Re: [Samba] Samba 4 - smbd; can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL error but only for a single domain user (Server 2008 R2 domain, Server 2008 functional level forest).
Hi Triss, can you test this branch? https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac It contains fixes for various pac buffer types. Let us know if it resolves your issues. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [SCM] Samba Shared Repository - branch master updated
Hi David, On 09/29/2011 02:48 PM, David Disseldorp wrote: The branch, master has been updated via 08573c2 s4: add SMB2_FSCTL opcodes via dbcd59f s3-smb2_server: fix ioctl InputOffset checking via 1848295 s3-smb2_server: SMB2_OP_IOCTL doesn't require at least 1 dyn byte via 392fd0d s4-torture: add smb2 ioctl test suite via bd5e975 s4-torture: remove unchecked read from smb2 create from 27195b3 socket_wrapper: correctly handle dup()/dup2() ref counting http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master Congratulations to your first commit (not your first patch of course) ! And welcome on board! Cheers, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org
Re: [SCM] Samba Shared Repository - branch master updated
On 02/28/2011 08:18 PM, Günther Deschner wrote: The branch, master has been updated via 26321c6 s3-torture: fix the build of rpc_open_tcp. from eece80e s3-smbd: Pass tevent context to messaging functions. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 26321c6010dbd461e85111daf358e6c23a0b47b2 Author: Günther Deschnerg...@samba.org Date: Mon Feb 28 20:18:33 2011 +0100 s3-torture: fix the build of rpc_open_tcp. Guenther Argl, this slipped to master w/o going through autobuild, sorry, was not meant to be like that :) Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org
Re: [Samba] winbind and pptpd authentication failure
On Thu, Sep 09, 2010 at 11:12:52PM +1000, Andrew Bartlett wrote: On Thu, 2010-09-09 at 14:33 +0200, John Anderson wrote: On 09/09/10 13:57, Andrew Bartlett wrote: On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote: I have a linux firewall using winbind to authenticate users coming in with PPTP. It all seemed to work OK at first. After a while I noticed that authentication was denied to users who had previously (as in less than a day) authenticated successfully. After a day or so of fighting with this setup, I found that restarting winbindd will allow users to authenticate successfully again. This happens with both the built-in windows PPTP VPN client, and pppd as a client under linux. What happens is: - restart winbind - authenticate a user - close pptp connection - a few minutes (seems like around 10) after a first (or several) successful authentication, I get the following ppp trace on the client side: rcvd [CHAP Challenge id=0x8b8b7f80d136cce1a774e888a0d4e83bbc, name = pptpd] sent [CHAP Response id=0x8b 95c9d3a1061299d9ca4874659c37f172161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900, name = x] rcvd [CHAP Success id=0x8b S=5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted] 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted F8673CADD4286B742EF0C39036393650701D0A60 MS-CHAPv2 mutual authentication failed. CHAP authentication failed sent [LCP TermReq id=0x2 Failed to authenticate ourselves to peer] In other words, the ntlm-auth helper and AD server says OK, but the hashes aren't equal, which causes ppp to say mutual authentication failed. I hacked the ppp sources (chap_ms.c) gently to output the two hashes. I'be been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345] (tried all of them) on a x86_64 gentoo box. Try with the lastest GIT tree. We finally fixed a bug which caused this kind of breakage. (We returned the wrong session key, which is why the server thinks this is OK, but the client isn't impressed). Thanks for your reply. I have to get this onto a box on the other end of a 512kbps line with a bandwidth cap, so I'd prefer not to clone the entire repository. Would the v3-6-stable head have the fix? I would have said that v3-6-test should have it. I don't know about v3-6-stable, sorry. all branches have the fix now, you could also individually apply the fix mentioned in https://bugzilla.samba.org/show_bug.cgi?id=7568. We got reports that this resolves exactly that issue. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpeHSSZl9rPk.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [SCM] Samba Shared Repository - branch master updated
On Thu, Aug 05, 2010 at 09:12:22AM -0500, Andreas Schneider wrote: The branch, master has been updated via 91a8d9b... s3-torture: Improve the winreg deletekey torture comments. via 2a15f70... s3-torture: Correctly cleanup the winreg volatile key test. via 0a8e382... s4-torture: Fixed the winreg EnumValue test against Windows. from ee11bb87.. s3: Remove some direct cli-inbuf references in interpret_long_filename http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 91a8d9bc9bfe557c1095a7262e3a1b28fc3279ab Author: Andreas Schneider a...@samba.org Date: Thu Aug 5 16:05:31 2010 +0200 s3-torture: Improve the winreg deletekey torture comments. commit 2a15f7008c5b49cfa91c8001ad2541c5a6c80f73 Author: Andreas Schneider a...@samba.org Date: Thu Aug 5 15:35:52 2010 +0200 s3-torture: Correctly cleanup the winreg volatile key test. Günther please check! Yes, that is correct. Thanks ! Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpTh8Go2uT5z.pgp Description: PGP signature
Re: [SCM] Samba Shared Repository - branch v3-4-test updated
On Mon, Jul 05, 2010 at 12:36:48AM -0500, Karolin Seeger wrote: The branch, v3-4-test has been updated via 10e34cf... s3-librpc: Fixed GUID_from_data_blob() with length of 32. from 094e864... s3-printing: Fix Bug #7541, %D in printer admin causing smbd crash. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test Hi Andreas, this commit broke the 3.4 build. can you please have a look ? Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgp35zs0uyU8m.pgp Description: PGP signature
Re: [SCM] Samba Shared Repository - branch master updated
Hi Matthieu, On Tue, Jun 22, 2010 at 06:49:47PM +0400, Matthieu Patou wrote: Hi Gunter, On 22/06/2010 18:08, GXXnther Deschner wrote: via 13ede2b... s4-smbtorture: also test keynames with '/' in it in SetPrinterDataEx keyname tests. Does this mean that we will (we are ?) able to create any number of subkey that we want ? Yes we can ! This got fixed very recently. Please test the current master codebase and see if all works now. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpF4kXyNx8ii.pgp Description: PGP signature
Re: [SCM] Samba Shared Repository - branch master updated
On Thu, May 27, 2010 at 05:57:35PM -0500, Günther Deschner wrote: The branch, master has been updated via 606be25... s3:auth Free sampass as soon as we have server_info via d9cffc0... s3:auth use info3 in auth_serversupplied_info via 6713f3d... s3:auth add function to copy a netr_SamInfo3 structure via 605cfef... s3:auth: add function to convert samu to netr_SamInfo3 from 667716d... s4-smbtorture: finally test all levels in rap_NetUserGetInfo RAP-SAM test. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master Hi Simo, arg... and of course I pushed and incomplete and old version of that patchset :/ sorry, sorry, sorry. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpOFoHHGJ7JE.pgp Description: PGP signature
Re: [SCM] Samba Shared Repository - branch master updated
On Tue, May 18, 2010 at 06:42:07PM -0500, Jeremy Allison wrote: The branch, master has been updated via 6a90307... Fix our NTLMSSP implementation against the Microsoft torture tester. from 829c876... Change data_blob() to be based on top of data_blob_talloc(), instead of the reverse (as it is now). http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6a903078cb133a1f46c9d6f24f50d863e31b743c Author: Jeremy Allison j...@samba.org Date: Tue May 18 16:32:13 2010 -0700 Fix our NTLMSSP implementation against the Microsoft torture tester. We need to return a version blob if we negotiate version info. Jeremy. Hi Jeremy, with this change we now announce ntlmssp capabilities just like w2k8r2/win7: Version: struct VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (0x6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (0x1) ProductBuild : 0x1db0 (7600) Reserved : 00 NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (0xF) Is that really what we should do ? (I was just thinking of all the new MsAv types like channel bindings, restrictions, etc.). Can we be sure that we are not raising wrong expectations on the client side ? Cheers, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpcPKgQ8BWHE.pgp Description: PGP signature
Re: [Samba] Problems printing with samba 3.5.2
On Mon, May 10, 2010 at 08:22:46PM +0200, Luca Olivetti wrote: Ok, I finally deployed samba 3.5.2 (upgrading from 3.0.11) on the real server after testing for a while in virtualbox. There's a strange problem with printing: sometimes an application gives an error printing (of course the error message is meaningless, this is windows after all) and/or the job gets lost in transit. After that stopping and restarting the local print spool service solves the problem for a while. This happened on a couple of xp clients but I fear tomorrow I'll see more of those :-( so I'll have the chance to capture more detailed logs. I see these messages in /var/log/messages, don't know if they're related to the problem at hand (I oubt it): Can you please open a bugreport at bugzilla.samba.org and provide as much information as possible about this ? Please also attach a log level 10 logfile and if possible a network trace (http://wiki.samba.org/index.php/Capture_Packets). Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpMXMZO76Wum.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] cupsaddsmb error: cli_pipe_validate_current_pdu: RPC fault code?DCERPC_FAULT_OP_RNG_ERROR received
Hi Richard, On Mon, Mar 22, 2010 at 11:20:48AM +0100, Richard Lamboj wrote: Well i mean: it works with Samba 3.2.14 but _not_ with Samba 3.5.x. can you please file a bug at https://bugzilla.samba.org about this ? Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpgDhWpihyWc.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [SCM] Samba Shared Repository - branch master updated
On Wed, Mar 10, 2010 at 12:54:35PM -0600, Matthias Dieter Wallnöfer wrote: The branch, master has been updated via 5d10676... s4:winreg RPC - fix up the QueryValue call to work against the enhanced torture test via 490c0ce... s4:registry/ldb.c - if name isn't set we should return WERR_INVALID_PARAM from 667e8d8... nsswitch: build libnss_winbind.so with SOVERSION = 2 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5d10676b3b726a75e2dabe5e8624a7b95b97c424 Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de Date: Wed Mar 10 19:49:25 2010 +0100 s4:winreg RPC - fix up the QueryValue call to work against the enhanced torture test Found out by gd's updated torture test. commit 490c0cefeb3fcbba3e8d38ecec23d3b438d58d92 Author: Matthias Dieter Wallnöfer mwallnoe...@yahoo.de Date: Wed Mar 10 09:47:02 2010 +0100 s4:registry/ldb.c - if name isn't set we should return WERR_INVALID_PARAM Matthias, thanks so much for looking after the required s4 winreg fixes! Much appreciated. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgptZpuMl4Wl0.pgp Description: PGP signature
Re: [Samba] Fetching DOMAIN database Failed
On Wed, Nov 25, 2009 at 11:36:35AM +0100, Nobody ist perfect wrote: I am trying to migrate our Windows NT 4 Domain to Samba 3.4.3 and got the error message below when I run the command: net join -S myPDC -I 172.30.1.1 -U administrator%mypasswd worked ok net rpc vampire -S myPDC -U administrator%mypasswd Fetching DOMAIN database Failed to fetch domain database: NT_STATUS_ACCESS_DENIED What I want to accomplish is to remove Windows NT 4.0 server as PDC and make Samba our Primary Domain Controller. Looking at Chapter 9 Migrating NT 4 Domain to Samba 3 on Samba-3 By Example book that it is possible to merge or migrate NT domain to Samba using ldap smbldap-tools Can someone please point me to the right direction. For vampire of a NT4 PDC you need to join as a BDC first (you did join as a member workstation/server). net join BDC -S myPDC -I 172.30.1.1 -U administrator%mypasswd should do the trick. Hope that helps, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpkt9Vozr056.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] domain printer issues
On Tue, Dec 01, 2009 at 12:36:51PM +, Daniel Sheridan wrote: On Mon, 2009-11-30 at 09:14 +1100, Brian May wrote: Daniel Sheridan wrote: FWIW, I have the same problem here with Samba 3.4.2 and Windows XP clients. In fact, one printer driver works via point'n'print, but the others do not, so for now I've set all printers to use that one driver (the PPDs are similar enough that it's not a problem). Ok, so maybe it was the upgrade from 3.2.5 to 3.4.2 (required for Windows 7) that broke things. The first few days seemed fine, so I thought it was OK, but maybe that is because nobody reported problems... I'm currently blaming 3.4.x. Downgrading to 3.3.2 (the most recent 3.3 easily available as an Ubuntu package) makes the driver installation work perfectly. Upgrading to 3.4.x breaks it again. Clean /var/lib/samba and /var/cache/samba each time. This is unfortunately a known issue and we are actively working on resolving this; if you have a chance to test, the 3-4-test git branch should have the necessary fixes (unless you are running sparc). For Samba 3.4.4 these issues will be resolved. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpCrGkbLzGcy.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [SCM] Samba Shared Repository - branch v3-5-test updated - tevent-0-9-8-913-g7a98fde
