Re: [Samba] kinit user works, kinit user@domain.local doesn't

2013-10-13 Thread Rob Townley
Try appending a dot character to the end and put it in domain_realm
mapping.  Let us know.

kinit user@domain.local.
 On Oct 13, 2013 11:08 AM, "Danny Fedor"  wrote:

> I'm running Samba 4.0.10 on Ubuntu Server 12.04.3 x64
> Samba was installed from source and provisioned with internal DNS as PDC of
> the domain domain.local. Users were mapped through pam.
>
> I created a new user (user@domain.local) and joined a winxp workstation
> (workstation.domain.local). It seems kerberos is working since user can log
> to workstation without any problem using user@domain.local. Same with DNS;
> if I try to "ping pdc.domain.local", I get name resolved correctly, as well
> as with just "ping pdc".
>
> However, if I run "ping workstation.domain.local" from pdc, I get "unknown
> host", though "ping workstation" works. Similarly, if I run "kinit user", I
> get a ticket, but
> "kinit user@domain.local"
> produces
> "Cannot contact any KDC for realm 'domain.local' while getting initial
> credentials".
>
> Probably related issue is with samba_dnsupdate. Running
> "sudo /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names"
> gives
> "RuntimeError: kinit for PDC$@DOMAIN.LOCAL failed (Cannot contact any KDC
> for requested realm)".
> "sudo host -t SRV _kerberos._udp.domain.local."
> gives
> "_kerberos._udp.domain.local has SRV record 0 100 88 pdc.domain.local."
> so it seems there is a correct record for kdc in dns. I've read that this
> issue can be caused by wrong dns setting in resolv.conf.
> My /etc/resolv.conf (and /etc/resolvconf/resolv.conf.d/tail) is:
> domain domain.local
> nameserver 127.0.0.1
>
> and my /etc/hosts:
> 127.0.0.1   localhost.localdomain   localhost
> 127.0.1.1   pdc.domain.local   pdc
> #network interface eth0:
> 192.168.1.67   pdc.domain.local   pdc
>
> So even here everything looks ok
>
> My krb5.conf:
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
> forwardable = true
>
> [realms]
> DOMAIN.LOCAL = {
> kdc = pdc.domain.local
> admin_server = pdc.domain.local
> }
>
> [domain_realm]
> .domain.local = DOMAIN.LOCAL
> domain.local = DOMAIN.LOCAL
>
> My smb.conf:
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> netbios name = PDC
> server role = active directory domain controller
> server role check:inhibit = yes
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns
> template shell = /bin/bash
> security = user
> map to guest = bad user
> guest account = nobody
> encrypt passwords = yes
> allow dns updates = True
> dns forwarder = 217.119.113.244
> interfaces = 127.0.1.1/8 eth0 lo
> bind interfaces only = yes
> logon path = \\%L\profiles\%U\%a
> logon drive = P:
> wins support = yes
> name resolve order = wins host bcast
> load printers = yes
> printing = cups
> printcap name = cups
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
>
> --
> View this message in context:
> http://samba.2283325.n4.nabble.com/kinit-user-works-kinit-user-domain-local-doesn-t-tp4654989.html
> Sent from the Samba - General mailing list archive at Nabble.com.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
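The realm part of a principal is what selects the [realms] entry (or the SRV record) the client goes to, and Kerberos realm names are case-sensitive (RFC 4120, section 6.1): "user@domain.local" asks for a realm the quoted krb5.conf never defines, while "kinit user" takes DOMAIN.LOCAL from default_realm. The Python below is an added example, not code from the post and not Samba's or MIT Kerberos' code. It embeds the krb5.conf quoted above as a constant and reproduces the static part of the lookup: realm from the principal, KDC list from [realms], and host-to-realm mapping from [domain_realm]. It does not model the DNS SRV path that dns_lookup_kdc = true also enables, and its parser covers only the syntax seen in the thread.

```python
"""krb5.conf realm resolution, static part only (added example).

Covers: realm taken from the principal (exact case, or default_realm),
KDC list from [realms], and host -> realm mapping from [domain_realm].
The parser handles only "key = value" lines and one level of "NAME = { ... }".
"""

# Constructed from the krb5.conf quoted in the thread.
KRB5_CONF = """
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
forwardable = true

[realms]
DOMAIN.LOCAL = {
kdc = pdc.domain.local
admin_server = pdc.domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values] or {key: [values]}}}.

    Every value is kept in a list because keys such as 'kdc' may repeat.
    A 'NAME = {' line opens a nested dict that lasts until the '}' line.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = conf.setdefault(section, {}).setdefault(key, {})
            continue
        target = conf.setdefault(section, {}) if block is None else block
        target.setdefault(key, []).append(value)
    return conf


def principal_realm(conf, principal):
    """Realm a client uses for 'name' or 'name@REALM'.

    The realm is taken exactly as typed: RFC 4120 6.1 makes realm names
    case-sensitive, so 'domain.local' and 'DOMAIN.LOCAL' are different realms.
    """
    if "@" in principal:
        return principal.rsplit("@", 1)[1]
    return conf["libdefaults"]["default_realm"][0]


def kdcs_for_realm(conf, realm):
    """KDC hosts listed for a realm in [realms]; [] when the realm is unknown."""
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        return []
    return list(entry.get("kdc", []))


def kdcs_for_principal(conf, principal):
    return kdcs_for_realm(conf, principal_realm(conf, principal))


def realm_for_host(conf, hostname):
    """[domain_realm] lookup: exact host first, then the nearest parent
    domain written with a leading dot. Host names are DNS names, so they are
    compared case-insensitively and a trailing dot is ignored; the realm
    returned keeps the case written in the file."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for p in ("user", "user@DOMAIN.LOCAL", "user@domain.local"):
        print("%-22s realm=%-14s kdcs=%s" % (p, principal_realm(conf, p),
                                             kdcs_for_principal(conf, p)))
    print(realm_for_host(conf, "workstation.domain.local"))
```

Running it prints a KDC for the first two principals and an empty list for the lower-case realm, which is the static-config side of the difference between the two kinit invocations; the DNS SRV lookup that dns_lookup_kdc enables is the other side and is not modelled here.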


Re: [Samba] Windows Profiles Not Being Created

2013-05-22 Thread Rob Verduijn
Interesting,

Sorry for breaking in on this thread, but I just wanted to say
thank you for the registry tip; it solved a problem for me that was
driving me nuts.

Rob



2013/5/22 David Noriega :
> Ahh that did it. The CentralProfile value was from a previous server
> layout and thus it couldn't find the profile location anymore.
>
> On Wed, May 22, 2013 at 4:47 AM, steve  wrote:
>> On Tue, 2013-05-21 at 11:51 -0500, David Noriega wrote:
>>> I'm finding that roaming profiles are not being created on the server
>>> and when a user logons, they are getting temporary profiles.
>>>
>>> The logs dont mention any obvious errors and in the directory I have
>>> set aside for profiles, a folder for the user is created, but nothing
>>> is put there.
>>
>> Hi
>> You don't say which Windows but when permissions are OK, try deleting
>> the profile. In w7, it's at:
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
>>
>> Steve
>>
>>


Re: [Samba] Rsyncing Samba4 Roaming Profiles between servers

2013-04-22 Thread Rob Beard



On 22/04/2013 11:06, Hisham Attar wrote:

Are you using getfattr to check the NTACL attributes? getfattr -d -m ".*"
should dump all extended attributes; it'll return a "Not
available" on security.NTACL if there are no extended attributes.



Hi Hisham,

Thanks for the pointer. I've checked the output of getfattr -d -m ".*" 
on both servers and they are coming up with the same output apart from 
user.DOSATTRIB: on the second server, the one that is causing the issue, 
user.DOSATTRIB doesn't have anything applied to it, whereas on the 
original server user.DOSATTRIB has a string of characters assigned to it.


security.NTACL, system.posix_acl_access and system.posix_acl_default are 
the same on both servers.


I've manually copied over the attributes using setfattr -n  
--value=  and I'm still getting the same issue.


Rob


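A way to compare the attributes named above across the two servers without eyeballing the dumps. The Python below is an added example, not code from the thread and not Samba's own code: it parses getfattr -d -m ".*" output (binary values are written as 0s-prefixed base64, text as a quoted string, an empty value as the bare attribute name) taken on each server and reports, per path, which attribute is missing, empty or different. The two dumps embedded in it are constructed to resemble the case described, with placeholder blob values rather than real ACLs. One thing the dumps cannot show: ls -lh printed the owner as the bare number 360, and a numeric uid only means the same account on both servers if both map it to the same SID. On a Samba AD DC that mapping lives in the DC's own idmap.ldb and is allocated locally unless rfc2307 uidNumber/gidNumber attributes are in use, so running wbinfo --uid-to-sid 360 on both hosts is a check worth adding to this one.

```python
"""Diff two 'getfattr -d -m ".*"' dumps (added example, not Samba code).

getfattr value encodings: name="text", name=0sBASE64, name=0xHEX, or a bare
name for an attribute whose value is empty.
"""
import base64
import binascii

# Constructed sample dumps; blob values are placeholders, not real NT ACLs.
SERVER1_DUMP = """\
# file: profiles/charles.carmichael.V2
security.NTACL=0sAQAEAAIAAAABAA==
system.posix_acl_access=0sAgAAAAEABgD/////
system.posix_acl_default=0sAgAAAAEABgD/////
user.DOSATTRIB="0x10"

# file: profiles/charles.carmichael.V2/NTUSER.DAT
security.NTACL=0sAQAEAAIAAAABAA==
user.DOSATTRIB="0x20"
"""

SERVER2_DUMP = """\
# file: profiles/charles.carmichael.V2
security.NTACL=0sAQAEAAIAAAABAA==
system.posix_acl_access=0sAgAAAAEABgD/////
system.posix_acl_default=0sAgAAAAEABgD/////
user.DOSATTRIB

# file: profiles/charles.carmichael.V2/NTUSER.DAT
security.NTACL=0sAQAEAAIAAAABAQ==
"""


def decode_value(raw):
    """Decode one getfattr value to bytes; None (bare name) means empty."""
    if raw is None:
        return b""
    if raw.startswith("0s"):
        return base64.b64decode(raw[2:])
    if raw.startswith("0x"):
        return binascii.unhexlify(raw[2:])
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # getfattr escapes non-printable bytes inside the quotes as \ooo;
        # the samples only use printable text, so no unescaping is done here.
        return raw[1:-1].encode()
    raise ValueError("unrecognised getfattr value: %r" % raw)


def parse_getfattr(text):
    """Return {path: {attribute: bytes}} from a (possibly recursive) dump."""
    files, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("# file: "):
            current = files.setdefault(line[len("# file: "):], {})
            continue
        if current is None:
            raise ValueError("attribute before any '# file:' header: %r" % line)
        name, sep, value = line.partition("=")
        current[name.strip()] = decode_value(value if sep else None)
    return files


def diff_dumps(left, right):
    """Compare two parsed dumps. Result: {path: [(attribute, status)]} with
    status one of 'missing-on-left', 'missing-on-right', 'empty-on-left',
    'empty-on-right', 'differs'; paths whose attributes all match are omitted."""
    report = {}
    for path in sorted(set(left) | set(right)):
        a, b = left.get(path, {}), right.get(path, {})
        findings = []
        for attr in sorted(set(a) | set(b)):
            if attr not in a:
                findings.append((attr, "missing-on-left"))
            elif attr not in b:
                findings.append((attr, "missing-on-right"))
            elif a[attr] == b[attr]:
                continue
            elif not a[attr]:
                findings.append((attr, "empty-on-left"))
            elif not b[attr]:
                findings.append((attr, "empty-on-right"))
            else:
                findings.append((attr, "differs"))
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    # On each server: getfattr -d -m ".*" -R profiles > server.txt, then
    # feed both files to parse_getfattr() and diff_dumps().
    for path, findings in diff_dumps(parse_getfattr(SERVER1_DUMP),
                                     parse_getfattr(SERVER2_DUMP)).items():
        for attr, status in findings:
            print("%s: %s %s" % (path, attr, status))
```

The report lists the attribute that is empty on the second server, as in the thread, and a blob that differs on a file below the profile root, which the top-level getfattr call would not have shown; the -R switch makes getfattr walk the whole tree.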


Re: [Samba] Rsyncing Samba4 Roaming Profiles between servers

2013-04-22 Thread Rob Beard



On 17/04/2013 16:32, Rob Beard wrote:

Hi folks,

I've got a bit of an issue with roaming profiles and I wondered if someone
might be able to help please? :-)

We've started rolling out Samba 4 across our network.  Currently it's on 3
of our 4 sites, one site has two Samba servers and two sites have one Samba
server each (well one site has two Samba 4 servers but one of the servers
was an oldish test box which I'm planning on removing from AD when I can
work out how to, but that's a separate issue).

I've managed to get roaming profiles working for the users on each site.
Each user is currently configured to store their roaming profile on the
server on the site that they're based at.  This seems to work pretty well
with our Windows 7 clients and the users are happy that they can now login
to any PC and get their desktop icons etc.

Now my boss would like the ability to be able to login to a PC on a remote
site (as in, not the site where his roaming profile is stored) and have the
profile available.  It seems to work without making any changes but it is
quite slow logging on and off (I put this down to the fairly slow ADSL
links we have between the sites).

I was giving the issue some thought and tried creating a test user and
changing the profile path to %logonserver%\profiles\user.name which when
logging on created a profile on the logon server of whichever site I was
at.

However, I tried then rsyncing this profile across from one server at one
site to another server (I've also tried it between two servers on the same
site) but the permissions seem to get corrupted...

If I look at the permissions in a Linux terminal I get the following...

Output from ls -lh on Server 1:
drwxrwx---+ 14 360 users 4.0K Apr 17 16:15 charles.carmichael.V2

Output from ls -lh on Server 2:
drwxrwx---+ 14 360 users 4.0K Apr 17 16:15 charles.carmichael.V2

So the permissions look okay to me unless I'm missing something.

If I check the permissions of the two profile folders in Windows 7 I get
the following:

Server 1 Permissions:

SYSTEM - Full Control
Charles.Carmichael - Full Control

Server 2 Permissions:

Everyone - None
RANDOMPC$ - Full Control
Random Group - Full Control
Domain Users - None
CREATOR OWNER - Special
CREATOR GROUP - Special

On Server 1 the owner is the user of the profile, on Server 2 the owner is
RANDOMPC$.

Both Server 1 and Server 2 are running Samba 4.0.3, Debian Squeeze AMD64
with the kernel 2.6.32-5-amd64.  If it helps the filesystems are ext4 and
have the options user_xattr,acl,barrier=1 in fstab.

What we'd like to do is run an rsync overnight and copy the differences
between the servers, but as we're coming across these issues we're a bit
stuck.

If anyone could help, or maybe suggest another way of syncing the roaming
profiles between the servers that would be great.

Thanks in advance,

Rob



Hi folks,

Further to Ricky's reply, I've had a look at the xattr's and acl's of 
the profiles folder after running an rsync with the -p, -A and -X switches.


Checking the permissions on both servers they appear to be the same; they 
have the same owner and groups.  Having checked the ACLs and xattrs they 
match on both servers.


I've restarted Samba on the second server after rsyncing to it and 
checked the permissions again but I'm still getting the incorrect 
permissions :-(


I wondered if there might be anywhere I can check where the permissions 
might be stored?


Ta,

Rob


Re: [Samba] Rsyncing Samba4 Roaming Profiles between servers

2013-04-18 Thread Rob Beard


On 18/04/2013 00:45, Ricky Nance wrote:
See the plus on drwxrwx---+; that means you have either extended 
attributes or ACLs (my guess would be ACLs), so I am willing to bet 
you haven't told rsync to preserve xattrs or ACLs in your script. 
getfacl, setfacl, getfattr, and setfattr will be helpful in sorting 
this out.


Good luck,
Ricky


Thanks Ricky,

I was using the -A and -X switches on rsync, but I'll do a bit more 
reading up on rsync, I'm guessing I've possibly missed something.


Rob


[Samba] Rsyncing Samba4 Roaming Profiles between servers

2013-04-17 Thread Rob Beard
Hi folks,

I've got a bit of an issue with roaming profiles and I wondered if someone
might be able to help please? :-)

We've started rolling out Samba 4 across our network.  Currently it's on 3
of our 4 sites, one site has two Samba servers and two sites have one Samba
server each (well one site has two Samba 4 servers but one of the servers
was an oldish test box which I'm planning on removing from AD when I can
work out how to, but that's a separate issue).

I've managed to get roaming profiles working for the users on each site. 
Each user is currently configured to store their roaming profile on the
server on the site that they're based at.  This seems to work pretty well
with our Windows 7 clients and the users are happy that they can now login
to any PC and get their desktop icons etc.

Now my boss would like the ability to be able to login to a PC on a remote
site (as in, not the site where his roaming profile is stored) and have the
profile available.  It seems to work without making any changes but it is
quite slow logging on and off (I put this down to the fairly slow ADSL
links we have between the sites).

I was giving the issue some thought and tried creating a test user and
changing the profile path to %logonserver%\profiles\user.name which when
logging on created a profile on the logon server of whichever site I was
at.

However, I tried then rsyncing this profile across from one server at one
site to another server (I've also tried it between two servers on the same
site) but the permissions seem to get corrupted...

If I look at the permissions in a Linux terminal I get the following...

Output from ls -lh on Server 1:
drwxrwx---+ 14 360 users 4.0K Apr 17 16:15 charles.carmichael.V2

Output from ls -lh on Server 2:
drwxrwx---+ 14 360 users 4.0K Apr 17 16:15 charles.carmichael.V2

So the permissions look okay to me unless I'm missing something.

If I check the permissions of the two profile folders in Windows 7 I get
the following:

Server 1 Permissions:

SYSTEM - Full Control
Charles.Carmichael - Full Control

Server 2 Permissions:

Everyone - None
RANDOMPC$ - Full Control
Random Group - Full Control
Domain Users - None
CREATOR OWNER - Special
CREATOR GROUP - Special

On Server 1 the owner is the user of the profile, on Server 2 the owner is
RANDOMPC$.

Both Server 1 and Server 2 are running Samba 4.0.3, Debian Squeeze AMD64
with the kernel 2.6.32-5-amd64.  If it helps the filesystems are ext4 and
have the options user_xattr,acl,barrier=1 in fstab.

What we'd like to do is run an rsync overnight and copy the differences
between the servers, but as we're coming across these issues we're a bit
stuck.

If anyone could help, or maybe suggest another way of syncing the roaming
profiles between the servers that would be great.

Thanks in advance,

Rob



Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-21 Thread Rob Townley
On Thu, Feb 21, 2013 at 5:45 PM, Rob Townley  wrote:
>
>
> On Thursday, February 21, 2013, Jeremy Allison  wrote:
>> On Thu, Feb 21, 2013 at 04:38:13PM -0600, Rob Townley wrote:
>>> On Wednesday, February 20, 2013, Jeremy Allison  wrote:
>>> > On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:
>>> >>
>>> >> What we have here is a problem of two incompatible text fields, and
>>> >> it does not make a difference if that incompatibility is a filenames
>>> >> in a file system or some table in some kind of non-filesytem media
>>> >> library. If you can't fix the incompatibility and if you can't
>>> >> change the underlying process that generates the data to only create
>>> >> names that fit the lowest common denominator all systems can handle,
>>> >> the obvious solution is to put in some kind of translation rule.
>>> >
>>> > The only question is whether that translation rule belongs in Samba
>>> > :-).
>>> >
>>> > It used to, but now I think it's better for it to be done externally
>>> > :-).
>>> >
>>> > Jeremy.
>>> > --
>>>
>>>
>>> Could there be an add-on module such as
>>> samba-enforce-dumb-filefolder-names ?
>>> Is Samba written in a modular enough way to add in a filesystem layer?
>>
>> Samba is *designed* to allow this :-). Check out the VFS
>> module interface. You'd have to catch all the path-based
>> calls.
>>
>> Jeremy.
>>

Sorry, I fat-fingered Gmail on my smartphone web browser.

Now, I am thinking it would be better as an ext2/3/4 module for those
cases where the Linux users are accessing the same file hierarchy but not
via Samba.
Maybe it has to be in Samba as well to satisfy all the different file
systems available to Linux servers.


Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-21 Thread Rob Townley
On Thursday, February 21, 2013, Jeremy Allison  wrote:
> On Thu, Feb 21, 2013 at 04:38:13PM -0600, Rob Townley wrote:
>> On Wednesday, February 20, 2013, Jeremy Allison  wrote:
>> > On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:
>> >>
>> >> What we have here is a problem of two incompatible text fields, and
>> >> it does not make a difference if that incompatibility is a filenames
>> >> in a file system or some table in some kind of non-filesytem media
>> >> library. If you can't fix the incompatibility and if you can't
>> >> change the underlying process that generates the data to only create
>> >> names that fit the lowest common denominator all systems can handle,
>> >> the obvious solution is to put in some kind of translation rule.
>> >
>> > The only question is whether that translation rule belongs in Samba :-).
>> >
>> > It used to, but now I think it's better for it to be done externally :-).
>> >
>> > Jeremy.
>> > --
>>
>>
>> Could there be an add-on module such as
>> samba-enforce-dumb-filefolder-names ?
>> Is Samba written in a modular enough way to add in a filesystem layer?
>
> Samba is *designed* to allow this :-). Check out the VFS
> module interface. You'd have to catch all the path-based
> calls.
>
> Jeremy.
>


Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-21 Thread Rob Townley
On Wednesday, February 20, 2013, Jeremy Allison  wrote:
> On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:
>>
>> What we have here is a problem of two incompatible text fields, and
>> it does not make a difference if that incompatibility is a filenames
>> in a file system or some table in some kind of non-filesytem media
>> library. If you can't fix the incompatibility and if you can't
>> change the underlying process that generates the data to only create
>> names that fit the lowest common denominator all systems can handle,
>> the obvious solution is to put in some kind of translation rule.
>
> The only question is whether that translation rule belongs in Samba :-).
>
> It used to, but now I think it's better for it to be done externally :-).
>
> Jeremy.
> --


Could there be an add-on module such as
samba-enforce-dumb-filefolder-names ?
Is Samba written in a modular enough way to add in a filesystem layer?




Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-19 Thread Rob Townley
I bookmarked the #Reserved_characters_and_words section of that wiki article.
However, the point is, there are times that the end user is not naming
the files directly, but the OS or an application is doing so.

wget will put escaped ? into filenames, but a Windows machine will not
be able to read it.
mkdir "`date`"  allows one to make a folder name based on the time
with slashes and colons, but of course Windows chokes on that.

Further, file systems need to save time, not consume a weekend.  The
problem is mostly with NTFS, but we can not control that.  If there
was a filesystem layer in a Samba share that prevented the creation of
files / folders incompatible with Windows, that would save time.  A
Windows file-naming compatibility mode, or just get rid of Windows and
Macs altogether.  I prefer the latter, but that would entail getting
rid of family members and my job.


On Tue, Feb 19, 2013 at 2:50 AM, L.P.H. van Belle  wrote:
> Well ... just look here at what's allowed.
> http://en.wikipedia.org/wiki/Filename
>
> The discussion of whether * or ? etc. in naming is bad should not be done here.
>
> I had the same with my collection; what I did was add new options in my 
> tagging: artist and albumartist, where artist is the person who's singing it, and the 
> albumartist is the person/group who released it, and I don't use strange (not allowed) 
> characters in the albumartist.
>
> That's how you can fix it pretty easily.
>
> And yes, I have "some" special characters in filenames, but only the allowed 
> ones.
> And no, I don't have problems with Windows and Unix with these files.
>
>
> Louis
>
>
>>-Original message-
>>From: rob.town...@gmail.com
>>[mailto:samba-boun...@lists.samba.org] On behalf of Rob Townley
>>Sent: Tuesday 19 February 2013 0:34
>>To: Jonathan Buzzard
>>CC: samba@lists.samba.org
>>Subject: Re: [Samba] Question marks, asterisks, colons in filenames
>>
>>On Mon, Feb 18, 2013 at 4:56 PM, Jonathan Buzzard
>> wrote:
>>> On 18/02/13 19:16, Ray wrote:
>>>>
>>>> Hi,
>>>>
>>>> I suppose this question must have been posted a hundred times, but
>>>> Google brings up nothing useful:
>>>>
>>>> Consider "The Wall" from Pink Floyd in an MP3 collection.
>>There's "In
>>>> The Flesh.mp3" and "In The Flesh?.mp3" as tracks. Or,
>>another example in
>>>> an MP3 collection: There's a Band called "Stellar", but
>>there's also a
>>>> band called "Stellar*". Naming files like this is no
>>problem in Linux.
>>>>
>>>
>>> Anyone putting "special" characters in file names has a
>>special place in
>>> hell reserved for them. It is plain stupid, just don't do it.
>>>
>>> Personally I would name them all wall01.mp3, wall02.mp3 etc.
>>and add ID3
>>> tags to them. Any decent graphical file manager and/or music
>>player will
>>> display the tag information. Stop abusing the filename to
>>store metadata
>>> when there is a standard for storing that metadata in the file.
>>>
>>> JAB.
>>>
>>> --
>>> Jonathan A. Buzzard Email: jonathan (at)
>>buzzard.me.uk
>>> Fife, United Kingdom.
>>>
>>
>>JAB, have you ever pulled down a website with wget?  Have you ever
>>looked at  www.dropbox.com/bad_files_check  which shows all the native
>>files on your Linux box that will never make it to Windows.
>>
>>Is there some kind of regular expression transliterate functionality?
>>A way to force Windows-only characters for Samba shares?
>>
>>Ray, on more than one occasion swat has documentation that is
>>nowhere else.
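The translation rule discussed in this thread, written out in Python as an added example. It is not code from the thread and not Samba's own vfs_catia module (which does this kind of character mapping inside smbd): it first reports why a Linux file name would be rejected by a Windows client (reserved characters, control characters, a trailing dot or space, device names such as CON or COM1) and then applies a reversible mapping of the offending characters into Unicode private-use code points, the approach Windows Services for Macintosh used. The code point table is this example's own choice, not Samba's default. The sample names are the ones mentioned in the thread: a wget-style name with a ?, a `date`-style name with colons, and the two MP3 titles.

```python
"""Windows file-name compatibility check and reversible transliteration
(added example; not the thread's code and not Samba's vfs_catia)."""
import os

# Win32 rules for one path component, not for a whole path.
RESERVED_CHARS = set('<>:"/\\|?*')
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL"} | \
    {"COM%d" % i for i in range(1, 10)} | {"LPT%d" % i for i in range(1, 10)}
MAX_COMPONENT = 255  # UTF-16 code units, the NTFS/Win32 limit per component

# This example's mapping into the Unicode private-use area (not Samba's table).
# '/' is left out: it can never occur inside a Linux path component.
TRANSLIT = {'"': "\uf020", "*": "\uf021", ":": "\uf022", "<": "\uf023",
            ">": "\uf024", "?": "\uf025", "\\": "\uf026", "|": "\uf027"}
TRAILING = {" ": "\uf028", ".": "\uf029"}   # only a final space or dot is illegal
REVERSE = {v: k for k, v in TRANSLIT.items()}
REVERSE.update((v, k) for k, v in TRAILING.items())


def windows_problems(name):
    """Return the reasons a Linux file name is not a valid Win32 name ([] if ok)."""
    problems = []
    for ch in sorted(c for c in set(name) if c in RESERVED_CHARS or ord(c) < 32):
        problems.append("reserved character %r" % ch)
    if name not in (".", "..") and name != name.rstrip(" ."):
        problems.append("trailing space or dot")
    stem = name.split(".", 1)[0].upper()          # CON, con.txt, COM1.log ...
    if stem in RESERVED_NAMES:
        problems.append("reserved device name %s" % stem)
    if len(name.encode("utf-16-le")) // 2 > MAX_COMPONENT:
        problems.append("longer than %d UTF-16 units" % MAX_COMPONENT)
    return problems


def to_windows(name):
    """Map the illegal characters to private-use code points. Refuses names
    that already use U+F000..U+F0FF, because they could not be reversed."""
    if any(0xF000 <= ord(c) <= 0xF0FF for c in name):
        raise ValueError("name already contains private-use code points: %r" % name)
    out = []
    for c in name:
        if c in TRANSLIT:
            out.append(TRANSLIT[c])
        elif ord(c) < 32:
            out.append(chr(0xF000 + ord(c)))      # control chars -> U+F001..U+F01F
        else:
            out.append(c)
    if out and out[-1] in TRAILING:
        out[-1] = TRAILING[out[-1]]
    return "".join(out)


def from_windows(name):
    """Inverse of to_windows()."""
    out = []
    for c in name:
        if c in REVERSE:
            out.append(REVERSE[c])
        elif 0xF001 <= ord(c) <= 0xF01F:
            out.append(chr(ord(c) - 0xF000))
        else:
            out.append(c)
    return "".join(out)


def scan_tree(root):
    """Yield (path, problems) for every entry under root that a Windows
    client would reject; run it against a share root before exporting it."""
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            problems = windows_problems(entry)
            if problems:
                yield os.path.join(dirpath, entry), problems


if __name__ == "__main__":
    for n in ("In The Flesh.mp3", "In The Flesh?.mp3", "Stellar*",
              "index.html?page=2", "Tue Feb 19 02:50:00 UTC 2013",
              "con.txt", "notes."):
        print("%-32r %s -> %r" % (n, windows_problems(n) or "ok", to_windows(n)))
```

The mapping is only reversible if nothing on the Linux side already uses the private-use range, which is why to_windows() refuses such names instead of silently producing a name that from_windows() would decode to something else.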


Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-18 Thread Rob Townley
On Mon, Feb 18, 2013 at 4:56 PM, Jonathan Buzzard
 wrote:
> On 18/02/13 19:16, Ray wrote:
>>
>> Hi,
>>
>> I suppose this question must have been posted a hundred times, but
>> Google brings up nothing useful:
>>
>> Consider "The Wall" from Pink Floyd in an MP3 collection. There's "In
>> The Flesh.mp3" and "In The Flesh?.mp3" as tracks. Or, another example in
>> an MP3 collection: There's a Band called "Stellar", but there's also a
>> band called "Stellar*". Naming files like this is no problem in Linux.
>>
>
> Anyone putting "special" characters in file names has a special place in
> hell reserved for them. It is plain stupid, just don't do it.
>
> Personally I would name them all wall01.mp3, wall02.mp3 etc. and add ID3
> tags to them. Any decent graphical file manager and/or music player will
> display the tag information. Stop abusing the filename to store metadata
> when there is a standard for storing that metadata in the file.
>
> JAB.
>
> --
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
>

JAB, have you ever pulled down a website with wget?  Have you ever
looked at  www.dropbox.com/bad_files_check  which shows all the native
files on your Linux box that will never make it to Windows.

Is there some kind of regular expression transliterate functionality?
A way to force Windows-only characters for Samba shares?

Ray, on more than one occasion swat has documentation that is nowhere else.


Re: [Samba] PROPOSAL: Remove SWAT in Samba 4.1

2013-02-17 Thread Rob Townley
This is why it is smart to use a dedicated Firefox profile for banking,
another profile just for email, another profile for web browsing. And of
course, another dedicated profile for internal systems only, such as
for managing dd-wrt, switches, iLO, DRAC, webcams, webmin and swat.

Safer is to have a dedicated swat xulrunner app.

If you want to be safest, use Qubes-OS.

Every user on the internet should know the following commands:
Firefox -no-remote -CreateProfile swatUseOnly
Firefox -no-remote -P swatUseOnly

I use swat when I want to find the new config options because it is often
the only documentation.  Keep swat.  It is not swat's fault, it is the
users'.

On Sunday, February 17, 2013, Andrew Bartlett  wrote:
> On Sun, 2013-02-17 at 20:52 -0500, Nico Kadel-Garcia wrote:
>> On Sun, Feb 17, 2013 at 7:02 PM, Andrew Bartlett wrote:
>> > As most of you would have noticed, we have now had 3 CVE-nominated
>> > security issues for SWAT in the past couple of years.
>>
>> Has "webmin" kept up to date with the latest structural changes in
>> smb.conf? I'll admit that I've long preferred the "webmin" module
>> structure over the dedicated add-on structures of "swat".
>
> It seems webmin has much the same challenges, perhaps because it's a
> package of a similar age.  Or web security is just hard...
> http://www.webmin.com/security.html
>
> smb.conf hasn't changed structure in a long time, but we do add/remove
> options each release.  Neither is likely to do the AD DC stuff very well
> right now.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
>
>


Re: [Samba] Fwd: correction - Frustrated with "there are currently no logon servers available"

2013-02-01 Thread Rob Townley
Win7 by default will only use 445


On Friday, February 1, 2013, Morgan Toal  wrote:
> OK,
>
> How do I confirm the sid that the windows box is using?
>
> I can get the domain sid from net getlocalsid
> I can get the user sid of a local user no problem
>
> In reference to unjoining and rejoining...
> does this require something more than :
> 1) userdel machine$
> 2) pdbedit --delete machine$
>
> ADditional Information:
>
> When I join the domain, and the message "welcome to the domain" appears, I
> get the following message immediately appearing in my logs:
>
>  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
>  auth request from client WIN7 machine account WIN7$
>
> Agh!
>
>
>
> On 2/1/2013 10:44 AM, Mike Howard wrote:
>>
>> On 01/02/2013 15:59, Morgan Toal wrote:
>>>
>>> On 2/1/2013 8:54 AM, Morgan Toal wrote:
>>>
>>> OK I feel even dumber now...  I pasted the wrong text into my email due
>>> to my frustration level.
>>>
>>> The error is: "there are currently no logon servers available"
>>> as opposed to: "the network name is no longer available"
>>>
>> That error has always meant to me that the client in question has
>> somehow become unjoined (for all intents and purposes). That is, its SID
>> no longer matches that held by the PDC.
>>
>> Have you tried unjoining the domain, ensuring the client record has
>> actually been removed and rejoining?
>>
>


Re: [Samba] Samba4 Winbind - is it really not possible to be sensible?

2013-01-26 Thread Rob McCorkell
Thanks for the explanation - I wasn't thinking too much about multiple 
domains, and I guess it would be an issue. A potential solution would be 
to have offsets for each domain, specified in smb.conf? If I didn't have 
too much on my plate already I would have a look at the mapping code and 
attempt to write a solution myself.


The 'solution' with the UID discrepancy between nslcd and Samba was to 
feed back the nslcd UID back into Samba, then tell Samba to use those 
UIDs instead. Oh, and while I am here I might as well bring a particular 
bug to your attention - when Samba is set to use rfc2307, but no 
uidNumber attribute exists for an object, the UID number gets allocated. 
But once a uidNumber attribute is set, and the allocation has already 
taken place, the allocated UID is used instead. I can't imagine that 
this is the desired behaviour with rfc2307.


Thanks,
Rob

On 26/01/2013 7:25 PM, Matthieu Patou wrote:

On 01/25/2013 11:43 AM, Rob McCorkell wrote:
Samba3 allowed for the setting of idmaps and passdb backends to 
configure how users were pulled in. This made integrating with 
existing LDAP databases, other other forms of authentication easy, 
since Samba could be configured to present the same UID and GID as 
directly from the [insert other auth method here] system. All was good.


Unfortunately Samba4 seems to have removed much of that 
functionality. I understand that in an AD context, passdb backend 
doesn't really make very much sense, so removing that was fair. What 
I do not understand is why Winbind cannot be configured to use 
certain idmaps, more specifically the RID mapping.
First of all: resources. Feel free to provide your implementation for 
the rid backend.
Then also with AD winbindd we tried not to reproduce what had been 
done with the original winbindd, where we had a lot of options and 
backends, after we realized that it wasn't such a good fit.
And having discussed it for a long time, the RID backend is the 
perfect example of a backend that seems very interesting at first 
glance but is not so in the long run, as it works well only when 
you have one domain.
We are still thinking of a RID-like solution that would scale with 
more than one domain.


This would make it significantly easier to integrate LDAP 
authenticating clients into Samba4, for example using nslcd to map 
the UIDs and GIDs. The current implementation is forced into using 
allocated *IDs, which are not consistent across machines.
But all in all this is not a big problem, since although machines get 
different *IDs, they use the CIFS protocol which uses usernames 
instead, so each machine knows who a user is. The problem is when a 
server that runs Samba4 as a file server uses LDAP to get user 
information. When a client connects, Samba4 the user UID which is 
allocated. Samba4 then finds the home share, but since the UID on the 
home share (dutifully mapped by nslcd from the RID on the end of the 
objectSid) doesn't match the allocated one, it refuses access.
Can you configure nslcd to use the uidNumber/gidNumber? If so, one 
solution could be (but just for a Samba-only domain controller) to have 
a mechanism that feeds back the randomly generated uid into the 
uidNumber field.


All that nslcd does in this case is map a UID to the RID from the 
objectSid in LDAP. This is a very simple mapping - just get the end 
of the string, where the first bit is the domain SID. Samba3 
supported RID mapping in this fashion, but I do not understand why 
this was not ported across to Samba4. It would only change the UIDs 
and GIDs as seen by Samba, which as far as I know are used very 
little within Samba, where the objectSid is used instead.


Of course, it could be that I have a massive misunderstanding of the 
internals of Samba4, and there is a reason why this functionality 
wasn't brought across.


No you don't, but for the AD part we have for the moment a pretty 
limited set of methods to allocate UIDs/GIDs, sorry!


Matthieu.



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Winbind - is it really not possible to be sensible?

2013-01-26 Thread Rob McCorkell

If you provision/run with idmap_ldb:use rfc2307 then you can assign each
user/group a uidNumber/gidNumber which then is/can be obeyed by samba/nslcd.


Sorry, I should have made myself more clear. Our current setup uses the nslcd 
approach to get the UIDs and GIDs as mapped from the RID of each object. We 
then feed that back into the LDAP database (as uidNumber and gidNumber 
attributes) along with setting idmap_ldb:use rfc2307 so that Samba4 gets the 
same UIDs and GIDs as from mapping the RID. But this is very much a fudge, and 
it does not make sense that Winbind shouldn't support this form of RID mapping, 
even though previous versions did support it.

Rob



[Samba] Samba4 Winbind - is it really not possible to be sensible?

2013-01-25 Thread Rob McCorkell
Samba3 allowed for the setting of idmaps and passdb backends to 
configure how users were pulled in. This made integrating with existing 
LDAP databases, or other forms of authentication easy, since Samba 
could be configured to present the same UID and GID as directly from the 
[insert other auth method here] system. All was good.


Unfortunately Samba4 seems to have removed much of that functionality. I 
understand that in an AD context, passdb backend doesn't really make 
very much sense, so removing that was fair. What I do not understand is 
why Winbind cannot be configured to use certain idmaps, more 
specifically the RID mapping. This would make it significantly easier to 
integrate LDAP authenticating clients into Samba4, for example using 
nslcd to map the UIDs and GIDs. The current implementation is forced 
into using allocated *IDs, which are not consistent across machines.
But all in all this is not a big problem, since although machines get 
different *IDs, they use the CIFS protocol which uses usernames instead, 
so each machine knows who a user is. The problem is when a server that 
runs Samba4 as a file server uses LDAP to get user information. When a 
client connects, Samba4 uses the UID which is allocated for the user. Samba4 then 
finds the home share, but since the UID on the home share (dutifully 
mapped by nslcd from the RID on the end of the objectSid) doesn't match 
the allocated one, it refuses access.


All that nslcd does in this case is map a UID to the RID from the 
objectSid in LDAP. This is a very simple mapping - just get the end of 
the string, where the first bit is the domain SID. Samba3 supported RID 
mapping in this fashion, but I do not understand why this was not ported 
across to Samba4. It would only change the UIDs and GIDs as seen by 
Samba, which as far as I know are used very little within Samba, where 
the objectSid is used instead.


Of course, it could be that I have a massive misunderstanding of the 
internals of Samba4, and there is a reason why this functionality wasn't 
brought across.


Rob
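The objectSid-to-POSIX-ID mapping that nslcd performs in this setup (the same passage is also quoted earlier in the thread), as an added Python example that is not Rob's configuration or Samba code: it splits a SID into issuing domain and RID, refuses SIDs from other issuers, optionally offsets the RID away from local system IDs, and emits the LDIF that writes the result back as uidNumber/gidNumber for idmap_ldb:use rfc2307. The domain SID, DNs and RIDs are constructed values.

```python
import re

# Constructed domain SID; a real one is the domain object's objectSid.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (issuing SID, RID).

    The RID is the last sub-authority; the mapping in the thread is just
    this last number. Malformed input raises ValueError.
    """
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % (sid,))
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def rid_to_posix_id(sid, domain_sid=DOMAIN_SID, base=0):
    """objectSid -> uidNumber/gidNumber, RID-mapping style.

    Only SIDs issued by our own domain are mapped; BUILTIN (S-1-5-32-*) or
    foreign-domain SIDs are refused instead of silently becoming local IDs
    that may collide with something else. `base` is an optional offset that
    keeps well-known RIDs (500, 512, 513, ...) clear of local system
    accounts; the setup in the thread uses base 0.
    """
    head, rid = split_sid(sid)
    if head != domain_sid:
        raise ValueError("%s is not from domain %s" % (sid, domain_sid))
    return base + rid


def safe_map(sid, **kw):
    """Same as rid_to_posix_id, but returns None instead of raising."""
    try:
        return rid_to_posix_id(sid, **kw)
    except ValueError:
        return None


def rfc2307_ldif(dn, object_sid, is_group=False, **kw):
    """LDIF that writes the RID-derived ID back as uidNumber or gidNumber.

    This is the feedback step described in the thread, so that Samba4 with
    idmap_ldb:use rfc2307 hands out the same ID that nslcd derives.
    """
    attr = "gidNumber" if is_group else "uidNumber"
    value = rid_to_posix_id(object_sid, **kw)
    return "dn: %s\nchangetype: modify\nreplace: %s\n%s: %d\n-\n" % (
        dn, attr, attr, value)


if __name__ == "__main__":
    # Constructed user entry: RID 1104 in our domain.
    sid = DOMAIN_SID + "-1104"
    print(rid_to_posix_id(sid))          # 1104
    print(safe_map("S-1-5-32-544"))      # None: BUILTIN\Administrators
    print(rfc2307_ldif("CN=ismith,CN=Users,DC=domain,DC=local", sid))
```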


Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS

2012-12-31 Thread Rob Townley
On Sun, Dec 30, 2012 at 10:06 PM, Matthieu Patou  wrote:

> On 12/30/2012 07:10 PM, Achim Gottinger wrote:
>
>> As you have noticed, we are very good at adding DNS records, but never
>>> remove the old ones.  What you have done seems reasonable, if you have
>>> renamed the site, removing the remaining DNS references seems entirely
>>> reasonable.
>>>
>>> Please file a bug about the left-behind DNS stuff, we really should
>>> clean that up.
>>>
>>> Andrew Bartlett
>>>
>>
>> There is this menu option "cleanup old resource entries" in the DNS
>> snap-in, guess it's normal AD behaviour.  :-)
>>
> No it's not, there is a KB about DNS server about how to clean old records
> that were set by a client via DDNS
>
>> This does not yet work against a Samba4 AD DC. But I'll file a
>> bug report.
>>
>>  I'm not 100% sure that we implement everything that is needed for a
>>> client to pickup the correct site, so you might see some issues still.
>>>
>> It had happened in very seldom cases with the samba3/bind/openldap
>> before. In the Samba4 test environment it happened only once after i had
>> removed the mentioned SRV records pointing to site2's dc in site1 folders.
>> I'll report back if it happens on an regular basis.
>>
>>>> As a last step I renamed the site "Default-First-Site-Name" to
>>>> "site1". Restarted the samba services at both sites, checked replication. But
>>>> there are still a few DNS entries left which I deleted manually.
>>>>
>>> It's really not a good idea to delete or rename the Default-First site; lots
>>> of Windows admins advise against doing so, you'd better leave it empty.
>>> Matthieu
>>>
>>
>> So to be on the safe side you recommend I create two new sites and assign
>> the two servers to them, leaving Default-First-Site-Name with no assigned
>> server.
>> I thought it was safer to leave the first server in that default site
>> because I had read the sites thing is a work in progress. Renaming it was
>> something I did after a bit of online research which mentioned it is safe and
>> not forbidden. Beside the now empty structure elements in DNS, the test
>> environment is still functional.
>>
>> http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2afc3cf5-7389-4368-bdeb-887e60c0081f
>>
>> Beside all that, for me samba4 is a great step forward and will simplify
>> things a lot compared to the previous samba3/bind/openldap solution
>>
> Ok good to know.
>
> Matthieu.
>
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>




MS ADS utilities would demand restoring from backups for deleting dns
records.

Assuming you are trying to have two different sites in the same domain,
you would not want to delete DNS records at all, but change the dns SRV
record such that the remote site has a lower priority (higher number) and
the local site has a better priority (lower number).   In many computer
systems, higher priority is represented by a lower number.  Zero is often
the highest priority.  Weight is different from priority.  More weight is
represented by a higher number.   You may want to leave weight alone
because rfc2782 says WEIGHT zero is a special case.  rfc2782 is a little
confusing as to what weight zero implies.  It also states the order of
ResourceRecords returned matters in the selection process.  Details are in
the URLs below.  I would recommend reading about PRIORITY and WEIGHT in
2782.



http://en.wikipedia.org/wiki/SRV_record
http://tools.ietf.org/html/rfc2782
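Rob's advice above, as an added Python example that is not from the list or from Samba: it implements the RFC 2782 client selection order (priority groups lowest number first, weighted random choice within a group, the weight-0 rule), and applies the suggested fix of re-prioritising the remote site's record so it stays as a fallback instead of being deleted. The record set and host names are constructed.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed RRset for one name (think _ldap._tcp.<domain>) the way DCs
# register it: everything at the same priority, so clients treat both sites
# alike. Weights are constructed too; dc4 carries the RFC 2782 weight-0 case.
FLAT_RRSET = [
    SrvRecord(0, 60, 389, "dc1.site1.example.local."),
    SrvRecord(0, 20, 389, "dc3.site1.example.local."),
    SrvRecord(0, 0, 389, "dc4.site1.example.local."),
    SrvRecord(0, 100, 389, "dc2.site2.example.local."),
]


def reprioritize(rrset, local_suffix, local_priority=0, remote_priority=10):
    """Keep every record, but give targets outside the local site a larger
    (less preferred) priority number, as the post recommends."""
    return [
        r._replace(priority=local_priority if r.target.endswith(local_suffix)
                   else remote_priority)
        for r in rrset
    ]


def order_srv(rrset, rng=None):
    """Return the records in the order a conforming client tries them.

    RFC 2782: lower priority numbers go first. Within one priority, records
    with weight 0 are placed at the front of the list; a random number in
    [0, sum of weights] is drawn and the first record whose running sum is
    >= that number is selected, then removed, until the group is exhausted.
    A weight-0 record is therefore chosen only when the draw is exactly 0.
    """
    if rng is None:
        rng = random.Random()
    ordered = []
    for prio in sorted({r.priority for r in rrset}):
        group = [r for r in rrset if r.priority == prio]
        remaining = sorted(group, key=lambda r: r.weight != 0)  # zero-weight first
        while remaining:
            total = sum(r.weight for r in remaining)
            pick = rng.randint(0, total)  # inclusive upper bound, per the RFC
            running = 0
            for i, r in enumerate(remaining):
                running += r.weight
                if running >= pick:
                    ordered.append(remaining.pop(i))
                    break
    return ordered


def first_pick_frequencies(rrset, trials=4000, seed=1):
    """How often each target is the client's first choice (seeded, so the
    result is reproducible)."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in rrset}
    for _ in range(trials):
        counts[order_srv(rrset, rng)[0].target] += 1
    return {t: c / trials for t, c in counts.items()}


if __name__ == "__main__":
    site_rrset = reprioritize(FLAT_RRSET, ".site1.example.local.")
    for r in site_rrset:
        print(r)
    print([r.target for r in order_srv(site_rrset)])
    print(first_pick_frequencies(site_rrset))
```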


Re: [Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account

2012-12-16 Thread Rob McCorkell
Sorry for the late reply - was running it through testing in our 
environment. But so far it seems to be working a treat! Thanks for this, 
much appreciated.


Rob

On 15/12/12 16:42, Thomas Simmons wrote:

Hello Rob,

You can enable anonymous binding to AD by creating the attribute 
"dsHeuristics" with a value of "002001001" under the DN:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration

The Microsoft instructions referenced below mention using the ADSI Edit 
tool on Windows, but it can be done with any LDAP editing tool. I just 
tested this on S4 and it appears to work.


See: http://technet.microsoft.com/en-us/library/cc816788(v=ws.10).aspx






Re: [Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account

2012-12-15 Thread Rob McCorkell

On 15/12/12 13:31, Achim Gottinger wrote:
It might work if you give Anonymous full read Access to the cn=Users 
branch via AD User and Group management.
How is it possible to do this from the Samba4 server? Unfortunately 
Windows is out of the question here, because this will be part of 
Karoshi Server which will be distributed as a self-contained Linux 
distribution. Therefore the ideal solution would be either direct LDAP 
modification, or use of samba-tool or other utilities.



Re: [Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account

2012-12-14 Thread Rob McCorkell
On the samba-technical mailing list there is this exact problem 
detailed, so your help is no longer needed to configure reading of 
unixHomeDirectory and loginShell by other users, but the question about 
anonymous access still stands - it would be much better for each client 
to have anonymous access to LDAP rather than needing the dedicated user, 
which brings with it security holes.


On 14/12/12 18:03, Rob McCorkell wrote:
In our current testing environment, we are using nslcd to get user and 
group information from the Samba4 LDAP server, using the last part of 
objectSid as uidNumber. The configuration is designed to pull down 
unixHomeDirectory and loginShell if they exist, but they default to 
standard values if they do not. nslcd on each machine binds to LDAP 
using a dedicated user account, nslcd-service, and the entire setup 
works pretty well.



[Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account

2012-12-14 Thread Rob McCorkell
In our current testing environment, we are using nslcd to get user and 
group information from the Samba4 LDAP server, using the last part of 
objectSid as uidNumber. The configuration is designed to pull down 
unixHomeDirectory and loginShell if they exist, but they default to 
standard values if they do not. nslcd on each machine binds to LDAP 
using a dedicated user account, nslcd-service, and the entire setup 
works pretty well.


But now we have run into a problem - although both POSIX attributes 
exists on a particular user (ismith in this case) they cannot be read by 
the machine using nslcd-service to bind to the LDAP directory. After 
further testing, we found that binding as Administrator makes the 
attributes show up - in fact adding nslcd-service to 'Domain Admins' 
group also lets it see those attributes. Unfortunately both of these 
options are a huge security risk - any server that becomes compromised 
can effectively take control of the Samba4 domain and server, and in 
turn take out the rest of the network.


It seems strange that all normal attributes are perfectly readable by 
any user, while the manually added POSIX attributes are not. I do not 
know enough about AD configuration to figure out where the ACLs are 
stored for this, and documentation has been scarce to say the least. 
Thus I have come to this mailing list for guidance.


An alternative strategy would be to enable anonymous binding on the LDAP 
server, but the (slightly less scarce) documentation shows that to do 
that requires each entry be specifically set to allow this, which seems 
to be more hassle than it is worth. Any help on this would also be 
greatly appreciated.


Thanks,
Rob


Re: [Samba] Failing to get uids from AD

2012-07-17 Thread Rob Townley
Precisely what ldap attribute are you setting user id numbers in AD?  You
may want to check.  There are numerous attribute names that include uid and
gid, but you need the correct one.


Re: [Samba] Problems accessing Windows shares 3.5.8 vs 3.6.3

2012-04-16 Thread Rob LaRose

As I recall, Win2008 was the end of the line for Samba-on-Solaris10 for
us.  We adopted a product called Centrify which included its own
AD-binding / kerberos authentication mechanisms for Solaris 10, and their
own build of Samba that worked with it.

That's been working perfectly with AD 2008, and I recommend it highly.

--Rob


Rob LaRose systems administrator
imaginary forces | 530 west 25th street | new york | p 646.486.6868 |
www.imaginaryforces.com <http://www.imaginaryforces.com/>








On 4/16/12 9:18 AM, "Christopher Davis"  wrote:

>I am trying to get Samba up and working on Solaris 10.
>
>I have a separate discussion going on about my problems getting Samba 358
>on
>Solaris 10 to authenticate to a Windows 2008R2 domain (See )
>
>
>
>As a different solution I have downloaded the source code for 3.6.3 and
>compiled it  The provlem I am having is it won't work with my Windows
>machines
>at all
>
>i.e.  Using the 3.5.8 binary I can do a smbclient -L dc1 -U bob and it
>will
>return the list of shares.  Using the 3.6.3 binary with the same config
>file I
>get NT_STATUS_LOGON_FAILURE
>
>It was compiled with the following options:
>
>./configure --prefix=/samba.test --with-automount --with-ldap=/usr/local
>--with-quotas --with-sys-quotas --with-acl-support --with-aio-support
>--with-pam --includedir=/usr/local/include --with-libiconv=/usr/local
>--with-readline=/usr/local --with-winbind --with-pam_smbpass
>--with-krb5=/usr/local --with-ads --disable-krb5developer
>
>Most of the pre-reqs came from the sunfreeware site except for libintl
>(gettext) which I downloaded and compiled as the one from sunfreeware
>would
>not link correctly.
>
>I have also followed the notes I found somewhere that had me change the
>makefile:
>
>1: search for -lthread and add -lintl after it for every instance
>2: search for -Wl,-z,defs and remove them all
>
>This allows me to successfully compile Samba.  However - no windows client
>(or
>for that matter no other version of samba I have) can talk to these samba
>servers.  ONLY the smbclient from 3.6.3 will work
>
>
>Any ideas why this is the case?
>What else can I send along to help?
>
>Thanks,
>Chris
>




This e-mail is intended only for the named person or entity to which it is 
addressed and contains valuable business information that is proprietary, 
privileged, confidential and/or otherwise protected from disclosure. If you 
received this e-mail in error, any review, use, dissemination, distribution or 
copying of this e-mail is strictly prohibited. Please notify us immediately of 
the error via e-mail to  postmas...@imaginaryforces.com and 
please delete the e-mail from your system, retaining no copies in any media. We 
appreciate your cooperation.

...imaginaryforces.com...



Re: [Samba] How do I know if I'm using SMB2?

2012-03-28 Thread Rob Marshall

It would be very helpful if the protocol is
displayed in smbstatus.

Vielen Dank :-)

Rob

On 3/28/12 3:08 AM, Volker Lendecke wrote:

On Tue, Mar 27, 2012 at 05:13:34PM -0700, Jeremy Allison wrote:

On Tue, Mar 27, 2012 at 05:03:49PM -0400, Rob Marshall wrote:

Hi,

I've installed 3.6.3 on a Linux system (SLES 10) and I
am connecting from a Windows 7 VM running on my Mac. I
added "max protocol = SMB2" to my smb.conf and restarted
Samba. How can I check and verify that the protocol I'm
using is actually SMB2?


No easy way to be sure without looking at the wire traffic.

Would a low debug-level message help ?


I have a reminder message in my inbox saying "output smb2 in
smbstatus".

Volker




Re: [Samba] How do I know if I'm using SMB2?

2012-03-27 Thread Rob Marshall

Never mind...I ran Ethereal and started a capture
and right in the "Protocol" column it said: SMB2.
So, problem solved.

Thanks,

Rob

On 3/27/12 9:31 PM, Rob Marshall wrote:

Hi Jeremy,

Well, since I'd rather not have to look at the
actual negotiation, anything would help. I'm
just a little surprised there isn't some sort
of way to check it...And by offering a "low
debug-level message" are you saying that there
is one? Or that you could add one?

Thanks,

Rob

On 3/27/12 8:13 PM, Jeremy Allison wrote:

On Tue, Mar 27, 2012 at 05:03:49PM -0400, Rob Marshall wrote:

Hi,

I've installed 3.6.3 on a Linux system (SLES 10) and I
am connecting from a Windows 7 VM running on my Mac. I
added "max protocol = SMB2" to my smb.conf and restarted
Samba. How can I check and verify that the protocol I'm
using is actually SMB2?


No easy way to be sure without looking at the wire traffic.

Would a low debug-level message help ?




Re: [Samba] How do I know if I'm using SMB2?

2012-03-27 Thread Rob Marshall

Hi Jeremy,

Well, since I'd rather not have to look at the
actual negotiation, anything would help. I'm
just a little surprised there isn't some sort
of way to check it...And by offering a "low
debug-level message" are you saying that there
is one? Or that you could add one?

Thanks,

Rob

On 3/27/12 8:13 PM, Jeremy Allison wrote:

On Tue, Mar 27, 2012 at 05:03:49PM -0400, Rob Marshall wrote:

Hi,

I've installed 3.6.3 on a Linux system (SLES 10) and I
am connecting from a Windows 7 VM running on my Mac. I
added "max protocol = SMB2" to my smb.conf and restarted
Samba. How can I check and verify that the protocol I'm
using is actually SMB2?


No easy way to be sure without looking at the wire traffic.

Would a low debug-level message help ?




[Samba] How do I know if I'm using SMB2?

2012-03-27 Thread Rob Marshall

Hi,

I've installed 3.6.3 on a Linux system (SLES 10) and I
am connecting from a Windows 7 VM running on my Mac. I
added "max protocol = SMB2" to my smb.conf and restarted
Samba. How can I check and verify that the protocol I'm
using is actually SMB2?

Thanks,

Rob


Re: [Samba] Grant computer account access to share?

2011-11-20 Thread Rob Townley
On Thu, Nov 10, 2011 at 8:48 AM, Chris Weiss  wrote:

> On Thu, Nov 10, 2011 at 2:24 AM, Andrew Lyon 
> wrote:
> > Hi,
> >
> > I have a Microsoft application (SCCM) which I need to grant access to
> > a samba share, however the service which reads the files can only
> > authenticate using the computer account, there is option to configure
> > it to use a domain account.
>
> do you mean to say that it's a windows service that's Log On tab is
> set to local system?  because "authenticate using the computer
> account" isn't a "thing".  A windows service running as local system
> does not have permissions to access network resources at all.  This is
> a windows restriction, you have to have the account log on as a local
> or domain user if you want it to be able to access the network.
>

On a Win7 64bit windows system, bits and "Windows Update" both run as
"Local System" and I can guarantee you I have had numerous reboots the last
few weeks to finish applying updates.  You are probably confused by User
Account Control changes. Like he said, COMPUTER$ can be added on a Windows
share.  The windows security descriptor language may be needed for some
services.  See "sc.exe sdset /?"

man smb.conf may not be up-to-date like the web page configuration that
enumerates all the current parameters.  Going totally from memory, I
believe there was an option in the samba webpage program that allows you to
configure computer account access for a share.  Sorry, blanking on the
package name.


[Samba] Tuning OSX samba for WAN vs LAN

2011-07-05 Thread Rob LaRose

Hello my Sambese friends,

Has anyone got info on tuning the SMB client in OSX for connecting to Samba 
servers across a WAN/VPN?  I get decent performance locally, but when I reach 
across our VPN link to another site, throughput falls right to garbage when 
compared with FTP.

Thanks in advance for any tips.

--Rob



Rob LaRose systems administrator
imaginary forces | 530 west 25th street | new york | p 646.486.6868 | 
www.imaginaryforces.com<http://www.imaginaryforces.com/>






Re: [Samba] XP not obeying Samba file perms

2011-03-17 Thread Rob Mason
The files aren't locked as I can modify them in Photoshop?  It's only the "Rotate" 
shell extension that won't work until _after_ Photoshop has opened and 
re-written the file.  However, I do suspect a locking related problem...

--- Original Message ---
From: John Drescher 
To: Rob Mason 
Sent: 13.3.11, 14:17:09
Subject: Re: [Samba] XP not obeying Samba file perms

On Sun, Mar 13, 2011 at 7:11 AM, Rob Mason  wrote:
> Hi List,
>
> I have an unusual problem concerning the Windows  XP "Rotate" image
> explorer shell extension.  I have a share called "Archives" defined with
> a number of sub-directories.  Whilst I have read/write permission to all
> directories, I am unable to use the Windows XP "Rotate Clockwise" or
> "Rotate Counter Clockwise" image command on JPG's contained within those
> directories - error is "file may be in use or directory may be read
> only".  That is, until I read the files into Photoshop and write them
> back out again.  Then the "Rotate" shell extension works!  During this
> process there is no change whatsoever to the file and dir perms either
> on the filesystem (FreeBSD) or those reported by Windows - they appear
> identical before and after Photoshop intervention.
>
> So my question is how to trouble shoot this, and, what may be causing
> this unusual problem?
>
> Samba version is 3.5.6
>
> [albums]
>        comment = Mason family archive
>        path = /usr/local/archive
>        write list = mason, root
>        guest ok = Yes
>
>
> Filesystem perms ->
> -
>
> drwxr-xr-x  28 mason  wheel   -   512 Feb 20 10:08 archive/
>
> drwxr-xr-x   4 mason  wheel  -  512 Dec 19  2009 ./
> drwxr-xr-x  28 mason  wheel  -  512 Feb 20 10:08 ../
> drwxr-xr-x  18 mason  wheel  - 1024 Mar 13 10:42 Mason/
> drwxr-xr-x   2 mason  wheel  -  512 Mar 12 10:40 Wagstaff/
>
> drwxr-xr-x   4 mason  wheel  -  512 Mar 13 10:41 1979 - France -
> Argeles-sur-Mer/
>
> -rw-r--r--   1 mason  wheel  -    8192 Mar 13 10:39 Thumbs.db
> -rw-r--r--   1 mason  wheel  - 2393243 Mar 12 18:06 Untitled-10.jpg
> -rw-r--r--   1 mason  wheel  - 2236064 Mar 12 19:33 Untitled-11.jpg
> -rw-r--r--   1 mason  wheel  - 2441339 Mar 12 19:38 Untitled-12.jpg
> -rw-r--r--   1 mason  wheel  - 2115890 Mar 12 19:45 Untitled-13.jpg
> -rw-r--r--   1 mason  wheel  - 2113096 Mar 12 19:49 Untitled-14.jpg
> -rw-r--r--   1 mason  wheel  - 2507137 Mar 12 19:54 Untitled-15.jpg
> -rw-r--r--   1 mason  wheel  - 2312662 Mar 12 19:59 Untitled-16.jpg
> -rw-r--r--   1 mason  wheel  - 2346841 Mar 12 20:04 Untitled-17.jpg
> -rw-r--r--   1 mason  wheel  - 2583152 Mar 12 20:09 Untitled-18.jpg
> -rw-r--r--   1 mason  wheel  - 2447956 Mar 12 20:14 Untitled-19.jpg
> -rw-r--r--   1 mason  wheel  - 166 Mar 12 20:19 Untitled-20.jpg
> -rw-r--r--   1 mason  wheel  - 2549045 Mar 12 20:24 Untitled-21.jpg
> -rw-r--r--   1 mason  wheel  - 2155071 Mar 12 20:28 Untitled-22.jpg
> -rw-r--r--   1 mason  wheel  - 2228869 Mar 12 20:34 Untitled-23.jpg
> -rw-r--r--   1 mason  wheel  - 1957951 Mar 12 20:38 Untitled-24.jpg
>
>
>
>
> The original of this email was scanned for known viruses at 11:13 on 
> 13/03/2011 and was found to be virus free - ClamAV 0.97/12827/Sat Mar 12 
> 11:38:52 2011.
>
>

Do a smbstatus on the server when the problem happens. The files could
be locked.

John






Re: [Samba] possible to deactivate pre-authentication on the Linux (or windows)- Please help

2011-03-15 Thread Rob Townley
On Wed, Mar 9, 2011 at 12:33 AM, Sharik M  wrote:
> Dear Friend,
>
>
> Is it possible to deactivate pre-authentication on the Linux (or
>
> Windows) side to avoid these messages ?
>
> Because I am getting a lot of errors in a Windows 2003 domain.
>
> Hi,
>
> When validating users on my Linux system against an ActiveDirectory,
> the Windows event log are filled with messages like these (Windows
> Event ID 675):
>
> Pre-authentication failed:
> User Name: linux$
> User ID: KK\linux$
> Service Name: krbtgt/KK.LOCAL
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 1.2.3.4
>
>
> (1.2.3.4 is the IP address of the Linux machine, LINUX the hostname of
> the Linux machine).
>
> The message above comes at every request from the Linux machine (every 5
> minutes on this installation). If I am validating a user, the same
> message is shown for the user like this (user name validated=test):
>
> Pre-authentication failed:
> User Name: test$
> User ID: KK\test$
> Service Name: krbtgt/KK.LOCAL
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 1.2.3.4
>
> Messages logged on behalf of a user may be disabled by deactivating
> pre-authentication for each user. But I cannot find any place in
> ActiveDirectory to disable it for the machine account.
>
> What is missing ?
>
> Is it possible to deactivate pre-authentication on the Linux (or
> Windows) side to avoid these messages ?
>
>
>

Although annoying, these are not necessarily all that bad of audit
entries because it may be trying different methods of authenticating.
First one fails so it tries a more difficult one.
I wonder if it would be better to attempt a reset of the machine
account password from AD, then setting DONT_REQ_PREAUTH.

You can change it via adsiedit or adexplorer.exe
DONT_REQ_PREAUTH

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B305144
ms-DS-User-Account-Control-Computed

P.S. I typed this 5 days ago and just found it was not sent.
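Added Python example, not from the post or from Samba: it triages Event ID 675 bodies in the layout quoted above, separating failure code 0x19 (the KDC demanding pre-authentication on a first, bare request, the benign retry Rob describes) from 0x18 (pre-authentication actually failed), and audits userAccountControl for the DONT_REQ_PREAUTH bit (0x400000, as documented in the KB article linked above) so that accounts with the requirement switched off can be reviewed rather than quietly added to. The event text and account values are constructed.

```python
import re
from collections import Counter

# Flag value from Microsoft KB 305144 (userAccountControl).
UF_DONT_REQUIRE_PREAUTH = 0x400000
# Kerberos error codes (RFC 4120) as they appear in the event's Failure Code.
KDC_ERR_PREAUTH_FAILED = 0x18    # pre-auth data was wrong: a real credential failure
KDC_ERR_PREAUTH_REQUIRED = 0x19  # KDC asked for pre-auth on a bare AS-REQ

# Constructed sample events in the layout quoted in the thread.
SAMPLE_EVENTS = """\
Pre-authentication failed:
User Name: linux$
User ID: KK\\linux$
Service Name: krbtgt/KK.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 1.2.3.4

Pre-authentication failed:
User Name: test
User ID: KK\\test
Service Name: krbtgt/KK.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 1.2.3.4
"""


def parse_events(text):
    """Split a dump of Event ID 675 bodies into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("Pre-authentication failed"):
            continue
        fields = {}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        try:
            fields["failure_code"] = int(fields.get("Failure Code", ""), 16)
        except ValueError:
            fields["failure_code"] = None
        events.append(fields)
    return events


def classify(event):
    """0x19 is the KDC telling the client to retry with pre-auth; only 0x18
    means a supplied key was wrong."""
    code = event.get("failure_code")
    if code == KDC_ERR_PREAUTH_REQUIRED:
        return "expected-retry"
    if code == KDC_ERR_PREAUTH_FAILED:
        return "credential-failure"
    return "other"


def triage(text):
    """Count classes per (user, client address), so the periodic 0x19 noise
    from a machine account is kept apart from a run of real failures."""
    counts = Counter()
    for ev in parse_events(text):
        counts[(ev.get("User Name"), ev.get("Client Address"), classify(ev))] += 1
    return counts


def preauth_disabled(user_account_control):
    """True when DONT_REQ_PREAUTH is set on the account."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


def audit_preauth(accounts):
    """accounts: {sAMAccountName: userAccountControl}. Returns the names
    whose pre-authentication requirement has been switched off."""
    return sorted(name for name, uac in accounts.items() if preauth_disabled(uac))


if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_EVENTS).items()):
        print(key, n)
    # Constructed userAccountControl values: 0x1000 = WORKSTATION_TRUST_ACCOUNT,
    # 0x200 = NORMAL_ACCOUNT; "svc" additionally has DONT_REQ_PREAUTH set.
    print(audit_preauth({"linux$": 0x1000, "svc": 0x400200}))  # ['svc']
```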


[Samba] XP not obeying Samba file perms

2011-03-13 Thread Rob Mason
Hi List,

I have an unusual problem concerning the Windows  XP "Rotate" image
explorer shell extension.  I have a share called "Archives" defined with
a number of sub-directories.  Whilst I have read/write permission to all
directories, I am unable to use the Windows XP "Rotate Clockwise" or
"Rotate Counter Clockwise" image command on JPG's contained within those
directories - error is "file may be in use or directory may be read
only".  That is, until I read the files into Photoshop and write them
back out again.  Then the "Rotate" shell extension works!  During this
process there is no change whatsoever to the file and dir perms either
on the filesystem (FreeBSD) or those reported by Windows - they appear
identical before and after Photoshop intervention.

So my question is how to trouble shoot this, and, what may be causing
this unusual problem?

Samba version is 3.5.6

[albums]
comment = Mason family archive
path = /usr/local/archive
write list = mason, root
guest ok = Yes


Filesystem perms ->
-

drwxr-xr-x  28 mason  wheel   -   512 Feb 20 10:08 archive/

drwxr-xr-x   4 mason  wheel  -  512 Dec 19  2009 ./
drwxr-xr-x  28 mason  wheel  -  512 Feb 20 10:08 ../
drwxr-xr-x  18 mason  wheel  - 1024 Mar 13 10:42 Mason/
drwxr-xr-x   2 mason  wheel  -  512 Mar 12 10:40 Wagstaff/

drwxr-xr-x   4 mason  wheel  -  512 Mar 13 10:41 1979 - France -
Argeles-sur-Mer/

-rw-r--r--   1 mason  wheel  -8192 Mar 13 10:39 Thumbs.db
-rw-r--r--   1 mason  wheel  - 2393243 Mar 12 18:06 Untitled-10.jpg
-rw-r--r--   1 mason  wheel  - 2236064 Mar 12 19:33 Untitled-11.jpg
-rw-r--r--   1 mason  wheel  - 2441339 Mar 12 19:38 Untitled-12.jpg
-rw-r--r--   1 mason  wheel  - 2115890 Mar 12 19:45 Untitled-13.jpg
-rw-r--r--   1 mason  wheel  - 2113096 Mar 12 19:49 Untitled-14.jpg
-rw-r--r--   1 mason  wheel  - 2507137 Mar 12 19:54 Untitled-15.jpg
-rw-r--r--   1 mason  wheel  - 2312662 Mar 12 19:59 Untitled-16.jpg
-rw-r--r--   1 mason  wheel  - 2346841 Mar 12 20:04 Untitled-17.jpg
-rw-r--r--   1 mason  wheel  - 2583152 Mar 12 20:09 Untitled-18.jpg
-rw-r--r--   1 mason  wheel  - 2447956 Mar 12 20:14 Untitled-19.jpg
-rw-r--r--   1 mason  wheel  - 166 Mar 12 20:19 Untitled-20.jpg
-rw-r--r--   1 mason  wheel  - 2549045 Mar 12 20:24 Untitled-21.jpg
-rw-r--r--   1 mason  wheel  - 2155071 Mar 12 20:28 Untitled-22.jpg
-rw-r--r--   1 mason  wheel  - 2228869 Mar 12 20:34 Untitled-23.jpg
-rw-r--r--   1 mason  wheel  - 1957951 Mar 12 20:38 Untitled-24.jpg






Re: [Samba] Managing win7 machines..

2011-01-28 Thread Rob Townley
FusionInventory.org  OPSI.org

On Fri, Jan 28, 2011 at 2:47 PM,   wrote:
>
>>
>> Ok, i get it...   so both options are horror...
>>
>> so basically i have to use samba4 for the policies and all.
>> and use samba3 on a different machine for the network browsing and
>> printing.
>> must be do-able
>>
>> just 1 question, can i use samba3 for the masterbrowser/wins and make
>> samba4
>> use that.. (as for as i know the network browse support isn't ready for
>> samba4)
>
> Yes
>>
>>
>>
>> Cheers, and thanx..
>>
>> Collen
>>
>>
>>
>> On 21-1-2011 8:48, Daniel Müller wrote:
>>>
>>> No ntconfig.pol anymore. You may use kixtart or other tools. Or
>>> Registry-files. But be aware
>>> Some registry-things can only be done by administrator and no one else.
>>> If
>>> you have the most win 7 clients
>>> It is better to switch over to samba4. You can then manage your group
>>> policies with Microsoft tools on the fly.
>>> With things that samba4 does not support at this moment use a samba 3
>>> domain
>>> member.
>>>
>>> Good Luck
>>> Daniel
>>>
>>> ---
>>> EDV Daniel Müller
>>>
>>> Leitung EDV
>>> Tropenklinik Paul-Lechler-Krankenhaus
>>> Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>>
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> eMail: muel...@tropenklinik.de
>>> Internet: http://www.tropenklinik.de
>>> ---
>>>
>>> -----Original Message-----
>>> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
>>> On Behalf Of Collen Blijenberg
>>> Sent: Friday, 21 January 2011 08:35
>>> To: samba@lists.samba.org
>>> Subject: Re: [Samba] Managing win7 machines..
>>>
>>> I did that, but that doesn't make win7 obey the ntconfig.pol (nt4
>>> policies)
>>>
>>> as far as I know win7 can't handle these policies, so I think
>>> I need another way to apply policies to win7.
>>>
>>> thx. Collen.
>>>
>>> On 20-1-2011 17:17, Wagg, Dave wrote:
>>>>
>>>> I don't know about version 3 but have you made the following changes to
>>>> the Control Panel -> Admin Tools -> Local Security Policy -> Local
>>>> Policies -> Security options
>>>>
>>>> Change the Network Security: LAN Manager authentication level to "Send
>>>> LM & NTLM responses"
>>>>
>>>> Remove 128 bit encryption on the following 2 items as well:
>>>>
>>>> Network security: Minimum session security for NTLM SSP based CLIENTS
>>>> and
>>>>
>>>> Network security: Minimum session security for NTLM SSP based SERVERS
>>>>
>>>>
>>>> -Original Message-
>>>> From: samba-boun...@lists.samba.org
>>>> [mailto:samba-boun...@lists.samba.org] On Behalf Of Collen Blijenberg
>>>> Sent: Thursday, January 20, 2011 10:42 AM
>>>> To: samba@lists.samba.org
>>>> Subject: [Samba] Managing win7 machines..
>>>>
>>>> I'm curious how others manage their windows 7 machines
>>>> on a samba 3.x.x domain ..
>>>>
>>>> especially the part of policies and scripts.
>>>>
>>>> i got the win7 running in the samba domain, but i'm
>>>> stuck in the policies part.. and i don't want to use nitrobit for this.
>>>>
>>>> how do other users do this.. ?!
>>>>
>>>> thx, Collen
>>>>


[Samba] How to backup/restore printer settings?

2010-11-29 Thread Rob Moser
Hello All,

We have a problem with our samba-based print server (a redhat EL
machine, running samba 3.2.8) occasionally getting corrupt
ntprinters.tdb files.  To combat it, I've been keeping nightly backups
of the file, and restoring the latest whenever it crashes.  This
_almost_ works.  When I restore the file, some of the printer settings -
such as which driver it is using - seem to restore fine.  But some
others - such as Printer Status Notification, to pick one at random from
the Device Settings tab - seem to reset to default values.

Are these settings stored in a different database?  When I make changes
to them through the Windows interface, the timestamp on the
ntprinters.tdb file changes, and not much else (other than files I'd
expect to change regularly anyways.)  Is there a way to save and restore
the printer settings (in some usefully programmatic way for a whole
bunch of printers, rather than manually wading through a bunch of clicky
windows re-doing them all one-by-one...)

Thanks for any assistance,

- rob.


Re: [Samba] Win7 cannot net use z: Samba share

2010-10-05 Thread Rob Townley
On Tue, Oct 5, 2010 at 9:26 AM, John Hendrix  wrote:
> Hi all
>
> The symptom is:
>
>> C:\Windows\system32>net USE z: \\10.10.23.219\share /USER:SMBUSER
>> [password]
>>
>> System error 1326 has occurred.
>>
> My situation
>
> I am using VirtualBox.  Windows 7 Home is the host.  Fedora 13 is the guest.
>
>
> My goal is to cause the Fedora guest to expose an smb share to the Win 7
> host and have the Win 7 host mount the share as a drive.
>
> My procedure:
>
>   1. I followed the instructions I found here (http://tinyurl.com/347xcym)
>   to configure the Fedora guest.
>   2. I disabled iptables via the following command: service iptables stop
>   3. I configured the Fedora Guest’s VirtualBox networking for “bridged
>   mode”  This caused the guest to appear as just another computer on the
>   network
>
> At this point, when I attempt to mount the smb share on the Win 7 host I get
> the following:
>
>> C:\Windows\system32>net USE z: \\10.10.23.219\share /USER:SMBUSER
>> [password]
>>
>> System error 1326 has occurred.
>>
>> At this point I cranked smb debugging to the max and attempted to change
>> the ‘smbusers’ password.
>>
>> [r...@localhost fi]# smbpasswd -D 10 smbuser
>> Netbios name list:-
>> my_netbios_names[0]="SMBSERVER"
>> Attempting to register passdb backend ldapsam
>> Successfully added passdb backend 'ldapsam'
>> Attempting to register passdb backend ldapsam_compat
>> Successfully added passdb backend 'ldapsam_compat'
>> Attempting to register passdb backend NDS_ldapsam
>> Successfully added passdb backend 'NDS_ldapsam'
>> Attempting to register passdb backend NDS_ldapsam_compat
>> Successfully added passdb backend 'NDS_ldapsam_compat'
>> Attempting to register passdb backend smbpasswd
>> Successfully added passdb backend 'smbpasswd'
>> Attempting to register passdb backend tdbsam
>> Successfully added passdb backend 'tdbsam'
>> Attempting to register passdb backend wbc_sam
>> Successfully added passdb backend 'wbc_sam'
>> Attempting to find a passdb backend to match tdbsam (tdbsam)
>> Found pdb backend tdbsam
>> pdb backend tdbsam has a valid init
>> New SMB password:
>> Retype new SMB password:
>> tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
>> pdb_set_username: setting username smbuser, was
>> pdb_set_domain: setting domain SMBSERVER, was
>> pdb_set_nt_username: setting nt username , was
>> pdb_set_full_name: setting full name , was
>> Home server: smbserver
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> pdb_set_homedir: setting home dir \\smbserver\smbuser, was
>> pdb_set_dir_drive: setting dir drive , was NULL
>> pdb_set_logon_script: setting logon script , was
>> Home server: smbserver
>> pdb_set_profile_path: setting profile path \\smbserver\smbuser\profile, was
>> pdb_set_workstations: setting workstations , was
>> account_policy_get: name: password history, val: 0
>> pdb_set_user_sid: setting user sid
>> S-1-5-21-2780852000-3232352013-1934734775-1004
>> pdb_set_user_sid_from_rid:
>>                setting user sid
>> S-1-5-21-2780852000-3232352013-1934734775-1004 from rid 1004
>> account_policy_get: name: maximum password age, val: -1
>> Finding user smbuser
>> Trying _Get_Pwnam(), username as lowercase is smbuser
>> Get_Pwnam_internals did find user [smbuser]!
>> Opening cache file at /var/lib/samba/gencache.tdb
>> Opening cache file at /var/lib/samba/gencache_notrans.tdb
>> *Cache entry with key = IDMAP/GID2SID/501 couldn't be found *
>> *gid_to_sid: winbind failed to find a sid for gid 501*
>> *LEGACY: gid 501 -> sid S-1-22-2-501*
>> account_policy_get: name: password history, val: 0
>> pdb_set_username: setting username smbuser, was
>> pdb_set_domain: setting domain SMBSERVER, was
>> pdb_set_nt_username: setting nt username , was
>> pdb_set_full_name: setting full name , was
>> Home server: smbserver
>> pdb_set_homedir: setting home dir \\smbserver\smbuser, was
>> pdb_set_dir_drive: setting dir drive , was NULL
>> pdb_set_logon_script: setting logon script , was
>> Home server: smbserver
>> pdb_set_profile_path: setting profile path \\smbserver\smbuser\profile, was
>> pdb_set_workstations: setting workstations , was
>> account_policy_get: name: password history, val: 0
>> pdb_set_user_sid:

Re: [Samba] help with AD integration

2010-09-29 Thread Rob LaRose

Hi Ben,

Which version of AD are you using?  We had no luck integrating Solaris Samba w/ 
AD 2008 last year, and were forced to use a third-party authentication product 
called Centrify DirectControl to facilitate.

This may have changed by now — have you opened a support case with Oracle?

--Rob


Rob LaRose  systems administrator
imaginary forces | 530 west 25th st | new york city | p 646.486.6868 | f 
646.486.4700 | www.imaginaryforces.com


From: Ben George <bentech4...@gmail.com>
Date: Wed, 29 Sep 2010 03:07:15 -0400
To: samba@lists.samba.org
Subject: [Samba] help with AD integration

HI

my name is Ben.T.George

I am new to samba and active directory integration

my machine is Sun Solaris SPARC (solaris 10).

the unix side samba and all deps are installed...from this link
http://www.sunfreeware.com/programlistsparc10.html#samba

now I want to sync samba with active directory..

so please help me with this..

please provide me the step by step for this..

now I am stuck with kerberos configuration.

also please provide me the kerberos step by step configuration
thanks
Ben.T.George



This e-mail is intended only for the named person or entity to which it is 
addressed and contains valuable business information that is proprietary, 
privileged, confidential and/or otherwise protected from disclosure. If you 
received this e-mail in error, any review, use, dissemination, distribution or 
copying of this e-mail is strictly prohibited. Please notify us immediately of 
the error via e-mail to  postmas...@imaginaryforces.com and 
please delete the e-mail from your system, retaining no copies in any media. We 
appreciate your cooperation.

...imaginaryforces.com...



Re: [Samba] Change of kerberos encryption from DES to AES

2010-08-27 Thread Rob Townley
On Thu, Aug 26, 2010 at 10:41 AM, Masopust, Christian
 wrote:
> Hello all,
>
> as our Windows DCs will switch off DES encryption in the near future I
> have to change our Samba-Server to AES encryption.
>
> If I understand it correctly I have to change kerberos-configuration to
> the new encryption type (aes256-cts-hmac-sha1-96) and then re-join my
> Samba-Server to the domain.
>
> Is this correct?  Any other things to consider?
>
> Thanks a lot,
> Christian
>
>

I don't know how helpful this will be, but I will need to do the same.

I believe the samba server should generate the supported encryption
types from AD.
Not sure you have to manually change it, but the following blog posts
I have found helpful.
http://blogs.msdn.com/b/alextch/archive/tags/ad+interop/

This is one 2006 howto video on migrating from DES to RC4.
http://blogs.msdn.com/b/alextch/archive/2006/07/18/MITtoADRC4.aspx
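A keytab check for the DES switch-off Christian describes, added here as an example for this thread (it is not from either poster and not a Samba tool): it reads klist -kte style text and reports whether single-DES keys remain and whether an AES key is already present. It assumes the enctype is printed in parentheses, and the listing below is a constructed sample, not real output.

```shell
#!/bin/sh
# Added example (not from the thread): audit a keytab listing before the
# DCs stop accepting DES.  Input is "klist -kte"-style text.  Assumption:
# the enctype is printed in parentheses, either as a short name
# ("des-cbc-crc") or, on older MIT builds, as a long name
# ("DES cbc mode with CRC-32").

# Constructed sample listing (no real keys or hosts):
# two single-DES keys, one RC4 key, one AES key.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/26/10 10:41:00 host/smb.example.com@EXAMPLE.COM (des-cbc-crc)
   3 08/26/10 10:41:00 host/smb.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 08/26/10 10:41:00 host/smb.example.com@EXAMPLE.COM (arcfour-hmac)
   4 08/27/10 09:00:00 host/smb.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Single DES only; triple DES and RC4 are not affected by the DES cut-over.
DES_RE='\((des-cbc-(crc|md4|md5)|des cbc mode with)'
AES_RE='\(aes(128|256)-cts-hmac-sha1-96\)'

# des_keys LISTING: print the key lines that use single DES (any case).
# Exit status 0 if at least one was printed, 1 otherwise (grep's convention).
des_keys() {
    printf '%s\n' "$1" | grep -Ei "$DES_RE"
}

# count_des LISTING: print how many single-DES keys the listing contains.
count_des() {
    printf '%s\n' "$1" | grep -Eci "$DES_RE"
    return 0   # grep -c exits 1 when the count is 0; the count is the result
}

# has_aes LISTING: succeed when an AES key is present, i.e. the principal
# keeps working after DES is disabled on the KDC.
has_aes() {
    printf '%s\n' "$1" | grep -Eqi "$AES_RE"
}

# audit_listing LISTING: summarise readiness for the DES switch-off.
#   0 = ready (AES key present, no DES keys left)
#   1 = DES keys still present (they will stop working; re-key or re-join)
#   2 = no AES key at all (re-join with AES enabled before the cut-over)
audit_listing() {
    listing=$1
    if ! has_aes "$listing"; then
        echo "no AES key found: re-join before the DCs disable DES"
        return 2
    fi
    n=$(count_des "$listing")
    if [ "$n" -gt 0 ]; then
        echo "$n DES key(s) still present:"
        des_keys "$listing" | sed 's/^/  /'
        return 1
    fi
    echo "ready: AES key present, no DES keys"
    return 0
}

# Demonstration on the constructed sample: two DES keys remain, status 1.
audit_listing "$SAMPLE_LISTING" || echo "audit exit status: $?"
```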


Re: [Samba] samba and ms server 2008

2010-08-09 Thread Rob Townley
On Mon, Aug 9, 2010 at 2:07 PM, Gaiseric Vandal
 wrote:
> http://wiki.samba.org/index.php/Windows7
>
>
> I would be pretty sure that if Windows 7 doesn't work with Samba 3.0.x that
> Windows 2008 won't either.   Rather than compiling samba 3.4 or 3.5 from
> source I would go with Fedora Core 11 (samba 3.3.x) or  some other more
> up-to-date linux distro that has a newer version of samba included.   I
> wouldn't start anything with 3.0.xx.
>
> I would (maybe stating the obvious) set up a test environment 1st.     I did
> start playing with FC13 (samba 3.5)-  not sure it behaved properly.    I
> personally would stick with FC12 which I think had samba 3.4.x included-
>  since I am pretty familiar with 3.4.x but not 3.5.x.  There were definitely
> some config changes between 3.0.x and 3.4.x (group mapping, domain trusts.)
>
>
>
>
> On 08/09/2010 02:56 PM, Peter Lawrie wrote:
>>
>> Hi
>> I am about to set up a Centos server with samba and an MS server 2008 for
>> a
>> new customer.
>> The MS server is required because he has an MSSQL application. The samba
>> shares will be for everything else.
>> I've previously set up centos and redhat servers as domain members with a
>> 2003 pdc
>> before I get stuck, are there any issues I should worry about with server
>> 2008?
>> What release of samba should I run?
>> Are there any differences in configuration compared with samba3.0.33 which
>> comes with centos5.5
>> Peter
>> No virus found in this outgoing message.
>> Checked by AVG - www.avg.com
>> Version: 9.0.851 / Virus Database: 271.1.1/3059 - Release Date: 08/09/10
>> 07:35:00
>>
>>
>
>

If you want to use CentOS, then your best bet would probably be :
http://enterprisesamba.com/index.php?id=123

They do have 64 bit packages, but you have to click on the 386
packages and navigate up and down to see the x86_64 packages.   Better
yet, simply add this repo file as /etc/yum.repos.d/sernet-samba.repo
and then yum install samba3*.  Not samba, but samba3, as they name
packages differently.

http://ftp.sernet.de/pub/samba/3.5/rhel/5/sernet-samba.repo
[sernet-samba]
name=SerNet Samba Team packages (RedHat Enterprise Linux 5)
type=rpm-md
baseurl=http://ftp.sernet.de/pub/samba/3.5/rhel/5
enabled=1
gpgcheck=0


Let us know how it goes.  Are you using 2008 or 2008R2?
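The repo file above sets gpgcheck=0, which tells yum to skip RPM signature verification for everything it pulls from that mirror. As an added example for this thread (not from the post and not SerNet's file), a shell check that flags that setting in a .repo definition, beside a hardened variant whose gpgkey path is a placeholder:

```shell
#!/bin/sh
# Added example (not part of the thread, not SerNet's file): audit a yum
# .repo definition for package-signature checking before pointing yum at it.

# Constructed copy of the fragment quoted in the post (the weak setting).
WEAK_REPO='[sernet-samba]
name=SerNet Samba Team packages (RedHat Enterprise Linux 5)
type=rpm-md
baseurl=http://ftp.sernet.de/pub/samba/3.5/rhel/5
enabled=1
gpgcheck=0'

# Hardened form.  The gpgkey path is a placeholder (assumption: the vendor
# publishes a signing key; import the real one from a trusted source).
HARDENED_REPO='[sernet-samba]
name=SerNet Samba Team packages (RedHat Enterprise Linux 5)
type=rpm-md
baseurl=http://ftp.sernet.de/pub/samba/3.5/rhel/5
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PLACEHOLDER'

# repo_gpg_issues TEXT: print one finding per enabled section that would
# install unsigned packages; exit 0 when there are none, 1 otherwise.
# A section with no gpgcheck line is treated as unchecked here (yum would
# fall back to the [main] default, which this file does not show).
repo_gpg_issues() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (sec == "" || enabled == "0") return
            if (gpgcheck != "1")   { print sec ": gpgcheck is off"; bad++ }
            else if (gpgkey == "") { print sec ": gpgcheck=1 but no gpgkey"; bad++ }
        }
        /^\[.*\]$/ { flush(); sec = $0; enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
        /^[[:space:]]*$/    { next }   # blank line
        /^[[:space:]]*[#;]/ { next }   # comment
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if      (key == "enabled")  enabled  = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey")   gpgkey   = val
        }
        END { flush(); exit (bad > 0) }'
}

# Demonstration: the weak file produces a finding, the hardened one none.
repo_gpg_issues "$WEAK_REPO" || echo "weak repo: unsigned packages would be installed"
repo_gpg_issues "$HARDENED_REPO" && echo "hardened repo: signatures will be checked"
```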


Re: [Samba] Need suggestion for domain controller

2010-08-01 Thread Rob Townley
Please elaborate on why you do not like OpenLDAP and SambaPDC on the same machine?

RedHat sponsored FreeIPA.org does Samba, 389 ldap, Dns, pki all on one
machine.  So does win ads.

On 7/31/10, John Drescher  wrote:
>>     I wish to establish a domain controller based on Centos 5.x. I am
>> considering below setups.
>>
>> 1) Samba PDC
>> 2) OpenLDAP
>> 3) Combination of Samba PDC + LDAP
>>
>>     I am confused to select one among above. Can anyone please suggest me?
>
> All are valid. I mean when setting up a samba domain with open ldap
> you should have at least 1 machine that is a PDC and at least 1
> machine that has openldap on it. Unless this is a home install I
> believe you should have at least 2 of each. The choice of how to
> combine these services is up to the user. For my department (of less
> than 50 users but 30TB of raid on a 100% gigabit network) I have 3 DCs
> and 3 openldap servers. At the moment they are PDC + Openldap. Also
> since I have no user shares on the domain controllers (all data is on
> dual / quad core domain member servers) I have these as guests under a
> vps (openvz or lxc).
>
> John
>


Re: [Samba] winbind and authentication with local accounts

2010-07-13 Thread Rob Moser
Depends on where you're talking about your users authenticating, but it
sounds like you need a:

winbind use default domain = yes

in your smb.conf.

    - rob.

On 07/13/2010 02:00 AM, Philipp Braband wrote:
> Hi everyone,
> 
> I have a problem with my samba and winbind configuration:
> 
> before I switched the config (from local user authentication to AD 
> authentication using winbind) my users were able to authenticate for example 
> as “peter”. Now, after switching, they are forced to use 
> SAMBASERVERNAME\peter. If they use only “peter” winbind tries to authenticate 
> them against the AD which fails. Is there a way to “teach” winbind to try to 
> authenticate every user locally if they don't use DOMAIN\peter ?
> Hope you understand my problem in spite of my bad English ☺
> 
> 
> My configuration:
> 
> SLES11 SP0
> samba-3.2.7-11.6
> samba-winbind-3.2.7-11.6
> krb5-1.6.3-133.10
> 
> 
> smb.conf:
> 
> [global]
> workgroup = DOMAIN
> netbios aliases = SAMBASERVER
> interfaces = eth0, 127.0.0.1/8
> bind interfaces only = Yes
> ;security = ADS
> security = ADS
> password server = 192.168.1.1
> load printers = No
> disable spoolss = Yes
> show add printer wizard = No
> ;printcap name = cups
> logon path = \\%L\profiles\.msprofile
> logon drive = P:
> logon home = \\%L\%U\.9xprofile
> encrypt passwords = Yes
> smb passwd file = /etc/samba/smbpasswd
> username map = /etc/samba/smbusers
> kernel oplocks = No
> ldap ssl = no
> printing = bsd
> ;cups options = raw
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> include = /etc/samba/dhcp.conf
> log level = 1
> realm = DOMAIN.DE
> template homedir = /home/%D/%U
> template shell = /bin/bash
> usershare allow guests = No
> winbind refresh tickets = yes
> winbind offline logon = yes
> idmap gid = 1-2
> idmap uid = 1-2
> winbind enum users = yes
> winbind enum groups = yes
> 
> idmap backend = ad
> idmap config DOMAIN : backend = ad
> winbind nss info = rfc2307
> 
> 
> 
> krb5.conf
> 
> 
> [libdefaults]
> default_realm = DOMAIN.DE
> clockskew = 300
> 
> 
> [realms]
> DOMAIN.DE = {
> kdc = 192.168.1.1
> admin_server = 192.168.1.1
> default_domain = domain.de
> }
> 
> 
> 
> 
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
> 
> 
> 
> [domain_realm]
> .domain.de = DOMAIN.DE
> 
> 
> 
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> minimum_uid = 1
> }
> 
> 
> Cheers,
> Philipp
> 
> 
> S&L Netzwerktechnik GmbH
> Philipp Braband
> Networking Team
> 
> Florinstrasse 18
> 56218 Muelheim-Kaerlich
> 
> Telephone: +49 261 92736 308
> Fax:
> Email:   pbrab...@sul.de
> www: http://www.sul.de
> www: http://www.controlseries.de
> www: http://www.monitoring-solution.de
> 
> 
> 
> S&L Netzwerktechnik GmbH - Managing Directors Goetz Schmitt, Oliver Schmitt
> Registered office: Muelheim-Kaerlich - Koblenz District Court HRB 135 53
> VAT ID: DE 171698897 - VAT ID: Luxembourg LU 18934643
> 
> This e-mail may contain confidential and/or legally protected information. If
> you are not the intended recipient or have received this e-mail in error,
> please inform the sender immediately by telephone or e-mail and delete this
> e-mail from your system. Unauthorised copying or forwarding of this mail is
> not permitted. We are not liable for the integrity of e-mails once they have
> left our sphere of control.
> 
> This e -mail may contain confidential and/or privileged information. If you 
> are not the intended recipient (or have received this e-mail in error) please 
> notify the sender immediately by call or e-mail and destroy this e-mail. Any 
> unauthorised copying, disclosure or distribution of the material in this 
> e-mail is strictly forbidden. We are not responsible for the integrity of 
> e-mails after they have left our sphere of control.
> 


Re: [Samba] Error 0x000003e6 when trying to connect to a printer from w2k8 (x64)

2010-07-12 Thread Rob Moser
Hi Thorsten,

I can't be sure that it's exactly the same error, but I had a very
similar problem that I solved like this:

In the policy editor, for the group policy that you're using to control
your print servers, explicitly disable the policy:

Computer Configuration:Policies:Administrative Templates:Printers:Always
render print jobs on the server

Windows documentation says this defaults to disabled, but we have found
this to be (at least partially) untrue for W2k8 - if you need it
disabled then disable it explicitly.

Hopefully that works for you...

 - rob.


On 07/12/2010 08:09 AM, Thorsten Leiser wrote:
> Hello,
> 
> I'm trying to connect my W2k8 (x64) Server farm to our newly installed
> printserver based on debian lenny with sernet samba 3.5.4 installed.
> Every time I try to connect to a printer share via point and print, it
> fails with error 0x03e6.
> When I do the same from Windows XP or from our old w2k3 (x64) server
> farm everything works excellently.
> Does anybody know a workaround? I installed nearly 80 printers on the
> samba server and I don't want to do this again.
> 
> Regards
> 
> Thorsten
> 



[Samba] Can't connect with rpcclient

2010-07-07 Thread Rob Moser
Hi All,

I am trying to install Windows drivers on a samba (3.5.4) print server,
following the instructions here:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/classicalprinting.html#inst-rpc

(The instructions for using the simpler Windows Add Printer dialogue do
not work for this driver.  It must be configuring necessary things in
the driver's install script.)  The entire method seems to revolve around
my installing the drivers locally on an appropriate machine and then
getting the information about them off of that machine via rpcclient.
But I can't connect to the Windows XP box with rpcclient; it just
returns the error:

Connecting to host=10.0.2.15
Connecting to 10.0.2.15 at port 445
Connecting to 10.0.2.15 at port 139
Error connecting to 10.0.2.15 (Success)
cli_start_connection: failed to connect to 10.0.2.15<20> (0.0.0.0).
Error NT_STATUS_UNSUCCESSFUL
Cannot connect to server.  Error was NT_STATUS_UNSUCCESSFUL

Even on debug 10 it returns no more information between or after those
lines.  The unix local log.smbd file shows it looking up the user and
returning SIDs for various groups, so I'm assuming that it's found the
user all right.  I can see it doing a SPOOLSS_ENUMPRINTERS and getting
back my printer name, so it looks like it actually _has_ connected to
the server... but then it just returns the message saying that it
hasn't.  Windows, maddeningly, doesn't seem to log a failed connection
with a reason anywhere that I can find.

Can anyone help me discover why I can't use rpcclient to get driver info
out of a Windows XP box?  And/or have any hints for getting drivers
loaded onto the print server?  (Samba Wiki has a page that's even more
out of date than the one I linked above - I'll happily update it if
anyone can help me find what works!)

thanks,

 - rob.


Re: [Samba] Default Hidden Disk Shares

2010-07-02 Thread Rob Townley
Sharing of complete$ drives may no longer be a default in WinVista / 2008.

Some of the other$ shares such as IPC$ and ADMIN$ may be needed to
manage your Linux shares remotely using windows compmgmt.msc and
remote registry.


http://book.opensourceproject.org.cn/sysadmin/samba/sambao3rd/opensource/0596007698/samba3-chp-9-sect-7.html

On 7/2/10, Gaiseric Vandal  wrote:
> I think I missed part of the conversation, but what would be the purpose
> of this feature?  (I am not even sure why Windows does this.)
>
>
>
> On 07/02/2010 02:15 PM, Robert LeBlanc wrote:
>> On Fri, Jul 2, 2010 at 2:05 AM, Atkinson,
>> Robertwrote:
>>
>>
>>> Interesting to see you say it's dangerous. The way the Windows version
>>> works
>>> is that you have to be part of the Administrator group to be able to see
>>> them, which I would have thought secure enough?
>>>
>>>
>> This is not true, the share is advertised to anyone who asks. The Windows
>> client only hides shares that end with a '$'. By default Windows gives
>> access only to administrators (by default), but they are by no means
>> hidden.
>>
>> Robert LeBlanc
>> Life Sciences&  Undergraduate Education Computer Support
>> Brigham Young University
>>
>
>


Re: [Samba] wbinfo recognises my username, smbclient does not

2010-07-01 Thread Rob Moser

Ok, solved my own problem, but I have no idea how, so if anyone has any
insights I'd still love to hear them.

From the behaviour I was seeing (described below) I had decided that
perhaps there was something wrong with the smb.conf file, which I had
mostly copied over from another machine.  So, in desperation, I
commented out every single line in the file, and added back the most
basic configuration options until I could connect to the samba share
with smbclient.  Then, to discover what was causing my problem, I added
back the other commented lines one at a time to see which one broke it.
 Well, in the end I added them all back, and it still works!  So, in
short, the solution to my problem was to comment and then uncomment the
smb.conf file?!?  I just ran testparm again and the output is exactly
the same as the one from yesterday quoted below.  Nothing else on the
machine (should have) changed.

I think my machine is haunted... *sigh*

     - rob.

On 06/30/2010 03:26 PM, Rob Moser wrote:
> Hello folks.
> 
> Brand new 3.5.4 install of samba, on a brand new redhat 5.5 install,
> trying to connect to a windows domain and allow AD users access.  I used
> a series of how-tos to set things up, and modified the smb.conf and
> krb5.conf files from an existing (working, 3.2.8) system.  I apparently
> join the domain ok, and I can authenticate an AD user using wbinfo, but
> when I try to use the same user with smbclient I get a
> NT_STATUS_NO_SUCH_USER response.  I thought perhaps that smbclient was
> somehow not associating the username with the correct domain, but
> explicitly stating the domain didn't help.  Googling about on the
> problem found me (among a lot of dross) someone with similar symptoms
> who claimed to fix his problem by adding "client NTLMv2 auth = Yes" to
> his smb.conf, so I tried that, but got no joy there either.  Much
> diagnostic text follows; apologies for the bulk, but figured it's better
> to put too much in than leave too much out.
> 
> Any suggestions would be most appreciated; thanks.
> 
>  - rob.
> 
> [r...@dev-acadprtsrv3 log]# kinit -V rmoser
> Password for rmo...@students.froot.nau.edu:
> Authenticated to Kerberos v5
> 
> [r...@dev-acadprtsrv3 log]# klist -5
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: rmo...@students.froot.nau.edu
> Valid starting     Expires            Service principal
> 06/30/10 14:19:56  07/01/10 00:20:00  krbtgt/students.froot.nau@students.froot.nau.edu
>         renew until 07/01/10 14:19:56
> 
> [r...@dev-acadprtsrv3 log]# net ads testjoin -U rmoser
> Join is OK
> 
> [r...@dev-acadprtsrv3 log]# wbinfo -t
> checking the trust secret for domain NAU-STUDENTS via RPC calls succeeded
> 
> [r...@dev-acadprtsrv3 log]# wbinfo -a NAU-STUDENTS\\rmoser
> Enter NAU-STUDENTS\rmoser's password:
> plaintext password authentication succeeded
> Enter NAU-STUDENTS\rmoser's password:
> challenge/response password authentication succeeded
> 
> [r...@dev-acadprtsrv3 log]# smbclient -d3 -U NAU-STUDENTS\\rmoser -L
> dev-acadprtsrv3.ucc.nau.edu
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=fe80::9015:73ff:fe64:54cf%eth0
> bcast=fe80:::::%eth0 netmask=:::::
> added interface eth0 ip=134.114.138.189 bcast=134.114.138.255
> netmask=255.255.255.0
> Client started (version 3.5.4).
> Enter NAU-STUDENTS\rmoser's password:
> resolve_lmhosts: Attempting lmhosts lookup for name
> dev-acadprtsrv3.ucc.nau.edu<0x20>
> resolve_wins: Attempting wins lookup for name
> dev-acadprtsrv3.ucc.nau.edu<0x20>
> resolve_wins: using WINS server 134.114.138.35 and tag '*'
> Got a positive name query response from 134.114.138.35 ( 134.114.138.189 )
> Connecting to 134.114.138.189 at port 445
> Doing spnego session setup (blob length=131)
> got OID=1.2.840.113554.1.2.2
> got OID=1.2.840.48018.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=cifs/dev-acadprtsrv3.ucc.nau@students.froot.nau.edu
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> [r...@dev-acadprtsrv3 log]# tail /var/log/samba/log.smbd
> [2010/06/30 14:12:22.530813,  2] auth/auth.c:314(check_ntlm_password)
>   check_ntlm_password:  Authentication for user [rmoser] -> [rmoser]
> FAILED with error NT

[Samba] wbinfo recognises my username, smbclient does not

2010-06-30 Thread Rob Moser
Hello folks.

Brand new 3.5.4 install of samba, on a brand new redhat 5.5 install,
trying to connect to a windows domain and allow AD users access.  I used
a series of how-tos to set things up, and modified the smb.conf and
krb5.conf files from an existing (working, 3.2.8) system.  I apparently
join the domain ok, and I can authenticate an AD user using wbinfo, but
when I try to use the same user with smbclient I get a
NT_STATUS_NO_SUCH_USER response.  I thought perhaps that smbclient was
somehow not associating the username with the correct domain, but
explicitly stating the domain didn't help.  Googling about on the
problem found me (among a lot of dross) someone with similar symptoms
who claimed to fix his problem by adding "client NTLMv2 auth = Yes" to
his smb.conf, so I tried that, but got no joy there either.  Much
diagnostic text follows; apologies for the bulk, but figured it's better
to put too much in than leave too much out.

Any suggestions would be most appreciated; thanks.

 - rob.

[r...@dev-acadprtsrv3 log]# kinit -V rmoser
Password for rmo...@students.froot.nau.edu:
Authenticated to Kerberos v5

[r...@dev-acadprtsrv3 log]# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rmo...@students.froot.nau.edu
Valid starting     Expires            Service principal
06/30/10 14:19:56  07/01/10 00:20:00  krbtgt/students.froot.nau@students.froot.nau.edu
        renew until 07/01/10 14:19:56

[r...@dev-acadprtsrv3 log]# net ads testjoin -U rmoser
Join is OK

[r...@dev-acadprtsrv3 log]# wbinfo -t
checking the trust secret for domain NAU-STUDENTS via RPC calls succeeded

[r...@dev-acadprtsrv3 log]# wbinfo -a NAU-STUDENTS\\rmoser
Enter NAU-STUDENTS\rmoser's password:
plaintext password authentication succeeded
Enter NAU-STUDENTS\rmoser's password:
challenge/response password authentication succeeded

[r...@dev-acadprtsrv3 log]# smbclient -d3 -U NAU-STUDENTS\\rmoser -L
dev-acadprtsrv3.ucc.nau.edu
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=fe80::9015:73ff:fe64:54cf%eth0
bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=134.114.138.189 bcast=134.114.138.255
netmask=255.255.255.0
Client started (version 3.5.4).
Enter NAU-STUDENTS\rmoser's password:
resolve_lmhosts: Attempting lmhosts lookup for name
dev-acadprtsrv3.ucc.nau.edu<0x20>
resolve_wins: Attempting wins lookup for name
dev-acadprtsrv3.ucc.nau.edu<0x20>
resolve_wins: using WINS server 134.114.138.35 and tag '*'
Got a positive name query response from 134.114.138.35 ( 134.114.138.189 )
Connecting to 134.114.138.189 at port 445
Doing spnego session setup (blob length=131)
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.48018.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=cifs/dev-acadprtsrv3.ucc.nau@students.froot.nau.edu
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

[r...@dev-acadprtsrv3 log]# tail /var/log/samba/log.smbd
[2010/06/30 14:12:22.530813,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [rmoser] -> [rmoser]
FAILED with error NT_STATUS_NO_SUCH_USER
[2010/06/30 14:22:52.071828,  0] lib/util_sock.c:1505(matchname)
  matchname: host name/address mismatch: :::134.114.138.189 !=
dev-acadprtsrv3.ucc.nau.edu
[2010/06/30 14:22:52.072189,  0] lib/util_sock.c:1626(get_peer_name)
  Matchname failed on dev-acadprtsrv3.ucc.nau.edu :::134.114.138.189
[2010/06/30 14:22:52.072281,  2] lib/access.c:406(check_access)
  Allowed connection from UNKNOWN (:::134.114.138.189)
[2010/06/30 14:22:52.113502,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [rmoser] -> [rmoser]
FAILED with error NT_STATUS_NO_SUCH_USER

[r...@dev-acadprtsrv3 log]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Processing section "[tmp]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = NAU-STUDENTS
realm = STUDENTS.FROOT.NAU.EDU
netbios aliases = dev-acadprtsrv3.ucc.nau.edu
server string = Samba Server
security = ADS
client NTLMv2 auth = Yes
log level = 2
max log size = 50
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
SO_RCVBUF=8192 SO_KEEPALIVE
printcap name = cups
wins

Re: [Samba] Winbind problem: can't convert sids and gids

2010-06-23 Thread Rob Moser
I've had the problem with various versions of 3.3.x - most recently
3.3.8 and 3.3.12.  I have an older machine running 3.2.8 which works
fine using essentially an identical smb.conf file.

My smb.conf file also has the idmap entries for each trusted domain,
with non-overlapping id ranges.  I did see the manual mapping option in
wbinfo, but we have a fairly dynamic user base, so manual configuration
didn't seem viable.

Thanks for your help though!  Hopefully someone can tell us both how to
get the automatic mapping working...

 - rob.

On 06/23/2010 12:04 PM, Gaiseric Vandal wrote:
> Which samba version?
> 
> I had Samba 3.0.x on Solaris 10, and winbind able to allocate uids and 
> gids to users and groups from trusted domain (at least to Windows 2003 
> domains in mixed mode.)  When I switched to a Samba 3.4.x PDC the 
> allocation of new uids and gids broke.  I suspect there is some 
> configuration change in smb.conf I needed to make that was not obvious 
> (to me) in the documentation.
> 
> I have an ldap backend-  but temporarily changing to a TDB backend 
> didn't help.
> 
> I worked around this by manually allocating uids and gids.  With ldap 
> you can do this with an ldap editor.  But you can also use the wbinfo 
> command to manually create uid-to-sid or gid-to-sid mappings with ldap 
> or tdb backend.
> 
> It isn't really a long term solution but fortunately account 
> additions/deletions are minimal where I work.
> 
> I did have idmap entries in smb.conf  for each domain I wanted to trust, 
> in addition to the entries you listed.
> 
> On 06/23/2010 02:24 PM, Rob Moser wrote:
> 
> 
>> I have a problem where I can't browse to a samba share from Windows
>> (Server 2008); instead I get the error:
>>
>> The group name could not be found
>>
>> The winbind log contains the message:
>>
>> could not convert gid 507 to sid
>>
>> Suspecting a permissions problem, I went and looked at the files and the
>> group ownership has been set to BUILTIN\guests, which is not what I
>> want.  So I try to chgrp them to the domain group:
>>
>> chgrp -R 'dss users' /file
>> chgrp: invalid group `dss users'
>>
>> But I know that that is the domain group that I want:
>>
>> wbinfo -g | grep dss
>> dss users
>>
>> wbinfo -n 'dss users'
>> S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)
>>
>> But winbind apparently cannot resolve it to a gid:
>>
>> wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
>> Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
>> to gid
>>
>> My nsswitch.conf file does list winbind for users and groups.  My
>> smb.conf file contains (in part, obviously):
>>
>>  idmap alloc backend = tdb
>>  idmap alloc config:range = 1 - 400
>>  idmap uid = 1 - 400
>>  idmap gid = 1 - 400
>>
>>  winbind enum users = no
>>  winbind enum groups = no
>>  winbind nested groups = yes
>>  winbind use default domain = yes
>>
>> So it is using a default domain (the correct one; I checked) and I'm not
>> just running out of gids.  My various /var/log/samba/log.* files contain
>> almost exactly nothing from the time of the transaction.
>>
>> Any help appreciated,
>>
>>   - rob.
>>
>>
> 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Winbind problem: can't convert sids and gids

2010-06-23 Thread Rob Moser
I have a problem where I can't browse to a samba share from Windows
(Server 2008); instead I get the error:

The group name could not be found

The winbind log contains the message:

could not convert gid 507 to sid

Suspecting a permissions problem, I went and looked at the files and the
group ownership has been set to BUILTIN\guests, which is not what I
want.  So I try to chgrp them to the domain group:

chgrp -R 'dss users' /file
chgrp: invalid group `dss users'

But I know that that is the domain group that I want:

wbinfo -g | grep dss
dss users

wbinfo -n 'dss users'
S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)

But winbind apparently cannot resolve it to a gid:

wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
to gid

My nsswitch.conf file does list winbind for users and groups.  My
smb.conf file contains (in part, obviously):

idmap alloc backend = tdb
idmap alloc config:range = 1 - 400
idmap uid = 1 - 400
idmap gid = 1 - 400

winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind use default domain = yes

So it is using a default domain (the correct one; I checked) and I'm not
just running out of gids.  My various /var/log/samba/log.* files contain
almost exactly nothing from the time of the transaction.

Any help appreciated,

 - rob.



Re: [Samba] samba printing from 64-bit windows server 2008

2010-06-14 Thread Rob Moser
Problem solved - or at least, workaround found - so I'm posting it to
the list for the benefit of future archive-divers.  Bug report at:
https://bugzilla.samba.org/show_bug.cgi?id=7506

Basically, the problem is with changes Microsoft made between 2003 and
2008 for Terminal Server - a machine which does not have the Terminal
Server role will not have this problem.  A Server 2008 Terminal Server
host attempting to add a samba-maintained printer (with samba 3.5.3 or
below, at least) will fail to connect to the printer and return the
error code 0x06d1.  Workaround is as follows:

1) On the Windows Server 2008 TS host, bring up the Server Manager.
2) Under Features, install Group Policy Management if it isn't installed
already.
3) Under Group Policy Management, drill down until you find the policy
which is applying to your machine.
4) Right click the Group Policy Object and select "edit".
5) In the resulting editor window, drill down to Computer
Configuration:Policies:Administrative Templates:Printers
6) Find the setting "Always render print jobs on the server" and disable it.
7) reboot the machine.

Yes, I know; Microsoft's documentation says that leaving this policy not
configured is the same as disabling it.  They lie.

 - rob.

On 06/08/2010 11:43 AM, Rob Moser wrote:
> Some additional information on this problem:
> 
> I set up wireshark to do a packet trace of the connection attempt.  I'm
> not familiar enough with what the traffic should look like to know what's
> unusual, but the one thing that jumped out at me towards the end of the
> conversation was a SPOOLSS OpenPrinterEx request on the network printer,
> followed by a response with the return code of 5 - Access denied.
> "Aha!" I say to myself, must be a permissions problem... but a packet
> trace of the successful connection from the XP box shows several similar
> Access denied messages.  Maybe it's irrelevant, but it seemed worth
> mentioning.
> 
> I also upped the debug level on smbd and captured a more detailed log.
> The "Printer handle not found" message is still the most
> relevant-looking thing there; the details around it look like:
> 
> [2010/06/08 11:35:36,  3] smbd/ipc.c:handle_trans(442)
>   trans <\PIPE\> data=44 params=0 setup=2
> [2010/06/08 11:35:36,  3] smbd/ipc.c:named_pipe(393)
>   named pipe command on <> name
> [2010/06/08 11:35:36,  4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1231)
>   search for pipe pnum=71df
> [2010/06/08 11:35:36,  3] smbd/ipc.c:api_fd_reply(351)
>   Got API command 0x26 on pipe "spoolss" (pnum 71df)
> [2010/06/08 11:35:36,  3] rpc_server/srv_pipe_hnd.c:free_pipe_context(500)
>   free_pipe_context: destroying talloc pool of size 0
> [2010/06/08 11:35:36,  4] rpc_server/srv_pipe.c:api_rpcTNP(2352)
>   api_rpcTNP: spoolss op 0x1d - api_rpcTNP: rpc command:
> SPOOLSS_CLOSEPRINTER
> [2010/06/08 11:35:36,  4]
> rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(179)
>   Policy not found: [000] 00 00 00 00 18 00 00 00  00 00 00 00 0E 4C 78
> 8D   .Lx.
>   [010] 28 24 00 00   ($..
> [2010/06/08 11:35:36,  2]
> rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(273)
>   find_printer_index_by_hnd: Printer handle not found: Policy not found:
> [000] 00 00 00 00 18 00 00 00  00 00 00 00 0E 4C 78 8D   \
> .Lx.
>   [010] 28 24 00 00   ($..
> [2010/06/08 11:35:36,  2]
> rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(273)
>   find_printer_index_by_hnd: Printer handle not found:
> close_printer_handle: Invalid handle (OURS:9256:9256)
> [2010/06/08 11:35:36,  4] rpc_server/srv_pipe.c:api_rpcTNP(2387)
>   api_rpcTNP: bad handle fault return.
> 
> (I don't want to post a full log or the full packet trace - way too much
> for a mailing list.  If no one recognises the problem from this much
> then I'll attach full data to a bug report.)
> 
> Thanks for any suggestions,
> 
>  - rob.
> 
> On 06/07/2010 03:51 PM, Rob Moser wrote:
>> I have a redhat EL5 samba server hosting a collection of printers and
>> joined to a domain.  I can connect to this server and print happily from
>> a 32-bit XP box on the domain, but a 64-bit windows server 2008 box
>> cannot connect, and returns the error 0x06d1.
>>
>> I get the same results with samba 3.0.33 (came with redhat), 3.5.3 (the
>> latest from sernet), and 3.3.12 (this message from the samba-technical
>> archives -
>> http://lists.samba.org/archive/samba-technical/2010-February/069145.html
>> - mentions that at least as of February there were issues with 3.4.x+
>> and 64-bit OS'.)
>>
>> /var/log/samba/log.smb from the time around the fa

Re: [Samba] samba printing from 64-bit windows server 2008

2010-06-08 Thread Rob Moser
Some additional information on this problem:

I set up wireshark to do a packet trace of the connection attempt.  I'm
not familiar enough with what the traffic should look like to know what's
unusual, but the one thing that jumped out at me towards the end of the
conversation was a SPOOLSS OpenPrinterEx request on the network printer,
followed by a response with the return code of 5 - Access denied.
"Aha!" I say to myself, must be a permissions problem... but a packet
trace of the successful connection from the XP box shows several similar
Access denied messages.  Maybe it's irrelevant, but it seemed worth
mentioning.

I also upped the debug level on smbd and captured a more detailed log.
The "Printer handle not found" message is still the most
relevant-looking thing there; the details around it look like:

[2010/06/08 11:35:36,  3] smbd/ipc.c:handle_trans(442)
  trans <\PIPE\> data=44 params=0 setup=2
[2010/06/08 11:35:36,  3] smbd/ipc.c:named_pipe(393)
  named pipe command on <> name
[2010/06/08 11:35:36,  4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1231)
  search for pipe pnum=71df
[2010/06/08 11:35:36,  3] smbd/ipc.c:api_fd_reply(351)
  Got API command 0x26 on pipe "spoolss" (pnum 71df)
[2010/06/08 11:35:36,  3] rpc_server/srv_pipe_hnd.c:free_pipe_context(500)
  free_pipe_context: destroying talloc pool of size 0
[2010/06/08 11:35:36,  4] rpc_server/srv_pipe.c:api_rpcTNP(2352)
  api_rpcTNP: spoolss op 0x1d - api_rpcTNP: rpc command:
SPOOLSS_CLOSEPRINTER
[2010/06/08 11:35:36,  4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(179)
  Policy not found: [000] 00 00 00 00 18 00 00 00  00 00 00 00 0E 4C 78
8D   .Lx.
  [010] 28 24 00 00   ($..
[2010/06/08 11:35:36,  2]
rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(273)
  find_printer_index_by_hnd: Printer handle not found: Policy not found:
[000] 00 00 00 00 18 00 00 00  00 00 00 00 0E 4C 78 8D   \
.Lx.
  [010] 28 24 00 00   ($..
[2010/06/08 11:35:36,  2]
rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(273)
  find_printer_index_by_hnd: Printer handle not found:
close_printer_handle: Invalid handle (OURS:9256:9256)
[2010/06/08 11:35:36,  4] rpc_server/srv_pipe.c:api_rpcTNP(2387)
  api_rpcTNP: bad handle fault return.

(I don't want to post a full log or the full packet trace - way too much
for a mailing list.  If no one recognises the problem from this much
then I'll attach full data to a bug report.)

Thanks for any suggestions,

 - rob.

On 06/07/2010 03:51 PM, Rob Moser wrote:
> I have a redhat EL5 samba server hosting a collection of printers and
> joined to a domain.  I can connect to this server and print happily from
> a 32-bit XP box on the domain, but a 64-bit windows server 2008 box
> cannot connect, and returns the error 0x06d1.
> 
> I get the same results with samba 3.0.33 (came with redhat), 3.5.3 (the
> latest from sernet), and 3.3.12 (this message from the samba-technical
> archives -
> http://lists.samba.org/archive/samba-technical/2010-February/069145.html
> - mentions that at least as of February there were issues with 3.4.x+
> and 64-bit OS'.)
> 
> /var/log/samba/log.smb from the time around the failed connection contains:
> 
> [2010/06/07 14:45:24,  2] lib/access.c:check_access(406)
>   Allowed connection from :::134.114.138.126 (:::134.114.138.126)
> [Repeated many times]
> [2010/06/07 14:45:24,  2]
> rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(273)
>   find_printer_index_by_hnd: Printer handle not found:
> find_printer_index_by_hnd: Printer handle not found:
> close_printer_handle: Invalid handle (OURS:29459:29459)
> 
> From the 2008 machine, I can browse the samba server in wexplorer and
> see the printers, but trying to set up a networked printer generates the
> error above.
> 
> Any suggestions?  Thanks,
> 
>  - rob.
> 
> # testparm
> Load smb config files from /etc/samba/smb.conf
> Unknown parameter encountered: "idmap domains"
> Ignoring unknown parameter "idmap domains"
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[drivers$]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
> 
> [global]
> workgroup = NAU-STUDENTS
> realm = STUDENTS.FROOT.NAU.EDU
> netbios aliases = dev-acadprtsrv2.ucc.nau.edu
> server string = Samba Server
> security = ADS
> log level = 2
> max log size = 50
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
> SO_RCVBUF=8192 SO_KEEPALIVE
> printcap name = cups
> wins server = 134.114.138.35
>   

[Samba] samba printing from 64-bit windows server 2008

2010-06-07 Thread Rob Moser
I have a redhat EL5 samba server hosting a collection of printers and
joined to a domain.  I can connect to this server and print happily from
a 32-bit XP box on the domain, but a 64-bit windows server 2008 box
cannot connect, and returns the error 0x06d1.

I get the same results with samba 3.0.33 (came with redhat), 3.5.3 (the
latest from sernet), and 3.3.12 (this message from the samba-technical
archives -
http://lists.samba.org/archive/samba-technical/2010-February/069145.html
- mentions that at least as of February there were issues with 3.4.x+
and 64-bit OS'.)

/var/log/samba/log.smb from the time around the failed connection contains:

[2010/06/07 14:45:24,  2] lib/access.c:check_access(406)
  Allowed connection from :::134.114.138.126 (:::134.114.138.126)
[Repeated many times]
[2010/06/07 14:45:24,  2]
rpc_server/srv_spoolss_nt.c:find_printer_index_by_hnd(273)
  find_printer_index_by_hnd: Printer handle not found:
find_printer_index_by_hnd: Printer handle not found:
close_printer_handle: Invalid handle (OURS:29459:29459)

From the 2008 machine, I can browse the samba server in wexplorer and
see the printers, but trying to set up a networked printer generates the
error above.

Any suggestions?  Thanks,

     - rob.

# testparm
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "idmap domains"
Ignoring unknown parameter "idmap domains"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[drivers$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = NAU-STUDENTS
realm = STUDENTS.FROOT.NAU.EDU
netbios aliases = dev-acadprtsrv2.ucc.nau.edu
server string = Samba Server
security = ADS
log level = 2
max log size = 50
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
SO_RCVBUF=8192 SO_KEEPALIVE
printcap name = cups
wins server = 134.114.138.35
idmap alloc backend = tdb
idmap uid = 1 - 400
idmap gid = 1 - 400
winbind use default domain = Yes
idmap alloc config:range = 1 - 400
idmap config FROOT:range = 301 - 400
idmap config FROOT:backend = tdb
idmap config FROOT:default = no
idmap config NAU:range = 201 - 300
idmap config NAU:backend = tdb
idmap config NAU:default = no
idmap config NAU-STUDENTS:range = 1 - 200
idmap config NAU-STUDENTS:backend = tdb
idmap config NAU-STUDENTS:default = yes
hosts allow = 127., 134.114., 10.5.

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
default devmode = No
browseable = No

[print$]
path = /var/lib/samba/drivers
write list = "@NAU-STUDENTS\Domain Admins", "@domain admins"
force user = root
force group = "domain admins"
force create mode = 0664
force directory mode = 0774
browseable = No

[drivers$]
path = /usr/local/printbilling/drivers/
write list = "@NAU-STUDENTS\Domain Admins", "@domain admins"
force user = root
force group = "domain admins"
force create mode = 0664
force directory mode = 0774
browseable = No
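A checker for the winbind idmap ranges, serving both the "can't convert sids and gids" thread above and the per-domain idmap config in this testparm dump. This is an added example, not Samba's own code: it parses the idmap lines of an smb.conf or testparm dump (SAMPLE_CONF is an abridged copy of the lines posted above, BAD_CONF a constructed variant), reports domain ranges that overlap or fall outside "idmap uid"/"idmap gid", and tells which configured range, if any, holds a given id.

```python
"""Sanity-check winbind idmap ranges from smb.conf / testparm output.

Added example, not code from the list thread or from Samba. SAMPLE_CONF is an
abridged copy of the idmap lines posted above; BAD_CONF is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

_IDMAP_RE = re.compile(r"^\s*idmap\s+(.+?)\s*=\s*(.+?)\s*$")
_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

SAMPLE_CONF = """\
idmap alloc backend = tdb
idmap uid = 1 - 400
idmap gid = 1 - 400
idmap alloc config:range = 1 - 400
idmap config FROOT:range = 301 - 400
idmap config FROOT:backend = tdb
idmap config FROOT:default = no
idmap config NAU:range = 201 - 300
idmap config NAU-STUDENTS:range = 1 - 200
idmap config NAU-STUDENTS:default = yes
"""

# Constructed: NAU's range both overlaps FROOT and runs past "idmap uid/gid".
BAD_CONF = """\
idmap uid = 1 - 400
idmap gid = 1 - 400
idmap alloc config:range = 1 - 400
idmap config FROOT:range = 301 - 400
idmap config NAU:range = 350 - 450
"""


@dataclass
class IdmapConfig:
    uid: Optional[Range] = None
    gid: Optional[Range] = None
    alloc: Optional[Range] = None
    domains: Dict[str, Range] = field(default_factory=dict)


def parse_idmap(conf: str) -> IdmapConfig:
    """Collect every idmap range; backend/default keys and other parameters are skipped."""
    cfg = IdmapConfig()
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        r = _RANGE_RE.match(value)
        if not r:
            continue  # "backend = tdb", "default = yes", ... carry no range
        rng = (int(r.group(1)), int(r.group(2)))
        if key == "uid":
            cfg.uid = rng
        elif key == "gid":
            cfg.gid = rng
        elif key == "alloc config:range":
            cfg.alloc = rng
        elif key.startswith("config ") and key.endswith(":range"):
            cfg.domains[key[len("config "):-len(":range")]] = rng
    return cfg


def _overlap(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def _inside(inner: Range, outer: Optional[Range]) -> bool:
    return outer is None or (outer[0] <= inner[0] and inner[1] <= outer[1])


def check_idmap(cfg: IdmapConfig) -> List[str]:
    """Findings about the ranges; an empty list means they are consistent."""
    findings: List[str] = []
    named = dict(cfg.domains)
    if cfg.alloc is not None:
        named["alloc"] = cfg.alloc
    for name, rng in named.items():
        for label, limit in (("uid", cfg.uid), ("gid", cfg.gid)):
            if not _inside(rng, limit):
                findings.append("%s: range %s not inside idmap %s %s" % (name, rng, label, limit))
    names = sorted(cfg.domains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if _overlap(cfg.domains[a], cfg.domains[b]):
                findings.append("%s and %s: overlapping ranges" % (a, b))
    return findings


def range_for_id(cfg: IdmapConfig, xid: int) -> Optional[str]:
    """Domain whose range holds xid, 'alloc' if only the allocation range does, else None."""
    for name, rng in cfg.domains.items():
        if rng[0] <= xid <= rng[1]:
            return name
    if cfg.alloc is not None and cfg.alloc[0] <= xid <= cfg.alloc[1]:
        return "alloc"
    return None
```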


Re: [Samba] Problems with SID

2010-06-04 Thread Rob Townley
On Fri, Jun 4, 2010 at 10:10 AM, Gerard Hooton  wrote:
> Can anyone help me with this, I am badly stuck on this?
>
> //Ger
>
>
> --
> Gerard Hooton.
> Department of Microelectronic Engineering U.C.C.
> Butler Building,
> Enterprise Centre,
> North Mall.
> Cork.
>
> Tel: +353 21 4904576
> Fax: +353 21 4904573
> http://www.ue.ucc.ie/
>
>
> -Original Message-
> From: Gerard Hooton 
> Reply-to: g.hoo...@ucc.ie
> To: samba@lists.samba.org
> Subject: Problems with SID
> Date: Fri, 04 Jun 2010 12:35:49 +0100
> Mailer: Evolution 2.28.3
>
> Hello All,
>
> Problem
> ==
> /var/log/samba/log.smbd has the following
>
> smbd version 3.2.5 started.
>  Copyright Andrew Tridgell and the Samba Team 1992-2008
> [2010/06/04 12:22:41,  1]
> passdb/pdb_interface.c:pdb_default_uid_to_rid(1228)
>  Could not peek rid out of sid
> S-1-5-21-1025115222-3498510805-2498371278-1000


From what I understand, the rid in this case is 1000 (Administrator
level account).   Domain Controllers should have the same SID as your
SCOIL sid, but this is clearly different.  So maybe the mapping from
userids in winbind is messed up?


>
> More info:
> ===
> net getlocalsid yields :-
> SID for domain SCOIL is: S-1-5-21-399018149-2014173726-3152914669
>
> In the LDAP DB I have :-
> sambaDomainName=BBNS,ou=domains,dc=bbns,dc=ie
>        sambaSID=S-1-5-21-399018149-2014173726-3152914669
>
> I am using Debian 5
>
> Any help to debug this is welcome
>
> //Ger
>
>

You should read the thread in the last couple of weeks on messed up
uid/gid/rid mappings in this thread from May 21:
[Samba] Moving to another idmap backend
http://lists-archives.org/samba/53183-moving-to-another-idmap-backend.html


Does the client happen to be Win7?   Mark Russinovich of SysInternals,
now Microsoft, does not see the need for SIDs and was pushing for them
to be removed, but I doubt that has happened yet.


http://msdn.microsoft.com/en-us/library/aa379649%28VS.85%29.aspx
SECURITY_NT_NON_UNIQUE   S-1-5-21   SIDs are not unique.

Mark Russinovich on sids
http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx
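A small parser for the SIDs quoted in this thread, to see which domain an account SID belongs to and what its RID is (the "peek rid out of sid" step in the log). This is an added example, not code from the thread or from Samba; the function names are my own, and the well-known RID table comes from the Windows SID layout.

```python
"""Parse Windows security identifiers (SIDs) and tell local-domain from
foreign-domain accounts.

Added example, not code from the list thread. The SID strings in the
__main__ block are the ones quoted in the thread; the helper names are mine.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known domain-relative RIDs (from the Windows SID specification).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

_SID_RE = re.compile(r"S-(\d+)-(\d+)((?:-\d+)+)")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.sub_authorities))

    @property
    def rid(self) -> int:
        """The last sub-authority: the relative id Samba wants to 'peek out'."""
        return self.sub_authorities[-1]

    def is_nt_domain(self) -> bool:
        """True for a domain SID of the form S-1-5-21-a-b-c (SECURITY_NT_NON_UNIQUE)."""
        return (self.authority == 5 and len(self.sub_authorities) == 4
                and self.sub_authorities[0] == 21)

    def domain(self) -> Optional["Sid"]:
        """Domain part of a domain-relative SID S-1-5-21-a-b-c-rid, else None."""
        if (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21):
            return Sid(self.revision, self.authority, self.sub_authorities[:4])
        return None


def parse_sid(text: str) -> Sid:
    """Parse 'S-1-5-21-...' strictly; raises ValueError on anything else."""
    m = _SID_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("not a SID: %r" % text)
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def find_sids(log_line: str) -> List[Sid]:
    """All SIDs mentioned in a line of log.smbd / log.winbindd."""
    return [parse_sid(m.group(0)) for m in _SID_RE.finditer(log_line)]


def classify(sid: Sid, local_domain: Sid) -> str:
    """Where an account SID comes from, relative to our own domain SID."""
    dom = sid.domain()
    if dom is None:
        return "not-domain-account"  # e.g. BUILTIN\Administrators S-1-5-32-544
    if dom == local_domain:
        return "local-domain"
    return "foreign-domain"


def describe(sid: Sid, local_domain: Sid) -> str:
    """One-line summary combining origin and any well-known RID name."""
    where = classify(sid, local_domain)
    name = WELL_KNOWN_RIDS.get(sid.rid, "rid %d" % sid.rid)
    return "%s: %s (%s)" % (sid, where, name)


if __name__ == "__main__":
    local = parse_sid("S-1-5-21-399018149-2014173726-3152914669")  # net getlocalsid
    line = "Could not peek rid out of sid S-1-5-21-1025115222-3498510805-2498371278-1000"
    for s in find_sids(line):
        print(describe(s, local))
```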


[Samba] smbd panic - tdb_reopen: file dev/inode has changed!

2010-05-11 Thread Rob Moser
Hi folks,

# uname -srvo
Linux 2.6.18-194.el5xen #1 SMP Tue Mar 16 22:01:26 EDT 2010 GNU/Linux

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

# smbd --version
Version 3.3.8-0.51.el5

I'm trying to run a backup samba server using some custom in-house
scripts which I inherited and am stuck with.  Essentially the primary
server periodically rsyncs a bunch of files over to the backup,
including a collection of the tdb files.  When I try to connect to the
backup server, I get the following smbd panics in the logs:

-
[2010/05/11 14:34:32,  0] lib/util_tdb.c:tdb_log(682)
  tdb(/var/lib/samba/ntforms.tdb): tdb_reopen: file dev/inode has changed!
[2010/05/11 14:34:32,  0] lib/util.c:reinit_after_fork(1054)
  tdb_reopen_all failed.
[2010/05/11 14:34:32,  0] printing/print_cups.c:cups_pcap_load_async(432)
  cups_pcap_load_async: reinit_after_fork() failed
[2010/05/11 14:34:32,  0] lib/util.c:smb_panic(1673)
  PANIC (pid 28994): cups_pcap_load_async: reinit_after_fork() failed
[2010/05/11 14:34:32,  0] lib/util_tdb.c:tdb_log(682)
  tdb(/var/lib/samba/ntforms.tdb): tdb_reopen: file dev/inode has changed!
[2010/05/11 14:34:32,  0] lib/util.c:reinit_after_fork(1054)
  tdb_reopen_all failed.
[2010/05/11 14:34:32,  0] smbd/server.c:open_sockets_smbd(774)
  reinit_after_fork() failed
[2010/05/11 14:34:32,  0] lib/util.c:smb_panic(1673)
  PANIC (pid 28995): reinit_after_fork() failed
[2010/05/11 14:34:32,  0] lib/util.c:log_stack_trace(1777)
  BACKTRACE: 9 stack frames:
   #0 smbd(log_stack_trace+0x1c) [0x2b49e45a126c]
   #1 smbd(smb_panic+0x2b) [0x2b49e45a134b]
   #2 smbd(cups_cache_reload+0x1b1) [0x2b49e4571d11]
   #3 smbd(pcap_cache_reload+0xb8) [0x2b49e456e6f8]
[2010/05/11 14:34:32,  0] lib/util.c:log_stack_trace(1777)
  BACKTRACE: 5 stack frames:
   #4 smbd(reload_printers+0x25) [0x2b49e47ab3c5]
   #0 smbd(log_stack_trace+0x1c) [0x2b49e45a126c]
   #5 smbd(check_reload+0xe8) [0x2b49e43e7378]
   #1 smbd(smb_panic+0x2b) [0x2b49e45a134b]
   #6 smbd(main+0x1422) [0x2b49e47acee2]
   #2 smbd(main+0x19bf) [0x2b49e47ad47f]
   #7 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2b49e7c3e994]
   #3 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2b49e7c3e994]
   #8 smbd [0x2b49e43717c9]
   #4 smbd [0x2b49e43717c9]
[2010/05/11 14:34:32,  0] lib/fault.c:dump_core(231)
[2010/05/11 14:34:32,  0] lib/fault.c:dump_core(231)
  dumping core in /var/log/samba/cores/smbd
  dumping core in /var/log/samba/cores/smbd
[2010/05/11 14:34:32,  2] printing/print_cups.c:cups_async_callback(544)
  cups_async_callback: failed to read a new printer list
[2010/05/11 14:34:33,  0] lib/util_tdb.c:tdb_log(682)
  tdb(/var/lib/samba/ntforms.tdb): tdb_reopen: file dev/inode has changed!
[2010/05/11 14:34:33,  0] lib/util.c:reinit_after_fork(1054)
  tdb_reopen_all failed.
[2010/05/11 14:34:33,  0] smbd/server.c:open_sockets_smbd(774)
  reinit_after_fork() failed
[2010/05/11 14:34:33,  0] lib/util.c:smb_panic(1673)
  PANIC (pid 28996): reinit_after_fork() failed
[2010/05/11 14:34:33,  0] lib/util.c:log_stack_trace(1777)
  BACKTRACE: 5 stack frames:
   #0 smbd(log_stack_trace+0x1c) [0x2b49e45a126c]
   #1 smbd(smb_panic+0x2b) [0x2b49e45a134b]
   #2 smbd(main+0x19bf) [0x2b49e47ad47f]
   #3 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2b49e7c3e994]
   #4 smbd [0x2b49e43717c9]
[2010/05/11 14:34:33,  0] lib/fault.c:dump_core(231)
  dumping core in /var/log/samba/cores/smbd
-

Uhm... no kidding the inode has changed?  It's on a different machine!
From scrounging around the web, this looks remarkably similar to bug 5976
(https://bugzilla.samba.org/show_bug.cgi?id=5976), but a fix for that
supposedly went into 3.3.0.  And a reference to a different patch for it
going into 3.3.0 in the list archives for this list
(http://www.mail-archive.com/samba@lists.samba.org/msg98122.html).  I
installed from a non-source package, so I can't check to see if either
patch is there or not.  Still, rather than re-open a two-year-old bug on
the presumption that I am the only person that it's broken for since, I
thought I should check and see if anyone had any insight into it
first... any thoughts?  Is it just broken of these scripts to be trying
to move tdb files across machines in the first place?  If I wipe them
clean and just copy the configuration files, will I keep all of my
configuration?

Thanks for any advice,

 - rob.


Re: [Samba] smbclient -k works; mount -t cifs does not

2010-05-04 Thread Rob Townley
On Tue, May 4, 2010 at 1:01 PM, Jeff Layton  wrote:
> On Mon, 03 May 2010 23:25:13 -0400
> Mike Leone  wrote:
>
>> I am confused (nothing new there ...). I have 2 Ubuntu 9.10 Samba
>> servers. I am trying to mount a share from the other (i.e., "workhorse"
>> is trying to mount a share on "dual-booter"). If I specify a smbmount
>> command with a -k option, I can mount the share:
>>
>> tur...@workhorse:~$ klist
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: tur...@dacrib.local
>>
>> Valid starting     Expires            Service principal
>> 05/03/10 18:55:31  05/04/10 04:55:31  krbtgt/dacrib.lo...@dacrib.local
>>       renew until 05/09/10 22:56:03
>> 05/03/10 23:07:07  05/04/10 04:55:31
>> cifs/dual-booter.dacrib.lo...@dacrib.local
>>       renew until 05/09/10 22:56:03
>>
>>
>> tur...@workhorse:~$ smbclient //dual-booter/TestShare /mnt -k
>> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>> smb: \> ls
>>   .                              D        0  Sat May  1 19:27:48 2010
>>   ..                             D        0  Mon May  3 19:58:00 2010
>>   TestFile                                0  Sat May  1 19:27:48 2010
>>
>>               37555 blocks of size 524288. 22379 blocks available
>>
>> However, I can't seem to mount it using mount -t cifs:
>>
>> $ sudo mount -t cifs //dual-booter/TestShare /mnt -o username=DACRIB+turgon
>> [sudo] password for turgon:
>> Password:
>> mount error(13): Permission denied
>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>
>> What I'd like to do is to set this in /etc/fstab. But there seems to be
>> no way to use Kerberos to authenticate the mounting, and it's only
>> Kerberos (and smbmount) that seems to work. And using the "-o sec=krb5"
>> options on mount doesn't seem to work, either.
>>
>> $ sudo mount -t cifs //dual-booter/TestShare /mnt -o sec=krb5
>> mount error(2): No such file or directory
>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>
>
> Try using the FQDN of the server in the UNC. For instance:
>
>   //dual-booter.dacrib.local/TestShare
>
>> Anyone? I really don't want to have to make a script that uses smbmount
>> -k, running on login, rather than in /etc/fstab.
>>
>> Thanks
>
>
> --
> Jeff Layton 

First, I use Fedora / Centos.

mount.cifs is actually a different mailing list - linux-cifs-client
http://lists.samba.org/pipermail/linux-cifs-client

mount.cifs has had changes when it comes to setuid security issues.
You may have to do something special.

The files under /proc/fs/cifs/ are your best bet for debugging
mount.cifs. Verbosity can be turned up and extensions turned on.

I feel the pain.  There are at least 3 seemingly totally different
ways to mount a remote samba filesystem and I always have a hard time
remembering where to look for troubleshooting info.  Would have
thought a single open source core would have arrived but now it seems
more splintered than ever.

  1.) mount.cifs  -  intertwined with linux kernel -
linux-cifs-cli...@lists.samba.org
  2.) smbclient  - separated from kernel - samba@lists.samba.org
  3.) fuse-smb
  4.) gvfs-smb / gigolo / gvfs-fuse  - gtk.org
  5.) kde analogues to gvfs


Re: [Samba] Encryption

2010-04-17 Thread Rob Townley
On Sat, Apr 17, 2010 at 6:24 AM, Andrew Malton
 wrote:
> I want to (continue to) use Samba code to obtain data needed by my Linux
> client.  This is currently done by calls into Samba's libraries.
>  Unfortunately the resulting rpc traffic is unencrypted.  I think this has
> to do with the configuration of encryption mechanisms on both sides, but
> perhaps (since when talking to older Windows systems, e.g. Windows 2000)
> encryption (with NTLM SSP I suppose) is used.
>
> Does Samba always use encryption  when it can?  or are there mechanisms that
> Windows can now insist on that Samba cannot use?
>
> If the latter, is improved support for protocol encryption a future plan for
> Samba development?
>
> Thanks for any help (in the form of pointers to documentation if there are
> things I've missed).

Are you talking about calling mount -t cifs //samba/share /mnt/win ?
Are you talking about kerberos user login?

Linux kerberos can talk any of the encryption protocols, including
aes256.  Fact is, WinXP cannot do AES for this, but it can talk the
less secure RC4.

At a win2000 domain level, you can talk RC4 or DES which was broken in
1998 by the EFF.  A win2000 domain will offer DES as a kerberos option
but will tell winclients via Group Policy Objects to never use DES.

http://blogs.msdn.com/alextch/archive/tags/AD+Interop/default.aspx

Watch this video.
http://blogs.msdn.com/alextch/archive/2006/07/18/MITtoADRC4.aspx
Samba


Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

2010-02-23 Thread Rob Townley
On Sat, Feb 13, 2010 at 8:57 PM, Jeremy Allison  wrote:
> On Sat, Feb 13, 2010 at 01:35:12PM -0600, d...@briannassaladdressing.com 
> wrote:
>> Alex,
>>
>> I've been a victim of this since Day 1.  After a lot of reading and 
>> emailing, it comes down to this.  libkrb5-3 version 1.8x by default 
>> disallows DES encryption.  /etc/krb5.conf can be changed to allow weak 
>> encryption, but as it relates to Samba, is only effective in letting the 
> system join the domain.  For its internal functioning, winbind uses an 
>> autogenerated krb5.conf that resides in /var/run/samba.  This krb5.conf has 
>> no knowledge of allow_weak_crypto=true.  Sam Hartman, the maintainer of 
>> libkrb5-3 in Debian, has taken over the responsibility of fixing that 
>> package, rather than the Samba maintainers doing a change there.  In the 
>> interim, winbind is broken with libkrb5-3 version 1.8x.  We can only hope 
>> this fix is soon coming.
>
> In Samba 3.5.0 there is a parameter "create krb5 conf" that controls
> if this private krb5.conf file is created or not. Would it be helpful
> for this to be back ported to earlier versions ?
>
> Jeremy.

i do not want any weak encryption on my systems.

If "create krb5 conf = no" in smb.conf means that I can
specify RC4 and AES in /etc/krb5.conf and winbind will then honor it and
not create a ghost krb5.conf.NETBIOSDOMAINNAME, I would greatly
appreciate it being backported.
Of course, I run CentOS 5 and that uses 3.0.33.  How far back is realistic?



Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

2010-02-16 Thread Rob Townley
On Sat, Feb 13, 2010 at 1:35 PM,  wrote:

> Alex,
>
> I've been a victim of this since Day 1.  After a lot of reading and
> emailing, it comes down to this.  libkrb5-3 version 1.8x by default
> disallows DES encryption.  /etc/krb5.conf can be changed to allow weak
> encryption, but as it relates to Samba, is only effective in letting the
> system join the domain.  For its internal functioning, winbind uses an
> autogenerated krb5.conf that resides in /var/run/samba.  This krb5.conf has
> no knowledge of allow_weak_crypto=true.  Sam Hartman, the maintainer of
> libkrb5-3 in Debian, has taken over the responsibility of fixing that
> package, rather than the Samba maintainers doing a change there.  In the
> interim, winbind is broken with libkrb5-3 version 1.8x.  We can only hope
> this fix is soon coming.
>
> Dale
>
>
Instead of lowering the encryption level to something broken 12 years ago,
why not just remove DES from everywhere and replace with stronger encryption
types?

Microsoft is phasing out winbind for 2008, so i wonder what that means for
SaMBa winbind.  i would hope to use an all kerberos/ldap solution for
authentication in order to continue Linux ADS interoperability.

Does anyone have a winbind_krb5_locator.so file?  All i have on my system is
a docbook/manpage but no binary file.   If it was there, it seems like it
would use /etc/krb5.conf instead of another.
http://samba.org/samba/docs/man/manpages-3/winbind_krb5_locator.7.html

Under Fedora, the referenced file winbind_krb5_locator.so is
nonexistent.


Another poster emailed that they tried changing the krb5.conf manually on
Debian Squeeze
(edited /var/run/samba/smb_krb5/krb5.conf.NETBIOSNAME) and when I
restart winbind, the file is clobbered back to the original. I think this is
in conjunction with a bug from Kerberos where if DES is specified as a
supported type, even if something else better is specified, Kerberos refuses
to play.

Here is what 3.4.5 is showing:
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

It would be nice to have some sort of fix/workaround for this, it seems to
have blindsided us.

I just noticed Jeremy's post, yes it would be helpful to have a config
option to have all kerberos related options in /etc/krb5.conf and i wonder
if that is what the winbind_krb5_locator.so file is meant to do?




>
> -Original message-
> From: "Wilkinson, Alex" alex.wilkin...@dsto.defence.gov.au
> Date: Fri, 12 Feb 2010 21:54:26 -0600
> To: samba@lists.samba.org
> Subject: Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks
> supportfor encryption type [SEC=UNCLASSIFIED]
>
> > Anyone ?
> >
> >-Alex
> >
> > 0n Thu, Feb 11, 2010 at 08:00:57PM +0800, Wilkinson, Alex wrote:
> >
> > >Hi all,
> > >
> > >According to this bug report:
> > >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
> > >
> > >This particular error is actually a bug in the samba code.
> > >
> > >Does anyone know if there are patches that fix this ?
> > >
> > >Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve
> this for me :(
> > >
> > >Has anyone got a working solution for this ?
> > >
> > >   -Alex
> >
> > IMPORTANT: This email remains the property of the Australian Defence
> Organisation and is subject to the jurisdiction of section 70 of the CRIMES
> ACT 1914.  If you have received this email in error, you are requested to
> contact the sender and delete the email.
> >


Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

2010-02-12 Thread Rob Townley
On Fri, Feb 12, 2010 at 8:25 PM, Wilkinson, Alex <
alex.wilkin...@dsto.defence.gov.au> wrote:

> Anyone ?
>
>   -Alex
>
>0n Thu, Feb 11, 2010 at 08:00:57PM +0800, Wilkinson, Alex wrote:
>
>>Hi all,
>>
>>According to this bug report:
>>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
>>
>>This particular error is actually a bug in the samba code.
>>
>>Does anyone know if there are patches that fix this ?
>>
>>Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this
> for me :(
>>
>>Has anyone got a working solution for this ?
>>
>>   -Alex
>
>


DES was broken in 1998 by the eff.  Shouldn't be used but it often is in the
list of allowed encryption types.  Won't go into the conspiracy theory now.


The short answer would probably be to delete any reference to DES and
probably DES3 encryption types in all krb5.conf* files on your machine.  i
use RedHat derivatives, but i bet this is the same problem.  Do a find for
all krb5.conf* as it may not be in the same location on debian.

cat /var/cache/samba/smb_krb5/krb5.conf.*
and i bet you will find DES encryption accepted.

You would think it comes from /etc/krb5.conf, but it doesn't, as evidenced by
Arnaud Lesauvage (arnaud.listes at codata.eu), among others:
  http://lists.samba.org/archive/samba/2009-March/146858.html

Change the file /var/lib/samba/smb_krb5/krb5.conf.YOURNETBIOSNAME
  Add either rc4-hmac or arcfour-hmac
  Replace any reference to DES-CBC-CRC encryption with
aes128-cts-hmac-sha1-96.
  Or at the very least, put the AES types further up the list.

 default_tgs_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
 default_tkt_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
 preferred_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96

After restarting, check that
/var/cache/samba/smb_krb5/krb5.conf.YOURNETBIOSNAME does not have any DES
remnants.

Very good annotated reference on encryption and hashing:

http://www.gnu.org/software/shishi/manual/html_node/Cryptographic-Overview.html

Decent references on what is encryption type 17 in the domain controller
event log:
  https://blogs.msdn.com/alextch/archive/2006/07/18/etypes.aspx
  http://www.ietf.org/rfc/rfc3961.txt
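The two krb5.conf posts above (the Samba 3.4.5 enctype lines quoted on 2010-02-16 and the edit steps in this post) describe one manual procedure: find every krb5.conf* on the box, look for DES in the enctype lists, drop it, and move the AES types ahead of RC4-HMAC. The following is an added Python example of that procedure; it is not Samba's or MIT krb5's own code. It reports weak enctypes in krb5.conf-style text, rewrites the enctype lists with AES first while keeping RC4-HMAC (Windows XP clients need it, as noted in the Encryption thread above), and, when run as a script, scans /etc/krb5.conf plus the smb_krb5 directories named in the thread. The sample config, the scanned paths and the decision to treat 3DES as weak are assumptions of the example.

```python
"""Audit and harden the enctype lists in a krb5.conf-style file.

Added example, not Samba's or MIT krb5's own code.  It performs the steps
from the thread: report DES (and 3DES/export-RC4) entries in the enctype
settings, drop them, and put the AES types ahead of RC4-HMAC.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes", "preferred_enctypes")

# DES family and export-grade RC4 are refused by MIT krb5 >= 1.8 unless
# allow_weak_crypto = true; 3DES is deprecated in current MIT krb5 releases,
# so this example treats it as weak as well (an assumption of the example).
WEAK_ENCTYPES = frozenset({
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1",
    "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-raw",
    "arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp",
})
PREFERRED_ORDER = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")

_KEY_RE = re.compile(r"^(\s*)(%s)(\s*=\s*)(.*)$" % "|".join(ENCTYPE_KEYS),
                     re.IGNORECASE)

# Constructed sample mirroring the Samba 3.4.5 output quoted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.LOCAL
 default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""


def find_weak(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers of enctype settings to the weak types listed."""
    hits: Dict[int, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _KEY_RE.match(line)
        if m:
            weak = [t for t in m.group(4).split() if t.lower() in WEAK_ENCTYPES]
            if weak:
                hits[lineno] = weak
    return hits


def harden(text: str) -> str:
    """Return the config with weak enctypes removed and AES listed first.

    Indentation, non-enctype lines and the spelling of kept entries
    (RC4-HMAC stays, since Windows XP clients cannot do AES) are preserved;
    AES entries already present are moved to the front.  Idempotent.
    """
    out = []
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if not m:
            out.append(line)
            continue
        indent, key, sep, value = m.groups()
        kept = [t for t in value.split()
                if t.lower() not in WEAK_ENCTYPES and t.lower() not in PREFERRED_ORDER]
        out.append(f"{indent}{key}{sep}{' '.join(PREFERRED_ORDER + tuple(kept))}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def audit_files(paths: Iterable[Path]) -> Dict[str, Dict[int, List[str]]]:
    """Run find_weak over every readable path; unreadable paths are skipped."""
    report: Dict[str, Dict[int, List[str]]] = {}
    for p in paths:
        try:
            hits = find_weak(p.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            report[str(p)] = hits
    return report


if __name__ == "__main__":
    # Locations are assumptions: /etc/krb5.conf plus winbind's generated
    # copies under the smb_krb5 directories named in the thread.
    candidates = [Path("/etc/krb5.conf")]
    for d in ("/var/cache/samba/smb_krb5", "/var/lib/samba/smb_krb5",
              "/var/run/samba/smb_krb5"):
        candidates += sorted(Path(d).glob("krb5.conf*"))
    report = audit_files(candidates)
    for path, hits in report.items():
        for lineno, weak in hits.items():
            print(f"{path}:{lineno}: weak enctypes {' '.join(weak)}")
    if not report:
        print("no weak enctypes found in", ", ".join(map(str, candidates)))
    sys.exit(1 if report else 0)
```

Run it as a script for the audit, or call harden() on the file contents and write the result back; re-running the audit after a winbind restart is still needed, because (as the thread notes) winbind regenerates its private krb5.conf.NETBIOSNAME and will clobber a hand edit.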


[Samba] AD Computer Account Becoming Disabled on Re-Join

2010-02-02 Thread Rob Faulkner
Dear All,

Environment is:

- Squid proxy on linux
- Samba (have tried 3.2.8 and 3.4.3) as a domain client (ADS)
- Heimdal Kerberos
- Active Directory on multiple local Windows Server 2003 domain controllers
(single domain)

Squid is joining the AD domain with ADS via Samba in order to authenticate
users with NTLM etc and perform LDAP queries.

As part of the Squid configuration, on startup the system performs a net ads
join to join the domain and on restart of the squid services it leaves the
domain then re-joins.

Somewhere in the region of 2 out of 3 times that this leave/re-join process
occurs the computer account in AD becomes disabled and the box is unable to
complete the join.  In most cases going through the leave/re-join resolves
this issue and the account becomes re-enabled.

This is somewhat frustrating, as the "usual" things that can go wrong (bind
account credentials/logon names, DNS forward/reverse resolution, server
hostname, clock skew, AD permissions, etc) all seem to be fine - and indeed
some of the time the joins occur without a problem.

Investigating what happens when the account becomes disabled doesn't yield
anything interesting to me:



smb.conf

[global]
workgroup = DOMAIN
netbios name = SQUID-1
realm = DOMAIN.LOCAL
security = ads
password server = DC2.DOMAIN.LOCAL
winbind separator = /
winbind enum users = yes
winbind enum groups = yes



krb5.conf

[libdefaults]
default_realm = DOMAIN.LOCAL
clockskew = 300

[realms]
DOMAIN.LOCAL = {
admin_server = tcp/DC2.domain.local:749
kdc = tcp/DC2.domain.local:88
admin_server = tcp/DC5.domain.local:749
kdc = tcp/DC5.domain.local:88
default_domain = domain.local
}


[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL



AD Event Logs:

Event Type:Error
Event Source:NETLOGON
Event Category:None
Event ID:5723
Computer:DC5
Description:
The session setup from computer 'SQUID-1' failed because the security
database does not contain a trust account 'SQUID-1$' referenced by the
specified computer.

Data:
: 8b 01 00 c0   ?..À

Event Type:Error
Event Source:NETLOGON
Event Category:None
Event ID:5805
Computer:DC5
Description:
The session setup from the computer SQUID-1 failed to authenticate. The
following error occurred:
Access is denied.

Data:
: 22 00 00 c0   "..À




Winbind Logs:

[Object becomes disabled: ]
libsmb/cliconnect.c:996(cli_session_setup_spnego)
  Kinit failed: Preauthentication failed

[Object becomes re-enabled: ]
winbindd/winbindd.c:190(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

[Object becomes disabled: ]
winbindd/winbindd.c:190(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)

libsmb/cliconnect.c:996(cli_session_setup_spnego)
  Kinit failed: Clients credentials have been revoked



I do have a number of packet traces of these exchanges, but briefly does
anyone know what the best things to look for are?

I can see the KRB5KDC_ERR_CLIENT_REVOKED NT Status: STATUS_ACCOUNT_DISABLED
that seems to go along with what winbind reports.

Is there any significance in this being a multi-DC environment in that I can
see the kerberos exchange occurring with one DC and the SMB exchange (Session
Setup, Tree Connect, etc) with a different DC?

There are fundamental gaps in my understanding of the end-to-end process
involved here, however I would appreciate if anyone can see anything
glaringly wrong, has seen this before, or can give me any more avenues of
investigation.

Many thanks in advance,


Rob.


Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-29 Thread Rob Shinn

Kris Lou wrote:

PDC Results:
SID for local machine KIF is: S-1-5-21-1297059763-2273326489-166094
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

Openfiler Results:
SID for local machine VADER is: S-1-5-21-2859034502-3981372097-2611941478
SID for domain MLC is: S-1-5-21-957249707-1866601452-441284377

As you can see, the domain SIDs match.

Also, here's the global portion of the Openfiler smb.conf and an 
example share (portions edited). About this - I can obviously edit the 
smb.conf, but it gets overwritten by the Openfiler gui whenever 
changes are made.  Looking at the file, I'm not understanding where 
the group security settings are being placed.  It looks like Openfiler 
runs with Samba 3.2.13


Is nss-ldap installed on the Openfiler?  If so, is it pointing to the 
LDAP server on the Samba+LDAP machine?




Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-23 Thread Rob Shinn

What does your 'net getdomainsid' or 'net getlocalsid' output look like?

Kris Lou wrote:

Hi Rob,

Thanks for the quick reply - Here it is (mostly with some cut and paste).

CentOS 5.4
Samba  3.2.15

dn: cn=Domain Admins,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Administrators
sambaSID: S-1-5-21-957249707-1866601452-441284377-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: 1a60146c-cfad-102d-96b0-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
gidNumber: 512
cn: Domain Admins
userPassword:: e2NyeXB0fXg=
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
memberUid:
memberUid:
memberUid:
entryCSN: 20091028001757Z#01#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20091028001757Z

dn: cn=Domain Users,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Users
sambaSID: S-1-5-21-957249707-1866601452-441284377-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: 1a7ebb60-cfad-102d-96b1-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
gidNumber: 513
cn: Domain Users
userPassword:: e2NyeXB0fXg=
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
memberUid:
memberUid:
entryCSN: 20091215225639Z#01#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20091215225639Z

dn: cn=Domain Guests,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-957249707-1866601452-441284377-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: 1a845502-cfad-102d-96b2-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
userPassword:: e2NyeXB0fXg=
memberUid: design
memberUid: fedex
memberUid: infobox
memberUid: mailbox
memberUid: test
entryCSN: 20090521203023Z#02#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20090521203023Z

dn: cn=Domain Computers,ou=Group,dc=themusiclink,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-957249707-1866601452-441284377-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: 1a8ab492-cfad-102d-96b3-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
entryCSN: 20090507234700Z#04#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20090507234700Z

dn: cn=Administrators,ou=Group,dc=themusiclink,dc=net
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: 1a905d16-cfad-102d-96b4-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234700Z
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
userPassword:
memberUid: administrator
memberUid: root
entryCSN: 20090516003337Z#01#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20090516003337Z

dn: sambaDomainName=MLC,dc=themusiclink,dc=net
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: MLC
sambaSID: S-1-5-21-957249707-1866601452-441284377
structuralObjectClass: sambaDomain
entryUUID: 1aab5d3c-cfad-102d-96b9-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507234701Z
sambaLockoutThreshold: 0
sambaRefuseMachinePwdChange: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
sambaMinPwdAge: 0
sambaMaxPwdAge: -1
sambaPwdHistoryLength: 0
gidNumber: 1033
uidNumber: 1043
sambaNextRid: 1100
entryCSN: 20100104223853Z#02#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20100104223853Z

dn: cn=TML.Accounting,ou=Group,dc=themusiclink,dc=net
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: TML.Accounting
userPassword:: e2NyeXB0fXg=
gidNumber: 1145
structuralObjectClass: posixGroup
entryUUID: 90185732-cfad-102d-97b9-6fd9fc452718
creatorsName: cn=Manager,dc=themusiclink,dc=net
createTimestamp: 20090507235018Z
sambaSID: S-1-5-21-957249707-1866601452-441284377-1011
sambaGroupType: 2
displayName: TML Accounting
description: Domain Unix group
memberUid: mailman
memberUid: mtong
memberUid: psmith
memberUid: spatrino
memberUid: klou
memberUid: tocampo
entryCSN: 20091202193050Z#03#00#00
modifiersName: cn=Manager,dc=themusiclink,dc=net
modifyTimestamp: 20091202193050Z

dn: cn=TML.CustomerService,ou=Group,dc=themusiclink,dc=net
objectClass: posixGroup
objectCl

Re: [Samba] Samba+LDAP + Primary GIDs

2010-01-18 Thread Rob Shinn

Kris Lou wrote:

I've checked my ldif's - the groups exist, the users exists as
memberids, but it looks like samba is only checking the gid?
  
Can you post the LDIFs of your groups (you can edit out any 
incriminating evidence ;)?  Sounds like your groups are lacking correct 
sambaSID or sambaGroupType attributes.

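The check suggested in this reply (groups lacking a correct sambaSID or sambaGroupType) and the LDIF dump posted on 2010-01-23 above can be put together mechanically. Here is an added Python example, not Samba's code, that reads LDIF such as ldapsearch prints for the group OU plus the sambaDomainName entry and reports domain groups whose sambaSID is not under the domain SID, builtin groups (sambaGroupType 5) whose SID is not S-1-5-32-*, missing gidNumber/sambaSID/sambaGroupType attributes, and a gidNumber shared by two groups, which is the kind of inconsistency that shows up as primary-group trouble. The embedded LDIF is constructed for the example with made-up SIDs and DNs.

```python
"""Check Samba group mappings in an LDIF dump against the domain SID.
Added example, not Samba's code: reports groups whose sambaSID is not under
the domain SID, builtin groups without an S-1-5-32-* SID, missing
gidNumber/sambaSID/sambaGroupType, and gidNumbers shared by two groups."""
import base64
from collections import defaultdict
from typing import Dict, List

DOMAIN_GROUP, LOCAL_GROUP, BUILTIN_GROUP = "2", "4", "5"   # sambaGroupType values
BUILTIN_SID_PREFIX = "S-1-5-32-"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: folded lines, 'attr:: base64' values, multi-valued
    attributes; attribute names are lower-cased.  Change records not handled."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def check_group_mappings(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the mappings are consistent."""
    entries = parse_ldif(text)
    doms = [e for e in entries if "sambadomain" in map(str.lower, e.get("objectclass", []))]
    if not doms:
        raise ValueError("no sambaDomain entry in input")
    domain_sid = doms[0]["sambasid"][0]
    problems: List[str] = []
    by_gid: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if "sambagroupmapping" not in map(str.lower, e.get("objectclass", [])):
            continue
        dn = e.get("dn", ["<no dn>"])[0]
        for name in ("gidNumber", "sambaSID", "sambaGroupType"):
            if name.lower() not in e:
                problems.append(f"{dn}: missing {name}")
        if "gidnumber" in e:
            by_gid[e["gidnumber"][0]].append(dn)
        if "sambasid" not in e or "sambagrouptype" not in e:
            continue
        sid, gtype = e["sambasid"][0], e["sambagrouptype"][0]
        if gtype == BUILTIN_GROUP and not sid.startswith(BUILTIN_SID_PREFIX):
            problems.append(f"{dn}: sambaGroupType 5 but sambaSID {sid} is not {BUILTIN_SID_PREFIX}*")
        elif gtype == DOMAIN_GROUP and sid.rsplit("-", 1)[0] != domain_sid:
            # a domain group's SID must be <domain SID>-<RID>
            problems.append(f"{dn}: sambaSID {sid} is not under domain SID {domain_sid}")
        elif gtype not in (DOMAIN_GROUP, LOCAL_GROUP, BUILTIN_GROUP):
            problems.append(f"{dn}: unexpected sambaGroupType {gtype}")
    for gid, dns in by_gid.items():
        if len(dns) > 1:
            problems.append(f"gidNumber {gid} is shared by: {', '.join(dns)}")
    return problems


# Constructed sample (made-up SIDs and DNs): a correct domain group, a correct
# builtin group, a group carrying another domain's SID, and a group that lacks
# sambaGroupType and reuses gidNumber 1145.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=net
objectClass: sambaDomain
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: cn=Domain Admins,ou=Group,dc=example,dc=net
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
sambaGroupType: 2
userPassword:: e2NyeXB0fXg=

dn: cn=Administrators,ou=Group,dc=example,dc=net
objectClass: sambaGroupMapping
gidNumber: 544
sambaSID: S-1-5-32-544
sambaGroupType: 5

dn: cn=Accounting,ou=Group,dc=example,dc=net
objectClass: sambaGroupMapping
gidNumber: 1145
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-1011
sambaGroupType: 2

dn: cn=Shipping,ou=Group,dc=example,dc=net
objectClass: sambaGroupMapping
gidNumber: 1145
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1012
"""
```

Feed check_group_mappings() the output of an ldapsearch over the group OU together with the sambaDomainName entry; the domain SID it compares against is the one from that entry, which is also what `net getdomainsid` on the PDC should print. Local groups (sambaGroupType 4) are deliberately not SID-checked, since on a member server they hang off the machine SID rather than the domain SID.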


Re: [Samba] Given up on Fedora Ubuntu is 1000-folder simpler

2010-01-15 Thread Rob Shinn

Michael Lueck wrote:
When Etch came out, the Samba packages were so bad that I ended up 
trying Ubuntu (7.04). It worked great!


That's just silly.  I use Ubuntu on my desktops and servers mostly 
because I prefer the extra fit-and-polish it has to Debian.  But I've 
used both and the packages themselves are basically the same.  A 
particular Ubuntu stable release package of Samba is more likely to be 
more current than the Debian stable release, but that's a result of 
policy differences, not technical ones.  The source for the packages is 
the same:  the Debian package repos.  The main difference is that Ubuntu 
might add a patch or two that hasn't made it into the stable Debian 
package yet, but other than that, they are the same.


Kudos to the good work of the Debian devs.  Without you, there would be 
no Ubuntu and the world would be much worse off without Debian.


As far as the comments on Fedora, you're also aware that the Ubuntu devs 
follow Fedora development and take away some of their best stuff, too, 
right?






Re: [Samba] Can only log on to domain, not local machine

2010-01-13 Thread Rob Feldman
Don, thanks for hanging in there with me on this.

When offline, domain users cannot log on using either "logon to" option,
DomainName ("domain not available") or PCName ("check your user id &
password"). I can log on as domain administrator and add/delete local users,
but these users can't log on. I can also log on as local Administrator at
all times.

Is it significant that the only username in the local users group is
"Administrator?"

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Gaiseric Vandal
Sent: Wednesday, January 13, 2010 9:30 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Can only log on to domain, not local machine

On 01/12/10 21:14, Rob Feldman wrote:
> Hi Don,
>
> Yeah, the behavior you describe is what I expected but not what I'm
getting.
> All domain UID/Password pairs authenticate fine when connected, none do
when
> disconnected. The login credentials are not being cached, but I can't
figure
> out why. I checked the XP group policy and the default setting to keep the
> last 10 logins is intact.
>
> My setup is the same as yours, XP clients of domain with a Samba PDC. I
> maintain another similar system at work which works fine.
>
> I really appreciate the effort -- any other ideas?
>
> Thanks,
> Rob
>
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of sa...@piven.org
> Sent: Tuesday, January 12, 2010 8:38 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Can only log on to domain, not local machine
>
> Rob Feldman wrote:
>
>> Used Administrator login on XP client to grant domain users rights to log
>>  
> on
>
>> to client machine (such as when offline). All attempts to log on to local
>> machine fail authentication (error "System could not log you on. Check
>>  
> user
>
>> name and domain..."). Everything else works fine, including logon to
>>  
> domain
>
>> and synchronization of offline folders. Frustrating having all data
>> available offline but inaccessible because I can't log in!
>>
>> Don't know what I'm doing wrong, seems like my setup is wrong preventing
>>  
> XP
>
>> from getting password info properly for later use away from domain. Sorry
>>  
> if
>
>> this is a dopey question, but I've pored over all howtos&  other
resources
>> and am still stumped. Plenty of help available for fixing XP clients not
>> logging into smb domain, but none I can find if XP can't log into itself.
>>
>>  
> Have you tried just logging in with the domain login and password?
>
> XP Pro caches login credentials, so the next time a user logs in, the
> cached credentials can be used if for some reason the machine can't
> contact a domain controller.  For example, I have an XP Pro machine on
> my desk, joined to a domain managed by a Samba server.  I pulled the
> network cable out of that machine, then logged into it using my plain
> old unprivileged domain logon.  Works fine, except that I can't get to
> my home directory out on the Samba server :-)
>
> Microsoft already did the grunt work to let your users logon to an
> off-network machine.
>
> Don
>

Can you clarify:
 when you log on disconnected, are you setting the "logon to" 
parameter to the DomainName or the LocalPCName?  It should be the 
DomainName.


By default, Domain Users should be a member of local users, and should 
already be able to logon offline (assuming they have logged in on line 
at least once.)

If you log in online as the network admin, are you able to create 
local users or do other "administrative" stuff?  I ran into one issue 
with group mapping where the local PC was not recognizing all my 
groups.  So even though I was a Domain Administrator, the XP machine 
didn't realize I was a member of Domain Admins and thus I didn't get the 
privileges of the local Administrators group.  And on the same lines, 
domain users did properly get the privileges assigned to the local users 
group.




Re: [Samba] samba+ldap two domains db sync?

2010-01-13 Thread Rob Shinn

Alberto Moreno wrote:

Is it possible to sync both ldap servers every time I change something
in ldap? or is there a better way to do it?

You could probably do this with OpenLDAP's syncrepl replication
facility.  You may also wish to consider combining everything into one
LDAP database, containing two different Samba domains, with a common OU
for user accounts.  You could keep the LDAP servers as they are, just
set up one as a secondary LDAP server using syncrepl.  That would have
the advantage of centralizing everything and ease user administration,
since users created in one domain would automatically be included in both.

Without knowing the specifics, however, it's hard to say to which way
would be best.




Re: [Samba] Can only log on to domain, not local machine

2010-01-12 Thread Rob Feldman
Hi Don,

Yeah, the behavior you describe is what I expected but not what I'm getting.
All domain UID/Password pairs authenticate fine when connected, none do when
disconnected. The login credentials are not being cached, but I can't figure
out why. I checked the XP group policy and the default setting to keep the
last 10 logins is intact.

My setup is the same as yours, XP clients of domain with a Samba PDC. I
maintain another similar system at work which works fine.

I really appreciate the effort -- any other ideas?

Thanks,
Rob

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of sa...@piven.org
Sent: Tuesday, January 12, 2010 8:38 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Can only log on to domain, not local machine

Rob Feldman wrote:
> Used Administrator login on XP client to grant domain users rights to log
on
> to client machine (such as when offline). All attempts to log on to local
> machine fail authentication (error "System could not log you on. Check
user
> name and domain..."). Everything else works fine, including logon to
domain
> and synchronization of offline folders. Frustrating having all data
> available offline but inaccessible because I can't log in!
>
> Don't know what I'm doing wrong, seems like my setup is wrong preventing
XP
> from getting password info properly for later use away from domain. Sorry
if
> this is a dopey question, but I've pored over all howtos & other resources
> and am still stumped. Plenty of help available for fixing XP clients not
> logging into smb domain, but none I can find if XP can't log into itself.
>   

Have you tried just logging in with the domain login and password?

XP Pro caches login credentials, so the next time a user logs in, the 
cached credentials can be used if for some reason the machine can't 
contact a domain controller.  For example, I have an XP Pro machine on 
my desk, joined to a domain managed by a Samba server.  I pulled the 
network cable out of that machine, then logged into it using my plain 
old unprivileged domain logon.  Works fine, except that I can't get to 
my home directory out on the Samba server :-)

Microsoft already did the grunt work to let your users logon to an 
off-network machine.

Don


[Samba] Can only log on to domain, not local machine

2010-01-12 Thread Rob Feldman
Used Administrator login on XP client to grant domain users rights to log on
to client machine (such as when offline). All attempts to log on to local
machine fail authentication (error "System could not log you on. Check user
name and domain..."). Everything else works fine, including logon to domain
and synchronization of offline folders. Frustrating having all data
available offline but inaccessible because I can't log in!

Don't know what I'm doing wrong, seems like my setup is wrong preventing XP
from getting password info properly for later use away from domain. Sorry if
this is a dopey question, but I've pored over all howtos & other resources
and am still stumped. Plenty of help available for fixing XP clients not
logging into smb domain, but none I can find if XP can't log into itself.

Here's the configuration:
XP Pro SP3 client, all updates
Ubuntu 9.10 (karmic) server, all current
Samba 3.4.0 PDC
Smb.conf:
[global]
workgroup = MYGROUP
server string = %h
interfaces = 10.10.10.0/24, eth0
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
username map = /etc/samba/smbusers
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
smb ports = 139
name resolve order = lmhosts hosts wins bcast
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/addgroup --force-badname %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -g machines -s /bin/false -d
/var/lib/nobody %u
logon script = logon.cmd
logon drive = H:
domain logons = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
admin users = feldmadmin, @admin
hide unreadable = Yes
hide files = /Desktop.ini/




Re: [Samba] samba+ldap two domains db sync?

2010-01-11 Thread Rob Shinn

Gaiseric Vandal wrote:


I don't think one user in LDAP could be in two different domains-  
each user has to have a distinct SambaSID entry.




Ooomph! *slaps forehead*.  You're right.  That's what I get for posting 
before I've had my coffee.


I stand by my original statement that OpenLDAP's syncrepl would work, 
though.






Re: [Samba] samba+ldap two domains db sync?

2010-01-11 Thread Rob Shinn

Alberto Moreno wrote:

Is it possible to sync both ldap servers every time I change something
in ldap? or is there a better way to do it?
You could probably do this with OpenLDAP's syncrepl replication 
facility.  You may also wish to consider combining everything into one 
LDAP database, containing two different Samba domains, with a common OU 
for user accounts.  You could keep the LDAP servers as they are, just 
set up one as a secondary LDAP server using syncrepl.  That would have 
the advantage of centralizing everything and ease user administration, 
since users created in one domain would automatically be included in both.


Without knowing the specifics, however, it's hard to say to which way 
would be best.




Re: [Samba] Read-only fs

2010-01-09 Thread Rob Shinn

Kacper wrote:

The file exists there but is of course read-only. Does samba need to
write to this secret file or why doesn't it want to open that file?
  


If you want your root filesystem read-only (like, say, to boot your 
server from a CD-ROM or embedded device) then you can just copy this 
file to a RAM disk and either point to it in your smb.conf via the 
'private dir =' directive, or else mount /etc/samba on your ramdisk and 
copy the files that go in there on startup.  The latter is exactly what my 
Linksys NAS200 running Samba 3.0.22 does. (I'm running the jac4 custom 
firmware)






Re: [Samba] tree connect failed: NT_STATUS_BAD_NETWORK_NAME

2009-12-28 Thread Rob Townley
On Mon, Dec 28, 2009 at 4:03 AM, Michael Adam  wrote:
> Hi Dominic,
>
> Dominic Gamble wrote:
>> Hi,
>>
>> I can't get access to any shares when running "smbclient //DUCK/test -U
>> Dominic". I'm getting the message:
>> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
>>
>> I'm pretty sure it's authenticating properly as it says "session setup ok"
>> in the debug output. If I enter the wrong password I get:
>> "session setup failed: NT_STATUS_LOGON_FAILURE"
>
> This is correct.

Starting from a fresh boot up, try to use the /test share first, does it work?
Does /tmp then fail?
If so, look under /var/cache/samba/

i don't remember exactly what i came across the
NT_STATUS_BAD_NETWORK_NAME error on CentOS 5.4 and what i did to fix
it, but do remember it wasn't what i expected.

>
>> I'm running CentOS 5.4 with the following samba packages
>>
>> samba-common-3.0.33-3.15.el5_4.1
>> samba-3.0.33-3.15.el5_4.1
>> samba-swat-3.0.33-3.15.el5_4.1
>> samba-client-3.0.33-3.15.el5_4.1
>>
>> My samba setup uses LDAP for authentication. All logging seems to indicate
>> that authentication and LDAP is working well.
>>
>> My /etc/samba/smb.conf was generated with SWAT and has the following shares:
>>
>> [tmp]
>>         comment = temporary files
>>         path = /tmp
>>         hosts allow =
>>         hosts deny =
>>
>> [test]
>>         comment = test files
>>         path = /test
>>         hosts allow =
>>         hosts deny =
>>
>>
>> Both shares contain a file called myfile.txt.
>>
>> When I connect to the "tmp" share, I don't get the "tree connect failed:
>> NT_STATUS_BAD_NETWORK_NAME", but I can't list any files:
>>
>> [r...@duck cache]# smbclient //DUCK/tmp -U dominic
>> Password:
>> Domain=[ORANDA] OS=[Unix] Server=[Samba 3.0.33-3.15.el5_4.1]
>> smb: \> ls
>>   .                                   D        0  Mon Dec 28 04:02:13 2009
>>   ..                                  D        0  Sun Dec 27 21:16:53 2009
>>
>>                 36224 blocks of size 8388608. 34082 blocks available
>> smb: \>
>>
>> When I connect to the "test" share I get the "tree connect failed:
>> NT_STATUS_BAD_NETWORK_NAME":
>> [r...@duck cache]# smbclient //DUCK/test -U dominic
>> Password:
>> Domain=[ORANDA] OS=[Unix] Server=[Samba 3.0.33-3.15.el5_4.1]
>> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
>>
>> The permissions on the /tmp and /test folders are the same:
>>
>> drwxrwxrwt 2 root root 4096 Dec 27 21:35 test
>> drwxrwxrwt 4 root root 4096 Dec 28 04:02 tmp
>>
>> There are no complex acls on them either:
>>
>> [r...@duck /]# getfacl tmp
>> # file: tmp
>> # owner: root
>> # group: root
>> user::rwx
>> group::rwx
>> other::rwx
>>
>> [r...@duck /]# getfacl test
>> # file: test
>> # owner: root
>> # group: root
>> user::rwx
>> group::rwx
>> other::rwx
>>
>> I've tried getting more debug info by setting log levels to 10 in both
>> smb.conf and using the -d10 parameter on the command line, but it gives me
>> nothing useful in the logs or in the output.
>>
>> I've been through 'The Samba Checklist'
>> (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html)
>> and had no other problems.
>>
>> Here is the rest of my smb.conf:
>>
>> [global]
>>         workgroup = ORANDA
>>         server string = Duck
>>         passdb backend = ldapsam:ldap://localhost/
>>         pam password change = Yes
>>         passwd program = /usr/sbin/smbldap-passwd %u
>>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>> *all*authentication*tokens*updated*
>>         unix password sync = Yes
>>         log level = 10
>>         log file = /var/log/samba/log.%m
>>         load printers = No
>>         printcap name = /dev/null
>>         disable spoolss = Yes
>>         add user script = /usr/sbin/smbldap-useradd -m "%u"
>>         delete user script = /usr/sbin/smbldap-userdel "%u"
>>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>         delete group script = /usr/sbin/smbldap-groupdel "%g"
>>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
>> "%g"
>>         set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>         add machine script = /usr/sbin/smbldap-useradd -w "%u"
>>         logon script = login.cmd
>>         logon path = \\%N\profiles\%U
>>         logon drive = H:
>>         domain logons = Yes
>>         os level = 127
>>         wins support = Yes
>>         ldap admin dn = cn=admin,dc=oranda,dc=internal
>>         ldap delete dn = Yes
>>         ldap group suffix = ou=Group
>>         ldap idmap suffix = ou=Idmap
>>         ldap machine suffix = ou=Computers
>>         ldap passwd sync = Yes
>>         ldap suffix = dc=oranda,dc=internal
>>         ldap user suffix = ou=People
>>         panic action = /usr/share/samba/panic-action %d
>>         admin users = dominic
>>         hosts allow = 192.168.10., 127.
>>         hosts deny = ALL
>>         printing = bsd
>>       

Re: [Samba] dns lookups for SRV kerberos

2009-12-15 Thread Rob Townley
On Thu, Dec 10, 2009 at 9:21 AM,   wrote:
> Hi,
>
>
> I have raised this question on the kerberos mailing list, but have been told 
> that Samba has it's own behavior regarding SRV lookups.
>
> My configuration uses the following :
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>
> [realms]
>  EXAMPLE.DOM = {
>  kdc = 10.0.0.1:88
>  kdc = 10.0.0.2:88
>  admin_server = 10.0.0.1:749
>  default_domain = example.dom
>  }
>
> but I still see the DNS lookups for SRV _kerberos-master_udp
> ( same with kdc = adserver1.example.dom.:88 )
>
> To be precise, the following happens (We don't have these records in the DNS
> system) :
>
> ASREQ ->
>  <- KRBERR PREAUTH
> DNS SRV _kerberos-master ->
>  <- no such name
> ASREQ ->
>  <- AS REP OK
> DNS SRV _kerberos-master ->
>  <- no such name
> TGSREQ ->
>  <- TGSREP
> DNS SRV _kerberos-master ->
>  <- no such name
>
> that makes 3 DNS lookups per TGS.
>
> As I have explicitly configured :
> A) dns_lookups to false
> B) numerical IP addresses for the KDC's
> I would expect dns lookups to be completely *non-existent*.
> Are my expectations correct, or is there something in the protocol that I
> missed, that would need to enforce dns lookups even if configured not to ?
> Or maybe I have misconfigured krb5.conf ? It seems that Samba would not
> look into this file.
> Can it be configured elsewhere ?
> Same behaviour with numerical IP addresses for "password server"
>
>
> Why I am looking into this is because I use kerberos for AD authentication,
> through winbind.
> Our configuration (typical for an AD infrastructure) is to have 2 DC's, which
> are KDC's as well as DNS servers.
> What happens when the primary DC is unavailable is that both the primary KDC 
> and
> the primary DNS are down.
> Timeouts summing up, the result in a default RHEL5 configuration is to have
> "wbinfo -t" take 21 seconds to accomplish.
> (3*5s DNS timeouts + 3*2s KDC timeouts)
> For the moment, DNS Timeout can be lowered to 1s but not less.
>
> Still, I don't understand why these DNS lookups are made at all with this
> configuration.
> Has anyone an explanation ?
>
> using
> krb5-libs-1.6.1-36.el5
> samba-3.0.33-3.15.el5_4
> on RHEL 5.4
>
>
>
> Regards,
>
> Andrew
>
>
>
>
>

Interesting.  Does the samba generated cached version of krb5.conf
have dns records?  This is an altogether different file than
/etc/krb5.conf.

On my CentOS 5.4 box, samba caches its krb5 config here:
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME

In my experience, some of these samba generated cached entries can be
altogether different than /etc/krb5.conf !


Re: [Samba] kerberos configuration in samba

2009-12-15 Thread Rob Townley
On Tue, Dec 15, 2009 at 4:48 AM, Rajesh Ghanekar
 wrote:
> Hi All,
>  I am using samba-3.2.11-0.1.145 in my setup. I have multiple domain
> controllers
> for a domain. I am confused on do I need to edit /etc/krb5.conf or not. I am
> using
> MIT kerberos (krb5-1.4.3-19.34) on SLES10.
>
> Here is what I got from Samba HOWTO:
>
> 1. Adding entries in /etc/krb5.conf for "kdc =", "admin server =" and
> "password server ="
>  is only necessary if SRV records are not there in DNS server. If SRV
> records are there,
>  no need to configure /etc/krb5.conf.
>
> 2. /etc/samba/smb.conf should contain the list of domain controllers in
> "password server =" line
> (space separated) or can contain *, which will get the list from DNS SRV
> records.
>
> 3. If SRV records are not present (may be I migrated my DNS server to linux
> box), then
> I need to manually enter "kdc =", etc, lines in /etc/krb5.conf.

Why not put the SRV records into your own Linux DNS?

>
> 4. I can have multiple "kdc = " entries in /etc/krb5.conf, if I need to
> manually configure
> /etc/krb5.conf, but only single "admin server =" and "password server ="
> line.
> How does this /etc/krb5.conf entry for admin server and password server
> become
> HA if the machine specified in admin server and password server goes down?
>
> Any help appreciated.
>
> Thanks,
> Rajesh
>
>


[Samba] samba caching a broken krb5.conf.NETBIOSDOMAINNAME

2009-12-14 Thread Rob Townley
i am in a mixed win2000 and win2003 R1 ActiveDirectory environment.
Have always had ntlmv2 server and client required.  LM and NTLM have
always been rejected.  That is how it has been for 10 years.

Mounting from CentOS 5 to the windows servers has not been an issue
for years.  However, using ADS credentials for Linux workstation
logons has always been an issue.  If using ADS credentials to logon to
a Linux workstation worked once, it would stop working for no apparent
reason very quickly.  The problem seems to be that samba kerberos
wants to revert to using very old encryption technology that is
probably on par with plain LM.

How can i force samba to use and _KEEP_USING_ the better security
enctypes?  i am no expert, but you don't have to be an expert to know
that aes is better than des-cbc-crc .   des was broken in 1998, why is
samba kerberos trying to use it?  Win 95 LM uses DES -- look at
lmHash() documented at http://davenport.sourceforge.net/ntlm.html.

We have been using our CentOS clients to mount with ntlmv2i so why
would attempts at joining the ADS domain fail with "stronger
authentication required"?
mount -t cifs //ADScontroller/share /mnt/ntlmv2iprotected  --verbose
-o username=u...@dnsdomainname.com,sec=ntlmv2i

Success with "kinit ad...@dnsdomainname.com"

But then "net -d 10 ads join -U ad...@dnsdomainname.com" would fail
with "stronger authentication required."   I'm wondering why stronger
auth would be needed by ADS when i am already mounting a file share on
the ADS domain controller using ntlmv2i?

The answer is in "klist -e" and
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME:
  default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

Deleted the samba cache and added the following to /etc/krb5.conf and
it worked once to join the domain and logon a CentOS box with ADS
credentials.
i could even map a drive letter from our Win2003 box to the CentOS
share using ADS credentials.
  default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
des-cbc-crc des-cbc-md5
  permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
des-cbc-crc des-cbc-md5

The samba cached krb5.conf.NETBIOSDOMAINNAME would come back populated
with weak and incompatible encryption types while /etc/krb5.conf would
still have decent enctypes.  Then my account is locked out in ADS.

So how can i permanently force samba to use the better enctypes?
Disable it from ever using weak encryption such as DES?   Triple DES
des3-hmac-sha1 would be ok.
How does one find the exact enctypes ADS will accept?  There must be a
command or ldap location but i had many problems finding it.




The following are all previously documented problems related to this.
Symptoms left here for when others search.

kinit succeeded but ads_sasl_spnego_krb5_bind failed

[Samba] winbind and smb tries to auth as pdc$ rather than local name
when using ADS
http://lists.samba.org/archive/samba/2009-October/150849.html

From a debug level 10 using smbclient,
lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
tree connect failed: NT_STATUS_ACCESS_DENIED

CentOS 5
samba-common 3.0.33-3.15.el5_4

A HPUX guy reverted his net binary to an older version.

Sorry for the long post, but blogger is giving me some issues and i
will need this as reference material.
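As an added check (not code from the post or from Samba), the following Python audits the enctype lists of a krb5.conf [libdefaults] section the way the post compares /etc/krb5.conf with Samba's cached copy; the [libdefaults] header, the [realms] block and the EXAMPLE.COM name are assumptions, and the two sample configs are constructed from the lists quoted above. Run on those lists it flags the cached copy for leading with RC4 and listing single DES, and it also shows that the /etc/krb5.conf list still admits des-cbc-crc and des-cbc-md5 at the end.

```python
"""Audit the enctype lists in a krb5.conf [libdefaults] section.

Added example, not code from the post or from Samba: it reads the settings
the post compares between /etc/krb5.conf and Samba's cached
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME and reports single-DES
types, so a cache regressing to DES is caught before accounts lock out.
"""
import re

# Settings quoted in the post; MIT krb5 tries enctypes in listed order.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes", "preferred_enctypes")

# Common MIT krb5 spellings folded onto one canonical name.
_ALIASES = {
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
}
# Single DES is what the post wants gone; RC4 and 3DES are deprecated by
# RFC 8429 but are what the post still accepts; AES is fine.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}
LEGACY = {"arcfour-hmac", "des3-cbc-sha1"}


def normalize(name):
    """Lower-case an enctype name and map known aliases to a canonical form."""
    name = name.strip().lower()
    return _ALIASES.get(name, name)


def tier(enctype):
    """Classify a canonical enctype as weak, legacy, strong or unknown."""
    if enctype in WEAK:
        return "weak"
    if enctype in LEGACY:
        return "legacy"
    return "strong" if enctype.startswith("aes") else "unknown"


def parse_libdefaults(text):
    """Return {key: value} from [libdefaults]; every other section is skipped,
    which also keeps the nested '{ }' blocks of [realms] out of the way."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([\w-]+)\]$", line)
        if m:
            section = m.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings


def audit_enctypes(text):
    """Return {'weak': [(setting, enctype)], 'legacy': [...], 'first': {setting:
    enctype tried first}, 'ok': bool}; 'ok' is True only when no single-DES
    type appears anywhere and every setting that is present leads with AES."""
    settings = parse_libdefaults(text)
    report = {"weak": [], "legacy": [], "first": {}, "ok": True}
    for key in ENCTYPE_KEYS:
        if key not in settings:
            continue
        enctypes = [normalize(e) for e in re.split(r"[\s,]+", settings[key]) if e]
        if not enctypes:
            continue
        report["first"][key] = enctypes[0]
        if tier(enctypes[0]) != "strong":
            report["ok"] = False
        for enc in enctypes:
            if tier(enc) == "weak":
                report["weak"].append((key, enc))
                report["ok"] = False
            elif tier(enc) == "legacy":
                report["legacy"].append((key, enc))
    return report


# Constructed samples using the lists quoted in the post; the [libdefaults]
# header and the [realms] block are assumed, the post shows only the lines.
CACHED_KRB5_CONF = """\
[libdefaults]
  default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""
ETC_KRB5_CONF = """\
[libdefaults]
  default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
  permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
  }
"""
```

Calling `audit_enctypes(open(path).read())` on both files and diffing the two reports gives the comparison the post made by hand with `klist -e`.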


[Samba] winbind not resolving group membership changes

2009-10-09 Thread Rob VanFleet
I'm using Samba 3.0.33 (RHEL 5) to connect to a Windows 2008 active 
directory server.  I am restricting SSH logins to a particular AD group. 
The users allowed to login will change frequently, so it's important 
to me that their group membership is updated when their access to this 
server is granted or revoked. The problem that I keep running into is 
that group membership on the Samba machine doesn't seem to sync up with 
the Windows DC until a user authenticates.


Essentially, if I remove a user from the login group in AD, they will 
still be able to login to the Samba box once, then their group 
membership will be updated.  Conversely, if they are added to the login 
group (and the Samba box has "seen" their user before - it doesn't seem 
to happen with new users) they will not appear to be in that group from 
the Samba box's perspective until they have been authenticated - in that 
case, it often requires a wbinfo --authenticate username%password, since 
their SSH login attempts will fail due to them appearing to be not in 
the login group.  Once that is done, groups USERNAME will report 
accurate group membership.


I've tried adjusting the winbind cache time, to the point of disabling 
it in the init script, but I haven't had any success updating a group 
membership short of authenticating the user.  I was originally using the 
AllowGroups directive in sshd_config, and I switched that to using 
pam_succeed_if.so user ingroup in /etc/pam.d/system-auth, with the same 
result.


Here's what I have in smb.conf

[global]
   workgroup = AD
   password server = AD.WKU.EDU
   realm = AD.WKU.EDU
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /usr/bin/rssh
   winbind use default domain = yes
   winbind offline logon = false
   winbind nested groups = yes
   winbind enum groups = yes
   winbind enum users = no
   template homedir = /var/www/html
   winbind cache time = 1
   passdb backend = tdbsam

nsswitch.conf:

passwd: winbind files
shadow: winbind files
group:  winbind files


I did some googling for this problem, and found a few instances that 
sounded similar, but I didn't see any solutions.  Thanks in advance for 
any assistance you might be able to provide.



Rob


Re: [Samba] Still problems with samba 3.4.1 / ldap and search for users and machines

2009-09-16 Thread Rob Shinn


John H Terpstra - Samba Team wrote:

Of over 100 LDAP Samba installations I have completed, over 80%
successfully use:

uid='username',ou=People,ou=Users,
uid='machine',ou=Computers,ou=Users,

Same here, though I use 


uid='username', ou=people, 
cn='machine', ou=hosts, 

and make the object structure classes contain ipHost, posixAccount, and 
sambaSamAccount,
which effectively lets me share LDAP hosts resolution and Samba machine 
accounts under the same container :) (Yeah, I gotta be weird, I know...)

If you follow chapter 5 of Samba3-ByExample, it should work for you too.

http://www.samba.org/samba/docs/Samba3-ByExample.pdf
  
That's the book I started with and it's great material.  Thanks for 
writing it!




Re: [Samba] LDAP errors with v3.0.34 using the LDAP schema file with Sun DS 5.2

2009-08-24 Thread Rob Mottishaw
The format of the sambaDomainName object in the DIT (I've masked the 
sensitive information, don't let the ?'s and #'s throw you):



Distinguished Name: sambaDomainName=,??=???,??=???
ObjectClasses sambaDomain
Attributes
sambaAlgorithmicRidBase 1000
sambaDomainName 
sambaNextUserRid 1000
sambaSID #-#-#-##-##-#-##

The attributes sambapwdhistorylength, sambalockoutthreshold, 
sambamaxpwdage are not included in the definition of the sambaDomainName 
object.  Any ideas?  The searching I've done indicates the attributes 
sambapwdhistorylength, sambalockoutthreshold, sambamaxpwdage should be 
included, in our case, they are not.


Thanks for any assistance,
Rob Mottishaw




Rob Mottishaw wrote:
Receive the following errors when users authenticate with LDAP schema 
file included with Sun DS 5.2:


ERROR<5897> - Schema  - conn=-1 op=-1 msgId=-1 - User error:  Entry 
"sambaDomainName=,??=???,??=???", attribute 
"sambapwdhistorylength" is not allowed
ERROR<5897> - Schema  - conn=-1 op=-1 msgId=-1 - User error:  Entry 
"sambaDomainName=,??=???,??=???", attribute 
"sambalockoutthreshold" is not allowed
ERROR<5897> - Schema  - conn=-1 op=-1 msgId=-1 - User error:  Entry 
"sambaDomainName=,??=???,??=???", attribute "sambamaxpwdage" 
is not allowed


The authentication is successful, yet these errors are logged 
multiple times.  Checked in the schema file for SAMBA 3.0.x sent with 
Sun DS 5.2, and indeed, the attributes sambapwdhistorylength, 
sambalockoutthreshold, and sambamaxpwdage are not among those listed 
in the schema file for SAMBA 3.0.x.  Is there an updated schema file 
or a way to configure the authentication to remove the verification of 
these attributes?


Thank you,
Rob Mottishaw





[Samba] LDAP errors with v3.0.34 using the LDAP schema file with Sun DS 5.2

2009-08-20 Thread Rob Mottishaw
Receive the following errors when users authenticate with LDAP schema 
file included with Sun DS 5.2:


ERROR<5897> - Schema  - conn=-1 op=-1 msgId=-1 - User error:  Entry 
"sambaDomainName=,??=???,??=???", attribute 
"sambapwdhistorylength" is not allowed
ERROR<5897> - Schema  - conn=-1 op=-1 msgId=-1 - User error:  Entry 
"sambaDomainName=,??=???,??=???", attribute 
"sambalockoutthreshold" is not allowed
ERROR<5897> - Schema  - conn=-1 op=-1 msgId=-1 - User error:  Entry 
"sambaDomainName=,??=???,??=???", attribute "sambamaxpwdage" is 
not allowed


The authentication is successful, yet these errors are logged multiple 
times.  Checked in the schema file for SAMBA 3.0.x sent with Sun DS 5.2, 
and indeed, the attributes sambapwdhistorylength, sambalockoutthreshold, 
and sambamaxpwdage are not among those listed in the schema file for 
SAMBA 3.0.x.  Is there an updated schema file or a way to configure the 
authentication to remove the verification of these attributes?


Thank you,
Rob Mottishaw


Re: [Samba] Tuning the performance of Samba over LAN network to improve I/O performance

2009-08-09 Thread Rob Shinn
On Wed, Aug 05, 2009 at 05:46:19PM -0700, Jeremy Allison wrote:
> On Wed, Aug 05, 2009 at 07:34:51PM -0500, Himanshu Thapar wrote:
> > Thank you. Okay, can you explain how I can go about with hdparm or
> > guide me to an appropriate link. Also how will this help me in diagnosing
> > the current problem?
 
The following thread on Ubuntu Forums is an excellent guide to hdparm:

http://ubuntuforums.org/archive/index.php/t-16360.html

Also, read the man page. 




Re: [Samba] Can SAMBA make a kerberos keytab on Solaris 10?

2009-03-18 Thread Rob LaRose


Hi Edward,

	Thanks for the link.  Creating a computer account & keytab on the  
Windows side and copying it back to the Solaris works for my other  
services (ssh, etc.) but net ads join clobbers the existing account  
and creates a new one which no longer matches the keytab.  Is there a  
way to get samba / net ads join to just use the existing kerberos  
setup / keytab and NOT try to create a new account?


--Rob

On Mar 18, 2009, at 4:56 PM, Edward Irvine wrote:


Rob,



Hi Samba people!

	I'm trying to use SAMBA (the version included with Solaris 10)  
with an AD.


	NET ADS JOIN works like a charm to create a computer object in the  
AD for the solaris machine, and SAMBA users are authenticating  
without a problem.  This is good.  HOWEVER -- I also need other  
protocols (including ssh and Xinet KA-Share) to authenticate users.


	As I understand it, SAMBA uses kerberos to authenticate against  
AD, so as long as everyone is using the same keytab file, I'd  
expect all to be well.  However, I find that when I do net ads join  
it doesn't create or modify a keytab file that I can find.  I have  
use kerberos keytab = true in my smb.conf file, but I can't see  
that it actually does anything.


	Can anyone steer me in the right direction here?  I've been  
chasing this for over a month.




The following is a little dated. But see the section in http://users.tpg.com.au/adsl95uc/gssapi-sol10/ 
that refers to "Windows Active Directory". This is how you get a  
valid /etc/krb5/krb5.keytab file onto your Solaris machine.


Note that you don't *have* to have a krb5.keytab file on your Solaris  
Servers to authenticate users, unless you want to do single sign on.


If you just want to have same sign on (same username, same password)  
then all the PAM stack needs is a correctly configured /etc/krb5/ 
krb5.conf file.


There is a section about building your own PAM/OpenSSH/Kerberos  
stack which you may be able to ignore.



--Rob










[Samba] Can SAMBA make a kerberos keytab on Solaris 10?

2009-03-18 Thread Rob LaRose

Hi Samba people!

	I'm trying to use SAMBA (the version included with Solaris 10) with  
an AD.


	NET ADS JOIN works like a charm to create a computer object in the AD  
for the solaris machine, and SAMBA users are authenticating without a  
problem.  This is good.  HOWEVER -- I also need other protocols  
(including ssh and Xinet KA-Share) to authenticate users.


	As I understand it, SAMBA uses kerberos to authenticate against AD,  
so as long as everyone is using the same keytab file, I'd expect all  
to be well.  However, I find that when I do net ads join it doesn't  
create or modify a keytab file that I can find.  I have use kerberos  
keytab = true in my smb.conf file, but I can't see that it actually  
does anything.


	Can anyone steer me in the right direction here?  I've been chasing  
this for over a month.


--Rob




Re: [Samba] Long printer name in CUPS not appear in Samba

2009-02-20 Thread Rob Shinn
Don't know if this helps, but you _can_ add a description in CUPS and
Samba clients will display it.

On 2/13/09, HB  wrote:
> Hi
>
> I have a Samba 3.2.7 acting as a PDC for files and printers sharing.
> All the print configuration is ok and network printers shared by Samba and
> managed by CUPS are working.
> Except that if I put a printer name longer than 15 characters in CUPS , it
> is not seen at all in samba . With less than 15 chars, it
> is ok, but since this is also the name that appears as the share , it could
> not be very practical for endusers .
>
> Is this 15 chars limit a normal behavior ? Is there a way to bypass it ?
>
> Thanks in advance
>
> Regards
>
> Henri
>
>

-- 
Sent from my mobile device


Re: [Samba] File locking problem involving Samba, Clearcase, and Cygwin

2009-02-06 Thread Rob Shinn
On Fri, Feb 6, 2009 at 1:23 PM, Kathy  wrote:

>
> # first statement is old and may not be obsolete but we still keep it
> just in case
> oplocks = no
> kernel oplocks = no
> level2 oplocks = no
>

If you have 'oplocks = no', then it doesn't matter what 'kernel oplocks' or
'level2 oplocks' are set to.  Samba will ignore them.

However, as shown below, we're seeing oplocks reported and I have no
> idea whether this is normal or not.  I asked a Clearcase support guy
> and he did not know (sigh).  So hence I'm hoping someone here has some
> experience with this.  Again, we ran this same sort of set up before
> with a Solaris Clearcase/Samba server and we didn't see these
> problems.  This may not be related to Clearcase at all and simply and
> issue of how file locking is working between RHEL 5.2 and Samba.  What
> exactly is a LEVEL_II oplock and why am I seeing these if I have Samba
> oplocks turned off?


level2 oplocks from smb.conf manpage:

Level2, or read-only oplocks allow Windows NT clients that have an oplock on
a file to downgrade from a read-write oplock to a read-only oplock once a
second client opens the file (instead of releasing all oplocks on a second
open, as in traditional, exclusive oplocks). This allows all openers of the
file that support level2 oplocks to cache the file for read-ahead only (ie.
they may not cache writes or lock requests) and increases performance for
many accesses of files that are not commonly written (such as application
.EXE files).

if oplocks = no, then the 'level2 oplocks' setting doesn't do anything.

Note that oplocks parameter should be set per share.  Please post the output
of your 'testparm' command.


Re: [Samba] complete newbie sid problems

2008-12-19 Thread Rob Shinn
Do you have a complete sambaDomain record in your LDAP and is it at
the root level of the LDAP structure?

On 12/19/08, Graham Seaman  wrote:
> Hi,
>
> I'm trying to set up samba with ldap authorization on a windows network.
> I have samba running on one linux host, and openldap on another. I have
> used smbldap-tools to populate my directory and used smbldap-useradd to
> create an initial testuser on the samba host. I can ssh in to the samba
> host as the testuser ok, and get in to the testuser directory (ie. there
> are no permission problems). But if I try to do `smbclient
> //DOMAIN/testuser -U testuser` I get 'tree connect failed:
> NT_STATUS_ACCESS_DENIED'. Looking at the samba log, I see:
>
>
> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
> init_sam_from_ldap: Entry found for user: testuser
> [2008/12/19 17:08:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
> init_group_from_ldap: Entry found for group: 513
> [2008/12/19 17:08:30, 0] passdb/passdb.c:lookup_global_sam_name(596)
> User testuser with invalid SID
> S-1-5-21-1306896613-1613859276-828620297-3000 in passdb
> [2008/12/19 17:08:30, 2] smbd/service.c:make_connection_snum(616)  user
> 'testuser' (from session setup) not permitted to access this share
> (testuser)
>
> net getlocalsid on the samba host gives:
> SID for domain DOMAIN is: S-1-5-21-1306896613-1613859276-828620297
>
> which matches the 'invalid SID' above. Looking in the ldap directory, I
> see the uidNumber for testuser is 1000. The smbldap-tools documentation
> say the algorithm to go from uid to sid is sid = 2 * uid + 1000, which
> also matches the 'invalid SID'.
>
> Any suggestions for what to do from here?
>
> Thanks
> Graham
>
>

-- 
Sent from my mobile device
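The comparison Graham does by hand (domain prefix of the rejected SID against `net getlocalsid`, and RID against the smbldap-tools rule sid = 2 * uid + 1000) as an added Python check, not code from the thread or from smbldap-tools; the log line, SIDs and uidNumber are the ones quoted above, and `rid_base` is assumed to be the default sambaAlgorithmicRidBase of 1000. When it returns no findings, as it does for the values in the post, the SID is arithmetically consistent and the passdb rejection has to come from somewhere else, which is why the reply asks about the sambaDomain record.

```python
"""Cross-check a Samba passdb user SID against the local domain SID and uidNumber.

Added example, not code from the thread or from smbldap-tools. It reproduces
the manual comparison in the post: domain prefix of the rejected SID versus
'net getlocalsid', and RID versus the smbldap-tools rule rid = 2*uid + 1000.
"""
import re

# NT domain SID: S-1-5-21-<a>-<b>-<c>[-<rid>]
_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$")
# smbd log line quoted in the post (it arrived wrapped in the mail).
_LOG_RE = re.compile(r"User (\S+) with invalid SID (S-1-5-21-[\d-]+) in passdb")


def split_sid(sid):
    """Return (domain_sid, rid); rid is None when sid is a bare domain SID."""
    m = _SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not an S-1-5-21 domain SID: {sid!r}")
    domain = "S-1-5-21-" + "-".join(m.group(1, 2, 3))
    rid = int(m.group(4)) if m.group(4) else None
    return domain, rid


def smbldap_rid(uid_number, rid_base=1000):
    """smbldap-tools' default uid->RID rule; rid_base is sambaAlgorithmicRidBase."""
    return 2 * uid_number + rid_base


def parse_invalid_sid_log(line):
    """Extract (user, sid) from an 'invalid SID ... in passdb' log line, or None.

    Whitespace is collapsed first so a line wrapped by a mailer still parses."""
    m = _LOG_RE.search(" ".join(line.split()))
    return (m.group(1), m.group(2)) if m else None


def check_user_sid(user_sid, local_domain_sid, uid_number, rid_base=1000):
    """Return a list of findings; an empty list means the SID is consistent."""
    findings = []
    domain, rid = split_sid(user_sid)
    local, local_rid = split_sid(local_domain_sid)
    if local_rid is not None:
        findings.append(f"local domain SID {local_domain_sid} carries a RID")
    if domain != local:
        findings.append(f"domain part {domain} differs from local SID {local}")
    if rid is None:
        findings.append("user SID has no RID")
    elif rid < rid_base:
        # Well-known RIDs live below the base (e.g. 513 = Domain Users,
        # the group seen in the post's log); a user must not collide there.
        findings.append(f"RID {rid} is below the algorithmic base {rid_base}")
    elif rid != smbldap_rid(uid_number, rid_base):
        findings.append(f"RID {rid} != 2*{uid_number}+{rid_base}")
    return findings


# Values quoted in the post (log line re-joined from its two mail lines).
LOG_LINE = ("User testuser with invalid SID "
            "S-1-5-21-1306896613-1613859276-828620297-3000 in passdb")
LOCAL_SID = "S-1-5-21-1306896613-1613859276-828620297"
TESTUSER_UID = 1000

if __name__ == "__main__":
    user, sid = parse_invalid_sid_log(LOG_LINE)
    print(user, check_user_sid(sid, LOCAL_SID, TESTUSER_UID) or "consistent")
```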


Re: [Samba] When to use WINS server in a home network?

2008-12-11 Thread Rob Shinn
Caveats--virtual machines doing nat are, by definition, on a separate
subnet.  And your friends can share without a hostname--just access by
IP address! (ACLs apply of course)

On 12/11/08, Uriel Avalos <[EMAIL PROTECTED]> wrote:
> @Rob@ - I was just thinking in terms of keeping it simple. One less thing I
> need to worry about. On top of that, my computers and
> any friend's computers will work right out the box (for the most part. I
> imagine, if my router doesn't know their hostname,
> they'll be able to browse but not share).
>
> @Doug@ - So going w/o a WINS server works even if I use different
> workgroups? Sweet...
>
> On Thu, Dec 11, 2008 at 10:55:39AM -0500, Rob Shinn wrote:
>> You shouldn't need one, but running one won't really hurt either.
>>
>> On 12/11/08, Uriel Avalos <[EMAIL PROTECTED]> wrote:
>> > Hi. All, I've been reading the docs but I'm not too sure when I should
>> > run a
>> > WINS server.
>> >
>> > Just to confirm, I only need a WINS server if I have more than one
>> > workgroup? or more than one subnet?
>> > Otherwise the DNS server should be sufficient, right? (My router uses
>> > static
>> > dhcp to keep track of hostnames for each machine.)
>> >
>> > My home network:
>> > * User-level security
>> > * 3 linux boxes with 2 windows machines -- the 3 linux boxes file
>> > sharing
>> > with samba
>> > * All machines in one workgroup
>> > * All machines in one subnet
>> >
>> >
>>
>> --
>> Sent from my mobile device

-- 
Sent from my mobile device


Re: [Samba] Multi OS boot and shared secret trouble

2008-12-11 Thread Rob Shinn
There are no options that aren't a security nightmare other than using
different hostnames for each OS.

On 12/11/08, Frank Bonnet <[EMAIL PROTECTED]> wrote:
> Hello
>
> We are facing an annoying problem with multi-OS boot machines
> that access our samba server.
>
> All machines authenticate to the samba PDC (Linux Debian etch + Windows).
>
> It appears that when the machines boot up under Windows, the shared secret
> is changed by Windows.
>
> If we reboot the same machine under Linux it cannot authenticate
> anymore because Linux does NOT change the shared secret ...
>
> The machines have the same hostname/IP address under Linux and Windows ...
>
> Anyone knows a workaround/option ?
>
> Thanks
>
> --
> Cordialement
> Frank Bonnet
> ESIEE Paris

-- 
Sent from my mobile device


Re: [Samba] When to use WINS server in a home network?

2008-12-11 Thread Rob Shinn
You shouldn't need one, but running one won't really hurt either.

On 12/11/08, Uriel Avalos <[EMAIL PROTECTED]> wrote:
> Hi. All, I've been reading the docs but I'm not too sure when I should run a
> WINS server.
>
> Just to confirm, I only need a WINS server if I have more than one
> workgroup? or more than one subnet?
> Otherwise the DNS server should be sufficient, right? (My router uses static
> dchp to keep track of hostnames for each machine.)
>
> My home network:
> * User-level security
> * 3 linux boxes with 2 windows machines -- the 3 linux boxes file sharing
> with samba
> * All machines in one workgroup
> * All machines in one subnet
>

-- 
Sent from my mobile device


Re: [Samba] Connectivity issues

2008-12-10 Thread Rob Shinn
Sounds like something at the physical layer.  Try a different NIC on
the server.  Run some network diagnostics.

On 12/10/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Yes, it's reliable and Samba is working on another machine just fine. That
> box is running Samba 3.0.20 on Slackware.  This is 3.2.5 on Ubuntu. 8.10
>
> I've done some further testing and it's affecting all OS's (Linux
> included), not just Vista.  Now it seems that if I don't use the share
> for 4 or 5 minutes, it becomes inactive and I'm unable to reconnect using
> the name.. however, I can reconnect via the IP.  Then, after another
> period of 4 or 5 minutes of inactivity, the connection is lost and I have
> to reconnect via the name.
>
> This is really beginning to drive me nuts.. anyone have any ideas?
>
> Thanks!
> - Matt
>
>
> Jeremy Allison <[EMAIL PROTECTED]> wrote on 12/09/2008 07:55 PM (Re: [Samba] Connectivity issues):
>
> On Tue, Dec 09, 2008 at 11:20:42AM -0600, [EMAIL PROTECTED] wrote:
>> Samba 3.2.5
>>
>> I'm running into an issue when using Vista to access Samba shares.  I'm
>> able to connect intermittently and it stays connected for a brief period
>> of time (under 60 seconds) before I get the following error on the Vista
>> box:
>>
>> "Network path was not found"
>>
>> In syslog it shows:
>>
>> [begin]
>> [2008/12/09 11:09:03,  2] auth/auth.c:check_ntlm_password(308)
>>   check_ntlm_password:  authentication for user [matt] -> [matt] -> [matt]
>> succeeded
>>
>> [2008/12/09 11:09:03,  1] smbd/service.c:make_connection_snum(1190)
>>   mpc (10.0.0.58) connect to service data initially as user matt
>> (uid=1005, gid=1006) (pid 19637)
>>
>> [2008/12/09 11:11:02,  0] lib/util_sock.c:read_socket_with_timeout(939)
>>
>> [2008/12/09 11:11:02,  0] lib/util_sock.c:get_peer_addr_internal(1607)
>>   getpeername failed. Error was Transport endpoint is not connected
>>   read_socket_with_timeout: client 0.0.0.0 read error = Connection reset
>> by peer.
>
> This means the client disconnected. We (smbd) don't know
> why. Do you have a reliable network ?
>
> Jeremy.

-- 
Sent from my mobile device


Re: [Samba] Groups not showing in Win2K Control Panel "Users and Passwords"

2008-08-06 Thread Rob Shinn

On Tue, August 5, 2008 8:54 pm, Chris wrote:
> This used to work.
>
> "net groupmap list" shows that the mapping is there, and the SID looks
> correct.
>
> When I check the user after logging into the Windows 2000 workstation
> with WHOAMI.EXE /GROUP the DOMAIN\Admins group is listed, but when I
> log in as the workstation's local administrator to map the group to
> Administrators, I select the domain, and I get a list of users which
> appears to be complete, but there are no groups.  When I manually type
> in DOMAIN\Admins in the lower section, Windows says the group cannot
> be found.

Have you tried re-joining the Windows 2000 workstation to the domain (i.e.,
take it out of the domain, and then join it to the domain again)?  That
seems to clear up weird problems with Windows 2000 for me.

-- 
For a good laugh, call (202) 456-1414



Re: [Samba] Samba & Vista [SOLVED]

2008-08-06 Thread Rob Shinn


On Tue, August 5, 2008 8:12 pm, Michael Heydon wrote:
> This is what happens when you rename a user, it is the same in XP and
> probably 2k as well. The only way that I know of to really change a

No, this does not happen on Windows 2000.  Note that I'm still running
Windows 2000 because it runs very nicely under virtualization with only
256 MB allocated to the VM. ;)

-- 
For a good laugh, call (202) 456-1414





[Samba] Samba/Linux CIFS client symlinks cause freeze

2008-08-05 Thread Rob Shinn
Symlinks are causing the Linux CIFS v1.47 client to fail with
Samba 3.0.24 with Unix Extensions turned on.  The messages I am getting
in the syslog are:


Jul 30 21:22:05 dagda kernel: [88044.98]  CIFS VFS: server not responding
Jul 30 21:22:05 dagda kernel: [88044.98]  CIFS VFS: server not responding
Jul 30 21:22:05 dagda kernel: [88044.98]  CIFS VFS: No response for cmd 50 mid 8596
Jul 30 21:22:05 dagda kernel: [88044.98]  CIFS VFS: No response for cmd 162 mid 8597
Jul 30 21:22:05 dagda kernel: [88044.98]  CIFS VFS: No response for cmd 50 mid 8593
Jul 30 21:22:05 dagda kernel: [88044.98]  CIFS VFS: No response for cmd 162 mid 8601
Jul 30 21:22:05 dagda kernel: [88044.98]  CIFS VFS: No response for cmd 117 mid 8600
Jul 30 21:22:05 dagda kernel: [88044.98]  CIFS VFS: No response for cmd 162 mid 8599
Jul 30 21:22:08 dagda kernel: [88048.416000]  CIFS VFS: No response for cmd 162 mid 8598
Jul 30 21:22:08 dagda kernel: [88048.416000]  CIFS VFS: No response for cmd 162 mid 8588


Has anyone seen this sort of thing before?



[Samba] msdfs root = yes is the default???

2008-07-28 Thread Rob Shinn

Why is it that when you create a share, the default is 'msdfs root = yes'?
Also, why is it that a share that is set 'msdfs root = yes' -- or, rather,
a share that does /not/ set 'msdfs root = no' -- advertises that it is a
DFS root to the Linux CIFS client, /even/ when 'host msdfs = no'?  This
sounds like A) a bug (ignoring 'host msdfs'), and B) a misfeature (msdfs
root should probably /not/ default to yes).


Re: [Samba] Samba & AutoCAd 2005

2008-06-05 Thread Rob Shinn
Hi everyone--

I've worked with many, many CAD, CAM and PLM products including AutoCAD,
CATIA, I-DEAS, UG/NX, 3DStudio Max, Teamcenter, etc. for many, many years
and consider myself to be an expert in performance, scalability and
reliability of these systems.

Most likely, your problems are not specifically related to Samba and are
related to network issues.  A good way to track down these types of issues
would be to set up a test network with identical server and client
configurations to what you use in production.  Set Samba's debug level to
at least 3 or 4 and start watching the logs as you run various test
scenarios.  Also, try watching the event viewer on the Windows clients.

If you're not sure what to look for, post some log excerpts and your
smb.conf up on the list and many people here, myself included, should be
able to tell you what's going on.


Re: [Samba] Grant or deny internet access based on Samba domain logon?

2008-06-03 Thread Rob Shinn
On Tue, Jun 3, 2008 at 5:31 AM, Fabio Muzzi <[EMAIL PROTECTED]> wrote:

>
> When a user logs on, I would like to run a script that modifies firewall
> rules based on the group that the user belongs to (this determines if he
> has internet access or not) and based on the workstation's IP address
> (so I know which IP address to grant internet access to).
>

Probably, despite what you say about them, preexec/postexec and/or
root preexec/root postexec are your best bets.  You may have to do something
to prevent the clients from disconnecting these shares in the middle of a
session -- there's probably something you can do with policies and whatnot,
but I'm not an expert in client configuration.

You could use the logon script, but that would have to trigger something
else that ran the actual iptables script, maybe some daemon could monitor a
socket and wait for some sort of signal to trip off the iptables script?
But then there is no 'logoff' script, and so you would have to use smbstatus
in a cronjob and wait till the user no longer appeared in the list perhaps
to trip the iptables rule change.

Maybe the easiest way to do what you want is to segregate the users by VLAN
-- users allowed to connect to the Internet get put on one VLAN and users
that can't get put on another VLAN.  Then you only have one rule to rule them
all!
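
The preexec/postexec route Rob sketches, written out as an added example (not Samba's code and not anything posted in the thread). Samba's %U (user name) and %I (client IP address) substitutions and the `root preexec` / `root postexec` share options are real; the script path, the Unix group that is allowed out and the iptables chain name are assumptions. The security point a practitioner wants here is that both values arrive from a client-driven session, so the helper validates them and runs iptables with an argument vector, never through a shell.

```python
"""Hypothetical root preexec/postexec helper for the approach sketched above.
Added example, not code from Samba or from anyone in the thread.  Samba's
%U (user name) and %I (client IP address) substitutions are real; everything
else (the script path, the Unix group that is allowed out, the chain name) is
an assumption.  Wiring assumed in smb.conf, on a share every client maps at
logon:

    [netlogon]
        root preexec  = /usr/local/sbin/inet-gate.py add %U %I
        root postexec = /usr/local/sbin/inet-gate.py del %U %I

Once the chain exists (iptables -N INET_GATE; iptables -I FORWARD -j INET_GATE)
a connect adds an ACCEPT for the workstation and the disconnect removes it.
"""

import grp
import ipaddress
import re
import subprocess
import sys

INET_GROUP = "internet"   # assumption: members of this Unix group may reach the Internet
CHAIN = "INET_GATE"       # assumption: user-defined chain jumped to from FORWARD
USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")   # conservative Unix user name shape


def members_of(group):
    """Unix group membership (tests pass their own set instead)."""
    try:
        return set(grp.getgrnam(group).gr_mem)
    except KeyError:
        return set()


def build_rule(action, user, client_ip, members=None):
    """Return the iptables argv for this connect/disconnect, or None when the
    user is not entitled and nothing should change.

    Both values come straight from Samba's substitutions, so they are
    validated rather than trusted: the user name must match a conservative
    pattern and the address must parse.  Returning an argv (no shell) means a
    hostile value can at worst fail validation, never inject options."""
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    if not USER_RE.match(user):
        raise ValueError(f"refusing suspicious user name {user!r}")
    ip = ipaddress.ip_address(client_ip)      # ValueError on anything that is not an address
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"{client_ip} is not a workstation address")
    allowed = members_of(INET_GROUP) if members is None else members
    if user not in allowed:
        return None                           # default policy keeps this client off
    binary = "ip6tables" if ip.version == 6 else "iptables"
    flag = "-A" if action == "add" else "-D"  # -D with the identical spec removes it again
    return [binary, flag, CHAIN, "-s", str(ip),
            "-m", "comment", "--comment", f"smb:{user}", "-j", "ACCEPT"]


def main(argv):
    if len(argv) != 4:
        sys.stderr.write("usage: inet-gate.py add|del USER CLIENT_IP\n")
        return 2
    try:
        rule = build_rule(argv[1], argv[2], argv[3])
    except ValueError as exc:
        sys.stderr.write(f"inet-gate: {exc}\n")
        return 1
    if rule is None:
        return 0
    return subprocess.run(rule, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats follow from Rob's own remarks: the postexec only fires when the client drops the share, and Windows tears down idle sessions on its own, so the rule can disappear mid-browse; and the rule keys on the workstation address, so anyone else behind that address inherits the access for as long as it stands.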


Re: [Samba] Help - Cross-Subnet Browsing with OpenVPN

2008-06-02 Thread Rob Shinn
Copied to list. (Forgot to hit 'Reply All')

On Mon, Jun 2, 2008 at 3:02 PM, Rob Shinn <[EMAIL PROTECTED]> wrote:

>
> I can ping each server's IP from the other server.  The following nmblookup
>> commands both work:
>
>
> Hi, Misty:
>
> The all-important question is not whether you can ping each server's IP
> address from the other server, but whether you can ping each server *by* *name*
> from the other.  In other words, can you type 'ping corpsrv' from furnsrv and
> get a response?
>
> In order for cross-subnet browsing to work, it is /essential/ that this
> work. The easiest way to get this working if you don't already have a DNS
> server is to add CORPSRV and FURNSRV to each machine's /etc/hosts file.


Re: [Samba] Migration from Ldap to Samba+Ldap

2008-05-30 Thread Rob Shinn
On Fri, May 30, 2008 at 3:12 PM, Charlie <[EMAIL PROTECTED]> wrote:

> When I converted our networks to samba a decade or more ago, I started
> out by trying to crack all our user passwords by brute force, but I
> could only get about 90% of them in any reasonable time frame.  So,


Wow.  *Only* 90%.  Did the security admin have a cow?  Perhaps your password
policies were too lax?

> instead, we modified our password changing process to produce the NT
> and LM hashes as well as the MD5 hashes and made all our users
> passwords expire over the course of the next two weeks.


Maybe it should be mentioned that this can be accomplished with the 'unix
password sync = yes' if you are using pam_ldap on your Samba server.
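
The hook Charlie describes, producing Samba's hash at password-change time instead of cracking the existing ones, as an added example (not code from the thread or from Samba). The NT hash is MD4 over the UTF-16LE encoding of the password, which is exactly what Samba keeps in the sambaNTPassword attribute; a change-password process that has the cleartext can compute it directly. A pure-Python MD4 is included because hashlib's md4 is frequently missing on OpenSSL 3 builds. The LM hash is deliberately not generated: it upper-cases the password and splits it into two 7-byte DES keys, and a migration is the moment to stop storing it (Samba can refuse it with `lanman auth = no`). The DN in the LDIF helper is a placeholder the caller supplies.

```python
"""NT hash generation for an LDAP-to-Samba migration, as an added example
(not code from the thread or from Samba).  Samba stores the NT hash, MD4 over
the UTF-16LE form of the password, in the sambaNTPassword attribute; a
password-change hook that has the cleartext can compute it directly instead
of cracking the existing crypt/MD5 hashes.  The MD4 below follows RFC 1320 and
is used when hashlib has no md4 (OpenSSL 3 moves it to the legacy provider).
The LM hash is deliberately not produced: it upper-cases the password and
splits it into two 7-byte DES keys, and nothing modern needs it."""

import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); returns the 16-byte digest."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    # pad: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    r2_order = [(i % 4) * 4 + i // 4 for i in range(16)]            # 0,4,8,12,1,5,...
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    rounds = [(f, range(16), 0x00000000, (3, 7, 11, 19)),
              (g, r2_order, 0x5A827999, (3, 5, 9, 13)),
              (h, r3_order, 0x6ED9EBA1, (3, 9, 11, 15))]

    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, const, shifts in rounds:
            for i, k in enumerate(order):
                # RFC 1320 writes each step on a rotated (a,b,c,d); rotating the
                # variables after every step reproduces that schedule.
                a = _rotl(a + func(b, c, d) + x[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Upper-case hex NT hash, the form Samba keeps in sambaNTPassword."""
    raw = password.encode("utf-16le")
    try:
        digest = hashlib.new("md4", raw).digest()
    except ValueError:               # md4 unavailable in this OpenSSL build
        digest = md4(raw)
    return digest.hex().upper()


def samba_ldif(dn: str, password: str) -> str:
    """LDIF modify fragment a change-password hook could feed to ldapmodify.
    The dn is whatever the directory uses (placeholder); the attribute name
    is Samba's.  No sambaLMPassword is written on purpose."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: sambaNTPassword\n"
            f"sambaNTPassword: {nt_hash(password)}\n")


if __name__ == "__main__":
    # Constructed DN; the well-known NT hash of "password" is printed below.
    print(samba_ldif("uid=alice,ou=People,dc=example,dc=com", "password"))
```

Anything that can see the cleartext at change time (a PAM module, a web form, a passwd wrapper) can produce this value, which is why the expire-everyone-and-let-them-change route works without ever cracking a hash; the hook must of course run with the same care as the password change itself, since the NT hash is password-equivalent for SMB.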


Re: [Samba] NetBIOS Hostname

2008-05-30 Thread Rob Shinn
On Fri, May 30, 2008 at 1:54 PM, William W. Hammond <[EMAIL PROTECTED]>
wrote:

> I was setting up Samba on an OpenSuSE 10.3 i386 computer.
>
> At the last minute I decided to enter a NetBIOS Hostname, big mistake.


While this may be a question better suited to the OpenSUSE list than this
one, you entered a NetBIOS hostname where?  In YaST?

>
> A message popped up warning me that entering a NetBIOS Hostname would
> create a new UID and Clients may no longer be able to connect.
> The Message was correct


What clients are no longer able to connect? Samba clients?  Or some other
clients?


Re: [Samba] Unable to browse share from WinXP

2008-05-09 Thread Rob Sharp

SWAT reports it as version 3.0.20.

I am a relative novice on Samba configuration, and have only used SWAT 
to create the share.


Rob

Volker Lendecke wrote:
> On Fri, May 09, 2008 at 11:15:28AM +0100, Rob Sharp wrote:
>> Is there something special you have to configure server-side for WinXP
>> machines to access the share reliably? I've tried restarting the Samba
>> services but it appears to have made no difference.
>
> What Samba version?
>
> Volker



[Samba] Unable to browse share from WinXP

2008-05-09 Thread Rob Sharp

Morning all,

I have a Samba share defined on a Sco Openserver 6 machine.

The share is read-only and uses the guest account to read the files on 
the unix server. We intend to use this share to backup some data held 
on the machine.


From my Windows 2000 SP4 workstation I can browse to the machine on 
the network, see the share, navigate into the share and the numerous 
subfolders of the server. Response times and directory listing are fast.


From a Windows XP, Vista or 2003 machine I can browse to the machine 
and see the share. I can navigate into the top level directory of the 
share with no issues, but when I try to go into subdirectories the 
explorer windows on the PC goes into a 'Not Responding' state.


Occasionally you can navigate a folder or two down, but invariably you 
will get a Not Responding explorer window after a few folders.


Is there something special you have to configure server-side for WinXP 
machines to access the share reliably? I've tried restarting the Samba 
services but it appears to have made no difference.


Rob


Fwd: [Samba] Files over 4GB not listing properly. Cannot get CIFSworking.

2008-05-06 Thread Rob Shinn
-- Forwarded message --
From: Rob Shinn <[EMAIL PROTECTED]>
Date: Tue, May 6, 2008 at 2:57 PM
Subject: Re: [Samba] Files over 4GB not listing properly. Cannot get
CIFSworking.
To: Matt Boyle <[EMAIL PROTECTED]>




> > Also, I cannot mount the samba share using CIFS.  I use the line
> >
> > mount -t smbfs //server/share/ path/to/local/ -o user=u,pass=p,lfs
> >
> > to mount with SMBFS, and it works correctly, just doesn't display the
> large files.
> > However, when using the following:
> >
> > mount -t smbfs //server/share/ path/to/local/ -o user=u,pass=p,lfs
>

I'm assuming you mean you get the "mount error 5" when you use


mount -t cifs //server/share/ path/to/local/ -o user=u,pass=p,lfs

Do you have an executable named mount.cifs in /sbin or /usr/sbin on the
client?

If not, you'll need to install CIFS VFS on the client.  You may need to
install kernel patches to make this happen.

