   ads_connect: Cannot resolve network address for KDC in requested
 realm

 The details of my setup are:

 aix 5.2.0.7
 libiconv-1.9.1
 autoconf-2.59
 libiodbc-3.52.4
 bison-2.0
 m4-1.4.3
 db-4.4.20
 mysql-connector-odbc-3.51.12
 krb
 samba-3.0.21a

 ../configure --prefix=/usr/local/samba --with-ads --with-ldap
 --with-winbind --with-acl-support --with-utmp --with-quotas
 --with-sendfile-support

 openldap-2.3.19

 ./configure --enable-crypt --without-cyrus-sasl


 unixODBC-2.2.11
 gcc 3.3.2

 /etc/krb5.conf:

 [libdefaults]
 default_realm = MYREALM.COM
 default_etypes = des-cbc-crc des-cbc-md5
 default_etypes_des = des-cbc-crc des-cbc-md5
 ticket_lifetime = 24000
 clockskew = 300
 dns_lookup_realm = false
 dns_lookup_kdc = false

 [realms]
 MYREALM.COM = {
 kdc = myadsserver.mydomain.com
 default_domain = mydomain.com
 }

 [domain_realm]
 .mydomain.com = MYREALM.COM

 [logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log

 /etc/hosts:
 1.2.3.4   myadsserver.mydomain.com myadsserver


 Note: Nothing goes into the logs and if I move aside the krb5.conf it
 still tries automatically MYREALM.COM.  I put an error in the krb5.conf
 file to see if it would notice, and it does warn about it, so it is
 looking in krb5.conf.




 David Shapiro
 Unix Team Lead
 919-765-2011

In krb5.conf, try this:

[realms]
  YOURDOMAIN.COM = {
   default_domain = yourdomain.com
   kdc = xxx.xxx.xxx.xxx   (my note - use ip address of AD server)
   admin_server = xxx.xxx.xxx.xxx  (my note - use ip address of AD server)
}

HTH.

Dimitri
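
An added example, not part of the thread: a preflight check over the krb5.conf quoted above that finds the KDC entries for the default realm, tests whether each one resolves, and flags enctype settings that list only single-DES (deprecated for Kerberos by RFC 6649). `parse_krb5_conf`, `preflight` and `make_resolver` are hypothetical names, and the resolver table is constructed from the `/etc/hosts` line in the message so the check runs offline.

```python
import ipaddress
import socket

# krb5.conf as quoted in the message (quote indentation removed).
KRB5_CONF = """\
[libdefaults]
default_realm = MYREALM.COM
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
ticket_lifetime = 24000
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYREALM.COM = {
kdc = myadsserver.mydomain.com
default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYREALM.COM
"""

# Constructed lookup table mirroring the /etc/hosts line quoted in the message.
HOSTS = {"myadsserver.mydomain.com": "1.2.3.4", "myadsserver": "1.2.3.4"}

ENCTYPE_KEYS = ("default_etypes", "default_etypes_des", "default_tkt_enctypes",
                "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse the simple profile syntax used here into nested dicts of value lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = section if block is None else block
                target.setdefault(key, []).append(value)
    return conf


def make_resolver(hosts):
    """Offline stand-in for socket.getaddrinfo backed by a hosts table."""
    def resolve(host, port):
        try:
            # An IP literal needs no name lookup at all.
            return [(str(ipaddress.ip_address(host)), port)]
        except ValueError:
            pass
        if host not in hosts:
            raise socket.gaierror(f"{host}: name not known")
        return [(hosts[host], port)]
    return resolve


def preflight(conf, resolver=socket.getaddrinfo):
    """Return (code, detail) findings for the default realm's KDC settings."""
    findings = []
    lib = conf.get("libdefaults", {})
    realm = (lib.get("default_realm") or [None])[0]
    realm_conf = conf.get("realms", {}).get(realm)
    if not isinstance(realm_conf, dict):
        findings.append(("realm-missing", f"no [realms] block for {realm!r}"))
        realm_conf = {}
    kdcs = realm_conf.get("kdc", [])
    dns_off = (lib.get("dns_lookup_kdc") or [""])[0].lower() in ("false", "no", "0")
    if not kdcs and dns_off:
        findings.append(("no-kdc", "no kdc entry and dns_lookup_kdc is off"))
    for entry in kdcs:
        host, _, port = entry.partition(":")
        try:
            resolver(host, int(port) if port else 88)
        except (OSError, ValueError) as exc:
            findings.append(("kdc-unresolvable", f"{entry}: {exc}"))
    for key in ENCTYPE_KEYS:
        for value in lib.get(key, []):
            etypes = value.replace(",", " ").split()
            if etypes and all(e.startswith("des-") for e in etypes):
                findings.append(("des-only-enctypes", f"{key} = {value}"))
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for label, table in (("with hosts entry", HOSTS), ("without hosts entry", {})):
        print(label, preflight(conf, make_resolver(table)))
```

Passing no resolver makes `preflight` use `socket.getaddrinfo`, which exercises the host's real name-service configuration instead of the constructed table.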



[Samba] iptables rules for samba

2006-01-06 Thread Dimitri Yioulos
Hello to all.

There are plenty of posts with iptables rules for samba out there.  
Unfortunately, they're all different.  For a straightforward setup (access 
by LAN only), is there a definitive set of iptables rules for samba to be 
found anywhere?

Thanks.

Dimitri  



Re: [Samba] Re: Samba 3.0.21 Available for Download

2005-12-21 Thread Dimitri Yioulos
On Wednesday December 21 2005 4:58 pm, Ed Kasky wrote:
 At 01:29 PM Wednesday, 12/21/2005, Gerald (Jerry) Carter wrote -=

   Ed Kasky wrote:
At 12:46 PM Tuesday, 12/20/2005, Gerald (Jerry) Carter wrote -=
   
This is the latest stable release of Samba. This is the version
that production Samba servers should be running for all current
bug-fixes.  Please read the following important changes in this
release.
   
Binary packages are available at
   
http://download.samba.org/samba/ftp/Binary_Packages/
   
How long usually before the SRPM's are available?
  
   For what platform?
  
   Redhat.
 
 RedHat xx ?  Enterprise?   I stopped producing SRPMS for RedHat
 7.3 + in hopes that it wouldn't be noticed.   I'm assuming you
 noticed.  Is there still a great demand for RedHat 9 ?

 I use the source rpm and would you believe 7.2?  I know, I know - but it
 works!

 The most recent SRPM was samba-3.0.20b-1.src.rpm - 13-Oct-2005


Jerry,

This is only based on anecdotal information, but I think that RH 7.3 is still 
used to a fair extent.  Certainly, SRPMs for the RHELs (3 and 4) are useful.

Dimitri



Re: [Samba] Newbie

2005-12-08 Thread Dimitri Yioulos
On Thursday December 08 2005 9:30 am, Craig White wrote:
 On Thu, 2005-12-08 at 09:20 -0500, john steele wrote:
  Hello,
 
  I am new to SAMBA and Linux and need help finding documentation on the
  setup and how to integrate SAMBA and LDAP with Windows based clients.  I
  have done a lot of looking around and found a lot of information, but it
  all seems to be written for someone with some knowledge of both software
  packages.  I did pickup two Linux Admin books from Tech Republic and they
  are helpful.  But they seem to be missing parts that I guess someone with
  more knowledge than myself would know.   I guess I should give you a
  little background on myself.  I am a Network Engineer with 21 years of
  Microsoft experience. In the past few years I have been getting fed up
  with MS forcing me to upgrade all my servers just because they want to
  sell a new OS.  So I have begun looking into LINUX.  Because of the large
  MS client base (over 1000 clients) my employer wants a solution that will
  integrate easily and SAMBA looks like that option.
 
  Can you point me in the direction of some doc's or even some books that
  will give the whole story or at least fill in the blanks.  Thanks up
  front for all help.

 
 The official Samba documentation...

 http://www.samba.org/samba/docs

 See the 'How-To' for a very complete reference
 See the 'By Example' for installation guidance

 Both are available in dead tree form at your favorite bookseller or
 online above in html/pdf form

 Craig


First, welcome to Linux!  I'm confident you'll find it a great operating 
system - robust, scalable, extensible, etc.  It'll do all you want, and more.

Samba is an excellent tool for making Linux shares available to Windows 
clients.  The two Samba references that Craig mentioned above are excellent, 
and should be your starting point; they're well-written and very thorough (as 
always, thanks John T., and all the Samba team).  Now, I'm guilty of this 
too, at times, but do read the Samba reference guides.  Then, use this 
mailing list.  I don't want to do the whole love-fest thing here (well, ok, 
yes I do), but this list's members are among the most patient and helpful 
I've found.  So, do use their knowledge, but use it wisely.

Dimitri



Re: [Samba] deploy application on Windows Stations

2005-10-12 Thread Dimitri Yioulos
On Wednesday October 12 2005 11:25 am, FM wrote:
 Hello,

 How do-you handle applications deployment  with SAMBA domain and Windows
 XP workstations ?

 non free softwares are ok too :-)

 Thanks !!

SNIP

I haven't used it, but you may want to take a look at WPKG (http://wpkg.org).

Dimitri



Re: [Samba] Horrible Linux/Samba vs Windows political battle - can you help?

2005-09-20 Thread Dimitri Yioulos
On Tuesday 20 September 2005 2:56 am, Tomasz Chmielewski wrote:
 Gregory A. Cain schrieb:
  Greetings,
 
  I am currently the IT Manager for a 30-person architectural firm. About
  5 months ago we hired a new employee. He is quite good at what he does.
  He is also extremely opinionated, particularly when it comes to computer
  software, including server software.
 
  I'm running the office server functions on RedHat, Fedora and Trustix
  servers. He has managed to convince my boss that there are serious
  problems with these servers and with Linux in general. After having
  worked here for over 14 years, I would have hoped my boss would have
  more trust in my choices.
 
  In any case, I now find myself in the position of having to defend my
  position here. My boss has gone as far as to hire an independent
  consultant to evaluate our whole network infrastructure, simply on the
  basis of the new employee's statements about the worthlessness of
  Linux. I do not relish being put in this position, however I'm going to
  take a stand.
 
  If there is anyone reading this who works in the field of architecture
  or engineering, and with CAD or BIM software, who is using Linux as your
  server software, I would sure be appreciative it if you could write a
  testimonial for me to help me convince my boss that migrating from Linux
  to MS would be a horrible mistake.

 perhaps it would help us if you told which statements he said about the
 worthlessness of Linux?
 and why he claims Windows would be superior over Linux in your case.

 what our company does at the moment is quite reverse - migrating our
 customers Windows to Linux, or just setting Linux in new locations, as
 it has better value and is easier to manage.

 --
 Tomek
 http://wpkg.org

I don't work in an engineering or architectural firm, but I hope this will help 
anyway:

I manage a busy 45-person financial services firm.  Since we're a lender, and 
thus scrutinized not only by customers and a board of directors, but also by 
regulators in every state in which we do business, reliability, stability,  
scalability, and security are all paramount to us.  Some might say I gambled 
on Linux, relying too heavily on it in a high-profile environment.  However, 
several years of working with it and following led me to believe it would do 
all that was asked of it.  And, since our system was built when we first 
started the business, we stood to save lots of money we could plow into other 
aspects of the business.

We have eight servers in our current set-up: one Windows 2003 server, and 
seven CentOS Linux servers.  The one Windows server is there only because of 
the accounting software we use (it hasn't been ported to Linux ... yet).  The 
Windows server does act as the system's PDC.  The Linux servers act as: file 
and print servers, mail server, web server, database server, application 
server, fax server, secure FTP and VPN servers, and firewall.  Samba works 
beautifully to allow us to access shares on the Linux servers from our 
Windows XP desktops.  Road warriors connect quickly and securely via our open 
source VPN.  Our systems are backed up to tape using a commercial backup 
software running on Linux.

If I've ever had a problem with these systems, and there have been few, my own 
intelligence and ability to research (I'd need to rely on that in a pure 
Microsoft environment, too), and help from the community get me through 
nicely.  I've achieved the reliability, stability,  scalability, and security 
I was after without sacrificing on the quality of the programs I've installed 
and use.  Our end-users are virtually unaware of the back-end systems we use.  
Frankly, they don't care, as long as they just work.  And, they do, day-in 
and day-out, for over two years now.

I'm not trying to evangelize here.  I have business needs that have to be 
met right away with the good products.  I also don't want to knock Microsoft; 
I do use its products.  However, they're no more reliable, stable, scalable, 
or secure than our Linux servers.  In fact, our experience is that they tend 
to be less so.  Nor are they any more easy to maintain.

Finally, if I'm not convincing enough, read almost any publication these days 
(general circulation, not just trade journals), and see how many companies, 
from the Fortune 500 on down, are using Linux in their shops.  And, for 
mission critical purposes.  The likes of IBM, Oracle, etc. wouldn't be 
involved with Linux if it weren't a great product here for the long-haul.

Hope this helps.

I'll be happy to provide my full name, title, and company off-list, if you 
need.

Dimitri


Re: [Samba] Re: Authentication against AD?

2005-09-15 Thread Dimitri Yioulos
On Thursday 15 September 2005 11:21 am, you wrote:
 /snip

 Oops, obviously these lines are uncommented (how'd I do that?):
 
 idmap uid = 1-2
 idmap gid = 1-2
 
 Dimitri

 Odd, here is what I am getting when I do a net groupmap list:

 System Operators (S-1-5-32-549) - -1
 Domain Admins (S-1-5-21-2000478354-789336058-725345543-512) - -1
 Replicators (S-1-5-32-552) - -1
 Guests (S-1-5-32-546) - -1
 Domain Users (S-1-5-21-2247000946-2623471383-2375109730-513) - -1
 Domain Users (S-1-5-21-2000478354-789336058-725345543-513) - -1
 Power Users (S-1-5-32-547) - -1
 Print Operators (S-1-5-32-550) - -1
 Administrators (S-1-5-32-544) - -1
 Domain Guests (S-1-5-21-2000478354-789336058-725345543-514) - -1
 Domain Admins (S-1-5-21-2247000946-2623471383-2375109730-512) - -1
 Account Operators (S-1-5-32-548) - -1
 Domain Guests (S-1-5-21-2247000946-2623471383-2375109730-514) - -1
 Backup Operators (S-1-5-32-551) - -1
 Users (S-1-5-32-545) - -1

 So this is a good indication I am a member server, but the startup logs
 are still indicating this as a logon server.  Am I running the wrong
 command to join the domain?

 % net ads join -Uadmin ad_container_name

Try net ads join -U Nameusedwithkinit(e.g. Your Win2k3 
Administrator)@MYDOMAIN.COM

Dimitri


Re: [Samba] Re: Authentication against AD?

2005-09-15 Thread Dimitri Yioulos
On Thursday 15 September 2005 3:32 pm, you wrote:
 /snip

 Ok I think I have found my problem.  I need to find a way to map Samba
 to an active directory common name:

 % net ads join -UAdministrator cn=users,dc=domain,dc=com  (example,
 I know the syntax is incorrect)

 As far as I can tell it is hard coded in the net ads join routine to
 tack on the ou=users vs. cn=users, anyone shed some light on this?

Uh, I must be missing something here. This is a pretty straightforward set-up, 
right?  You want to join this Samba box to a Win2k3 server for file- or 
print-serving purposes?  I've always felt that you get a basic set-up working 
first, then start to get fancy.

AFAIK:

1. kinit [EMAIL PROTECTED]
(You'll be prompted for a password.  My systems simply return me to a prompt 
if I'm successful.)
2. net ads join -U [EMAIL PROTECTED]
(Again, you'll be prompted for a password. Info about the machine joining the 
AD is returned)

Beyond this, someone else will have to help out.

Best,

Dimitri


Re: [Samba] Re: Authentication against AD?

2005-09-15 Thread Dimitri Yioulos
On Thursday 15 September 2005 4:17 pm, you wrote:
 Dimitri Yioulos wrote:
 On Thursday 15 September 2005 3:32 pm, you wrote:
 /snip
 
 Ok I think I have found my problem.  I need to find a way to map Samba
 to an active directory common name:
 
 % net ads join -UAdministrator cn=users,dc=domain,dc=com  (example,
 I know the syntax is incorrect)
 
 As far as I can tell it is hard coded in the net ads join routine to
 tack on the ou=users vs. cn=users, anyone shed some light on this?
 
 Uh, I must be missing something here. This is a pretty straightforward
  set-up, right?  You want to join this Samba box to a Win2k3 server for
  file- or print-serving purposes?  I've always felt that you get a basic
  set-up working first, then start to get fancy.
 
 AFAIK:
 
 1. kinit [EMAIL PROTECTED]
 (You'll be prompted for a password.  My systems simply return me to a
  prompt if I'm successful.)
 2. net ads join -U [EMAIL PROTECTED]
 (Again, you'll be prompted for a password. Info about the machine joining
  the AD is returned)
 
 Beyond this, someone else will have to help out.
 
 Best,
 
 Dimitri

 Yeah this works, I can get my krb creds:

 [EMAIL PROTECTED]:~ kinit [EMAIL PROTECTED]
 Password for [EMAIL PROTECTED]:
 [EMAIL PROTECTED]:~ klist
 Ticket cache: FILE:/tmp/krb5cc_1000
 Default principal: [EMAIL PROTECTED]

 Valid starting     Expires            Service principal
 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/[EMAIL PROTECTED]
 renew until 09/16/05 14:12:30


 Kerberos 4 ticket cache: /tmp/tkt1000
 klist: You have no tickets cached

 And this works as well:

 [EMAIL PROTECTED]'s password:
 [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
   ads_add_machine_acct: Host account for odin-newb already exists -
 modifying old account
 Using short domain name -- DOMAIN.COM
 Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'

 But when testing, using wbinfo -u or getent I am getting only the local
 passwd accounts.

 [EMAIL PROTECTED]:~ wbinfo -u
 Error looking up domain users

 And here is where my accounts need to be authenticated from

 LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com

 Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I can
 get more info on this.

So, you're not authenticating against ADS?  If you are, are you sure the 
winbind daemon is running?

Dimitri


Re: [Samba] Re: Authentication against AD?

2005-09-14 Thread Dimitri Yioulos
On Wednesday 14 September 2005 10:21 am, you wrote:
 Could I get an example of the /etc/pam.d/login configuration for use
 with winbind?

 Dimitri Yioulos wrote:
 On Tuesday 13 September 2005 3:58 pm, Rex Dieter wrote:
 Jason Gerfen wrote:
 I am having a hard time getting Samba to authenticate correctly
 against a Windows Active Directory setup.
 
        template shell = /bin/bash
        template homedir = /home/%D/%U
 
 I can run the net ads join command which works fine, but if I try to
 authenticate without a local account I am receiving errors.  Any
 assistance or pointers is appreciated.
 
 If you want to avoid the use of local accounts, you also need to
 configure/use winbind and pam+nss_winbind
 
 -- Rex
 
 Rex is right.  You need to configure resolv.conf, nsswitch.conf, and
 etc/pam.d/login.
 
 Dimitri

Jason,

I'll do it, but you really should read Samba-3 by Example.  John H. and 
company have done an excellent job of documenting Samba configuration and 
use.  It would be better to use the mailing list after that.

That said:

#%PAM-1.0
auth       required     pam_securetty.so
auth    sufficient      pam_winbind.so
auth    sufficient      pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account sufficient      pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

Dimitri


Re: [Samba] Re: Authentication against AD?

2005-09-14 Thread Dimitri Yioulos
On Wednesday 14 September 2005 11:11 am, you wrote:
 I just wanted to make sure what I have currently is accurate for the
 /etc/pam.d/login, which according to what you sent me and the HOWTO you
 referred me to it is.

 For some reason I am still having problems.  Would it matter if I had
 a non-traditional active directory schema (was modified to include unix
 services)?

 Dimitri Yioulos wrote:
 On Wednesday 14 September 2005 10:21 am, you wrote:
 Could I get an example of the /etc/pam.d/login configuration for use
 with winbind?
 
 Dimitri Yioulos wrote:
 On Tuesday 13 September 2005 3:58 pm, Rex Dieter wrote:
 Jason Gerfen wrote:
 I am having a hard time getting Samba to authenticate correctly
 against a Windows Active Directory setup.
 
   template shell = /bin/bash
   template homedir = /home/%D/%U
 
 I can run the net ads join command which works fine, but if I try to
 authenticate without a local account I am receiving errors.  Any
 assistance or pointers is appreciated.
 
 If you want to avoid the use of local accounts, you also need to
 configure/use winbind and pam+nss_winbind
 
 -- Rex
 
 Rex is right.  You need to configure resolv.conf, nsswitch.conf, and
 etc/pam.d/login.
 
 Dimitri
 
 Jason,
 
 I'll do it, but you really should read Samba-3 by Example.  John H. and
 company have done an excellent job of documenting Samba configuration and
 use.  It would be better to use the mailing list after that.
 
 That said:
 
 #%PAM-1.0
 auth       required     pam_securetty.so
 auth       sufficient   pam_winbind.so
 auth       sufficient   pam_unix.so use_first_pass
 auth       required     pam_stack.so service=system-auth
 auth       required     pam_nologin.so
 account    sufficient   pam_winbind.so
 account    required     pam_stack.so service=system-auth
 password   required     pam_stack.so service=system-auth
 session    required     pam_stack.so service=system-auth
 session    optional     pam_console.so
 
 Dimitri

I don't particularly see that as being an issue.  So, let's review:

- Your smb.conf was changed to include/modify/etc. the directives mentioned in 
previous posts.

Let me say here that I use the ip address in  password server =.  I'd also 
change realm = server.com to realm = SERVER.COM.  I know these work for me, 
and we have 6 samba member servers working great in our AD scheme.

- nsswitch.conf, resolv.conf, and /etc/pam.d/login are configured correctly.

- krb5.conf is configured correctly.

You might want to post your krb5.conf so we can have a look-see.

When you start samba, do you also start the winbind daemon?

Dimitri


Re: [Samba] Re: Authentication against AD?

2005-09-14 Thread Dimitri Yioulos
On Wednesday 14 September 2005 11:38 am, you wrote:
 You might want to post your krb5.conf so we can have a look-see.
 
 When you start samba, do you also start the winbind daemon?
 
 Dimitri

 [libdefaults]
 default_realm = REALM.COM
 clockskew = 300

 [realms]
 UTAH.EDU = {
 kdc = 192.168.0.5
 default_domain = domain.com
 admin_server = 192.168.0.5
 }

 [logging]
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log
 [domain_realm]
 .domain.com = REALM.COM
 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 }

 And I am starting both the winbind daemon with the samba daemon.

You showed me yours, I'll show you mine :-)

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc

[realms]
 MYDOMAIN.COM = {
  default_domain = mydomain.com
  kdc = 192.168.100.3
  admin_server = 192.168.100.3
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Note the default enctypes.  Seems in the way back I was getting errors; adding 
these fixed that.  Others may disagree, and YMMV.

Dimitri


Re: [Samba] Re: Authentication against AD?

2005-09-14 Thread Dimitri Yioulos
On Wednesday 14 September 2005 3:26 pm, Jason Gerfen wrote:
 Dimitri Yioulos wrote:
  On Wednesday 14 September 2005 1:07 pm, you wrote:
  snippit
 
  add_domain_logon_names:
   Attempting to become logon server for workgroup SCL.UTAH.EDU on subnet
  192.168.0.3
  [2005/09/14 10:38:12, 0]
  nmbd/nmbd_logonnames.c:become_logon_server_success(124)
   become_logon_server_success: Samba is now a logon server for workgroup
  SCL.UTAH.EDU on subnet 192.168.0.3
  [2005/09/14 10:43:48, 0]
  nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
   *
 
   Samba name server ODIN-NEWB is now a local master browser for
  workgroup DOMAIN.Com on subnet 192.168.0.3
 
   *
 
  I am still not able to authenticate against the domain, any other
  suggestions?
 
  I think a tip-off is:
 
  nmbd/nmbd_logonnames.c:become_logon_server_success(124)
  become_logon_server_success: Samba is now a logon server for workgroup
  SCL.UTAH.EDU on subnet 192.168.0.3
 
  Is that what you want?  If the samba box has become the logon server,
  then what's the purpose of your Win2k3 server?
 
  Dimitri

 Ok, so how do I fix it?  Here is my configuration:

 smb.conf

 [global]
workgroup = DOMAIN.COM
realm = REALM.COM
security = ADS
domain logons = yes
encrypt passwords = yes
password server = DC1.DOMAIN.COM DC2.DOMAIN.COM
server string = odin.scl.utah.edu
ldap idmap suffix = ou=users,dc=domain,dc=com
prefered master = No
local master = no
domain master = No
prefered master = no
hide unreadable = no
wins support = no
dns proxy = no
idmap uid = 15000-2
idmap gid = 15000-2
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/useradd  -c Machine -d
 /var/lib/nobody -s /bin/false %m$
use spnego = yes
update encrypted = yes
winbind use default domain = yes
winbind separator = \
winbind enum users = yes
winbind enum groups = yes
os level = 20
template shell = /bin/bash
template homedir = /home/%D/%U

 [odin]
comment = samba box
inherit acls = Yes
path = /usr/local/odin/
read only = no
user = @DOMAIN+domain users
force group = users
force user = users
guest ok = no

 krb5.conf

 [libdefaults]
 default_realm = REALM.COM
 clockskew = 300
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc

 [realms]
 REALM.COM = {
 kdc = 192.168.0.2
 default_domain = scl.utah.edu
 admin_server = 192.168.0.2
 }

 [logging]
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log

 [domain_realm]
 .domain.com = REALM.COM
 domain.com = REALM.COM

 [appdefaults]
 pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
 }

 nsswitch.conf

 passwd: files winbind
 shadow: files
 group:  files winbind

 pam.d/login

 #%PAM-1.0
 auth     required   pam_securetty.so
 auth     include    common-auth
 auth     required   pam_nologin.so
 auth     required   pam_mail.so
 auth     sufficient pam_winbind.so
 #account include    common-account
 account  sufficient pam_winbind.so
 password include    common-password
 session  include    common-session
 session  required   pam_resmgr.so

 What am I doing wrong?  I followed the samba howto on ADS domain membership
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member


 here are the results of the commands run when creating the computer
 account:

 [EMAIL PROTECTED]:~ sudo net ads join -UAdmin
 Admin's password:
 [2005/09/14 13:26:03, 0] libads/ldap.c:ads_add_machine_acct(1405)
  ads_add_machine_acct: Host account for odin-newb already exists -
 modifying old account
 Using short domain name -- SCL.UTAH.EDU
 Joined 'ODIN-NEWB' to realm 'SCL.UTAH.EDU'

 Am I ok up to this point?

 --
 Jason Gerfen

CLIP

Please understand that my configuration is pretty straightforward.  My samba 
boxes are not PDCs/BDCs, I don't use ACLs, etc.  All I want is basic access 
for file and print serving.  Again, that said:

Looks like you're good, up to a point, in that you've joined the domain.  If 
you go to your Win2k3 server, can you browse the samba share you created?

I'm certainly no expert (in fact, the people on the list have helped me), but 
I'm not sure why you need:

ldap idmap suffix = ou=users,dc=domain,dc=com

Anyway, here's my smb.conf from one of my servers:

[global]
   workgroup = HEADQUARTERS
   netbios name = NORWELL
   server string = 
   hosts allow = 192.168.100. 10.8.0.0/24 127.
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/%m.log
   max

Re: [Samba] Re: Authentication against AD?

2005-09-14 Thread Dimitri Yioulos
On Wednesday 14 September 2005 3:56 pm, you wrote:
 On Wednesday 14 September 2005 3:26 pm, Jason Gerfen wrote:
  Dimitri Yioulos wrote:
   On Wednesday 14 September 2005 1:07 pm, you wrote:
   snippit
  
   add_domain_logon_names:
Attempting to become logon server for workgroup SCL.UTAH.EDU on
   subnet 192.168.0.3
   [2005/09/14 10:38:12, 0]
   nmbd/nmbd_logonnames.c:become_logon_server_success(124)
become_logon_server_success: Samba is now a logon server for
   workgroup SCL.UTAH.EDU on subnet 192.168.0.3
   [2005/09/14 10:43:48, 0]
   nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
*
  
Samba name server ODIN-NEWB is now a local master browser for
   workgroup DOMAIN.Com on subnet 192.168.0.3
  
*
  
   I am still not able to authenticate against the domain, any other
   suggestions?
  
   I think a tip-off is:
  
   nmbd/nmbd_logonnames.c:become_logon_server_success(124)
   become_logon_server_success: Samba is now a logon server for workgroup
   SCL.UTAH.EDU on subnet 192.168.0.3
  
   Is that what you want?  If the samba box has become the logon server,
   then what's the purpose of your Win2k3 server?
  
   Dimitri
 
  Ok, so how do I fix it?  Here is my configuration:
 
  smb.conf
 
  [global]
 workgroup = DOMAIN.COM
 realm = REALM.COM
 security = ADS
 domain logons = yes
 encrypt passwords = yes
 password server = DC1.DOMAIN.COM DC2.DOMAIN.COM
 server string = odin.scl.utah.edu
 ldap idmap suffix = ou=users,dc=domain,dc=com
 prefered master = No
 local master = no
 domain master = No
 prefered master = no
 hide unreadable = no
 wins support = no
 dns proxy = no
 idmap uid = 15000-2
 idmap gid = 15000-2
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 add machine script = /usr/sbin/useradd  -c Machine -d
  /var/lib/nobody -s /bin/false %m$
 use spnego = yes
 update encrypted = yes
 winbind use default domain = yes
 winbind separator = \
 winbind enum users = yes
 winbind enum groups = yes
 os level = 20
 template shell = /bin/bash
 template homedir = /home/%D/%U
 
  [odin]
 comment = samba box
 inherit acls = Yes
 path = /usr/local/odin/
 read only = no
 user = @DOMAIN+domain users
 force group = users
 force user = users
 guest ok = no
 
  krb5.conf
 
  [libdefaults]
  default_realm = REALM.COM
  clockskew = 300
  dns_lookup_realm = true
  dns_lookup_kdc = true
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  default_tgs_enctypes = des-cbc-crc
 
  [realms]
  REALM.COM = {
  kdc = 192.168.0.2
  default_domain = scl.utah.edu
  admin_server = 192.168.0.2
  }
 
  [logging]
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log
 
  [domain_realm]
  .domain.com = REALM.COM
  domain.com = REALM.COM
 
  [appdefaults]
  pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
  }
 
  nsswitch.conf
 
  passwd: files winbind
  shadow: files
  group:  files winbind
 
  pam.d/login
 
  #%PAM-1.0
  auth     required   pam_securetty.so
  auth     include    common-auth
  auth     required   pam_nologin.so
  auth     required   pam_mail.so
  auth     sufficient pam_winbind.so
  #account include    common-account
  account  sufficient pam_winbind.so
  password include    common-password
  session  include    common-session
  session  required   pam_resmgr.so
 
  What am I doing wrong?  I followed the samba howto on ADS domain
  membership
  http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
 
 
  here are the results of the commands run when creating the computer
  account:
 
  [EMAIL PROTECTED]:~ sudo net ads join -UAdmin
  Admin's password:
  [2005/09/14 13:26:03, 0] libads/ldap.c:ads_add_machine_acct(1405)
   ads_add_machine_acct: Host account for odin-newb already exists -
  modifying old account
  Using short domain name -- SCL.UTAH.EDU
  Joined 'ODIN-NEWB' to realm 'SCL.UTAH.EDU'
 
  Am I ok up to this point?
 
  --
  Jason Gerfen

 CLIP

 Please understand that my configuration is pretty straightforward.  My
 samba boxes are not PDCs/BDCs, I don't use ACLs, etc.  All I want is basic
 access for file and print serving.  Again, that said:

 Looks like you're good, up to a point, in that you've joined the domain. 
 If you go to your Win2k3 server, can you browse the samba share you
 created?

 I'm certainly no expert (in fact, the people on the list have helped me),
 but I'm not sure why you need:

 ldap idmap suffix = ou=users,dc=domain,dc=com

 Anyway, here's my smb.conf from one of my servers:

 [global

Re: [Samba] Authentication against AD?

2005-09-13 Thread Dimitri Yioulos
On Tuesday 13 September 2005 11:09 am, Jason Gerfen wrote:
 I am having a hard time getting Samba to authenticate correctly
 against a Windows Active Directory setup.

 Here is a snap of the smb.conf
 [global]
 passdb backend = ldapsam
 security = domain
 password server = server1.com server2.com
 prefered master = No
 local master = no
 hide unreadable = yes
 wins support = no
 winbind use default domain = yes
 domain master = No
 netbios name = samba-newb
 workgroup = scl
 prefered master = no
 dns proxy = no
 idmap uid = 15000-2
 idmap gid = 15000-2
 realm = server.com
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 add machine script = /usr/sbin/useradd  -c Machine -d
 /var/lib/nobody -s /bin/false %m$
 use spnego = yes
 server string = samba-newb
 update encrypted = yes
 domain logons = yes
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 encrypt passwords = yes
 os level = 20
 template shell = /bin/bash
 template homedir = /home/%D/%U

 [newb]
 comment = newb
 inherit acls = Yes
 path = /usr/local/files/
 read only = no
 force group = users
 force user = users
 guest ok = no

 I can run the net ads join command which works fine, but if I try to
 authenticate without a local account I am receiving errors.  Any
 assistance or pointers is appreciated.

 --
 Jason Gerfen
 Student Computing Labs, University Of Utah
 [EMAIL PROTECTED]

 J. Willard Marriott Library
 295 S 1500 E, Salt Lake City, UT 84112-0860
 801-585-9810

 My girlfriend threatened to
  leave me if I went boarding...
  I will miss her.
  ~ DIATRIBE aka FBITKK

Jason,

It looks like your smb.conf is set up more for a Samba PDC than for a member 
server in a Windows AD.  Are you looking to make your Samba server a member 
server?  If so:

security = ads
wins server = ip.of.your.winsserver

I don't believe you need:

passdb backend = ldapsam

Is kerberos installed, and do you have krb5.conf set up properly?

Dimitri
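
The member-server points made in this reply and in the follow-ups above (`security = ads`, no `passdb backend = ldapsam`, an upper-case `realm`, the logon-server log line that `domain logons = yes` produces, and `winbind` in nsswitch.conf) can be checked mechanically. The Python below is an added example, not code from the thread or from Samba; its parser is simplified, and the sample configs and function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the [global] section quoted in this thread.
SAMPLE_SMB_CONF = """\
[global]
    passdb backend = ldapsam
    security = domain
    password server = server1.com server2.com
    realm = server.com
    workgroup = scl
    domain logons = yes
    winbind use default domain = yes
    winbind separator = +
    template shell = /bin/bash
    template homedir = /home/%D/%U

[newb]
    path = /usr/local/files/
    read only = no
"""

# Constructed nsswitch.conf fragment: "group" does not consult winbind.
SAMPLE_NSSWITCH = """\
passwd: files winbind
shadow: files
group:  files
"""


def norm_key(key):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}.

    Simplified on purpose: no 'include' handling and no backslash line
    continuation; `testparm -s` remains the authoritative parser.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[norm_key(key)] = value.strip()
    return sections


def is_true(value):
    """Samba boolean spellings that mean 'enabled'."""
    return value.strip().lower() in ("yes", "true", "on", "1")


def lint_member_server(text):
    """Return [(parameter, message)] for [global] settings that contradict
    the AD member-server role discussed in the thread."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    security = g.get("security", "").lower()
    if security != "ads":
        findings.append(("security",
                         "is %r; an AD member server uses 'ads'" % (security or "unset")))
    if is_true(g.get("domainlogons", "no")):
        findings.append(("domain logons",
                         "enabled; nmbd registers as a logon server, a DC role"))
    if g.get("passdbbackend", "").lower().startswith("ldapsam"):
        findings.append(("passdb backend",
                         "ldapsam is not needed when winbind supplies the AD accounts"))
    realm = g.get("realm", "")
    if not realm:
        findings.append(("realm", "missing; 'security = ads' needs the Kerberos realm"))
    elif realm != realm.upper():
        findings.append(("realm", "%r is not upper case; use %r" % (realm, realm.upper())))
    return findings


def lint_nsswitch(text):
    """Return the databases among passwd/group that do not list winbind."""
    sources = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            sources[db.strip()] = rest.split()
    return [db for db in ("passwd", "group") if "winbind" not in sources.get(db, [])]


if __name__ == "__main__":
    for param, message in lint_member_server(SAMPLE_SMB_CONF):
        print("smb.conf: %s: %s" % (param, message))
    for db in lint_nsswitch(SAMPLE_NSSWITCH):
        print("nsswitch.conf: %s: winbind not listed" % db)
```
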


Re: [Samba] Re: Authentication against AD?

2005-09-13 Thread Dimitri Yioulos
On Tuesday 13 September 2005 3:58 pm, Rex Dieter wrote:
 Jason Gerfen wrote:
  I am having a hard time getting Samba to authenticate correctly
  against a Windows Active Directory setup.
 
 template shell = /bin/bash
 template homedir = /home/%D/%U
 
  I can run the net ads join command which works fine, but if I try to
  authenticate without a local account I am receiving errors.  Any
  assistance or pointers is appreciated.

 If you want to avoid the use of local accounts, you also need to
 configure/use winbind and pam+nss_winbind

 -- Rex
 
Rex is right.  You need to configure resolv.conf, nsswitch.conf, and 
etc/pam.d/login.

Dimitri


Re: [Samba] samba banner string

2005-09-01 Thread Dimitri Yioulos
On Thursday 01 September 2005 08:14, Wolfgang Ratzka wrote:
  How do I get rid of the banner  SAMBA 3.0.14a  on debian on sarge
  (pdcsrv)

 Just edit the server string parameter in your smb.conf file.

 --
 Wolfgang Ratzka  Phone: +49 6421 2823531  FAX: +49 6421 2826994
 Uni Marburg,  HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
   http://www.uni-marburg.de/hrz/mitarbeiter/ratzka.html

in smb.conf:

server string = 


Re: [GOLUM] RE: [Samba] pdbedit not working as documented

2005-08-10 Thread Dimitri Yioulos
You think Microsoft's mailing lists and forums are better?  Just wait (and 
wait, and ...).  Oh, that's right, you can call Microsoft for help ... and 
shell out $295 per.

Dimitri 

John McLoskey wrote:
 Thanks everyone for your lack of any response whatsoever, I find it builds
 character to be ignored throughout challenges I encounter in my life. Since
 I was unable to explain why Samba is predisposed to a range of SID for all
 accounts, the client who was interested in keeping his Linux/Samba solution
 will be migrating to Windows 2003. I hope that feels as bad, deep in your
 stomach, as it does mine! Thanks for nothing.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 John McLoskey
 Sent: Tuesday, August 09, 2005 3:03 AM
 To: samba@lists.samba.org; [EMAIL PROTECTED]
 Subject: [GOLUM] RE: [Samba] pdbedit not working as documented
 
 Am I building user_sid internally every time? 
 We seem to ignore -U argument to pdbedit.
 At line 475 of samba-3.0.14a/source/utils/pdbedit.c;
 
   if (user_sid) {
       DOM_SID u_sid;
       if (!string_to_sid(&u_sid, user_sid)) {
           /* not a complete sid, may be a RID, try building a SID */
           int u_rid;

           if (sscanf(user_sid, "%d", &u_rid) != 1) {
               fprintf(stderr, "Error passed string is not a complete user SID or RID!\n");
               return -1;
           }
           sid_copy(&u_sid, get_global_sam_sid());
           sid_append_rid(&u_sid, u_rid);
       }
       pdb_set_user_sid (sam_pwent, &u_sid, PDB_CHANGED);
   }
   if (group_sid) {
       DOM_SID g_sid;
       if (!string_to_sid(&g_sid, group_sid)) {
           /* not a complete sid, may be a RID, try building a SID */
           int g_rid;

           if (sscanf(group_sid, "%d", &g_rid) != 1) {
               fprintf(stderr, "Error passed string is not a complete group SID or RID!\n");
               return -1;
           }
           sid_copy(&g_sid, get_global_sam_sid());
           sid_append_rid(&g_sid, g_rid);
       }
       pdb_set_group_sid (sam_pwent, &g_sid, PDB_CHANGED);
   }
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf
 Of John McLoskey
 Sent: Tuesday, August 09, 2005 12:46 AM
 To: samba@lists.samba.org
 Subject: RE: [Samba] pdbedit not working as documented
 
 Modifying account has same behavior;
 
 smbsvr# pdbedit -r test1 -U S-1-5-21-1375268081-527015025-691025275-3010
 Unix username:        test1
 NT username:
 Account Flags:        [U          ]
 User SID:             S-1-5-21-1375268081-527015025-691025275-3008
 Primary Group SID:    S-1-5-21-1375268081-527015025-691025275-3009
 Full Name:            User 
 Home Directory:       \\smbsvr\home\test1
 HomeDir Drive:        H:
 Logon Script:
 Profile Path:         \\smbsvr\home\test1\profile
 Domain:               WORKGROUP
 Account desc:
 Workstations:
 Munged dial:
 Logon time:           0
 Logoff time:          Mon, 18 Jan 2038 21:14:07 UTC
 Kickoff time:         Mon, 18 Jan 2038 21:14:07 UTC
 Password last set:    Tue, 09 Aug 2005 04:53:13 UTC
 Password can change:  Tue, 09 Aug 2005 04:53:13 UTC
 Password must change: Mon, 18 Jan 2038 21:14:07 UTC
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FF
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf
 Of John McLoskey
 Sent: Monday, August 08, 2005 11:55 PM
 To: samba@lists.samba.org
 Subject: [Samba] pdbedit not working as documented
 
 I am hitting a wall with pdbedit, as shown below. 
 Any workarounds would be greatly appreciated. 
 I am encountering the inability to change any users (profile) SID on Samba
 3.x for Linux and BSD, which causes the accounts to no longer recognize
 their local Samba 2 profiles once they join Samba 3 domain. If I add a new
 user and pdbedit -a user -U SID it ignores the -U.
 The old profiles appear on the Windows clients as unknown profile. 
 The problem is that the profiles are inaccessible. 
 If I man pdbedit, it clearly states the ability to;
 
 
 
  smbsvr# man pdbedit
 
 ...
 
       -G SID|rid
               This option can be used while adding or modifying a user
               account. It will specify the users' new primary group SID
               (Security Identifier) or rid.

               Example: -G S-1-5-21-2447931902-1787058256-3961074038-1201


       -U SID|rid
               This option can be used while adding or modifying a user
               account. It will specify the users' new SID (Security
               Identifier) or rid.
 
               Example: -U 

[Samba] What's this error?

2005-08-03 Thread Dimitri Yioulos
Hello all.

Logwatch reports this:

 **Unmatched Entries**
 rpc_client/cli_netlogon.c:cli_nt_setup_creds(256)  cli_nt_setup_creds: request challenge failed : 288 Time(s)

And syslog this:

Aug  3 04:09:48 hanover winbindd[1746]: [2005/08/03 04:09:48, 0]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(256)
Aug  3 04:09:48 hanover winbindd[1746]:   cli_nt_setup_creds: request
challenge failed

What does it mean, and what's the fix?

Many thanks.

Dimitri


[Samba] Automatically creating home directories?

2005-07-29 Thread Dimitri Yioulos
Hello to all.

I want to use winbind to automatically create email accounts.  I've added 
several linux boxes to our win2k3 AD and working pretty well (more in a new 
post about this).  When I create a new user on the win2k3 box, users can 
access various shares on the linux boxes, as it should be.  I also have a 
sendmail server sitting in a DMZ.  I have to create the email user account on 
this box separately.  I'd like to eliminate this step.

I've added 3.0.14a to the email server, and fired up winbind.  It works like a 
charm!  But ... I still need to create user home directories so that mail 
gets delivered to their mailboxes.  I know there's a samba directive as 
follows:  template homedir = home/%D/%U.  Should this create user home 
directories?  If not, is there a way to do this automatically, and if so, 
how.

As always, many thanks.

Dimitri


Re: [Samba] MIT Kerberso or Heimdal Kerberos what is the question?

2005-06-23 Thread Dimitri Yioulos
You might also want to add the following to the [realms] section of your 
krb5.conf:

kdc = tcp/x.x.x.x:88

where x.x.x.x is the ip address of your w2k3 PDC (I use the ip address as 
opposed to the FQDN).

HTH.

Dimitri

On Thursday June 23 2005 8:25 am, Mark Irving wrote:
 I ran into the same problem also on FreeBSD, although v 5.4. I ran
 across this registry hack that fixed it at
 http://mailman.mit.edu/pipermail/kerberos/2004-June/005665.html

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  On Behalf Of MIN
  Sent: Thursday, June 23, 2005 1:45 AM
  To: samba@lists.samba.org
  Subject: [Samba] MIT Kerberso or Heimdal Kerberos what is the
  question?
 
  I have some problem with Kerberos.
  OS: FreeBSD 5.3
  Domain: W2k3 native mode.
  1) I am installing Heimdal 0.6.1 over port. Config /etc/krb5.conf
  %/usr/local/bin/kinit ivan
  [EMAIL PROTECTED]'s Password:
  kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
  2) Compile and install Heimdal 0.6.4 over source
  %/usr/local/bin/kinit ivan
  [EMAIL PROTECTED]'s Password:
  kinit: krb5_get_init_creds: Additional pre-authentication required
  3) Install over ports MIT krb5-1.3.4
  %/usr/local/bin/kinit ivan
  Password for [EMAIL PROTECTED]:
  %
  That great! MIT is working. But not compile Samba. I use
  Samba.3.0.14a ports. I captured tcp packet. And see that MIT
  version working over tcp session, but Heimdal version working
  over udp and try over tcp but unsuccessfully. We have many
  groups in our domain. If i create new user account, and not
  add this account in many groups all work fine! What should i do?
  We have 2500 users. And some groups in our domain labeled at
  russian language.
  Thank for help.
 
 
 
 


Re: [Samba] Kerberos enc type [xx] failed

2005-06-15 Thread Dimitri Yioulos
Ephi,

I think I had the same problem once upon a time.  I haven't seen your 
krb5.conf, but I added the following to mine in the [libdefaults] section:

 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5

That cleared up the problem.

HTH.

Dimitri


On Tuesday June 14 2005 10:04 pm, Ephi Dror wrote:
 Hi Andrew,

 I upgraded krb5 libs to 1.3.3 and now the error became Decrypt
 integrity check failed.

 I rebooted my AD server and the SAMBA server just in case.

 Here is the log:

 [2005/06/14 18:14:30, 3, pid=17668]
 libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
 Decrypt integrity check failed
 [2005/06/14 18:14:30, 3, pid=17668]
 libads/kerberos_verify.c:ads_verify_ticket(307)
   ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)

 Any idea?

 Did I forget to do something so obvious?

 Is it anything to do with keytab which I have noticed that if I specify
 use kerberos keytab = yes I get an error in  net ads join that says:
 [2005/06/14 18:50:43, 1, pid=23237]
 libads/kerberos_keytab.c:ads_keytab_add_entry(236)
   ads_keytab_add_entry: adding entry to keytab failed (Cannot write to
 specified key table)
 [2005/06/14 18:50:43, 1, pid=23237]
 libads/kerberos_keytab.c:ads_keytab_create_default(418)
   ads_keytab_create_default: ads_keytab_add_entry failed while adding
 'host'.
 [2005/06/14 18:50:43, 1, pid=23237] utils/net_ads.c:net_ads_join(829)
   Error creating host keytab!
 Joined 'SSN217' to realm 'LONDON.STORADINC.COM'

 And last, is it to do with kerberos hot fix
 http://support.microsoft.com/kb/833708/
 Just wondering.

 Thanks so much in advance for any hint in this complicated area.

 Cheers,
 Ephi



 -Original Message-
 From: Ephi Dror
 Sent: Tuesday, June 14, 2005 10:28 AM
 To: 'Andrew Bartlett'
 Cc: Samba (samba@lists.samba.org)
 Subject: RE: [Samba] Kerberos enc type [xx] failed

 Thank you Andrew for sharing with us your expertise and give us those
 suggestions.

 We really appreciate it.

 Cheers,
 Ephi

 -Original Message-
 From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 13, 2005 10:15 PM
 To: Ephi Dror
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Kerberos enc type [xx] failed

 On Mon, 2005-06-13 at 10:09 -0700, Ephi Dror wrote:
  Hi All,
 
  I am getting Kerberos enc type problem that I can't explain:
 
 
  Just a quick background:
  1. My samba version is 3.0.6 (will switch to latest soon)
  2. My Kerberos version is krb5 1.2.7.
  4. Samba joined active directory that has one KDC running win2003
     (not sp1)
  5. I switched between different domains and join as ADS and domain
  many times, could it contribute to this problem?
 
  At the moment, I can't switch to latest krb5 package. What is the
  minimum Kerberos version required by SAMBA?

 MIT Kerberos 1.3.1 (or a suitably recent Heimdal) is the minimum we have
 maintained since Samba 3.0.  Using less than this will cause issues with
 clients that for one reason or another do not possess 'DES' kerberos
 keys.

 Kerberos library requirements have been quite a pain in Samba 3.0.
 There are three basic solutions:

  - Upgrade your OS to one with a suitable kerberos
  - Upgrade the kerberos libraries on your OS
  - Statically link your Samba install to an upgraded kerberos.

 The latter option is what SerNet did/does for their Samba 3.0 packages.

 In Samba4, we have noted the pain that kerberos has caused in Samba 3.0,
 and the current plan is to ship with a built-in kerberos library.
 (Options for later development allow this to possibly use a system lib,
 but the aim is to shift the pain away from the administrator, who can't
 help the situation much).

 Andrew Bartlett

 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
 Authentication Developer, Samba Team   http://samba.org
 Student Network Administrator, Hawker College  http://hawkerc.net
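
The `default_tkt_enctypes` / `default_tgs_enctypes` lines suggested at the top of this reply, and in the 2005-09-14 krb5.conf further up the page, pin the client to single-DES enctypes, which RFC 6649 has since deprecated and which later MIT krb5 releases refuse to use by default. The Python below is an added example (not from the thread or from any Kerberos project) that audits a krb5.conf for them; the sample is adapted from the config posted on this page, and the function names are hypothetical.

```python
import re

# Single-DES enctype names plus the "des" family alias used in krb5.conf.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")

# Sample adapted from the krb5.conf posted in this thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc

[realms]
 MYDOMAIN.COM = {
  default_domain = mydomain.com
  kdc = 192.168.100.3
  admin_server = 192.168.100.3
 }

[appdefaults]
 pam = {
   forwardable = true
 }
"""


def parse_libdefaults(text):
    """Return the top-level relations of [libdefaults] as {key: value}.

    Relations inside { } subsections and in other sections are skipped,
    so an enctype line nested under [realms] is not mistaken for a default.
    """
    section, depth, relations = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip()
        elif line.endswith("{"):
            depth += 1
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            relations[key.strip()] = value.strip()
    return relations


def audit_enctypes(text):
    """Return one finding per enctype relation that enables single DES.

    'only_weak' is True when every enabled entry is single DES: on a
    library that refuses weak crypto the effective list is then empty and
    ticket requests fail outright instead of falling back.
    """
    lib = parse_libdefaults(text)
    findings = []
    for key in ENCTYPE_KEYS:
        if key not in lib:
            continue
        tokens = [t for t in re.split(r"[\s,]+", lib[key]) if t]
        # A leading "-" removes an enctype from the list, so it is not enabled.
        enabled = [t.lstrip("+").lower() for t in tokens if not t.startswith("-")]
        weak = [t for t in enabled if t in SINGLE_DES]
        if weak:
            findings.append({"key": key, "weak": weak,
                             "only_weak": len(weak) == len(enabled)})
    return findings


def weak_crypto_allowed(text):
    """True when [libdefaults] explicitly sets allow_weak_crypto."""
    value = parse_libdefaults(text).get("allow_weak_crypto", "false")
    return value.lower() in ("true", "t", "yes", "y", "on", "1")


if __name__ == "__main__":
    for f in audit_enctypes(SAMPLE_KRB5_CONF):
        scope = "only single DES" if f["only_weak"] else "includes single DES"
        print("%s: %s (%s)" % (f["key"], scope, ", ".join(f["weak"])))
    print("allow_weak_crypto set:", weak_crypto_allowed(SAMPLE_KRB5_CONF))
```
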


Re: [Samba] Best Practices for rookie

2005-06-15 Thread Dimitri Yioulos
On Wednesday June 15 2005 5:36 pm, Fortin, Kelly wrote:
 I am interested in setting up Samba file services for our location and I am
 looking to find a Best Practices approach and configuration for use with
 an Active Directory controller.  I have had some luck in setup Samba with
 local accounts, but Linux will be used increasingly in the months to come
 and I would like to build a file server that will validate file system
 access against AD domain groups.

 I am familiar with Samba, but not so familiar with Kerberos and winbind.  I
 have read through some Samba documentation and found some valuable
 information, but I feel like I am missing a few pieces to my puzzle.  What
 is the process for setting up this service?  Are there some sample configs
 out there?

 Thanks
 Kelly

Of course, there's Samba-By-Example 
(http://www.samba.org/samba/docs/man/Samba-Guide/), which is excellent (many 
thanks to John T. & Co.).  I've also had success with this:

http://www.wlug.org.nz/ActiveDirectorySamba

Regards,

Dimitri


Re: [Samba] [Fwd: How to join to a DC ie. net join?]

2005-06-09 Thread Dimitri Yioulos
On Thursday June 9 2005 8:33 am, David Collier-Brown wrote:
   Anyone on the list able to help this chap? The message
 was mis-sent to samba-technical (the development list).

 --dave

  Original Message 
 Subject: How to join to a DC ie. net join?
 Date: Wed, 08 Jun 2005 16:19:46 -0700
 From: The Kid From LA [EMAIL PROTECTED]
 Reply-To: The Kid From LA [EMAIL PROTECTED]
 To: samba-technical@lists.samba.org

 I have read lots of documentation and looked through the archives.  I
 am trying to join a RHEL machine to a windows 2000 PDC.  I am having
 some errors:

 [EMAIL PROTECTED] etc]# net join -U Administrator
 Administrator's password:
 [2005/06/08 16:02:02, 0] utils/net_ads.c:ads_startup(186)
   ads_connect: No such file or directory

 Unable to find a suitable server

 Unable to find a suitable server

 ===
 I have modified my /etc/krb5.conf and tried many different things and I
 still cannot join my windows domain?  Any ideas?

 Thanks,
 thom bishop


 --
 David Collier-Brown,  | Always do right. This will gratify
 Sun Microsystems, Toronto | some people and astonish the rest
 [EMAIL PROTECTED] |  -- Mark Twain
 (416) 263-5733 (x65733)   |

Thom,

This does look like it might be related to krb5.conf.  Would you post yours, 
please, so we can take a look?

Dimitri


Re: [Samba] ADS join troubles 3.0.14a

2005-05-24 Thread Dimitri Yioulos
On Tuesday May 24 2005 2:51 pm, Michael Andrewjeski wrote:
 Hi List,

 I'm attempting to join a win2k3 domain as a member server with great
 difficulty. I've read The HowTo, but am hung when attempting to join the
 Domain. I can kinit & klist, which seems good, but the ads join fails.

 Can someone help me understand what is causing the error listed below?

 Component particulars are:

 RH AS3, samba-3.0.14a compiled from source (./configure
 --prefix=/usr/pkg/samba-3.0.14a --with-ads --with-ldap --with-winbind
 --with-smb-mount --with-acl-support --with-pam --with-ldapsam)

 RedHat's krb5-*-1.2.7-44.rpm's

 I can send krb5.conf and smb.conf if needed!


 Here's the command and subsequent
 error:

 #net ads join -U'svcSAMBA%!' -S sfintra1.AD.CHECKPOINT.COM -d3

 [2005/05/24 11:33:09, 3] param/loadparm.c:lp_load(3907)
   lp_load: refreshing parameters
 [2005/05/24 11:33:09, 3] param/loadparm.c:init_globals(1321)
   Initialising global parameters
 [2005/05/24 11:33:09, 3] param/params.c:pm_process(573)
   params.c:pm_process() - Processing configuration file /usr/pkg/samba-3.0.14a/lib/smb.conf
 [2005/05/24 11:33:09, 2] lib/interface.c:add_interface(81)
   added interface ip=172.16.211.151 bcast=172.16.211.255 nmask=255.255.255.0
 [2005/05/24 11:33:09, 3] libads/ldap.c:ads_connect(285)
   Connected to LDAP server 209.87.220.50
 [2005/05/24 11:33:09, 3] libads/ldap.c:ads_server_info(2469)
   got ldap server name [EMAIL PROTECTED], using bind path: dc=AD,dc=CHECKPOINT,dc=COM
 [2005/05/24 11:33:09, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
 [2005/05/24 11:33:09, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
 [2005/05/24 11:33:09, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
 [2005/05/24 11:33:09, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
 [2005/05/24 11:33:09, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
   ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
 [2005/05/24 11:33:09, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
 [2005/05/24 11:33:09, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
   Ticket in ccache[MEMORY:net_ads] expiration Tue, 24 May 2005 21:33:09 GMT
 [2005/05/24 11:33:09, 1] libads/ldap.c:ads_default_ou_string(1085)
   Failed while searching for: WKGUID=AA312825768811D1ADED00C04FD8D5CD,dc=AD,dc=CHECKPOINT,dc=COM
 ads_join_realm: Operations error
 [2005/05/24 11:33:09, 2] utils/net.c:main(897)
   return code = -1

 Any help greatly appreciated..
 Mike

 Michael Andrewjeski
 Unix Administrator
 Zone Labs, A Check Point Company
 http://www.zonelabs.com
 Tel:  415.633.4769
 Fax:  415.633.4501


Do post your krb5.conf and smb.conf files.


Re: [Samba] Samba and Window 2003

2005-05-20 Thread Dimitri Yioulos
Thanks, Toby.  That actually answers a question I had, as I use CentOS 3.  
Since this is an RHEL AS 3 clone it, too, uses krb5 1.2.7.  Although samba 
has worked great, and several CentOS boxes have joined my Win2k3 ADS, it's 
still comforting.

Dimitri

On Friday May 20 2005 12:50 pm, Tobias Bluhm wrote:
 If you have all the latest krb5 & samba rpm updates installed, it should
 work as is. RedHat backports quite a bit of code. RH's current krb5 1.2.7
 has stuff from 1.3 already patched in, for example.

 This is speaking from experience with Whitebox Linux3 ( a RHES3 clone )
 using stock rpms and connecting to AD 2003.


 -
 toby bluhm
 philips medical systems, cleveland ohio
 [EMAIL PROTECTED]
 440-483-5323









 Esquivel, Vicente [EMAIL PROTECTED]
 Sent by:
 [EMAIL PROTECTED]
 05/20/2005 10:35 AM

 To: samba@lists.samba.org
 cc: (bcc: Tobias Bluhm/CLE/MS/PHILIPS)
 Subject:[Samba] Samba and Window 2003
 Classification:




 I am trying to find a good how-to on setting up samba to use Windows 2003
 for authentication, if anyone knows of a good link let me know.  I am
 using RedHat ES 3 and our Windows is running in native mode with NT style
 authentication allowed.  I can't use ADS and Kerberos because the current
 version of Kerberos on my RH server is 1.2.7 and from what I have read I
 need 1.3+ in order for it to work that way.  I just can't upgrade right now
 so I am trying to find a way to get this to work somehow.  Any advice
 would be GREATLY appreciated.

 Thanks
 Vince


[Samba] Re: RHEL 3 and MIT kerberos

2005-05-18 Thread Dimitri Yioulos
My apologies.  I'll do that.

Dimitri

On Wed, 2005-05-18 at 12:39 -0400, Charlie Brady wrote:
 On Tue, 17 May 2005, Dimitri Yioulos wrote:
 
  Hello to all.
 
  I read in a prior post that samba 3.x.x doesn't play well with MIT kerberos
  from version 1.2.something and earlier (or vice-versa.  Sorry, I looked
  briefly, but didn't find the earlier post).  I tried making an RPM of a
  later version of kerberos, but failed.  Does anyone know if there's a later
  version of MIT kerberos available in RPM or SRPM that will work on RHEL AS 3?
 
 Perhaps you should ask on a kerberos or RHEL related list. This has
 nothing to do with netfilter
 
 
  Thanks.
 
  Dimitri
 
 



[Samba] Creating a BDC

2005-05-03 Thread Dimitri Yioulos
Good morning/evening to all.

I hope I'm not taking up space here or wasting people's time but - 

I've had several samba machines joined to a Win2k3 AD for some time now.  Of 
course, I'm using kerberos, but that's it.

I've kinda rolled the bones up 'til now in that I've relied on the PDC without 
having a BDC.  But, if the PDC were to experience any down time during the 
work day, ...

So, I'd like to create a BDC on one of the samba boxes.  Now, I've looked at 
the how-to, but am wondering if ldap is absolutely necessary?  What might be 
the easiest/least painful way to accomplish this?

Many thanks.

Dimitri


Re: [Samba] RedHat EL 3 rpm spec file and samba 3.0.14a?

2005-04-25 Thread Dimitri Yioulos
On Monday April 25 2005 4:48 pm, Gerald (Jerry) Carter wrote:
 Marshall Herington wrote:
  Is the RedHat RPM spec file included with the
  samba-3.0.14a.tar.gz source files compatible with RedHat EL 3?

 No.  But see http://www.enterprisesamba.com/ for RHEL3 RPMS.
 Or you could probably use the Fedora packaging in samba-3.0.14.
 But I haven't tested that on RHEL3.





 cheers, jerry


I've used rpmbuild with the stock samba-3.0.14a.tar.gz source file to 
create, then install, on a CentOS 3.4 box (an RHEL AS 3 clone).  Works like a 
champ.

HTH.

Dimitri


Re: [Samba] smb ports feedback

2005-04-22 Thread Dimitri Yioulos
On Friday April 22 2005 4:01 pm, Alan Munday wrote:
 Having read a few posts recently I thought I would do some testing.

 Given XP's use of 445 and that I have a couple of networks where they only
 have XP clients, I thought I would try setting smb ports to 445 only rather
 than that suggested of just specifying 139.

 This has worked well for XP clients with SP2.

 However SP1, and presumably pre-SP1 clients, lose all sight of the NBT
 network. Indeed they report an RPC error on start-up.

 Alan

Hmmm.  I also configured smb ports = 445.  That has gotten rid of those 
annoying getpeername failed errors, and my mix of XP SP1 and SP2 clients 
have had no problems.

Is there a correct or preferred setting, or is it just whatever works?

Dimitri


Re: [Samba] getpeername failed. Error was Transport endpoint is not connected

2005-04-18 Thread Dimitri Yioulos
I've also seen a post somewhere (forgive, don't remember where somewhere is) 
suggesting that smb ports = 445 would correct this issue.  So, which is it, 
139 or 445?

Dimitri

On Monday 18 April 2005 05:55 am, Fabian Arrotin wrote:
 I've already seen this in my logs...
 A little search on Google shows me that Windows XP clients try to
 connect to port 139 and 445 in parallel and drop the connection to port
 139 if the connect to 445 is successful.
 In fact, no one was complaining about real network connection loss ...
 More information here : http://www.linuxaa.com/ftopic6568.html
 Hope this helps.

 On Mon, 2005-04-18 at 03:58 -0300, Guido Lorenzutti wrote:
  I get this error message getpeername failed. Error was Transport
  endpoint is not connected in my logs very often. Any ideas how to fix
  it?
 
  Tnxs in advance


Re: [Samba] net ads join fails

2005-04-11 Thread Dimitri Yioulos
On Monday 11 April 2005 09:42 am, you wrote:
 I have recreated my dns pointers without success and I think my krb5.conf
 file is configured correctly.  First I left this to Yast to set up but that
 didn't work and then I tried to modify it from an article I found.

 I have pasted it in below
 [libdefaults]
 #default_realm = ellisonslegal.com
 clockskew = 300

 [realms]
 ELLISONSLEGAL.COM = {
 kdc = apps.ellisonslegal.com
 #default_domain = ELLNET
 #kpasswd_server = apps.ellisonslegal.com
 }
 #ELLISONSLEGAL.COM = {
 # kdc = APPS.ELLISONSLEGAL.COM
 # admin_server = APPS.ELLISONSLEGAL.COM
 # kpasswd_server = APPS.ELLISONSLEGAL.COM
 #}
 #OTHER.REALM = {
 # kdc = OTHER.COMPUTER
 #}

 [domain_realm]
 # .my.domain = MY.REALM
 .ellisonslegal.com = ELLISONSLEGAL.COM

 [logging]
 default = SYSLOG:NOTICE:DAEMON
 kdc = FILE:/var/log/kdc.log
 kadmind = FILE:/var/log/kadmind.log

 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 debug = false
 }


 Dimitri would you be able to repost that link for the HOW-TO please?  I
 tried it but it seems like it is broken, do you have the updated link?

 Thanks for your continued help.

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 09 April 2005 00:23
 To: Penny Willisson
 Subject: RE: [Samba] net ads join fails


 You might need to add some entries to your krb5.conf file.  for example:

 [realms]
 ellisonslegal.com = {
   kdc = domain.controller.ellisonslegal.com:88
 }


 Where kdc points to a domain controller.  Doesn't need to be the primary
 domain controller, choose one close by for best performance.   (You
 shouldn't need to do this if your DNS for the domain resolves to a domain
 controller.)

 Gordon



 On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:

 Thanks

 When I run 'kinit administrator' I get the following error

 kinit: krb5_get_init_creds: unable to reach any KDC in realm
 ellisonslegal.com

 any ideas???

 -Original Message-
 From:  [EMAIL PROTECTED]
 [mailto: [EMAIL PROTECTED] Behalf Of
 Dimitri Yioulos
 Sent: 08 April 2005 13:30
 To:  samba@lists.samba.org
 Subject: Re: [Samba] net ads join fails

 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi

  I have created the machine account on the AD server and did this logged in
  as Administrator so that should mean that the Administrator account has the
  correct permissions.

  I have executed the following command as suggested

  net ads join  [EMAIL PROTECTED] -d 2

  The following was output to the screen:

  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password  [EMAIL PROTECTED] failed:
  Unknown code krb5 156
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
  return code = -1

  Thanks

  Penny

  -Original Message-
  From: Gordon Hopper [mailto: [EMAIL PROTECTED]
  Sent: 06 April 2005 05:28
  To: Penny Willisson
  Subject: Re: [Samba] net ads join fails

  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
    ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
    kerberos_kinit_password   [EMAIL PROTECTED] failed: Unknown code krb5 156
  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
    ads_connect: Unknown code krb5 156

  I suggest you post the output of the command you are running to join the
  domain (including the command), for example, net ads join -U
  [EMAIL PROTECTED] -d 2.

  Also, note that the credentials you use to join the domain are not
  necessarily the domain Administrator, but they need to be a user who has
  write privileges to the ads folder where the machine account will be
  created.  (It worked better for me when the machine account was already
  created in server manager, but according to the docs, that shouldn't be
  necessary.)

  It almost looks like the password failed.  Or perhaps the folder you
  specified for the machine account does not exist.

  Regards,

  Gordon Hopper

 Try the command kinit Administrator (or  [EMAIL PROTECTED]).  You
 should be prompted for a password.  If, after entering the password, you're
 returned to a prompt with no further output then, in theory at least, your
 Kerberos setup is OK. If you get errors, well ...  Run that first, then try
 net ads join -U  [EMAIL PROTECTED]

 A good how-to can be found at:
 http://www.ulug.org.nz

Re: FW: [Samba] net ads join fails

2005-04-11 Thread Dimitri Yioulos
OK, this is closer.

Change [realms] kpasswd_server to admin_server.

I also believe that [domain realm] should read: 
ellisonlegal.com = ELLISONLEGAL.COM
.ellisonlegal.com = ELLISONLEGAL.COM

I would add to [libdefaults]:
dns_lookup_realm = true
dns_lookup_kdc = true

Try this and report back (like a good IT soldier :-) )

Dimitri

On Monday 11 April 2005 10:58 am, you wrote:
 Ok I deleted the incorrect conf file and set it up using Yast again here is
 the amended file.  I tried using the IP address of the server this time but
 I'm still getting the same errors as before.

 [libdefaults]
 default_realm = ELLISONSLEGAL.COM
 clockskew = 300

 [domain_realm]
 .ELLNET = ELLISONSLEGAL.COM

 [realms]
 ELLISONSLEGAL.COM = {
 kdc = 10.0.0.31
 default_domain = ELLNET
 kpasswd_server = 10.0.0.31
 }

 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 }



 Thanks

 -Original Message-
 From: Penny Willisson
 Sent: 11 April 2005 14:43
 To: 'Gordon Hopper'; '[EMAIL PROTECTED]'
 Cc: Dimitri Yioulos; samba@lists.samba.org
 Subject: RE: [Samba] net ads join fails


 I have recreated my dns pointers without success and I think my krb5.conf
 file is configured correctly.  First I left this to Yast to set up but that
 didn't work and then I tried to modify it from an article I found.

 I have pasted it in below
 [libdefaults]
 #default_realm = ellisonslegal.com
 clockskew = 300

 [realms]
 ELLISONSLEGAL.COM = {
 kdc = apps.ellisonslegal.com
 #default_domain = ELLNET
 #kpasswd_server = apps.ellisonslegal.com
 }
 #ELLISONSLEGAL.COM = {
 # kdc = APPS.ELLISONSLEGAL.COM
 # admin_server = APPS.ELLISONSLEGAL.COM
 # kpasswd_server = APPS.ELLISONSLEGAL.COM
 #}
 #OTHER.REALM = {
 # kdc = OTHER.COMPUTER
 #}

 [domain_realm]
 # .my.domain = MY.REALM
 .ellisonslegal.com = ELLISONSLEGAL.COM

 [logging]
 default = SYSLOG:NOTICE:DAEMON
 kdc = FILE:/var/log/kdc.log
 kadmind = FILE:/var/log/kadmind.log

 [appdefaults]
 pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
 retain_after_close = false
 minimum_uid = 0
 debug = false
 }


 Dimitri would you be able to repost that link for the HOW-TO please?  I
 tried it but it seems like it is broken, do you have the updated link?

 Thanks for your continued help.

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 09 April 2005 00:23
 To: Penny Willisson
 Subject: RE: [Samba] net ads join fails


 You might need to add some entries to your krb5.conf file.  for example:

 [realms]
 ellisonslegal.com = {
   kdc = domain.controller.ellisonslegal.com:88
 }


 Where kdc points to a domain controller.  Doesn't need to be the primary
 domain controller, choose one close by for best performance.   (You
 shouldn't need to do this if your DNS for the domain resolves to a domain
 controller.)

 Gordon



 On Fri, 2005-04-08 at 15:41 +0100, Penny Willisson wrote:

 Thanks

 When I run 'kinit administrator' I get the following error

 kinit: krb5_get_init_creds: unable to reach any KDC in realm
 ellisonslegal.com

 any ideas???

 -Original Message-
 From:  [EMAIL PROTECTED]
 [mailto: [EMAIL PROTECTED] Behalf Of
 Dimitri Yioulos
 Sent: 08 April 2005 13:30
 To:  samba@lists.samba.org
 Subject: Re: [Samba] net ads join fails

 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi

  I have created the machine account on the AD server and did this logged in
  as Administrator so that should mean that the Administrator account has the
  correct permissions.

  I have executed the following command as suggested

  net ads join  [EMAIL PROTECTED] -d 2

  The following was output to the screen:

  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password  [EMAIL PROTECTED] failed:
  Unknown code krb5 156
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 156
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
  return code = -1

  Thanks

  Penny

  -Original Message-
  From: Gordon Hopper [mailto: [EMAIL PROTECTED]
  Sent: 06 April 2005 05:28
  To: Penny Willisson
  Subject: Re: [Samba] net ads join fails

  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
    ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
    kerberos_kinit_password   [EMAIL PROTECTED] failed: Unknown code krb5 156
  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
    ads_connect: Unknown code krb5 156

Re: [Samba] net ads join fails

2005-04-08 Thread Dimitri Yioulos
On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
 Hi

 I have created the machine account on the AD server and did this logged in
 as Administrator so that should mean that the Administrator account has the
 correct permissions.

 I have executed the following command as suggested

 net ads join [EMAIL PROTECTED] -d 2

 The following was output to the screen:

 [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)

 added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0

 [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)

 kerberos_kinit_password [EMAIL PROTECTED] failed:
 Unknown code krb5 156

 [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)

 ads_connect: Unknown code krb5 156

 [2005/04/08 13:33:41, 2] utils/net.c:main(897)

 return code = -1

 Thanks

 Penny

 -Original Message-
 From: Gordon Hopper [mailto:[EMAIL PROTECTED]
 Sent: 06 April 2005 05:28
 To: Penny Willisson
 Subject: Re: [Samba] net ads join fails



 [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)

   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

 [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)

   kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown
 code krb5 156

 [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)

   ads_connect: Unknown code krb5 156




 I suggest you post the output of the command you are running to join the
 domain (including the command), for example, net ads join -U
 [EMAIL PROTECTED] -d 2.

 Also, note that the credentials you use to join the domain are not
 necessarily the domain Administrator, but they need to be a user who has
 write privileges to the ads folder where the machine account will be
 created.  (It worked better for me when the machine account was already
 created in server manager, but according to the docs, that shouldn't be
 necessary.)

 It almost looks like the password failed.  Or perhaps the folder you
 specified for the machine account does not exist.

 Regards,

 Gordon Hopper

Try the command kinit Administrator (or [EMAIL PROTECTED]).  You 
should be prompted for a password.  If, after entering the password, you're 
returned to a prompt with no further output then, in theory at least, your 
Kerberos setup is OK. If you get errors, well ...  Run that first, then try 
net ads join -U [EMAIL PROTECTED]

A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

HTH.

Dimitri


[Samba] Nagging error

2005-04-08 Thread Dimitri Yioulos
Hello to all.

I keep getting the same error in the logs of all my Samba boxes:

Apr  8 09:00:19 hanover smbd[19917]: [2005/04/08 09:00:19, 0] 
lib/util_sock.c:read_socket_data(384)
Apr  8 09:00:19 hanover smbd[19917]:   read_socket_data: recv failure for 4. 
Error = Connection reset by peer

If this has been posted before, my apologies.  I've RTFM, and I've googled for 
a solution, and while I've seen a few suggestions (actually, very few, 
although many have requested a solution), none has worked for me.

Can anyone help?

Many thanks.

Dimitri


Re: [Samba] Windows Server 2003 SP 1

2005-04-08 Thread Dimitri Yioulos
On Friday 08 April 2005 08:46 am, you wrote:
 Dimitri Yioulos wrote:
 | I applied it to my DC that is playing the PDC role
 | today and all of a sudden Winbind could not
 | enumerate any Active Directory information.  Mind you,
 | I'm not joined to the domain using Kerberos/ADS;

 

 | As to your problem, you might want to read this:
 |
 | http://lists.samba.org/archive/samba-technical/2005-April/040187.html

 Here's 2 more threads.  The second one applies to you I believe.

 http://lists.samba.org/archive/samba-technical/2005-April/040316.html
 http://lists.samba.org/archive/samba-technical/2005-April/040322.html

 We are planning a 3.0.14 patch release to deal with the Win2003 sp1
 issues early next week.

 If you need an immediate workaround for the current code, you
 can set 'client schannel = no' in smb.conf and then set
 the credentials to use when connecting by calling
 'wbinfo --set-auth-user='domain\user%pw'.  See the wbinfo/winbind
 man page for more details.





 cheers, jerry

Jerry,

Many thanks.

Not only did SP1 break Samba, but it also wreaked havoc with our Dell server 
running Dell OpenManage.  That problem was confirmed by Microsoft support 
personnel.

Now, slightly aside, in the past, I would never add a patch or service pack 
without letting it mellow out in the world for a while.  But something 
overtook me, and I went ahead and added it immediately.  Results - chaos.  
Let that be a lesson to you wacky kids out there :-)

Dimitri


Re: [Samba] net ads join fails

2005-04-08 Thread Dimitri Yioulos
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of
 Dimitri Yioulos
 Sent: 08 April 2005 13:30
 To: samba@lists.samba.org
 Subject: Re: [Samba] net ads join fails

 On Friday 08 April 2005 07:46 am, Penny Willisson wrote:
  Hi
 
  I have created the machine account on the AD server and did this logged
  in as Administrator so that should mean that the Administrator account
  has the correct permissions.
 
  I have executed the following command as suggested
 
  net ads join [EMAIL PROTECTED] -d 2
 
  The following was output to the screen:
 
  [2005/04/08 13:33:38, 2] lib/interface.c:add_interface(81)
 
  added interface ip=10.0.0.39 bcast=10.0.255.255 nmask=255.255.0.0
 
  [2005/04/08 13:33:41, 0] libads/kerberos.c:ads_kinit_password(146)
 
  kerberos_kinit_password [EMAIL PROTECTED] failed:
  Unknown code krb5 156
 
  [2005/04/08 13:33:41, 0] utils/net_ads.c:ads_startup(191)
 
  ads_connect: Unknown code krb5 156
 
  [2005/04/08 13:33:41, 2] utils/net.c:main(897)
 
  return code = -1
 
  Thanks
 
  Penny
 
  -Original Message-
  From: Gordon Hopper [mailto:[EMAIL PROTECTED]
  Sent: 06 April 2005 05:28
  To: Penny Willisson
  Subject: Re: [Samba] net ads join fails
 
 
 
  [2005/04/05 15:11:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
    ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
  [2005/04/05 15:11:44, 0] libads/kerberos.c:ads_kinit_password(146)
    kerberos_kinit_password  [EMAIL PROTECTED] failed: Unknown code krb5 156
  [2005/04/05 15:11:44, 0] utils/net_ads.c:ads_startup(191)
    ads_connect: Unknown code krb5 156
 
 
 
 
  I suggest you post the output of the command you are running to join the
  domain (including the command), for example, net ads join -U
  [EMAIL PROTECTED] -d 2.
 
  Also, note that the credentials you use to join the domain are not
  necessarily the domain Administrator, but they need to be a user who has
  write privileges to the ads folder where the machine account will be
  created.  (It worked better for me when the machine account was already
  created in server manager, but according to the docs, that shouldn't be
  necessary.)
 
  It almost looks like the password failed.  Or perhaps the folder you
  specified for the machine account does not exist.
 
  Regards,
 
  Gordon Hopper

 Try the command kinit Administrator (or [EMAIL PROTECTED]). 
 You should be prompted for a password.  If, after entering the password,
 you're returned to a prompt with no further output then, in theory at
 least, your Kerberos setup is OK. If you get errors, well ...  Run that
 first, then try net ads join -U [EMAIL PROTECTED]

 A good how-to can be found at: http://www.ulug.org.nz/ActiveDirectorySamba.

 HTH.

 Dimitri

On Friday 08 April 2005 10:41 am, you wrote:
 Thanks

 When I run 'kinit administrator' I get the following error

 kinit: krb5_get_init_creds: unable to reach any KDC in realm
 ellisonslegal.com

 any ideas???


You probably don't have Kerberos configured correctly.  Check your krb5.conf 
and kdc.conf files.  Refer to the how-to I mentioned earlier, and also 
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4/doc/krb5-install.html, if 
you're using MIT Kerberos.

Dimitri
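
A small linter for the krb5.conf problems that come up in this thread (a commented-out default_realm, a lower-case realm name, a realm with no KDC that can be located, a missing bare-domain mapping), as an added example that is not part of any poster's message and is not Samba or MIT Kerberos code. The sample files use constructed EXAMPLE.COM values, the finding codes are hypothetical names, and DNS lookup of KDCs is assumed to be off unless dns_lookup_kdc is set explicitly.

```python
import re

TRUE_VALUES = {"true", "yes", "y", "on", "1"}


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}}; a 'NAME = {' block
    becomes a nested dict whose values are lists (kdc may be repeated)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                existing = section.get(key)
                block = section[key] = existing if isinstance(existing, dict) else {}
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf


def lint_krb5_conf(text):
    """Return a list of (code, subject) findings; the codes are hypothetical names."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realms = {n: b for n, b in conf.get("realms", {}).items() if isinstance(b, dict)}
    mappings = {d: r for d, r in conf.get("domain_realm", {}).items() if isinstance(r, str)}
    # Assumption: DNS SRV lookup of KDCs counts as off unless enabled explicitly.
    dns_kdc = str(lib.get("dns_lookup_kdc", "")).lower() in TRUE_VALUES
    findings = []

    default = lib.get("default_realm")
    if not isinstance(default, str) or not default:
        default = None
        findings.append(("NO_DEFAULT_REALM", "[libdefaults]"))

    # Realms a client will actually ask for: the default plus every mapping target.
    needed = list(dict.fromkeys(([default] if default else []) + list(mappings.values())))

    # Realm names are case-sensitive, and Active Directory realms are upper case.
    for name in dict.fromkeys(list(realms) + needed):
        if name != name.upper():
            findings.append(("REALM_NOT_UPPERCASE", name))

    # A needed realm must have a kdc entry under exactly that name, or DNS lookup.
    for name in needed:
        if not realms.get(name, {}).get("kdc") and not dns_kdc:
            findings.append(("REALM_WITHOUT_KDC", name))

    # ".example.com" covers hosts below the domain, not a host named "example.com".
    for domain in mappings:
        if domain.startswith(".") and domain[1:] not in mappings:
            findings.append(("BARE_DOMAIN_UNMAPPED", domain[1:]))
    return findings


# Constructed sample: default_realm commented out and a lower-case realm block.
BEFORE = """\
[libdefaults]
#default_realm = example.com
clockskew = 300

[realms]
example.com = {
    kdc = dc1.example.com:88
}

[domain_realm]
.example.com = EXAMPLE.COM
"""

# Constructed sample with the corrections suggested in the thread applied.
AFTER = """\
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
clockskew = 300

[realms]
EXAMPLE.COM = {
    kdc = dc1.example.com
    admin_server = dc1.example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_krb5_conf(text))
```

A clean result only says the file is internally consistent; kinit against the domain controller is still the real test.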


Re: [Samba] Error was Transport endpoint is not connected

2005-04-07 Thread Dimitri Yioulos
On Thursday 07 April 2005 07:49 am, Meli Marco wrote:
 Hi,
 I running samba 3.0.13 on RH9, and share a folder in a mix network
 workstations (W2k, DOS, Win98SE, NT4) and I have set following smb.conf
 file:

  netbios name = NETBIOSNAME
 os level = 16
 wins server = 10.90.17.80
 socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
 workgroup = DOMAIN
 realm = DOMAIN.COM
 security = ADS
 password server = kdcsrv.sinter.gkn.com
 encrypt passwords = yes
 #   null passwords = yes
 #   auth methods = guest sam_ignoredomain winbind:ntdomain
 allow trusted domains = Yes
 winbind use default domain = Yes
 winbind separator = /
 winbind enum users = Yes
 winbind enum groups = yes
 idmap uid = 1-10
 idmap gid = 1-10
 hide unreadable = Yes
 template homedir = /data/user/%U
 template shell = /bin/false
 use sendfile = No
 printer admin = ***
 admin users = ***
 log file = /var/log/samba/log.%m
 log level = 1 auth:5 sam:5
 max log size = 50
 printing = cups
 printcap name = cups
 load printers = Yes
 map acl inherit = Yes
 nt acl support = Yes

 Yesterday some local users couldn't log in on the samba share, if I get in
 the window property panel I have noticed that these users were replaced by
 others (maybe id mapping problem) so I decided to relocate them on Windows
 2003, delete them by the smbpasswd file and /etc/smbpasswd, run tdbbackup
 tool and disable auth methods option (no more local users authentication).
 Today everything seems to work fine but I have strange messages by winbind
 and smbd log file again:

 Tail -f /var/log/samba/log.winbindd:
 [2005/04/06 10:29:53, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
   user 'MILSALHP2200D_1' does not exist   
 -
 this is a printer!
 [2005/04/06 10:33:01, 1] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(474)
   Could not convert gid 24329 to sid

 tail -f /var/log/samba/log.smbd:
 [2005/04/06 08:33:57, 0] lib/util_sock.c:get_peer_addr(1150)
   getpeername failed. Error was Transport endpoint is not connected
 [2005/04/06 08:58:21, 0] lib/util_sock.c:get_peer_addr(1150)
   getpeername failed. Error was Transport endpoint is not connected

 How can I fix it?
 Thanks.
 Marco.

As I recall, it has something to do with smb trying to use both ports 139 and 
445, and there being some contention there.  Try adding the following to your 
smb.conf file:  smb ports = 445 (the default is smb ports = 445 139).  At 
least this worked for me.

Dimitri
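For triaging log excerpts like the ones quoted in the message above, here is an added example (not part of the original thread and not Samba project code) that groups Samba's header-plus-message log records and counts repeats per function and message. It goes slightly beyond the quoted 3.0.x lines by also accepting the 3.6.x header layout shown at the top of this page; the names `parse_records` and `summarize` are hypothetical, and the sample input is constructed from log lines quoted on this page.

```python
import re
from collections import Counter

# Header line of a Samba log record. 3.0.x logs write file:function(line);
# 3.6.x logs write file:line(function) and add microseconds to the timestamp.
HEADER = re.compile(
    r"^\s*\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[\w./-]+):"
    r"(?:(?P<f1>[A-Za-z_]\w*)\(\d+\)|\d+\((?P<f2>[A-Za-z_]\w*)\))\s*$"
)

def parse_records(text):
    """Attach the message lines that follow each header line to that header."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "file": m["file"], "func": m["f1"] or m["f2"],
                            "msg": []})
        elif records and line.strip():
            records[-1]["msg"].append(line.strip())
    for rec in records:
        rec["msg"] = " ".join(rec["msg"])
    return records

def summarize(records, max_level=0):
    """Count records logged at debug level <= max_level, per (function, message)."""
    return Counter((r["func"], r["msg"]) for r in records if r["level"] <= max_level)

# Constructed sample: log lines quoted on this page (syslog prefix removed
# from the 3.6.x record).
SAMPLE = """\
[2005/04/06 10:33:01, 1] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(474)
  Could not convert gid 24329 to sid
[2005/04/06 08:33:57, 0] lib/util_sock.c:get_peer_addr(1150)
  getpeername failed. Error was Transport endpoint is not connected
[2005/04/06 08:58:21, 0] lib/util_sock.c:get_peer_addr(1150)
  getpeername failed. Error was Transport endpoint is not connected
[2013/04/30 08:19:36.671683,  0] lib/util.c:1117(smb_panic)
  PANIC (pid 8938): internal error
"""

if __name__ == "__main__":
    for (func, msg), n in summarize(parse_records(SAMPLE), max_level=1).most_common():
        print(f"{n:3d}  {func}: {msg}")
```
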


Re: [Samba] Windows Server 2003 SP 1

2005-04-06 Thread Dimitri Yioulos
On Wednesday 06 April 2005 05:29 pm, Stewart, Eric wrote:
   Samba 3.0.11 with Winbind running on Redhat Enterprise Linux 3,
 compiled with --with-pam (possibly another argument that I can't
 remember at this second).

   I applied it to my DC that is playing the PDC role today and all
 of a sudden Winbind could not enumerate any Active Directory
 information.  Mind you, I'm not joined to the domain using Kerberos/ADS;
 the libs that come with RHEL3 are slightly out of date for Kerberos.
 RPC was working fine, and appears to work when the PDC role is moved to
 a 2003 DC that does not have SP 1 (however, I ran into other issues that
 will be dealt with in later messages - note that this issue does seem to
 rear its ugly head even with 3.0.13, so yes, I did try upgrading
 Samba).
   Now, this isn't so much a cry for help, as, in the long run, I
 plan on upgrading (along with a hardware upgrade) to Redhat Enterprise
 Linux 4, which has more up to date Kerberos libs (as I'm guessing it
 could be a security feature in SP1), so that I can have my Samba
 server more properly a member of the ADS.  But if anyone knows what's
 up, or is willing to ask for more info (I might be able to provide it),
 well, go ahead and ask.

 Eric Stewart - Network Admin, USF Tampa Library - [EMAIL PROTECTED]
 Managing sysadmins is like leading a neighborhood gang of neurotic pumas
on jet-powered hoverbikes with nasty smack habits and opposable
thumbs. - Feen, Benjy: Pumas on Hoverbikes: Sysadmin Management,
http://www.monkeybagel.com/pumas.html


As to your problem, you might want to read this:

http://lists.samba.org/archive/samba-technical/2005-April/040187.html

Dimitri


[Samba] Emergency - please help

2005-04-05 Thread Dimitri Yioulos
Hello to all.

I have 5 CentOS 3.4 (RHEL AS 3) boxes running Samba 3.0.13-1.  They
have been joined to ADS; the PDC is a Win2k3 box.  I've been running
this successfully for a while now.

However, this morning, I added SP1 to the Win2k3 server, and now my
Samba boxes are all messed up (wouldn't ya know).  Where previously I
had files and directories that might have ownership of
HEADQUARTERS\Administrator and group ownership of HEADQUARTERS\Domain
Users (or some other existing user or group on the Windows server),
those have magically been replaced by uid and gid numbers.  When our
users try to access these files or directories, they're prompted for a
uname and password, none of which work.  If I try to change ownership
and group ownership back to where I had them, the systems say that
user and group that I try to use are invalid names.  This despite the
fact that I get correct values when I run wbinfo -u, wbinfo -g,
and getent passwd.

I've got to get us back to square as quickly as possible.  Can anyone
help?

Many thanks.

Dimitri