On Thu, Oct 01, 2009 at 12:36:10PM -0500, Jeremy Allison wrote: The branch, v3-5-test has been updated via 7a98fdebe454ec55e93868ca319615bf442b2ff8 (commit) via f1b5d5dcab5d8249ae8dc6d26cf9e9e163b95a8d (commit) via 11f56f48433951046a79683eda08ab8a4246d487 (commit) via ca90b480da3f5d813186d3b7be22a5a0ae1057f6 (commit) via 1a0db7a957682782bd915526c69c0779e7b8335f (commit) via d2fd44b357f1e4aa11391b6c9f2602d90eb6d6ec (commit) via 62a7ea41ec40dd23ea4e70d2c3c507b37978c4f0 (commit) from 87b31c0266360f311ae6207b9ec5bce9d8e01be7 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log - commit 7a98fdebe454ec55e93868ca319615bf442b2ff8 Author: Günther Deschner g...@samba.org Date: Thu Oct 1 10:21:17 2009 +0200 s3-perfcount: more cleanup. Guenther commit f1b5d5dcab5d8249ae8dc6d26cf9e9e163b95a8d Author: Günther Deschner g...@samba.org Date: Thu Oct 1 03:39:07 2009 +0200 s3-perfcount: only pass down prs_struct when really required. Guenther commit 11f56f48433951046a79683eda08ab8a4246d487 Author: Günther Deschner g...@samba.org Date: Thu Oct 1 02:09:33 2009 +0200 s3: add perfcount idl and generated files. Guenther commit ca90b480da3f5d813186d3b7be22a5a0ae1057f6 Author: Günther Deschner g...@samba.org Date: Thu Oct 1 01:30:45 2009 +0200 s3-registry: move rpccli_winreg_Connect to the only file it belongs. Guenther commit 1a0db7a957682782bd915526c69c0779e7b8335f Author: Günther Deschner g...@samba.org Date: Wed Sep 30 20:01:54 2009 +0200 s3: remove unused rpcstr_pull and rpcstr_pull_talloc. Guenther commit d2fd44b357f1e4aa11391b6c9f2602d90eb6d6ec Author: Günther Deschner g...@samba.org Date: Wed Sep 30 20:01:35 2009 +0200 s3-printing: more use of pull_reg_sz(). Guenther commit 62a7ea41ec40dd23ea4e70d2c3c507b37978c4f0 Author: Günther Deschner g...@samba.org Date: Wed Sep 30 20:00:52 2009 +0200 s3-registry: use pull_reg_sz() where appropriate. (and move away from rpcstr_pull and rpcstr_pull_talloc). Guenther Hi Jeremy, sorry for not doing that myself earlier (busy with other stuff atm.). Be assured that I would not have forgotten it :-) I run my pick-my-stuff-from-master-into-3-5 script frequently so that should have catched those soon. Thanks for looking at this! Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgplV1oQbWvTq.pgp Description: PGP signature
Re: [Samba] 75 second (5 x 15) between login request and response
On Tue, Sep 22, 2009 at 08:33:46PM +0200, Laurens Blankers wrote: Hello all, It takes about 75 seconds before Samba answers a login request from a WinXP SP3 client. After the delay the client connects successfully and can browse the share. The delay seems to be made up off 5 separate delays of 15 seconds each judging by the debug logs. The delay seems to be caused by a configuration issue with the LDAP password backend, but I can't figure out what the problem(s) is/are. I have attached the log file of a WinXP client (named Mu) trying to connect to the Samba server (version 3.3.4, running on Debian, called Theta) using the user Laurens. No logs attached, sorry :-) Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpPwYKnq5w9J.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba slave with winbind fails to communicate with the PDC
On Mon, Sep 21, 2009 at 04:35:04PM -0300, Joel Franco Guzmán wrote: Hi all, After the net rpc join successfuly established to the Samba PDC (net rpc testjoin ok), the following commands fail: # wbinfo -u Error looking up domain users # wbinfo -g Error looking up domain groups #wbinfo -t checking the trust secret via RPC calls failed Could not check secret # net rpc testjoin Join to 'RSP' is OK It appears that, still under valid relationship with the PDC Samba server, the winbind does not get the list from the PDC. What Samba version are you using ? On the client and on the PDC. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpzwLWzNHbep.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Mystery Samba (3.4.1) and Win7
Hi Martin, On Wed, Sep 16, 2009 at 01:37:33PM +0200, Martin Hochreiter wrote: Hi! I read many threads and tried many solutions but I can't get Win7 (RTM, 64 bit) and Samba 3.4.1 to work together. I am still failing with the trusteeship problem during the first logon after domain join. Is there a working solution? Have you tried following the steps on http://wiki.samba.org/index.php/Windows7 ? 3.4.1 is really known to work as long as you do not start to modify your netlogon registry settings. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpiAaUTmVmTQ.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Domain Member Server connecting to Samba PDC
On Fri, Sep 11, 2009 at 06:40:02AM -0600, Anthony Powell wrote: There had been some bugs in 3.3.2 preventing that unfortunately. We are currently preparing an update to 3.4.1 for F11. Could you please give https://admin.fedoraproject.org/updates/F11/FEDORA-2009-9443 a try (and leave positive feedback if it works for you) ? This worked for me. Great, thanks for the feedback. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpZ6LiZQJBMr.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Domain Member Server connecting to Samba PDC
On Thu, Sep 10, 2009 at 04:13:55PM -0600, Anthony Powell wrote: Hello: I'm trying to set up a small domain on my home network. The goal is to have a domain member server connect to my samba PDC using winbind for authentication against a tdbsam database. I've tried reading the official howto, and a few help sites, but I'm still having difficulty accomplishing my goal. I'm using Samba 3.3.2 on Fedora 11 for both computers. There had been some bugs in 3.3.2 preventing that unfortunately. We are currently preparing an update to 3.4.1 for F11. Could you please give https://admin.fedoraproject.org/updates/F11/FEDORA-2009-9443 a try (and leave positive feedback if it works for you) ? Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpRYz1Xg1ape.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] unable to join w2k3 SP1 to samba 3 domain.
Emil, could you please open a bug about this on bugzilla.samba.org and include your C:\windows\debug\netsetup.log file ? I would like to reproduce that and see what is going wrong. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpxghdXi45r7.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net user add . is there any way to specify destination ou ?
On Wed, Jul 08, 2009 at 03:14:35PM -0400, Michael Joyner ᏩᏯ wrote: net user add . is there any way to specify destination OU when security=ads ? You can define the container where to create users (and groups) with --container=ou=mycontainer. The base dn of your domain will be appended automatically. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpTCNDebKzJD.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads join - strong(er) authentication required
On Wed, Jul 01, 2009 at 12:03:28PM +0200, christoph.be...@desy.de wrote: Hi, my windows folks migrated to AD 2008 R2, resulting in the following error message when trying to join the domain: [HOST] /etc $ /opt/csw/bin/net ads join -U USER Enter USER's password: [2009/07/01 11:51:28, 0] libads/sasl.c:ads_sasl_spnego_bind(819) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required Failed to join domain: failed to connect to AD: Strong(er) authentication required Any hints ? You might need to set client ldap sasl wrapping in order to make this work. See the manpage for possible settings. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org pgpEWrqEyjqSv.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problems starting Server 2008 x64 after added to samba domain
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert Ludvik wrote: Robert Ludvik pravi: Guenther Deschner pravi: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert Ludvik wrote: Hi I have a problem with Windows Server Ent (and Std) 2008 x64 running on IBM Blade Center. I can add it to the Samba domain but when I restart it, it comes to Applying computer settings... and if I connect with rdesktop I can see a screen saying Please wait for the group policy client and after some minutes it restarts. I can boot it in Safe mode, remove from domain and it will start with no problem. I have no issues with Server 2008 Ent 32 bit running on PC. Any ideas where can I look for help? I installed all updates and SP2 ... What version of Samba is this ? Guenther Sorry, Samba 3.3.3 on CentOS 5 and fedora DS 1.0.4. Right, in that version there was a bug in Samba that caused windows to reboot, fixed with Samba 3.3.4. Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkolmGEACgkQSOk3aI7hFojalACeJqrRtNek1iaocQ8DpawRa5Qb QjUAn2y8rb1RWaRLcd9bgwf4+AvzUfpe =zO2R -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problems starting Server 2008 x64 after added to samba domain
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert Ludvik wrote: Hi I have a problem with Windows Server Ent (and Std) 2008 x64 running on IBM Blade Center. I can add it to the Samba domain but when I restart it, it comes to Applying computer settings... and if I connect with rdesktop I can see a screen saying Please wait for the group policy client and after some minutes it restarts. I can boot it in Safe mode, remove from domain and it will start with no problem. I have no issues with Server 2008 Ent 32 bit running on PC. Any ideas where can I look for help? I installed all updates and SP2 ... What version of Samba is this ? Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkohnHcACgkQSOk3aI7hFoh5LwCgloei6XiMcrxrOioOcxgfxnJT ggoAnRs+sKCPOFJGQ6WAftdiSYOZVl9+ =/eXD -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] 3.3.4 2008 Domain Join Error
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alex Green wrote: Hi, Just trying to get a SLES10 machine running 3.3.4 to join a 2008 domain and getting this any ideas?? Running: net -d 3 -U admu...@dom.realm.co.com ads join createcomputer=REG/CN/OU/Services/ Error: [2009/05/15 13:42:13, 3] libads/sasl.c:ads_sasl_spnego_bind(780) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 [2009/05/15 13:42:13, 3] libads/sasl.c:ads_sasl_spnego_bind(789) ads_sasl_spnego_bind: got server principal name = not_defined_in_rfc4...@please_ignore [2009/05/15 13:42:13, 3] libsmb/clikrb5.c:ads_krb5_mk_req(677) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found) [2009/05/15 13:42:13, 0] libads/kerberos.c:ads_kinit_password(362) kerberos_kinit_password admu...@dom.realm.co.com@DOM.REALM.CO.COM failed: Malformed representation of principal [2009/05/15 13:42:13, 1] libnet/libnet_join.c:libnet_Join(1902) libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx account_name : NULL netbios_domain_name : 'DOM' dns_domain_name : 'DOM.REALM.CO.COM' forest_name : 'realm.co.com' dn : NULL domain_sid : * domain_sid : S-1-5-21-1219397942-1773535701-801310046 modified_config : 0x00 (0) error_string : 'failed to connect to AD: Malformed representation of principal' domain_is_ad : 0x01 (1) result : WERR_DEFAULT_JOIN_REQUIRED Failed to join domain: failed to connect to AD: Malformed representation of principal [2009/05/15 13:42:13, 2] utils/net.c:main(770) Can you please file a bug at bugzilla.samba.org for this ? Thanks Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkoNeX4ACgkQSOk3aI7hFohAvwCeMB4ZokNM+Fc6td+xHNkPPJPj zyMAmwYTMbknnkSDZcLIGiEU53+xEmDU =K5nF -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba with AD/winbind - recurring message
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Adam Cohen wrote: I upgraded to 3.3.4 today (thanks to SerNet.DE for providing RHEL RPMs) but still see the message. Does LDAP signing need to be enabled? Just set client ldap sasl wrapping to seal in smb.conf. Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkn4wRQACgkQSOk3aI7hFog59ACggR/ryImcPERMri/NxNhjL8NT bBQAn1LP5dkZvWXV/iro/17iuMe83G/L =3exQ -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Re: [Release Planning 3.4] 3.4.0pre1 will be delayed
Remy Zandwijk wrote: Jeremy Allison wrote: On Wed, Apr 15, 2009 at 12:41:20PM +0200, Karolin Seeger wrote: Hey folks, the release of Samba 3.4.0pre1 will be delayed until April 30, 2009 due to the samr access check bugs and bug #6263 (Domain login problems in Windows XP without SP3). @Developers: There is still some space left to place your changes in the release notes. Karolin, Guenther has fixed #6263 and I am waiting on confirmation on my checked in fixes for the samr access check bugs. Just FYI. Thanks for pointing out the problems for us. Please let us know if there are any other show-stoppers you need us to work on asap. Great news. Any change a patch will be made available to apply to 3.2.10? You can just pick the fix for Bug 6263 from the Bugzilla entry: https://bugzilla.samba.org/attachment.cgi?id=4070action=view Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-835-g09265bc
Günther Deschner wrote: The branch, master has been updated via 09265bcff5a2fac42f5abf34b8b439aa0a6998a1 (commit) from 621d40332aad9d99b14c45155308a394c31b98b5 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 09265bcff5a2fac42f5abf34b8b439aa0a6998a1 Author: Günther Deschner g...@samba.org Date: Fri Apr 3 09:57:53 2009 +0200 s3-nsswitch: Fix Bug #6238. Make sure logoff is bla bla. Arg! That should read: Make sure wbcLogoffUserParams are properly initialized before freed. Need more coffee... -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org
Re: [Samba] vampire support for windows 2000+ domains?
Charles Marcus wrote: Is this ever going to happen? Or am I waiting in vain? Can you please file a bug report on this and assign to me? I have a git branch for vampire a w2k+ domain into passdb (almost finished). Having a bugid would be good reminder to finally finish it for the next samba version. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-63-gc5e062e
Michael Adam wrote: The branch, master has been updated via c5e062ed74ec7e13e03ed24e9e4d2ced5351f141 (commit) from 3a1f24f286d4dba836b750122f571f831a794e4a (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c5e062ed74ec7e13e03ed24e9e4d2ced5351f141 Author: Michael Adam ob...@samba.org Date: Thu Feb 26 14:34:38 2009 +0100 s3: fix the build JOB_STATUS_BLOCKED - JOB_STATUS_BLOCKED_DEVQ Günther, please check... Michael Arg! Yes, thanks Michael. Today is not my day :( Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org
Re: [Samba] Failed to join domain: failed to set machine spn: Constraint violation
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alex Green wrote: Anyone? any ideas? Can you open a bug on this and upload a network trace as well ? Thanks, Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat gdesch...@redhat.com Samba Team g...@samba.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAklCO+cACgkQSOk3aI7hFoiTLgCeJkjEOkx13ob9j7glt663YmJp Pr0An2flu3aPZvFeFlfjdDtYQpaFrPHm =Iz61 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: join fails samba 3.2 ADS 2003R2 SP2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Roland Hebertinger wrote: Marc-Andre Vallee Marc-Andre.Vallee at complys.com writes: Hi, SLES10 SP2 x86_64 + Samba from repo (samba-3.2.4-8.1) When I try to join (net ads join -U Administrator), I get : Failed to join domain: failed to set machine spn: Can't contact LDAP server Any news on this one? I have the same problem with a slightly different setup. I'm using a Samba 3.2.4 running on SLES 10 SP2 and try to join an AD running on a Windows 2008. Here's my output: # net ads join -U Administrator -d 3 [2008/11/03 19:35:42, 3] param/loadparm.c:lp_load_ex(8754) lp_load_ex: refreshing parameters [2008/11/03 19:35:42, 3] param/loadparm.c:init_globals(4597) Initialising global parameters [2008/11/03 19:35:42, 3] param/params.c:pm_process(569) params.c:pm_process() - Processing configuration file /etc/samba/smb.conf [2008/11/03 19:35:42, 3] param/loadparm.c:do_section(7417) Processing section [global] [2008/11/03 19:35:42, 2] lib/interface.c:add_interface(337) added interface eth0 ip=fe80::214:5eff:fed8:9816%eth0 bcast=fe80:::::%eth0 netmask=::::: [2008/11/03 19:35:42, 2] lib/interface.c:add_interface(337) added interface eth1 ip=fe80::214:5eff:fed8:9818%eth1 bcast=fe80:::::%eth1 netmask=::::: [2008/11/03 19:35:42, 2] lib/interface.c:add_interface(337) added interface eth0 ip=192.168.1.28 bcast=192.168.1.255 netmask=255.255.255.0 [2008/11/03 19:35:42, 2] lib/interface.c:add_interface(337) added interface eth0 ip=192.168.1.144 bcast=192.168.1.255 netmask=255.255.255.0 [2008/11/03 19:35:42, 2] lib/interface.c:add_interface(337) added interface eth0 ip=192.168.1.145 bcast=192.168.1.255 netmask=255.255.255.0 [2008/11/03 19:35:42, 2] lib/interface.c:add_interface(337) added interface eth0 ip=192.168.1.195 bcast=192.168.1.255 netmask=255.255.255.0 [2008/11/03 19:35:42, 2] lib/interface.c:add_interface(337) added interface eth1 ip=10.168.1.195 bcast=10.168.1.255 netmask=255.255.255.0 Enter Administrator's password: [2008/11/03 19:35:46, 1] libnet/libnet_join.c:libnet_Join(1770) libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx in: struct libnet_JoinCtx dc_name : NULL machine_name : 'SR-HOME-1' domain_name : * domain_name : 'VERLAG.VN.IDOWA.DE' account_ou : NULL admin_account: 'Administrator' admin_password : * machine_password : NULL join_flags : 0x0023 (35) 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT 0: WKSSVC_JOIN_FLAGS_DEFER_SPN 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE os_version : NULL os_name : NULL create_upn : 0x00 (0) upn : NULL modify_config: 0x00 (0) ads : NULL debug: 0x01 (1) secure_channel_type : SEC_CHAN_WKSTA (2) [2008/11/03 19:35:46, 3] libsmb/cliconnect.c:cli_start_connection(1632) Connecting to host=sr-dc-1.verlag.vn.idowa.de [2008/11/03 19:35:46, 3] libsmb/namequery.c:resolve_lmhosts(1162) resolve_lmhosts: Attempting lmhosts lookup for name sr-dc-1.verlag.vn.idowa.de0x20 [2008/11/03 19:35:46, 3] libsmb/namequery.c:resolve_wins(1026) resolve_wins: Attempting wins lookup for name sr-dc-1.verlag.vn.idowa.de0x20 [2008/11/03 19:35:46, 3] libsmb/namequery.c:resolve_wins(1030) resolve_wins: WINS server resolution selected and no WINS servers listed. [2008/11/03 19:35:46, 3] libsmb/namequery.c:resolve_hosts(1244) resolve_hosts: Attempting host lookup for name sr-dc-1.verlag.vn.idowa.de0x20 [2008/11/03 19:35:46, 3] lib/util_sock.c:open_socket_out(1331) Connecting to 192.168.1.82 at port 445 [2008/11/03 19:35:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(804) Doing spnego session setup (blob length=124) [2008/11/03 19:35:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(831) got OID=1 2 840 48018 1 2 2 [2008/11/03 19:35:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(831) got OID=1 2 840 113554 1 2 2 [2008/11/03 19:35:46, 3] libsmb/cliconnect.c:cli_session_setup_spnego(831)
Re: [Samba] samba accounts management API
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Русаков Денис wrote: Hello, all I'd like to create, remove, change samba accounts, groups etc. from my own C program. How can I do this, without using samba tools, but some samba API (headers and shared objects). Does samba provide some API (headers and shared objects) for accounts creating etc.? Thank you Starting with Samba 3.2 we added a new shared library called libnetapi. This library is designed very closely to the Windows NetApi equivalent, and provides functions for all these tasks you are looking for. For the upcoming Samba 3.3 release, this library provides around 50 calls and includes example code for at least all account management functions. You may want to have a look at: NetUserAdd, NetUserDel, NetUserSetInfo, and the the NetGroup* functions. The header file is located under: $SRC/lib/netapi/netapi.h Example code can found under: $SRC/lib/netapi/examples Let us know where we can help further. Hope this helps, Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjrKKkACgkQSOk3aI7hFojZNgCeLrPgVUfGQE/pzHgFpksAKzes B54An0NQzodllYBnVnSMV8Ww5Jw1aLPj =85Zy -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3.0.28a integration with 2003 AD and password lockout policy?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Braebaum, Neil wrote: | I'm encountering some oddness using Samba 3.0.28a, MIT kerberos (1.6.3) | for user authentication on Linux, to 2003 Active Directory. | | The password policy dictated by AD should lock accounts after 6 | incorrect login attempts within a 30 minute period. However, it seems to | halve that when logging in to these Linux boxes via ssh - so after 3 | incorrect login attempts, the AD account gets locked. | | Looking in log.wb-Domain Name seems to show double attempts / | authentication failures when submitting the login with an incorrect | password (to test this). | | I have noted password level in smb.conf (it's not set in my smb.conf), | but as I'm using encrypt passwords = yes, I thought it was irrelevant. | | It would appear that two submissions are being made, though, is that a | Samba version thing, something I may have not got spot on with my pam | configuration, or an issue with the Samba version? This area of code hasn't been reworked a lot since then, so, can you please file a bug and upload your correct log.wb-* files ? Thanks, Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkijDEgACgkQSOk3aI7hFoi4CwCfd73W9y0elpD0+R96n/b9HbTH lt8AnRtwoFSES/m7uvIrZfgywlCWwg8e =oGtJ -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Vista SP1-rc1 appears to break against Samba-3.0.27a
Hi, krisani p wrote: Hello, Is the Vista compatibilty issue resolved? Is there any change in PAC structure sent by Vista? Would appreciate any information on this. Yes, this has been resolved in the latest 3.0 and 3.2 releases. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Error building Samba 3.2.0 with gcc 2.96
Thorkil Olesen wrote: I have tried to build Samba 3.2 with an old compiler gcc 2.96. It gave only one single error: groupdb/mapping_tdb.c: In function `add_mapping_entry': groupdb/mapping_tdb.c:130: incompatible types in return The offending line says: return NULL; in a function of type 'bool'. Is this a bug, or am I using a far too old compiler? It's a bug, fixed already in git. Thanks! Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] simple command to check domain membership
Mikael Kermorgant wrote: Hello, I'm planning to automate domain joining with samba+winbind for a classroom. Using cfengine, I'll have to trigger domain joining by checking current status via a shell command. An example : has_hostname = ( '/bin/test -f /etc/hostname' ) What would be a simple and safe test to check whether or not the machine has already been joined to the domain ? net ads testjoin or net rpc testjoin should do it. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't join AD anymore after migration to 3.0.30
Jens Nissen wrote:
I doff my hat, indeed, my SBS200 is running SP1.
(Microsoft never provided updates for SBS2000 beyond SP1,
there were individual updates for Windows, Exchange, SQL, IIE ... but
they were partially incompatible with SBS2000, so there might be more
machines out there!!)
I updated to SP4, now I get the next error:
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
Is it possible, that this is already a known issue in Samba 3.2.0 and
needs to be back-ported to Samba 3.0.30?
See
http://lists-archives.org/samba/34051-net-ads-join-fails-with-nt_status_nologon_workstation_trust_account.html
Yeah, it's a known issue.
Can you please try attached patch?
Thanks,
Guenther
--
Günther DeschnerGPG-ID: 8EE11688
Red Hat [EMAIL PROTECTED]
Samba Team [EMAIL PROTECTED]
From 97a81114e608927af3b94cd1c561e7f8359907d2 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?G=C3=BCnther=20Deschner?= [EMAIL PROTECTED]
Date: Thu, 5 Jun 2008 16:26:10 +0200
Subject: [PATCH] net: fix joining w2k domains in security = ads.
This repairs the join verification code which needs to try an anonymous
connection (as an authenticated connection will always fail with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT).
Guenther
---
source/utils/net.c | 61 --
source/utils/net_rpc_join.c |6 +---
2 files changed, 36 insertions(+), 31 deletions(-)
diff --git a/source/utils/net.c b/source/utils/net.c
index 5a81edb..d8ea462 100644
--- a/source/utils/net.c
+++ b/source/utils/net.c
@@ -181,27 +181,30 @@ NTSTATUS connect_to_service(struct cli_state **c, struct
in_addr *server_ip,
opt_user_name, opt_workgroup,
opt_password, 0, Undefined, NULL);
- if (NT_STATUS_IS_OK(nt_status)) {
+ if (NT_STATUS_IS_OK(nt_status) ||
+ NT_STATUS_EQUAL(nt_status,
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)
||
+ NT_STATUS_EQUAL(nt_status,
NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
return nt_status;
- } else {
- d_fprintf(stderr, Could not connect to server %s\n,
server_name);
+ }
- /* Display a nicer message depending on the result */
+ d_fprintf(stderr, Could not connect to server %s\n, server_name);
- if (NT_STATUS_V(nt_status) ==
- NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
- d_fprintf(stderr, The username or password was not
correct.\n);
+ /* Display a nicer message depending on the result */
- if (NT_STATUS_V(nt_status) ==
- NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
- d_fprintf(stderr, The account was locked out.\n);
+ if (NT_STATUS_V(nt_status) ==
+ NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
+ d_fprintf(stderr, The username or password was not
correct.\n);
- if (NT_STATUS_V(nt_status) ==
- NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
- d_fprintf(stderr, The account was disabled.\n);
+ if (NT_STATUS_V(nt_status) ==
+ NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
+ d_fprintf(stderr, The account was locked out.\n);
- return nt_status;
- }
+ if (NT_STATUS_V(nt_status) ==
+ NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
+ d_fprintf(stderr, The account was disabled.\n);
+
+ return nt_status;
}
@@ -481,7 +484,7 @@ struct cli_state *net_make_ipc_connection_ex( const char
*domain, const char *se
char *server_name = NULL;
struct in_addr server_ip;
struct cli_state *cli = NULL;
- NTSTATUS nt_status;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
if ( !server || !ip ) {
if (!net_find_server(domain, flags, server_ip, server_name)) {
@@ -493,25 +496,31 @@ struct cli_state *net_make_ipc_connection_ex( const char
*domain, const char *se
server_ip = *ip;
}
+ if (opt_user_name opt_password) {
+ nt_status = connect_to_ipc(cli, server_ip, server_name);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ goto connected;
+ }
+ }
if (flags NET_FLAGS_ANONYMOUS) {
nt_status = connect_to_ipc_anonymous(cli, server_ip,
server_name);
- } else {
- nt_status = connect_to_ipc(cli, server_ip, server_name);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ goto connected;
+ }
}
+ SAFE_FREE(server_name);
+ d_fprintf(stderr, Connection failed: %s\n,
+ nt_errstr(nt_status));
+ return NULL;
+
+ connected:
/* store the server in the affinity
Re: [Samba] unable to join a NT4 Domain since 3.0.28a
Shane T. Drinkwater wrote: Hello, My name is Shane Drinkwater. If I use Samba 3.0.29/3.0.30 I cannot join to my NT4 Domain. When running the net command to join I get the following error. [EMAIL PROTECTED] bin]# ./net rpc join -Scsqdomainbackup -UAdministrator Password: [2008/06/05 16:40:35, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(371) Error in domain join verification (credential setup failed): NT_STATUS_ACCESS_DENIED This is fixed in the upstream git tree and will be part of the next samba release (out soon). Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't join AD anymore after migration to 3.0.30
Jens Nissen wrote: After migrating from 3.0.26a to 3.0.30 I cannot join my AD member server to the domain anymore: I get a DCERPC_FAULT_INVALID_TAG. As I didn't change my Windows 2000 SBS Server, this looks like a new feature in Samba 3.0.30. You're probably not running the latest SP on the SBS server. I could only reproduce your problem with Windows 2000 GA version (no SPs installed at all). We'll add fallback code for the next release, but you should really consider upgrading to the lastest SP. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't join AD anymore after migration to 3.0.30
Guenther Deschner wrote: Jens Nissen wrote: After migrating from 3.0.26a to 3.0.30 I cannot join my AD member server to the domain anymore: I get a DCERPC_FAULT_INVALID_TAG. As I didn't change my Windows 2000 SBS Server, this looks like a new feature in Samba 3.0.30. You're probably not running the latest SP on the SBS server. I could only reproduce your problem with Windows 2000 GA version (no SPs installed at all). We'll add fallback code for the next release, but you should really consider upgrading to the lastest SP. Ok, In v3-0-test I added code that should resolve your issue. Will be in the next 3.0 release (out really soon). Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Must Change Password at Next Login does not work
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mike Brady wrote: When setting the User Must Change Password at Next Login flag via usrmgr the user is not prompted to change their password. The various Password fields in password backend (tdb) as viewed using pdbedit are all set to zero, so it is doing something. Setting this using net sam pwdmustchangenow works correctly (i.e. the users is prompted to change their password). It also sets all the password fields to zero, but I guess it must be doing something else as well. System is Centos 5.1 x86_64. Samba is a GIT snapshot from 26 Apr 2008. Ok, which git branch ? v3-2-test or v3-0-test ? Debug log level 3 and conf files are attached. The logfile did not make it to the list. If this is a bug let me know and I will log it. Yes, please open a bug for this and attach a log level 10 logfile. Thanks, Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFIID30SOk3aI7hFogRAvuyAJ40i/7bJ9NKbhAnfFRQeHyQx0fxYACfXAec as4weg0ALSnlEupY9VPuKUY= =hh2R -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Error join Samba: error setting trust account password
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Fernando Xavier wrote: Hello! I'm trying join client in samba server. But, get this error: [2008/04/12 12:18:53, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(304) error setting trust account password: NT code 0x1c010002 Unable to join domain PDCSERVER. What Samba versions are client and server running ? - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFIARXSSOk3aI7hFogRAj5lAJwMXYKGYOsL15M7ARUpVwBh2RAgEQCePc2z +aV/M9HcFjrtu/6uH4vRaIg= =a832 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] 3.0.28a+ 2008 server join with security=domain
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Feroz, feroz ahmed wrote: Hi, Can some one help me out in joining samba 3.0.28a to 2008 server domain with security= domain. When i try to execute ./net rpc join -U administrator%password I'm getting the following error. Error in domain join verification (credential setup failed): NT code 0xc388 Do you have a chance to try the 3-0-test git tree? Joining w2k8 in security=domain should be fixed there right now. Can you please verify it works for you there ? Thanks, Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFH9d95SOk3aI7hFogRAhgtAJ47/ePoA+smX4ebntQKyApLgzMfOACePg4Y rFYojk7jKXZ5mH5HLJsScos= =78GF -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Urgent... winbind and keytab file creation
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Oliver Weinmann wrote: Hi, I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now i need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is i have set the parameter in smb.conf: use kerberos keytabe = true and as mentioned in man smb.conf i have set in krb5.conf default_keytab_name = FILE:/etc/krb5/krb5.keytab after a net join ads the krb5.keytab file is not created? do i have to create it myself? Is this not really implemented? What am I doing wrong? Have you tried net ads keytab create ? Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFH81Q/SOk3aI7hFogRAo9oAJ9olnYtnTFteNgF6jVpK/xdh9be8gCeNHVP WjEvra9U//Tj25Y8hFjnDwg= =peli -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-234-g737e470
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Michael Adam wrote: The branch, v3-2-test has been updated via 737e470e02d1233fda51e903f27955e45427e95a (commit) via 8b2cc36ffcb3bccb760ec7cb0a22558eab56070d (commit) via a39807044879ad9df7614e010db6ea16b51000a0 (commit) via ce943aeb581027daf813528481b44177d391b61d (commit) via b942ff6b7f0be4898e05525558b354533dea312b (commit) via 32bfd131e33d06be9dfaef02b57f5401d2bc7639 (commit) via 05eda1252572f310499b28123d0f9e4211b7d54c (commit) via 0a619d4dc476c945130fe47126d98cd47b39c34d (commit) via 288495ec1a9b0c37bb3f98043f8f8dd946072bac (commit) via 4ac52a5a1dfe8f4f22e960db2e4ca99f9e262427 (commit) from 1de05f1a87fcea598021ca485d3ed87005a3be68 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log - commit 737e470e02d1233fda51e903f27955e45427e95a Author: Michael Adam [EMAIL PROTECTED] Date: Wed Mar 12 02:12:11 2008 +0100 init_srv_share_info_ctr: fix counting of services. The number of services was recorded too early leading to registry shares not showing up in browse lists. Guenther - please check. Yep, looks good. Thanks! Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFH2BORSOk3aI7hFogRAt6uAJ9whtS+ET8tqpPWeB7OeJrmGMISNQCeN0wF ResVYMoYQ4hWSZX8O94m6r4= =4PHp -END PGP SIGNATURE-
Re: [Samba] UserPrincipalName with samba/winbind 3.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED] wrote: Hi, I'm currently trying the 3.2 version of winbindd (pam + nss + winbindd). I would like to loging with the userPrincipalName on à Win 2k3 but I can't. Winbindd retrun NT_STATUS_INVALID_PARAMETER_MIX (PAM: 4) Any idea This should be fixed in git now. Thanks for reporting. Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHx+vCSOk3aI7hFogRAl6pAJ9H3ykvm02FiHjshwHhr1HA7Mc/dACfS31D koFq3UsRPyfZ7OEnS6VcIkQ= =aeV9 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-1325-gaed01fd
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Michael, Michael Adam wrote: commit e2b34e9c028d712c7c8b22aade2c11d347ae176d Author: Michael Adam [EMAIL PROTECTED] Date: Sun Jan 13 22:49:42 2008 +0100 Remove auto-generation of missing share from libnet_conf_set_parameter(). Günther, I wanted to have this as atomic as possible. I will add this behaviour to libnet_conf_set_global_parameter() next with the justification that [global] should exist transparently. Sure, that is just fine. libnet_conf looks really very good now, IMHO. Thanks! Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHi0H7SOk3aI7hFogRAm3OAJ0TJaoh6Zp6e/7WeV5MAQyGWmN8uACglbFO 7TwWcCTCXjBjddjDoCa2F54= =w6Tx -END PGP SIGNATURE-
Re: [SCM] Samba Shared Repository - branch v3-2-test updated
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Can we also have more uniqueness in the subject line? It looks funny to have all commits as part of one huge thread. Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHDy9CSOk3aI7hFogRAi2jAJ90a2jHUeuVCG7rQvBSo8eIxGx/twCeJZO8 UjMoMiNuCRN3mvcPyWx2u8o= =/NiA -END PGP SIGNATURE-
Re: [SCM] Samba Shared Repository - branch v3-2-test updated
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Gerald (Jerry) Carter wrote: Guenther Deschner wrote: Can we also have more uniqueness in the subject line? It looks funny to have all commits as part of one huge thread. We did but didn't you ask to have the initial-v3-2-test-#-$HASH part removed? I'll add it back in for now. No, that wasn't me. Thanks for re-adding. Now have a good day with your family! Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHD3POSOk3aI7hFogRAqX4AJwOxpTRwVNEo2J2lP4/CWR8cF1X1wCgm75j pPvyhqT71DZHpZfynVz3FTU= =XP7J -END PGP SIGNATURE-
[SCM] Samba Shared Repository branch, v3-2-test, updated. initial-v3-2-unstable-17-gfbe5ede
The branch, v3-2-test has been updated
via fbe5edec375c99421d19af086c4f597e70c963b8 (commit)
via 6ae4066bbb59536852036394ffdb89121198a39f (commit)
from 1bf4c7fb2012a81e0b4e3d601a4df42d1113f5ef (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -
commit fbe5edec375c99421d19af086c4f597e70c963b8
Merge: 6ae4066bbb59536852036394ffdb89121198a39f
1bf4c7fb2012a81e0b4e3d601a4df42d1113f5ef
Author: Guenther Deschner [EMAIL PROTECTED]
Date: Thu Oct 11 15:18:50 2007 +0200
Merge commit 'origin/v3-2-test' into my_branch
commit 6ae4066bbb59536852036394ffdb89121198a39f
Author: Guenther Deschner [EMAIL PROTECTED]
Date: Thu Oct 11 15:12:12 2007 +0200
Rename krb5 locator plugin to winbind_krb5_locator.
Guenther
---
Summary of changes:
source/Makefile.in | 10 +-
source/configure.in|6 +++---
.../{smb_krb5_locator.c = winbind_krb5_locator.c} |0
3 files changed, 8 insertions(+), 8 deletions(-)
rename source/nsswitch/{smb_krb5_locator.c = winbind_krb5_locator.c} (100%)
Changeset truncated at 500 lines:
diff --git a/source/Makefile.in b/source/Makefile.in
index 320c9bc..50ad4d6 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -917,8 +917,8 @@ LDBADD_OBJ = $(LDB_CMDLINE_OBJ) lib/ldb/tools/ldbadd.o
LDBDEL_OBJ = $(LDB_CMDLINE_OBJ) lib/ldb/tools/ldbdel.o
LDBMODIFY_OBJ = $(LDB_CMDLINE_OBJ) lib/ldb/tools/ldbmodify.o
-SMB_KRB5_LOCATOR_OBJ1 = nsswitch/smb_krb5_locator.o
-SMB_KRB5_LOCATOR_OBJ = $(SMB_KRB5_LOCATOR_OBJ1) $(WBCOMMON_OBJ)
$(LIBREPLACE_OBJ) $(SOCKET_WRAPPER_OBJ)
+WINBIND_KRB5_LOCATOR_OBJ1 = nsswitch/winbind_krb5_locator.o
+WINBIND_KRB5_LOCATOR_OBJ = $(WINBIND_KRB5_LOCATOR_OBJ1) $(WBCOMMON_OBJ)
$(LIBREPLACE_OBJ) $(SOCKET_WRAPPER_OBJ)
POPT_OBJ=popt/findme.o popt/popt.o popt/poptconfig.o \
popt/popthelp.o popt/poptparse.o
@@ -997,7 +997,7 @@ replacetort : SHOWFLAGS bin/[EMAIL PROTECTED]@
timelimit : SHOWFLAGS bin/[EMAIL PROTECTED]@
nsswitch : SHOWFLAGS bin/[EMAIL PROTECTED]@ bin/[EMAIL PROTECTED]@
@WINBIND_NSS@ \
- @WINBIND_WINS_NSS@ bin/[EMAIL PROTECTED]@ @SMB_KRB5_LOCATOR@
+ @WINBIND_WINS_NSS@ bin/[EMAIL PROTECTED]@ @WINBIND_KRB5_LOCATOR@
wins : SHOWFLAGS @WINBIND_WINS_NSS@
@@ -1453,9 +1453,9 @@ bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) $(WINBINDD_OBJ)
@BUILD_POPT@
$(LDAP_LIBS) $(KRB5LIBS) $(LIBS) \
@[EMAIL PROTECTED] [EMAIL PROTECTED]@NSSSONAMEVERSIONSUFFIX@
-bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) $(SMB_KRB5_LOCATOR_OBJ)
+bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) $(WINBIND_KRB5_LOCATOR_OBJ)
@echo Linking $@
- @$(SHLD) $(LDSHFLAGS) -o $@ $(SMB_KRB5_LOCATOR_OBJ) \
+ @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) \
@[EMAIL PROTECTED] [EMAIL PROTECTED]
bin/[EMAIL PROTECTED]@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ)
diff --git a/source/configure.in b/source/configure.in
index 6fb4687..bcb973a 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -3762,8 +3762,8 @@ if test x$with_ads_support != xno; then
fi
AC_CHECK_HEADERS(krb5/locate_plugin.h)
if test x$ac_cv_header_krb5_locate_plugin_h = xyes; then
- SMB_KRB5_LOCATOR=bin/smb_krb5_locator.$SHLIBEXT
- EXTRA_ALL_TARGETS=$EXTRA_ALL_TARGETS $SMB_KRB5_LOCATOR
+ WINBIND_KRB5_LOCATOR=bin/winbind_krb5_locator.$SHLIBEXT
+ EXTRA_ALL_TARGETS=$EXTRA_ALL_TARGETS $WINBIND_KRB5_LOCATOR
fi
fi
@@ -6036,7 +6036,7 @@ AC_SUBST(WINBIND_NSS_EXTRA_OBJS)
AC_SUBST(WINBIND_NSS_EXTRA_LIBS)
AC_SUBST(NSSSONAMEVERSIONSUFFIX)
-AC_SUBST(SMB_KRB5_LOCATOR)
+AC_SUBST(WINBIND_KRB5_LOCATOR)
# Check the setting of --with-winbind
diff --git a/source/nsswitch/smb_krb5_locator.c
b/source/nsswitch/winbind_krb5_locator.c
similarity index 100%
rename from source/nsswitch/smb_krb5_locator.c
rename to source/nsswitch/winbind_krb5_locator.c
--
Samba Shared Repository
[SCM] Samba Shared Repository branch, v3-2-test, updated. initial-v3-2-unstable-9-g52ca48f
The branch, v3-2-test has been updated
via 52ca48f1881fc7b6ac9d1252468bb20eee174407 (commit)
via 83fe2b4261f0357a62ea93b806a14225173f4945 (commit)
via 5fa3fc81b765f1d9682170de13d2e10994fdd889 (commit)
from e00ea359d66347a7c6f5d75de1670f788bfdc310 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -
commit 52ca48f1881fc7b6ac9d1252468bb20eee174407
Merge: 83fe2b4261f0357a62ea93b806a14225173f4945
e00ea359d66347a7c6f5d75de1670f788bfdc310
Author: Guenther Deschner [EMAIL PROTECTED]
Date: Thu Oct 11 02:43:29 2007 +0200
Merge commit 'origin/v3-2-test' into my_branch
commit 83fe2b4261f0357a62ea93b806a14225173f4945
Merge: 5fa3fc81b765f1d9682170de13d2e10994fdd889
be916777da8c681c393b817105e3dfe8a9c4ef12
Author: Guenther Deschner [EMAIL PROTECTED]
Date: Thu Oct 11 02:33:07 2007 +0200
Merge commit 'origin/v3-2-test' into my_branch
commit 5fa3fc81b765f1d9682170de13d2e10994fdd889
Author: Guenther Deschner [EMAIL PROTECTED]
Date: Thu Oct 11 02:25:44 2007 +0200
Display ace_objects in security descriptors.
Guenther
---
Summary of changes:
source/lib/display_sec.c | 41 +++--
1 files changed, 39 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/lib/display_sec.c b/source/lib/display_sec.c
index cb8f151..487ac8f 100644
--- a/source/lib/display_sec.c
+++ b/source/lib/display_sec.c
@@ -66,6 +66,23 @@ void display_sec_access(SEC_ACCESS *info)
}
/
+ display sec_ace object
+ /
+static void disp_sec_ace_object(struct security_ace_object *object)
+{
+ if (object-flags SEC_ACE_OBJECT_PRESENT) {
+ printf(Object type: SEC_ACE_OBJECT_PRESENT\n);
+ printf(Object GUID: %s\n, smb_uuid_string_static(
+ object-type.type));
+ }
+ if (object-flags SEC_ACE_OBJECT_INHERITED_PRESENT) {
+ printf(Object type: SEC_ACE_OBJECT_INHERITED_PRESENT\n);
+ printf(Object GUID: %s\n, smb_uuid_string_static(
+ object-inherited_type.inherited_type));
+ }
+}
+
+/
display sec_ace structure
/
void display_sec_ace(SEC_ACE *ace)
@@ -86,14 +103,35 @@ void display_sec_ace(SEC_ACE *ace)
case SEC_ACE_TYPE_SYSTEM_ALARM:
printf(SYSTEM ALARM);
break;
+ case SEC_ACE_TYPE_ALLOWED_COMPOUND:
+ printf(SEC_ACE_TYPE_ALLOWED_COMPOUND);
+ break;
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+ printf(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT);
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ printf(SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
+ break;
+ case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+ printf(SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT);
+ break;
+ case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+ printf(SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT);
+ break;
default:
printf();
break;
}
+
printf( (%d) flags: %d\n, ace-type, ace-flags);
display_sec_access(ace-access_mask);
sid_to_string(sid_str, ace-trustee);
printf(\t\tSID: %s\n\n, sid_str);
+
+ if (sec_ace_object(ace-type)) {
+ disp_sec_ace_object(ace-object.object);
+ }
+
}
/
@@ -110,7 +148,6 @@ void display_sec_acl(SEC_ACL *sec_acl)
if (sec_acl-size != 0 sec_acl-num_aces != 0)
for (i = 0; i sec_acl-num_aces; i++)
display_sec_ace(sec_acl-aces[i]);
-
}
void display_acl_type(uint16 type)
@@ -187,6 +224,6 @@ void display_sec_desc(SEC_DESC *sec)
if (sec-group_sid) {
sid_to_string(sid_str, sec-group_sid);
- printf(\tParent SID:\t%s\n, sid_str);
+ printf(\tGroup SID:\t%s\n, sid_str);
}
}
--
Samba Shared Repository
[SCM] Draft Samba Repository branch, v3-2-unstable, updated. 640bda369cdb53b2b3b9e693325f5a0606d226f4
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project Draft Samba Repository. The branch, v3-2-unstable has been updated via 640bda369cdb53b2b3b9e693325f5a0606d226f4 (commit) from eb18d40b2e1411ba48bb15bf2a71e57c32f996dc (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log - commit 640bda369cdb53b2b3b9e693325f5a0606d226f4 Author: Guenther Deschner [EMAIL PROTECTED] Date: Fri Oct 5 23:55:47 2007 +0200 Minor temp. build fix. Guenther --- Summary of changes: source/nsswitch/libwbclient/wbclient.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) hooks/post-receive -- Draft Samba Repository
Re: svn commit: samba r25532 - in branches/SAMBA_4_0/source/torture/rpc: .
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED] wrote: Author: obnox Date: 2007-10-05 21:22:07 + (Fri, 05 Oct 2007) New Revision: 25532 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=25532 Log: Fix some more indentations. Sorry G?\195?\188nther, could not resist, after having gone through this just before you committed r25529. :-) Damn, I missed those. Thanks Michael! Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHBqwPSOk3aI7hFogRAk2HAKCTWOEhE5yrm64zlFo10TiuAKhHpQCeJ/Mp RgbQOd2DF+TrL4HX4EHhqnc= =vjEW -END PGP SIGNATURE-
Re: [Samba] Problem authenticating users with pam_winbind from trusted domain
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Masopust, Christian wrote: Hi all, i've got a problem in authenticating users from a trusted domain with pam_winbind. What samba version are you using? Also, please increase log level to 10, uncomment max log size, repeat the auth attempt and sent the winbind logfiles off-list. Thanks, Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFGg82LSOk3aI7hFogRAgUqAJ49LzP55iQfUxM2FG3sIlDNWxI1uQCeLm2J 1bvX+Wl2fRMqxfA9BbXCJ44= =wMT5 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] rfc2307 - 3.0.24
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, David W. Chapman Jr. wrote: In log.winbindd-idmap I get a lot of these [2007/06/26 20:09:13, 1] sam/idmap_ad.c:ad_idmap_get_id_from_sid(309) ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 'gidNumber' [2007/06/26 20:09:13, 1] sam/idmap_ad.c:ad_idmap_get_id_from_sid(309) ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 'gidNumber' [2007/06/26 20:09:13, 1] sam/idmap_ad.c:ad_idmap_get_id_from_sid(309) ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 'gidNumber' [2007/06/26 20:09:13, 1] sam/idmap_ad.c:ad_idmap_get_id_from_sid(309) Which I believe is causing a lot of these [2007/06/26 20:08:09, 1] smbd/sesssetup.c:reply_spnego_kerberos(310) Username DOMAIN\PBROWNXP1$ is invalid on this system [2007/06/26 20:08:09, 1] smbd/sesssetup.c:reply_spnego_kerberos(310) Username DOMAIN\chapman is invalid on this system You have to make sure that both accounts PEROWNXP1$ and chapman have rfc2307 attributes set. Otherwise it won't work. Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFGg85gSOk3aI7hFogRAlEwAKCVU25Y+EOWedfOoRDzAUcfBv43BwCePp0d Y7Eq8OX5K8kAUC1Pm0td0Hk= =VCAv -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind authentication performance: lookup_groupmem in large sites
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SERGEYS Filip wrote: 3) Per group list all members of that group - BOTTLENECK [2007/06/25 17:18:02, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665) lookup_groupmem: [Cached] - doing backend query for info for domain [2007/06/25 17:18:02, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879) ads: lookup_groupmem POST sid=S-1-5-21-xx-x-x- In older samba releases we needed to lookup each member in AD which in the upcoming 3.0.26 release will be done much more efficient. You can try the SAMBA_3_0_26 branch to check whether this fixes your performance problem. Thanks, Guenther - -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFGgPRWSOk3aI7hFogRAhrjAJ95hF6DjRjTaVQjktfvPLVbwZMtWQCfV63x vRtdQsQIF9JMKrEPEmNpXlw= =dlTH -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: svn commit: samba r23072 - in branches/SAMBA_3_0/source/nsswitch: .
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hey Michael,
[EMAIL PROTECTED] wrote:
+/* If you are looking for dn_lookup: Yes, it used to be here!
+ * It has gone now since it was a major speed bottleneck in
+ * lookup_groupmem (its only use). It has been replaced by
+ * an rpc lookup sids call... R.I.P. */
nice comment :-)
- if (lookup_cached_sid(mem_ctx, sid, domain_name, name,
name_type)) {
-
- DEBUG(10,(ads: lookup_groupmem: got sid %s from
cache\n,
- sid_string_static(sid)));
-
- (*names)[*num_names] = CONST_DISCARD(char *,name);
- (*name_types)[*num_names] = name_type;
- sid_copy((*sid_mem)[*num_names], sid);
-
Hm, what was the reason the remove the frontend cache for lookups that
we already have done and go out to the network with every query?
Guenther
- --
Günther DeschnerGPG-ID: 8EE11688
Red Hat [EMAIL PROTECTED]
Samba Team [EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFGUw3mSOk3aI7hFogRAt5mAJ99MQ+6XUMFYKZIk2MkYNnnEBbBsQCeOcWp
r67jleG9HfS/EGCQFDkuPKs=
=+CJb
-END PGP SIGNATURE-
Re: [Samba] panic in pwnam_r after a reconnect
Andrew, patch was missing, can you resend, please ? Guenther Andrew Bartlett wrote: On Sun, 2007-03-25 at 23:18 +0200, Volker Lendecke wrote: On Sun, Mar 25, 2007 at 10:57:14PM +0200, Dragan Krnic wrote: Is there some explanation for the panic in pwnam_r when a session reconnects after a while? This is an exagerated example. The user leaves on a Thursday, comes back next Tuesday - bang! My Samba 3.0.24 runs under a SuSE 10.1. The passwd files are used for authentication. Is this in any way reproducable at will? You can for example force a reconnect by killing the smbd that is responsible for a particular client. You can find out the pid of that smbd by running smbstatus. Then any subsequent access to that server from the client will trigger a reconnect. If that is reproducable, could you please install the debuginfo package that comes with your binary package. I am very sure I am able to fix that bug If I can get a valgrind log of that panic. Look at https://bugzilla.samba.org/ bug 4434 for information how to get the valgrind log. As a random idea, I worked on, but never committed, this (attached) patch for what I suspected to be some issues here. It might (or might not) be the same bug, but I never got a confirmation from that reporter. Andrew Bartlett -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Idmap_rid differs on FreeBSD and SLES!
Hi Anders, Anders Troback wrote: Hi, there was something wrong with the offline cache on the SLES box! After a stop of all samba services, a rm -r /var/lib/samba/* , net join and start all services everything works! With the idmap rewrite in 3.0.25 things like that shouldn't happen. If you could test any potential issues with idmap_rid in that regard, your feedback would be very welcome. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Limit AD for Winbind
Hi, Daniel Frey wrote: smb.conf: [global] server string = Test workgroup = MYDOMAIN netbios name = SERVERNAME realm = MYDOMAIN.LOCAL idmap uid = 1-20 idmap gid = 1-20 winbind separator = / winbind use default domain = Yes security = ADS encrypt passwords = yes password server = server.mydomain.local client use spnego = yes winbind enum users = yes winbind enum groups = yes It would be a very good decision the turn the two above to no. This is the default in recent samba versions anyway. Apart from that you should use a very recent Samba version. There have been huge improvements achieved for large domains. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: sys_getpeerid() [was Re: svn commit: samba r21887 -...]
Hi Jerry, Gerald (Jerry) Carter wrote: There are three places we use sys_getpeerid() that I can tell. (a) Jeremy's Domain Users hack for reporting group membership, (b) access to the ntlm_auth cache for applications like Firefox, and now (c) The capability to issue a logoff call. If we don't have getpeerid() I can loose the first two. No big deal. The problem I see with (c) is that if a platform does not support getpeerid() then you get init a user's krb5 ccache but never delete it. Which makes the feature asymetrical based on support for getpeerid(). Am I missing something here ? No, correct, we need broader support of getpeereid(). I'm awaiting response from Kurt from OpenLDAP to import their portable version as a complete file. In the meantime, I will look to make c) consistent. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED]
Re: [Samba] Samba kerberos more time sensitive that Windows?
Jeremy Allison wrote: On Thu, Mar 15, 2007 at 09:09:48AM -0500, Gerald (Jerry) Carter wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jason Haar wrote: Hi there We just had a problem where a user couldn't connect to a Samba server that is a full ADS member. The same user could successfully connect to Windows2K3 servers. The problem was obvious - their clock was 5 hours out, and Samba rejected their connections with a Failed to verify incoming ticket. Correcting the time fixed the fault. However, it remains that Samba rejected them when Windows servers didn't. Is that an option that can be enabled? Anything that makes Samba look more like Windows is a Good Thing (even if it violates the entire point of Kerberos! ;-) Windows client apparently adjust their clocks based on the CLOCK_SKEW error returned in the negprot response. It's hard for us in this cases since we are not the OS. Do you mean the CLOCK_SKEW returned in the SessionsetupX call ? If so I'm testing a patch that will allow smbd to return the same error I'm also finishing up a patch to always get the NT_STATUS codes out of the KRB_ERROR packets directly (in that case is NT_STATUS_TIME_DIFFERENCE_AT_DC). Will work only for Heimdal currently though... Guenther -- Günther DeschnerGPG-ID: 8EE11688 Red Hat [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: svn commit: samba r20861 - in branches: SAMBA_3_0/source/libsmb SAMBA_3_0_24/source/libsmb
On Wednesday 17 January 2007 20:54, Jeremy Allison wrote: On Wed, Jan 17, 2007 at 07:14:34PM +, [EMAIL PROTECTED] wrote: Author: gd Date: 2007-01-17 19:14:34 + (Wed, 17 Jan 2007) New Revision: 20861 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20861 Log: We only use sitespecific DNS lookups when looking for DCs or KDCs, not for a PDC. Yeah, I wondered about doing that when I wrote the code, but I was being generic. You sure this wasn't needed ? I think so, even if we would do the pdc lookup using DNS then we shouldn't limit the lookup to our local site. I was testing: _ldap._tcp.MYSITE._sites.dc._msdcs.REALM = DCs for MYSITE _ldap._tcp.MYSITE._sites.pdc._msdcs.REALM = 0 _ldap._tcp.dc._msdcs.REALM = all DCs _ldap._tcp.pdc._msdcs.REALM = the PDC Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpmnipK9W1xH.pgp Description: PGP signature
Re: svn commit: samba r20694 - in branches: SAMBA_3_0/source/lib SAMBA_3_0_24/source/lib
On Friday 12 January 2007 03:48, [EMAIL PROTECTED] wrote: Author: jra Date: 2007-01-12 02:48:37 + (Fri, 12 Jan 2007) New Revision: 20694 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=20694 Log: To get this right we need to do signed 64-bit comparisons here, not unsigned as we're eventually casting into what it normall a signed 32 bit value. Guenther please check (but I think I'm right here). Jeremy. Yes, looks and works correct - at least in my tests. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpu4umvKScDy.pgp Description: PGP signature
Re: svn commit: samba r19451 - in branches/SAMBA_3_0/source/rpcclient: .
Thanks Volker,
I owed Jerry that change still - and owe him still much more...
Thanks again,
Guenther
On Sun, Oct 22, 2006 at 10:30:46AM +, [EMAIL PROTECTED] wrote:
Author: vlendec
Date: 2006-10-22 10:30:46 + (Sun, 22 Oct 2006)
New Revision: 19451
WebSVN:
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=19451
Log:
Another cleanup of 18802. Referring to structures after the block has been
left is not a good idea.
Volker
Modified:
branches/SAMBA_3_0/source/rpcclient/cmd_srvsvc.c
Changeset:
Modified: branches/SAMBA_3_0/source/rpcclient/cmd_srvsvc.c
===
--- branches/SAMBA_3_0/source/rpcclient/cmd_srvsvc.c 2006-10-22 10:01:55 UTC
(rev 19450)
+++ branches/SAMBA_3_0/source/rpcclient/cmd_srvsvc.c 2006-10-22 10:30:46 UTC
(rev 19451)
@@ -243,6 +243,9 @@
int argc, const char **argv)
{
uint32 info_level = 2;
+ struct srvsvc_NetShareCtr1 ctr1;
+ struct srvsvc_NetShareCtr2 ctr2;
+ struct srvsvc_NetShareCtr502 ctr502;
union srvsvc_NetShareCtr ctr;
NTSTATUS result;
uint32 hnd;
@@ -263,20 +266,17 @@
switch (info_level) {
case 1: {
- struct srvsvc_NetShareCtr1 ctr1;
ZERO_STRUCT(ctr1);
ctr.ctr1 = ctr1;
}
break;
case 2: {
- struct srvsvc_NetShareCtr2 ctr2;
ZERO_STRUCT(ctr2);
ctr.ctr2 = ctr2;
}
break;
case 502: {
- struct srvsvc_NetShareCtr502 ctr502;
ZERO_STRUCT(ctr502);
ctr.ctr502 = ctr502;
}
--
Günther DeschnerGPG-ID: 8EE11688
Novell / SUSE Labs[EMAIL PROTECTED]
Samba Team [EMAIL PROTECTED]
pgpiSFYRuhjp4.pgp
Description: PGP signature
Re: svn commit: samba r18446 - in branches/SAMBA_3_0/source: libads utils
On Wed, Sep 13, 2006 at 09:03:43AM +, [EMAIL PROTECTED] wrote: Author: jra Date: 2006-09-13 09:03:42 + (Wed, 13 Sep 2006) New Revision: 18446 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=18446 Log: Add the ldap 'leave domain' code - call this as a non-fatal error path if the 'disable machine account' code succeeded. Jeremy, maybe we should point out that the ads_leave_realm() code here is not the original one from earlier Samba3 but a version I modified to walk down the hostname dn to delete all subordinate objetcs (published printers, etc.) in the case that the caller has no permissions to use the LDAP_SERVER_TREE_DELETE_OID control. It turned out that this is the only way to get rid of an old workstation account in a migration scenario. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgp2YiUl4ddmi.pgp Description: PGP signature
Re: [Samba] Winbind dies
Hi, On Thu, Jul 13, 2006 at 11:28:29AM -0400, Dimitri Yioulos wrote: Serious apologies if this has been discussed before, but my search didn't turn up much: I have samba (kept up-to-date with latest) running on several CentOS 3 and 4 boxes as part of a Win2k3 domain. On one particular box, winbind dies on a regular basis (all the other installations run flawlessly). A quick restart, and we're good again. However, as this is a very active server that is accessed 18 hours a day, 7 days a week, I'm called at home during those few hours I spend there to restart winbind on this particular machine. is this Samba 3.0.23 ? If yes, can you please try to provide a gdb backtrace? Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpGyIwHRfLwZ.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] documentation of pam_winbind.conf in samba-3.0.23
Hi, On Thu, Jul 13, 2006 at 03:39:33PM +0200, Dietrich Streifert wrote: Hello List, is there any documentation of pam_winbind.conf for pam_winbind.so in samba-3.0.23. Currently not, I should write a manpage for that though. Especially what value is necessary for krb5_ccache_type to create a ticket file for the user in /tmp? This value can currently be only FILE also see http://websvn.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0/examples/pam_winbind/pam_winbind.conf?rev=15058view=markup Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgp8DQwl8BqWC.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can one set limits on new core dump?
Hi, On Wed, May 31, 2006 at 09:42:13AM -0700, Doug VanLeuven wrote: Gautier, B (Bob) wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Doug VanLeuven Sent: 31 May 2006 09:56 /usr/local/samba3/sbin/winbindd [0xdda5cf] May 31 01:19:14 gate winbindd[5355]:#7 /usr/local/samba3/sbin/winbindd(talloc_free+0x2a) [0xddacc0] May 31 01:19:14 gate winbindd[5355]:#8 /usr/local/samba3/sbin/winbindd(ads_check_posix_schema_mapping +0x711) [0xea8726] May 31 01:19:14 gate winbindd[5355]:#9 This looks very much like a buglet in the new rfc2307 code that I mailed gd about the other day. The SysAdmins here have blocked my access to bugzilla at the moment so I can't file patches the right way. :-( Jerry asked me to comment in the bug report. I could forward the patch. Can you give me the bug report number. I found 3751, but don't know if it's appropriate there. I just fixed this today in subversion (http://websvn.samba.org/cgi-bin/viewcvs.cgi?rev=15980view=rev) Let me know if you still see problems with that. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpqWkW3tuTs1.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Problem joining into ads
Hi, On Wed, May 31, 2006 at 05:58:03PM +0200, Franz Pfoertsch wrote: Hi, it try to join ads with samba 3.0.22 (SLES9 SP3) and got: holu0001:~ # kinit admin [EMAIL PROTECTED] Password: kinit: NOTICE: ticket renewable lifetime is 1 week holu0001:~ # net ads join [2006/05/31 17:42:21, 0] libads/ldap.c:ads_add_machine_acct(1507) Warning: ads_set_machine_sd: Unexpected information received ads_set_machine_password: Message stream modified holu0001:~ # logout It worked for month! I joined aprox: 15 samba servers but now it didn't work. Can you please send the output of the join command with -d 10 ? Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpx1MAfExRsP.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind and AD password updates
Hi, On Mon, May 15, 2006 at 10:46:47AM +0200, Pierre Ossman wrote: Hi! I've been trying to get password changes to work from a SuSE machine to an AD server. Authentication works fine in AD mode, so at least that bit is correct. When trying to change the password, I get PAM error 4 back. Checking in the logs, I see that winbind fails with the error NT_STATUS_PASSWORD_RESTRICTION. From Microsoft's documentation, I can read that this means that there is some password policy that's rejecting the new password. But I cannot find any such policy on the server, so I'm wondering if this can be caused by something else? No, there will be a default policy in place. If you'd try a recent samba release for one of the SUSE products, the user attemptimg to change a password would get delivered with the same amount of information (explaining why the password change has failed) as you would get on Windows XP. Look for the 3.0.22 or 3.0.23pre1 download links on: http://en.opensuse.org/Samba I'm also a bit confused as to how I can get NT error codes in AD mode. Isn't it supposed to talk kerberos? No, as Windows workstations change a user password using MSRPC protocolls as well. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpnVL090a78t.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind and AD password updates
On Mon, May 15, 2006 at 03:36:27PM +0200, Pierre Ossman wrote: Guenther Deschner wrote: If you'd try a recent samba release for one of the SUSE products, the user attemptimg to change a password would get delivered with the same amount of information (explaining why the password change has failed) as you would get on Windows XP. Look for the 3.0.22 or 3.0.23pre1 download links on: http://en.opensuse.org/Samba Thanks, that gave me some error messages. Unfortunately, they only make me more confused. I get: Your password must be at least 4 characters; cannot repeat any of the your previous 0 passwords. Please type a different password. Type a password which meets these requirements in both text boxes. The password is 8 characters and I type new ones at random and still get the same message. To make things more bizarre, I was able to change the pass once (from a 8-char lower case to another 8-char lower case). Sounds like a minimum password age that is in effect. There is a fix for that in subversion but in any released samba version. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpUL7dJr2zmf.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind and AD password updates
On Mon, May 15, 2006 at 03:49:06PM +0200, Pierre Ossman wrote: Pierre Ossman wrote: Guenther Deschner wrote: If you'd try a recent samba release for one of the SUSE products, the user attemptimg to change a password would get delivered with the same amount of information (explaining why the password change has failed) as you would get on Windows XP. Look for the 3.0.22 or 3.0.23pre1 download links on: http://en.opensuse.org/Samba Thanks, that gave me some error messages. Unfortunately, they only make me more confused. I get: More funkyness. Somewhere in pam_winbind (or something it calls), exit_group(101) gets called, killing of my application. Known issue? No, there is no such call in winbindd or pam_winbind. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE Labs[EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpoqKTWOtpYV.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] 3.0.23pre1 does not compile on HP-UX 11i
On Thu, May 11, 2006 at 11:54:37AM -0700, Jeremy Allison wrote: On Thu, May 11, 2006 at 02:12:22PM -0400, Ryan Novosielski wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Continuing on: Linking bin/winbindd /usr/ccs/bin/ld: Unsatisfied symbols: seteuid (first referenced in nsswitch/winbindd_pam.o) (code) make: *** [bin/winbindd] Error 1 Problem here appears to be that 'seteuid' is not available on HP-UX, at least not on HP-UX 11i earlier than v2 May 2005: http://devrsrc1.external.hp.com/STKT/impacts/i171.html?jumpid=reg_R1002_USEN Here are notes on what to use instead, however I'm pretty sure that that was already known as it is no doubt needed elsewhere in the package: http://devrsrc1.external.hp.com/STKS/impacts/i133.html?jumpid=reg_R1002_USEN There are also conditionals in configure.in (that never seem to show up in the configure output, interestingly enough). This was not broken in 3.0.22, however, none of the winbindd* files attempted to use seteuid in 3.0.22. Ok, try this patch. Gunther please review as it affects winbindd code. I think it's ok... Yes, looks ok to me too (after a brief test). Please apply, Jeremy. Thanks! Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpLuSATWFqqn.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind ldap usage...
On Thu, May 11, 2006 at 05:35:38PM -0500, Matt Sellers wrote: hi all For anybody using Winbind with an ldap backend, just wondering how much CPU usage you see on systems.I have a dual PIII-1Ghz with 1GB of ram with ldap entities for ~1400 users and when winbind needs to source ldap to find an object it takes quite a bit of time. Once these results are cached locally, the participating clients are quick and fast, but waiting on this ldap server makes some operations sluggish... Anyway to speed the searches up on ldap? I guess you already took care to set the correct indexes on your LDAP server? Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpI6deaZGN9B.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Excessive traffic causing slow logons
Hi, On Thu, May 04, 2006 at 10:21:18AM -0400, Trimble, Ronald D wrote: I am seeing some extremely slow logons to my SUSE servers. All are configured exactly the same. When I attempt to log on, I can enter my domain (AD) account without any problems. I then enter my password and sit and wait for several minutes until it eventually takes me to my desktop. In attempting to debug the problem, we have been able to see millions of calls to the domain controller. They all look similar to this... ... I have turned the debug level of winbind up to 10 and have some very extensive logs showing what is going on. Unfortunately, I cannot interpret all of this myself. Can anyone help me with this issue? Sure, could you please send those logs (offlist if too large for the list) and tell us a little more about your local configuration? Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpIrQaeVX2m5.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] smb.conf(5) manpage suggestion re. idmap backend
Hi, On Fri, Apr 28, 2006 at 08:29:48AM -0500, Jonathan C. Detert wrote: suggestion for minor improvement of the smb.conf manpage in the context of the 'idmap backend' parameter. At least as of v3.0.22 the manpage says: Finally, using the idmap_ad module, the UID and GID can directly be retrieved from an Active Directory LDAP Server that supports an RFC2307 compliant LDAP schema. idmap_ad supports Services for Unix (SFU) version 2.x and 3.0. [ snip ] Example: idmap backend = idmap_ad All the examples I found on the internet of how to use this show the value being simply 'ad', as opposed to 'idmap_ad'. I like 'ad' better because it is not redundant. Regardless, the man page should be updated to state the legal possible values. If both 'idmap_ad' and 'ad' are legal, then mention them both. If only 'ad' is legal, then fix the man page. This has just been fixed in subversion, the man page will be correct for the next 3.0.23 pre-release. Thanks for the reminder, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgp3LAPSpQSrB.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Question regarding sizes of of Samba for SuSE Linux
Hi, On Thu, Apr 27, 2006 at 08:50:57AM -0700, Francis Wilson wrote: My high school computer lab has a Samba file server, currently running SuSE Linux 9.3; over the summer, I plan to wipe out the hard drives and install SuSE Linux 10.0; with this in mind, I have just downloaded the latest Samba, and I was struck by the tremendous difference between the relative sizes of samba-3.0.5 and samba-3.0.22. 6,413,555 samba-3.0.5-0.1.i586.rpm 10/01/2004 04:54 PM 3,012,340 samba-3.0.22-6.1.14.i586.rpm 04/27/2006 08:18 AM Is something wrong? Can someone explain why the newer version is less than half the size of the older version? probably as we have a separate samba-doc package now containing all the pdfs. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpsvsau56MqF.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind nss info = sfu is not so much working
On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote: with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD by using winbind for authentication as well as for the source of nss info. When winbind is configured to use its own local id maps, everything works fine. But when i configure winbind to use 'ad' as the source of nss info, authentication fails, 'getent' commands return no results, and 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work correctly). I am guessing that either there is something wrong or lacking in my config, or that some kind of caching is messing me up. Here is my pertinent smb.conf stuff when winbind is configed to use local id maps: -- winbind enum groups = yes winbind enum users = yes winbind separator = + winbind nested groups = yes winbind use default domain = yes idmap gid = 1-55000 idmap uid = 1-55000 template homedir = /home/%D/%U template shell = /bin/bash And here is how smb.conf looks when winbind is configed to use AD for nss: -- winbind enum groups = yes winbind enum users = yes winbind separator = + winbind nested groups = yes winbind nss info = sfu winbind use default domain = yes idmap backend = ad You still need to have the idmap ranges set so that winbind does not fall into the netlogon proxy only mode. Does it work then? Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpMpcL0XVB6e.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] 3.0.21c winbind crash
On Wed, Apr 12, 2006 at 07:02:22PM +0200, Thomas Limoncelli wrote: Thomas Limoncelli wrote: After running successfully for some time, it now refuses to start after a reboot. The domain-specific winbindd instances are even crashing. :-( Do the logs below ring a bell with anyone? myself :-) cp /dev/null /var/lib/samba/winbindd_cache.tdb fixed it for the moment. Shall I finally file a bugzilla entry for this? Yes, please. 3.0.21c still seems to corrupt this file on a daily basis and fall over it on next startup. IIRC I've already sent a sample file privately to Jerry. Anything else I can do? As you're seeing this on SuSE 9.3, can you follow the debug recommendations on http://en.opensuse.org/Samba and then generate a gdb backtrace, that will help us a lot. Also please upload your corrupted tdb file, if possible. For all debugging please use the latest rpm packages available for your SuSE version. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpAYRMdUaBpA.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Error compiling samba 3.0.21c, AIX 52 ML7 gcc 3.3.2
On Tue, Mar 28, 2006 at 11:37:08AM +0100, [EMAIL PROTECTED] wrote: Hi Guenther, Thanks for the code. Even I managed to understand that ;-0 It has got the make past the point it failed last time, should this be flagged as a bug? Not required, I commit that patch. Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpGNvjpgWS1a.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Error compiling samba 3.0.21c, AIX 52 ML7 gcc 3.3.2
Hi, On Tue, Mar 28, 2006 at 10:30:45AM +0100, [EMAIL PROTECTED] wrote: Can anyone help with the following error I get whilst comiling samba, can you please retry with the following patch? Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] Index: nsswitch/pam_winbind.h === --- nsswitch/pam_winbind.h (revision 14747) +++ nsswitch/pam_winbind.h (working copy) @@ -26,7 +26,7 @@ #define PAM_SM_ACCOUNT #define PAM_SM_PASSWORD -#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) +#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) || defined(AIX) /* Solaris always uses dynamic pam modules */ #define PAM_EXTERN extern pgp6J7gjgKtu2.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba account flags
On Wed, Mar 15, 2006 at 06:53:05PM +0700, Beast wrote: What is the equivalent flag for User Cannot Change password as produce by NT usrmgr.exe? It doesnt mentioned in this documentation: http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#accountflags This is not done by setting an accountflag, it is by modifiying the security descriptor of that user's account. See https://bugzilla.samba.org/show_bug.cgi?id=2964 for details. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgp20DChKw0W1.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: svn commit: samba r14404 - in trunk/source/nsswitch: .
On Wed, Mar 15, 2006 at 12:35:38AM +, [EMAIL PROTECTED] wrote: Author: jra Date: 2006-03-15 00:35:37 + (Wed, 15 Mar 2006) New Revision: 14404 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=14404 Log: Fix the build when nscd_flush_cache is detected (variable definition was missing). Oh, sorry. And thanks for fixing that ! Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpJgBmLjkh6O.pgp Description: PGP signature
Re: [Samba] net ads leave failed.
Hi Vincent, On Thu, Mar 09, 2006 at 03:04:02PM +0100, [EMAIL PROTECTED] wrote: Hello all, I have the latest version of Samba (samba-3.0.21c) installed on a SLES9 linux server, with all the related Suse packages. I had link the server correctly to the domain, but discovered a pb with a workstation acting as mster browser. Since it is down, i have a bad result with wbinfo -t, althought net ads testjoin succeed. I beleived that either wbinfo -t result or net ads testjoin result tell if the server is correctly joined to the domain. Is there any explanation about the differences? I think there is a problem with domain link. when i do wbinfo -u winbindd daemon crash with the error in log : INTERNAL ERROR: Signal 11 in pid 20631 (3.0.21c-3.1.4-SUSE-SLES9) [...] PANIC: internal error Could you please send the relevant winbind panic message from log.winbindd and log.wb-* ? Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpD6oYK48Vg3.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba, Winbind and AD. Nearly there but not quite
Hi Vincent, On Thu, Mar 09, 2006 at 05:02:50PM +1300, Vincent Commarieu wrote: Hi, Just compiled latest version of samba and trying to get Samba to work with AD. I am at the point where I wbinfo -t, wbinfo -u, wbinfo -g and wbinfo -ausername%password work, but I cannot get getent passwd and getent group to gather any AD info. I have noticed the following errors in /var/log/samba/smbd.log [2006/03/09 16:37:16, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282) No rid for Users !? [2006/03/09 16:37:16, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282) No rid for Guests !? [2006/03/09 16:37:16, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282) No rid for Account Operators !? [2006/03/09 16:37:16, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282) No rid for Server Operators !? [2006/03/09 16:37:16, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282) No rid for Print Operators !? [2006/03/09 16:37:16, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282) No rid for Backup Operators !? [2006/03/09 16:37:16, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282) No rid for Replicator !? [2006/03/09 16:37:16, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282) No rid for Pre-Windows 2000 Compatible Access !? [2006/03/09 16:37:16, 1] nsswitch/winbindd_ads.c:enum_dom_groups(282) No rid for Administrators !? You can ignore those. They were builtin (alias) groups from AD showing up the group enumeration code in winbindd. This is long fixed in newer versions of samba. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpLin1s3ibRB.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: svn commit: samba r13895 - branches/SAMBA_3_0/source/nsswitch trunk/source/nsswitch
Hi Volker, On Mon, Mar 06, 2006 at 08:18:19PM +, [EMAIL PROTECTED] wrote: Author: vlendec Date: 2006-03-06 20:18:18 + (Mon, 06 Mar 2006) New Revision: 13895 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=13895 Log: As agreed upon with gd on the phone, remove WBFLAG_PAM_CONTACT_TRUSTDOM. This can not work for NTLM auth, where we only have a workstation account for our own domain. For the PAM Kerberos login we need to find a better way to do this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf. The interesting thing is that it *was* working (just verified with two NT4 domains) and that it is *still* working after your patch. Apparently there is no extra work required to make a login with pam_winbind work using NTLM. Checking the krb5 case next. Still wondering... Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpvMeVdKk8pd.pgp Description: PGP signature
Re: [Samba] ADS and sharing home directory
Hi Dracula :) On Mon, Feb 20, 2006 at 05:02:28PM +0530, Dracula wrote: [homes] comment=home direcoty of %S path=/home/%D/%U browseable=no valid users=%S You have to put valid users = %D+%S in there. Newer Samba Versions will support %D%w%S as well, where %w substitutes the winbind separator for you. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgp0YBtABegPx.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] net ads dn - reading netbootGUID attribute
Hi Roman, On Thu, Feb 09, 2006 at 11:01:25AM +0100, Roman Sommer wrote: hello everyone, I can read *any* attribute I want out of the Active Directory using 'net ads dn'.. except for one - which of course is the (only) one I need. netbootGUID. It is stored in an octet string as is objectGUID and objectSid which I can read properly. Ok, I fixed that in subversion (see http://build.samba.org/?function=diff;tree=samba_3_0;date=1139480667;author=gd;revision=13410) You might want to take a look at the adssearch.pl perl script which quickly allows you to work on decoding the various attributes without recompiling. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpQe7Qab1v72.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Enabling 'idmap backend = ad' for user auth
Hi Jerry, On Fri, Feb 03, 2006 at 09:15:12AM -0600, Gerald (Jerry) Carter wrote: winbind nss info = template, sfu Not absolutely sure, but docs I've seen say to set this to winbind nss info = sfu Not sure what the template bit is used for. I assume template would be for the standard 'template homedir', et. al. otpions. But we don't actually check for that value in the source code that I can tell. Gunether, Why is 'winbind nss info' a list ? We only ever check for sfu. Were you thinking of chaining options Volker asked me to have a list already at that time to allow his unixinfo work to be actived here later on. Cheers, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpQe2amZCAr8.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Enabling 'idmap backend = ad' for user auth
Hi, On Fri, Feb 03, 2006 at 09:31:50AM -0600, Gerald (Jerry) Carter wrote: Guenther Deschner wrote: Gunether, Why is 'winbind nss info' a list ? We only ever check for sfu. Were you thinking of chaining options Volker asked me to have a list already at that time to allow his unixinfo work to be actived here later on. Right. That I remember. But why does the parameter accept a list of values? It seems like it should just accept a single string from a list of discrete values. Just the like the security parameter. We thought about to better handle mixed trusted domain setups. Domain A (ADS) = sfu Domain B (NT) = template Domain C (Samba w. Unixinfo) = unixinfo Of course that's referring to unfinished code and this acts just as a placeholder. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpIY2GAVeoUf.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] 3.0.21b +pam_winbindd
Hi, On Tue, Jan 31, 2006 at 05:43:02PM -, Batty, Richard wrote: Ive installed and configured samba using cd samba-3.0.21b/source ./autogen.sh ./configure --with-krb5=/usr/local \ --with-automount \ --with-pam \ --with-utmp \ --with-winbind \ --with-libsmbclient \ --with-ldap \ --with-netlib='-lresolv' make make install cp nsswitch/pam_winbind.so /usr/lib/security cp nsswitch/libnss_winbind.so /lib/nss_winbind.so.1 ln -s /lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.1 I can browse my samba shares and the active directory 2003 authentication works fine. Ive modified pam.conf so rlogin should use pam_winbind rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 rlogin auth sufficient /usr/lib/security/pam_winbind.so try_first_pass rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 What did pam_winbind.so wrote to the syslog ? however if I try and login using rlogin -l AD03+richard.batty localhost it fails Does it at least prompt you for a new password? Thanks, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpGNxLSPOzFj.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: svn commit: samba r13164 - in trunk/source/nsswitch: .
On Thu, Jan 26, 2006 at 01:41:53PM +, [EMAIL PROTECTED] wrote: Author: gd Date: 2006-01-26 13:41:52 + (Thu, 26 Jan 2006) New Revision: 13164 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=13164 Log: Fix wbinfo --trusted-domains (-m) and add wbinfo --all-domains. We were not quite following our own documentation when wbinfo -m with winbind running in security=ads always returned our own primary domain in the list of trusted domains. When running against non-AD DCs we don't have it in the list. Since we now have clients that expect wbinfo to provide them with a full list of trusted domains including our own primary domain (kdm, gdm, etc.) to mimic XP logon optics, I've added 'wbinfo --all-domains'. Especially the removal of the DS_DOMAIN_DIRECT_OUTBOUND bit needs testing. Arg, DS_DOMAIN_IN_FOREST that is... Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpSgBdfpBIjU.pgp Description: PGP signature
Re: [Samba] ldapsam:trusted work?
Hi, On Tue, Jan 03, 2006 at 09:52:31AM -0500, William Jojo wrote: Samba 3.0.21(and 'a'), AIX 5.2. Was looking as what appears to be a fantastic optimization, but can't find info in source code or swat and turning the option on makes smbd do exit(-1) (on AIX anyway). Do you have a guest account setup in LDAP ? ldapsam:trusted = yes Does this really exist? Does it need a maintainer? Are there any docs/source? There is at least some documentation about that feature in the smb.conf manpage. Please let us know if there should be more information. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpjsEcnWZ4Gu.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Performance Problem / failed to verify PAC server signature
Hi, On Mon, Nov 21, 2005 at 04:42:39PM +0100, Christoph Kaegi wrote: Hello List We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind) but authenticating against ADS. There are up to 800 concurrent users, mostly Windows XP SP3. When clients access MyDocuments, which is redirected to the Samba share, we observe several Session Setup AndX Requests followed by Session Setup AndX Response, Error: STATUS_LOGON_FAILUREs The delay between the request and the negative response is negligible when less than 200 users are online. But at more than 500 concurrent users, the delay becomes something between 1 to 5 secons. This delays access to MyDocuments quite a bit, considering that there are sometimes up to 10 such requests. So I'm interested in finding the problem and fixing it. The log says: -- 8 -- [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695) smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666) check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196) [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876) decode_pac_data: failed to verify PAC server signature [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416) ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED -- 8 -- First of all: are you sure you are running Samba 3.0.20? The PAC verification code is not in any of the 3.0.20/a/b tarball releases (just accidentially in the 3.0.20a subversion tags directory) but only in the 3.0.21 series of pre-releases/rcs. Then you most probably are forced to use DES keys when authenticating with Kerberos on your OS, right? PAC verification must then fail due to a bug in Windows (which fails to put DES-based checksum into the PAC signatures), so we can't verify the signature. What exact Kerberos library are you using (version) ? Nonetheless, failure of the PAC verification is non-critical, we just return to old behaviour and ignore the PAC again, meaning that you can ignore the error messages. Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpeT4uZUrYGu.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] -DIdmap_rid_support_trusted_domains
Hi Michael, On Wed, Oct 26, 2005 at 04:21:15PM +0200, Michael Gasch wrote: hi, i have a question about winbind, idmap_rid and trusted domains. at sambaxp jerry said it's possible to have idmap_rid working with trusted domains. this is what we would like to have here. Please, please, please just experiment with that when you exactly know what you are doing. smbd -b doesn't show this compile option on 3.0.14a rpm (SuSE). may be this is normal, but how do i ensure that this option is in my binary w/ testing too much :) or how can i compile it myself? will this work only on samba 3.0.14a or with all samba versions that are shipped with idmap_rid support? This will work with all versions. Simply put it into the CFLAGS before compiling CFLAGS=-DIDMAP_RID_SUPPORT_TRUSTED_DOMAINS ./configure --your-opts make Guenther BTW: The packages available at ftp://ftp.suse.com/pub/projects/samba all have this flag set. -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpPLQzfwcMvw.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: svn commit: samba r10945 - in branches/SAMBA_4_0/source/auth/kerberos: .
On Wed, Oct 12, 2005 at 10:24:43PM +, [EMAIL PROTECTED] wrote: Author: abartlet Date: 2005-10-12 22:24:43 + (Wed, 12 Oct 2005) New Revision: 10945 WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=10945 Log: Free the salt after we are done with it. May need a merge to similar code in Samba3. Is already fixed in Samba3 :) Cheers, Guenther -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpLDd7VR4r00.pgp Description: PGP signature
Re: [Samba] rid_idmap problem
Hi, On Mon, Sep 19, 2005 at 09:04:28AM +, [EMAIL PROTECTED] wrote: Hi all, in my winbind logfile I get the following errors: rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-551 [2005/09/19 10:32:20, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(478) rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-545 [2005/09/19 10:32:20, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(478) rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-545 [2005/09/19 10:32:20, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(478) rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-544 [2005/09/19 10:32:20, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(478) rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-32-544 What`s going wrong? You do not have configured a range for the BUILTIN domain. you can do so by setting: idmap backend = idmap_rid:yourdomain=a-b,builtin=c-d *and* allow trusted domains = yes Guenther PS: With Samba you can set 3.0.21 back to allow trusted domains = no (as encouraged when using the idmap-rid plugin). -- Günther DeschnerGPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED] pgpu7RJyyOKh9.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
