Re: [Samba] windows 7 machine account fails to authenticate against samba PDC
On 06/22/2011 12:31 AM, mrArcabuz wrote:

Hi, it's been a while since the original message appeared, but here's my experience in case someone finds it useful: [...] I changed the machine account name to uppercase in the passwd shadow files and the message does not appear anymore in the logs. This would explain why it's not an issue on an LDAP backend, as the uid there is case insensitive.

I have experienced the same issue with the same configuration (PDB backend, no LDAP) and I can confirm that /etc/passwd entries created by adding machines to domain (via the add machine script) show an UPPERCASE name in Samba (that is, when I issue a pdbedit -L command) but a lowercase name in /etc/passwd, resulting in errors being logged when the machine connects to Samba because its username (uppercase) cannot be found in /etc/passwd (where it is written in lowercase).

The workaround is in fact to edit /etc/passwd to set the machines' usernames to uppercase.

I don't understand why and when this behaviour changed. I have a very old Samba installation that shows the older machine entries in PDB file being lowercase, as in this example:

#pdbedit -L
...
nb-gmg$:1051:NB-GMG$
...

and other entries in the same PDB file being all uppercase, like this:

NOTEBOOK-FLAVIA$:4294967295:NOTEBOOK-FLAVIA$

Since all of the /etc/passwd file entries are lowercase, the second example (NOTEBOOK-FLAVIA$) does not authenticate correctly. You can also see that the output of the pdbedit -L command reports a wrong unix UID (4294967295) for the uppercase entry, because it cannot find it in /etc/passwd (being lowercase in passwd).

If I edit /etc/passwd and set the username in uppercase there, then everything works, and also the unix UID shown by pdbedit -L is correct.

--
Fabio Kurgan Muzzi - IZ4UFQ - Ginn!
Optimism is the scent of that babe of a sister of yours! You too, run to UniEuro! There are radios that perspire, dogs from another galaxy!!!
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
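The mismatch described in the message above can be found mechanically by comparing pdbedit -L output with /etc/passwd using an exact, case-sensitive match. This is an added example, not code from the original post or from Samba; the function names are hypothetical, and the sample data is constructed from the two entries quoted above plus invented lines (the alice user, UID 1052 and the OLD-PC$ account are made up for illustration).

```python
"""Cross-check Samba passdb machine accounts against /etc/passwd, case-sensitively."""

# (uid_t)-1, the value pdbedit -L printed for the unresolved entry in the message above
UNRESOLVED_UID = 4294967295


def parse_pdbedit_list(text):
    """Parse `pdbedit -L` lines (name:uid:full name) into (name, uid) pairs."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":", 2)
        if len(fields) >= 2 and fields[1].isdigit():
            accounts.append((fields[0], int(fields[1])))
    return accounts


def parse_passwd(text):
    """Return {login name: uid} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def check_machine_accounts(pdbedit_text, passwd_text):
    """Report machine accounts (names ending in $) with no exact-case passwd entry."""
    users = parse_passwd(passwd_text)
    folded = {}
    for name in users:
        folded.setdefault(name.lower(), []).append(name)

    findings = []
    for name, uid in parse_pdbedit_list(pdbedit_text):
        if not name.endswith("$"):
            continue  # ordinary user, not a machine trust account
        if name in users and users[name] == uid:
            continue  # exact-case match with the same UID: consistent
        if name in users:
            status, candidates = "uid-differs", [name]
        else:
            # Same name under a different case is the situation from the thread.
            candidates = sorted(folded.get(name.lower(), []))
            status = "case-mismatch" if candidates else "missing"
        findings.append({
            "account": name,
            "status": status,
            "passwd_candidates": candidates,
            "uid_unresolved": uid == UNRESOLVED_UID,
        })
    return findings


# Constructed sample: the two machine entries come from the message above,
# everything else is invented for the example.
SAMPLE_PDBEDIT = """\
alice:1000:Alice Example
nb-gmg$:1051:NB-GMG$
NOTEBOOK-FLAVIA$:4294967295:NOTEBOOK-FLAVIA$
OLD-PC$:4294967295:OLD-PC$
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice Example:/home/alice:/bin/bash
nb-gmg$:x:1051:1050:Machine:/dev/null:/bin/false
notebook-flavia$:x:1052:1050:Machine:/dev/null:/bin/false
"""

if __name__ == "__main__":
    for finding in check_machine_accounts(SAMPLE_PDBEDIT, SAMPLE_PASSWD):
        print(finding)
```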
Re: [Samba] PDC: System SID missing / inconsistent with domain SID
I've recently come across the same situation, while migrating a 3.0.33 PDC host to 3.6.9. I had renamed the old host some time ago from LANYARD to TACS-DC. The old host still functions fine, except for not being able to get its own SID.

Old DC host:

[root@tacs-dc samba]# net getdomainsid
Could not fetch local SID
[root@tacs-dc samba]# tdbdump secrets.tdb
{ key(19) = SECRETS/DOMGUID/R3I data(16) = \DF\DDA\01\F62\8CG\A8\80\B4\1CFM\1D\0B }
{ key(19) = SECRETS/SID/LANYARD data(68) = \01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...) }
{ key(15) = SECRETS/SID/R3I data(68) = \01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...) }
[root@tacs-dc samba]# net rpc trustdom list -U shubes
Password:
Trusted domains list:
none
Trusting domains list:
none
[root@tacs-dc samba]#

I've migrated everything (accounts, tdb files) to a new host, and changed the LANYARD record to TACS-DC in the secrets.tdb, which corresponds to the new hostname:

[root@tacs-dc private]# net getdomainsid
SID for local machine TACS-DC is: S-1-5-21-93357678-3857568473-1617xx
SID for domain R3I is: S-1-5-21-93357678-3857568473-1617xx
[root@tacs-dc private]# tdbdump secrets.tdb
{ key(19) = SECRETS/DOMGUID/R3I data(16) = \DF\DDA\01\F62\8CG\A8\80\B4\1CFM\1D\0B }
{ key(19) = SECRETS/SID/TACS-DC data(68) = \01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...) }
{ key(15) = SECRETS/SID/R3I data(68) = \01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...) }
[root@tacs-dc private]# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
[root@tacs-dc private]#

Everything appears to be working, except that the new host isn't recognized as a domain controller. Note that workstations are able to log on to the domain using the new DC host though.

I'm guessing that adding a TACS-DC record to the old host would fix the problem of not being able to get its SID.

I'm also guessing that adding a LANYARD record to the new host *might* make it recognize that it's a domain controller. I hope to test this later today, when users are gone.

It appears to me that the original host name which created the domain is stored in some way somewhere else (I see it in the USER_ records in the passdb.tdb file). If so, can this somehow be changed?

The documentation I've found all says how to migrate to another host keeping the host name the same, but I haven't been able to find anything about changing the host name.

Does anyone have any other ideas why this new host isn't being recognized as a DC?

Thanks.

--
-Eric 'shubes'

On 04/29/2010 03:08 AM, Frank Stanek wrote:

Hello,

I recently noticed a problem on our PDC (samba 3.0.32 on SLES 10 SP2) which I kind of know how to solve after web research but I am unclear about the possible consequences for our domain and clients.

The situation is this: Originally samba was set up on this machine to test. Back then its hostname was infrahostnew, so there is a SID for that NETBIOS name in secrets.tdb. When the PDC went in production, we had to change the hostname to infrahost. We then provisioned our domain MYDOMAIN. Now there is also a SID for MYDOMAIN in secrets.tdb which is different than the SID of infrahostnew. Also there is no SID at all for the new NETBIOS name infrahost. This causes for example net getlocalsid to fail.

My research suggests that the NETBIOS name SID of the PDC infrahost should be the same as the domain SID, is that correct? Also, I found an article that dealt with inconsistent SIDs; it suggested to set the NETBIOS SID to be the same as the domain SID. But this article dealt with the case that there actually _is_ a NETBIOS SID in secrets.tdb but it's not the same as the domain SID. This is not our case however since there is no SID at all for the NETBIOS name.

We haven't noticed any problems because of this at all, I just stumbled upon it when I went to check the SIDs routinely.

How would you suggest I proceed in this situation? Should we set the NETBIOS SID to be the same as the domain SID with net setlocalsid? What possible consequences could there be? We are very concerned that this may introduce problems for our clients that we don't have at the moment. But I wouldn't like to keep things in an inconsistent state like this either.

I'd be glad for any insights.

Regards
Frank
Re: [Samba] PDC: System SID missing / inconsistent with domain SID
On 08/26/2013 01:21 PM, Eric Shubert wrote:

I'm guessing that adding a TACS-DC record to the old host would fix the problem of not being able to get its SID.

This appears to work now.

I'm also guessing that adding a LANYARD record to the new host *might* make it recognize that it's a domain controller. I hope to test this later today, when users are gone.

This didn't appear to help. The new DC still doesn't recognize itself as a DC:

# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
#

I do have the SID of the domain/host that was created by this host. I wonder if restoring those records in secrets.tdb, then using the net command to change the SID of the domain and host might fix things up.

Does the net setdomainsid command do anything more than change the value of the record in the tdb file? If it does, that could be a solution.

Anyone have any insight about how to go about changing the host name of a domain controller (while migrating it)?

Thanks.

--
-Eric 'shubes'
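The secrets.tdb inconsistencies discussed in this thread (no SID record for the current NetBIOS name, a leftover record for the old name, a host SID that differs from the domain SID) can be checked offline from saved tdbdump output. This is an added example, not part of the original posts or of Samba, and its function names are hypothetical. It assumes tdbdump's line-per-field output with quoted values, the 68-byte SID layout visible in the dumps above (revision, sub-authority count, 6-byte authority, little-endian 32-bit sub-authorities), and that on a PDC the host SID equals the domain SID as in the net getdomainsid output above; all SIDs in the sample are constructed.

```python
import re
import struct

SID_KEY_PREFIX = "SECRETS/SID/"
# tdbdump prints one key(N) = "..." line and one data(N) = "..." line per record.
RECORD_LINE = re.compile(r'^(key|data)\((\d+)\) = "?(.*?)"?$')


def tdb_unescape(text):
    """Undo tdbdump escaping: a backslash plus two hex digits is one byte."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def decode_sid(raw):
    """Decode the binary SID layout assumed above into S-1-... notation."""
    if len(raw) < 8 or raw[1] > 15 or len(raw) < 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID record")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)


def parse_sid_records(dump):
    """Return {NAME: 'S-1-...'} for every SECRETS/SID/<NAME> record in the dump."""
    records, key = {}, None
    for line in dump.splitlines():
        m = RECORD_LINE.match(line.strip())
        if not m:
            continue
        kind, length, value = m.group(1), int(m.group(2)), m.group(3)
        if kind == "key":
            key = value
        elif key is not None and key.startswith(SID_KEY_PREFIX):
            raw = tdb_unescape(value)
            if len(raw) != length:
                raise ValueError("declared length mismatch for " + key)
            records[key[len(SID_KEY_PREFIX):]] = decode_sid(raw)
    return records


def check_pdc_sids(dump, netbios_name, domain):
    """List (finding, name) pairs for the SID problems discussed in the thread."""
    sids = parse_sid_records(dump)
    host, dom = netbios_name.upper(), domain.upper()
    findings = []
    if dom not in sids:
        findings.append(("missing-domain-sid", dom))
    if host not in sids:
        findings.append(("missing-host-sid", host))
    elif dom in sids and sids[host] != sids[dom]:
        findings.append(("host-domain-sid-mismatch", host))
    for name in sorted(sids):
        if name not in (host, dom):
            findings.append(("stale-record", name))  # e.g. the pre-rename hostname
    return findings


def make_dump(entries):
    """Build tdbdump-style text from {NAME: SID}; used only for the constructed samples."""
    blocks = []
    for name, sid in entries.items():
        rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
        raw = bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
        raw += struct.pack("<15I", *subs, *[0] * (15 - len(subs)))
        data = "".join(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C)
                       else "\\%02X" % b for b in raw)
        key = SID_KEY_PREFIX + name
        blocks.append('{\nkey(%d) = "%s"\ndata(%d) = "%s"\n}'
                      % (len(key), key, len(raw), data))
    return "\n".join(blocks)


# Constructed SIDs; the record names follow the 2010 message quoted above.
OLD_TEST_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_SID = "S-1-5-21-4000000001-4000000002-4000000003"
RENAMED_DUMP = make_dump({"INFRAHOSTNEW": OLD_TEST_SID, "MYDOMAIN": DOMAIN_SID})
CONSISTENT_DUMP = make_dump({"INFRAHOST": DOMAIN_SID, "MYDOMAIN": DOMAIN_SID})

if __name__ == "__main__":
    print(check_pdc_sids(RENAMED_DUMP, "infrahost", "MYDOMAIN"))
    print(check_pdc_sids(CONSISTENT_DUMP, "infrahost", "MYDOMAIN"))
```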
Re: [Samba] Replication Samba PDC to Samba BDC
On 6/3/2013 11:57 PM, Giedrius wrote:

Hi,

2013.06.04 04:16, David González Herrera - [DGHVoIP] wrote:

Hi,

Let's see if any of the questions gets answered or at least I get pointed to something that can help me.

I followed this wiki: http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

I have my S4 domain running, I compiled and installed another S4 to replicate the first server and joined successfully to the domain but replication seems to be broken.

Command used:

root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator --realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mundo.local'
Found DC samba.mundo.local
workgroup is mundo
realm is mundo.local
checking sAMAccountName
Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Adding CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Setting account password for BDC$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=mundo,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=mundo,DC=local
Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=mundo,DC=local
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as a DC

Seemed to have succeeded, then I ran the recommended tests

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
# record 2
dn: CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f
# returned 2 records
# 2 entries
# 0 referrals

These tests run from the BDC seem to work.

host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias for samba.mundo.local.
host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias for bdc.mundo.local.
root@bdc:~# host -t A bdc.mundo.local.
bdc.mundo.local has address 10.10.10.20
root@bdc:~# host -t A samba.mundo.local.
samba.mundo.local has address 10.10.10.5

Error showing up on the BDC

dns child failed to find name 'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
dreplsrv_notify: Failed to send DsReplicaSync to ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for CN=Configuration,DC=mundo,DC=local - *NT_STATUS_OBJECT_NAME_NOT_FOUND : WERR_BADFILE *

Did you AT LEAST search the mailing list???

Check if ping (or any program using GLIBC's *NSS* DNS resolver) can resolve your 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local name

Yes I searched the ML with no luck.

Yes, I did and it works, I had to add 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local to /etc/hosts and it works. So I think it's a DNS issue.

Thanks for your answer.

I tried to check replication status but this error shows

root@bdc:~# samba-tool drs showrepl
Default-First-Site-Name\BDC
DSA Options: 0x0001
DSA object GUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
DSA invocationId:
Re: [Samba] Replication Samba PDC to Samba BDC
2013.06.04 09:10, David González Herrera - [DGHVoIP] wrote:

[...] Yes, I did and it works, I had to add 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local to /etc/hosts and it works. So I think it's a DNS issue.

Not exactly, as I wrote in my other posts to mailing list, this is glibc's nss dns resolvers'
Re: [Samba] Replication Samba PDC to Samba BDC
On 6/4/2013 1:28 AM, Giedrius wrote:

[...] Not exactly, as I wrote in my other posts to mailing list, this is glibc's nss dns resolvers' (libnss_dns.so) issue that is ignoring hostnames with _
Re: [Samba] Replication Samba PDC to Samba BDC
@Giedrius

Not exactly, as I wrote in my other posts to mailing list, this is glibc's nss dns resolvers' (libnss_dns.so) issue that is ignoring hostnames with _ (*_*msdcs)

Which OS's does that affect?

@David, Is your nameserver (in /etc/resolv.conf) on dcA ip.to.dc.a and on dcB ip.to.dc.b? If so, what happens when you set them both to A? How about when you set them both to B? I'd play around with that a bit until you get a good replication, then restart samba on both DC's and set them properly (dcA needs ip.to.dc.a and dcB needs ip.to.dc.b).

Ricky

On Tue, Jun 4, 2013 at 1:59 AM, David González Herrera - [DGHVoIP] i...@dghvoip.com wrote:

[...]
Re: [Samba] Replication Samba PDC to Samba BDC
Hi,

2013.06.04 16:35, Ricky Nance wrote:

@Giedrius Not exactly, as I wrote in my other posts to mailing list, this is glibc's nss dns resolvers' (libnss_dns.so) issue that is ignoring hostnames with _ (*_*msdcs) Which OS's does that affect?

I personally tested this on openSUSE 12.2 and 12.3 (bug report: https://bugzilla.novell.com/show_bug.cgi?id=822414) From the mailing list - seems this bug is much more widespread

@David, Is your nameserver (in /etc/resolv.conf) on dcA ip.to.dc.a and on dcB ip.to.dc.b? If so, what happens when you set them both to A? How about when you set them both to B? I'd play around with that a bit until you get a good replication, then restart samba on both DC's and set them properly (dcA needs ip.to.dc.a and dcB needs ip.to.dc.b).

I doubt this would change anything, given there is a working DNS, allow-query / firewall setup. But this is easily checked with host / dig / nslookup commands. And for that matter - his DNS setup is working: host / dig tests are not failing

The problem is with the RESOLVER LIBRARY failing (at least in my case) to return replies from DNS, so changing DNS servers address will not in any way fix the problem. It simply will not be returned to the program through the system calls (at least for me, tcpdump showed DNS *is* replying)

Better solution is to fix that damn bug in glibc (or use /etc/hosts | mdns | whatever) and specify BOTH dcA AND dcB in resolv.conf. So that if one of them fails - the other replies.

Ricky

On Tue, Jun 4, 2013 at 1:59 AM, David González Herrera - [DGHVoIP] i...@dghvoip.com wrote:

[...]
Re: [Samba] Replication Samba PDC to Samba BDC
On 6/4/2013 8:35 AM, Ricky Nance wrote:

@Giedrius Not exactly, as I wrote in my other posts to mailing list, this is glibc's nss dns resolvers' (libnss_dns.so) issue that is ignoring hostnames with _ (*_*msdcs) Which OS's does that affect?

PDC is Ubuntu 12.0.4

root@samba:~# cat /etc/debian_version
wheezy/sid
root@samba:~# samba -V
Version 4.1.0pre1-GIT-8bf3112

BDC is on Ubuntu Server 12.0.4

root@bdc:~# samba -V
Version 4.1.0pre1-GIT-b238008

@David, Is your nameserver (in /etc/resolv.conf) on dcA ip.to.dc.a and on dcB ip.to.dc.b? If so, what happens when you set them both to A? How about when you set them both to B? I'd play around with that a bit until you get a good replication, then restart samba on both DC's and set them properly (dcA needs ip.to.dc.a and dcB needs ip.to.dc.b).

Yes, after putting ip.to.dc.a on DCB and vice-versa I get the same can't find bla.blah.msc A record, it only works back again when I add the name to /etc/hosts. Is there any patch I can apply to samba or the like to have this fixed?

Thanks.

Ricky

On Tue, Jun 4, 2013 at 1:59 AM, David González Herrera - [DGHVoIP] i...@dghvoip.com wrote:

[...]
[Samba] Replication Samba PDC to Samba BDC
Hi,

Let's see if any of the questions gets answered or at least I get pointed to something that can help me.

I followed this wiki: http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

I have my S4 domain running, I compiled and installed another S4 to replicate the first server and joined successfully to the domain but replication seems to be broken.

Command used:

root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator --realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mundo.local'
Found DC samba.mundo.local
workgroup is mundo
realm is mundo.local
checking sAMAccountName
Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Adding CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Setting account password for BDC$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=mundo,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=mundo,DC=local
Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=mundo,DC=local
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as a DC

Seemed to have succeeded, then I ran the recommended tests

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
# record 2
dn: CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f
# returned 2 records
# 2 entries
# 0 referrals

These tests run from the BDC seem to work.

host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias for samba.mundo.local.
host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias for bdc.mundo.local.
root@bdc:~# host -t A bdc.mundo.local.
bdc.mundo.local has address 10.10.10.20
root@bdc:~# host -t A samba.mundo.local.
samba.mundo.local has address 10.10.10.5

Error showing up on the BDC

dns child failed to find name 'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
dreplsrv_notify: Failed to send DsReplicaSync to ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for CN=Configuration,DC=mundo,DC=local - NT_STATUS_OBJECT_NAME_NOT_FOUND : WERR_BADFILE

I tried to check replication status but this error shows

root@bdc:~# samba-tool drs showrepl
Default-First-Site-Name\BDC
DSA Options: 0x0001
DSA object GUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
DSA invocationId: 609fd8be-7e0c-49ca-a5f5-1a68237ef03f

INBOUND NEIGHBORS

DC=mundo,DC=local
Default-First-Site-Name\SAMBA via RPC
DSA object GUID: ad828198-a723-44c2-8d7f-d5f801e2849f
Last attempt @ Mon Jun 3 20:58:43 2013 EDT failed, result 2 (WERR_BADFILE)
8 consecutive failure(s).
Last success @ Mon Jun 3 20:35:43 2013 EDT

CN=Schema,CN=Configuration,DC=mundo,DC=local
Default-First-Site-Name\SAMBA via RPC
Re: [Samba] Replication Samba PDC to Samba BDC
Hi,

2013.06.04 04:16, David González Herrera - [DGHVoIP] wrote:

Hi,

Let's see if any of the questions gets answered or at least I get pointed to something that can help me.

I followed this wiki: http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

I have my S4 domain running, I compiled and installed another S4 to replicate the first server and joined successfully to the domain but replication seems to be broken.

Command used:

root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator --realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mundo.local'
Found DC samba.mundo.local
workgroup is mundo
realm is mundo.local
checking sAMAccountName
Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Adding CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Setting account password for BDC$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=mundo,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=mundo,DC=local
Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=mundo,DC=local
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as a DC

Seemed to have succeeded, then I ran the recommended tests

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
# record 2
dn: CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f
# returned 2 records
# 2 entries
# 0 referrals

These tests run from the BDC seem to work.

host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias for samba.mundo.local.
host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias for bdc.mundo.local.
root@bdc:~# host -t A bdc.mundo.local.
bdc.mundo.local has address 10.10.10.20
root@bdc:~# host -t A samba.mundo.local.
samba.mundo.local has address 10.10.10.5

Error showing up on the BDC

dns child failed to find name 'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
dreplsrv_notify: Failed to send DsReplicaSync to ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for CN=Configuration,DC=mundo,DC=local - *NT_STATUS_OBJECT_NAME_NOT_FOUND : WERR_BADFILE *

Did you AT LEAST search the mailing list??? Check if ping (or any program using GLIBC's *NSS* DNS resolver) can resolve your 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local name

I tried to check replication status but this error shows

root@bdc:~# samba-tool drs showrepl
Default-First-Site-Name\BDC
DSA Options: 0x0001
DSA object GUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
DSA invocationId: 609fd8be-7e0c-49ca-a5f5-1a68237ef03f

INBOUND NEIGHBORS

DC=mundo,DC=local
Default-First-Site-Name\SAMBA via RPC
DSA object GUID:
Re: [Samba] PDC: The trust relationship ... failed from the beginning
Hiii

Were you able to resolve the issue?

Thanks for the reply
-Sreejith

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba PDC not in network environment (Windows 7/8)
Something weird... I connected one notebook to another samba (v3.5.5) network. Logged in as a local user on the notebook and guess what. The complete network environment is shown.

The main difference between these two networks, apart from the version number of smbd, is that the working network is based on ldap while the not working network is based on tdb.

Another small difference in smb.conf:

3.5.5: name resolve order = bcast lmhosts host
3.6.12: name resolve order = wins bcast lmhosts hosts

Going to check if it has any impact if I remove wins from name resolve order.

And another small difference: In v3.5.5 computers are members of Domain Users while v3.6.12 lists them in Domain Computers. Also going to check if this makes any difference.

The last thing I will check is if it makes any difference when I login to a local account on my client.

Will keep you updated.
[Samba] Samba PDC not in network environment (Windows 7/8)
I recently changed my clients (3 notebooks, 2 desktop pcs) from Windows XP Pro to Windows 7/8 Pro. I followed the guides that can be found on samba.org and all over the internet. Client migration worked after some minor trouble. There is only one thing left that I could not resolve the last few days.

All clients see each other under Network but no client sees my samba server. Though the samba PDC cannot be seen most of the network related stuff works as expected. Domain logons work, the per user netlogon script is executed (network shares on the PDC get mapped, time is synced), shares can be opened with \\PDC\share.

Executing nbtstat on the clients works except for -[s|S|R|RR] which results in no connection. Executing smbtree -N | smbclient -N works on the PDC.

To prevent common questions:
- client installation is not older than 30 days
- disabled pw change after 30 days in registry
- no firewall on clients
- PDC firewall allows traffic to and from ports 137-139,445
- samba version Version 3.6.12-162.1-2943-SUSE-SL12.1-x86_64

Output of netstat -an | egrep '13[789]|445'

tcp0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp0 0 192.168.11.10:60002 192.168.11.230:445 VERBUNDEN
udp0 0 192.168.11.255:137 0.0.0.0:*
udp0 0 192.168.11.10:137 0.0.0.0:*
udp0 0 0.0.0.0:137 0.0.0.0:*
udp0 0 192.168.11.255:138 0.0.0.0:*
udp0 0 192.168.11.10:138 0.0.0.0:*
udp0 0 0.0.0.0:138 0.0.0.0:*

Remark: 192.168.11.230 is a nas storage which cannot be seen from clients either.

My smb.conf:

[global]
unix charset = UTF8
display charset = UTF8
workgroup = MyWorkgroupName
server string = MyServerString
netbios name = MyServerName
netbios aliases = PDC
interfaces = eth0, 127.0.0.0/8
bind interfaces only = no
map to guest = Bad User
passdb backend = tdbsam
username map = /etc/samba/smbusers
username level = 1
server signing = auto
max protocol = SMB2
client NTLMv2 auth = Yes
log level = 2 smb:1 auth:1 sam:1 acls:1 passdb:1 tdb:1 winbind:1 idmap:1
syslog = 0
log file = /var/log/samba/log.%m
max xmit = 65535
name resolve order = wins bcast lmhosts hosts
time server = Yes
deadtime = 10
paranoid server security = No
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_BROADCAST SO_SNDBUF=16384 SO_RCVBUF=16384
hostname lookups = Yes
add user script = /usr/sbin/useradd -d /home/%u -g users -k /etc/samba/skel -m -s /bin/false %u
delete user script = /usr/sbin/userdel %u
add user to group script = /usr/sbin/usermod -G %g %u
set primary group script = /usr/sbin/usermod -g %g %u
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false -g machines %u
logon script = %U.bat
logon path = \\%N\profiles\%U\%a
domain logons = Yes
os level = 88
preferred master = Yes
domain master = Yes
local master = yes
time server = yes
wins support = Yes
client use spnego = no
ldap ssl = no
winbind enum users = Yes
winbind enum groups = Yes
winbind expand groups = 3
winbind use default domain = no
winbind rpc only = Yes
winbind offline logon = no
idmap config * : backend = tdb
idmap config * : range = 15000 - 25000
encrypt passwords = yes
pam password change = yes
passwd program = /usr/bin/passwd %u
passwd chat = Neues*Passwort* %n\nGeben Sie das neue Passwort erneut ein * %n\nPass*dert.\n
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
dos filetime resolution = Yes
printing = cups
printcap = cups

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = @samba-domain-admins @Administrators
read list = @samba-domain-users @machines @Familie
force group = samba-domain-users
browseable = No

[profiles]
path = /var/lib/samba/profiles
profile acls = yes
csc policy = disable
read only = No
browsable = no
store dos attributes = yes
guest ok = no
printable = no
hide files = /desktop.ini/*Briefcase*/
write list = %S %S%w%D root
hosts allow = 192.168.11., 127.0.0.1, 10.168.11.
create mask = 0600
directory mask = 0700

[IPC$]
path
Re: [Samba] Samba PDC not in network environment (Windows 7/8)
Something I came across. Don't know if it is related. Trying to connect to a Windows 8 share from my PDC results in

cli_session_setup: NT1 session setup failed: NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER

when client NTLMv2 auth = yes set in smb.conf. smbtree executed by a domain admin user lists all shares on PDC and nas but only the name of the client.

Changing settings to

client NTLMv2 auth = no
client lanman auth = yes

gives access to shares on the Windows 8 client. smbtree lists all administrative shares (C$, D$, etc.) on Windows 8 client.

---

There are some entries in the samba logfile for client JOGO which seem to be problem related:

[2013/02/21 12:17:27.638163, 0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2013/02/21 12:17:27.762403, 2] rpc_server/samr/srv_samr_nt.c:4071(_samr_LookupDomain)
  Returning domain sid for domain MyDomainName - S-1-5-21-3406496673-2355577635-1274693878
[2013/02/21 12:17:32.774569, 2] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/21 12:17:32.774681, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client JOGO machine account JOGO$
[2013/02/21 12:17:32.777495, 2] rpc_server/samr/srv_samr_nt.c:4071(_samr_LookupDomain)
  Returning domain sid for domain MyDomainName - S-1-5-21-3406496673-2355577635-1274693878
[2013/02/21 12:17:45.665467, 2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:18:03.168300, 2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:18:50.279081, 2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:21:36.293203, 2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
Re: [Samba] Samba PDC not in network environment (Windows 7/8)
Jörg Nissen joerg at nissen.de.hm writes:

Looks like I'm talking to myself all the time. Anyway, solved this small problem. Accidentally the parameter client use spnego was set to no during testing. Setting it back to yes made the client tools on the server behave normally.

Still looking for help on my starting post.
Re: [Samba] PDC: The trust relationship ... failed from the beginning
From: Eimac Dude [mailto:eimacd...@aol.com]
Sent: 24 January 2013 19:43
To: samba@lists.samba.org
Subject: [Samba] PDC: The trust relationship ... failed from the beginning

Hi,

When I try a net logon from Windows 7 64-bit Business (don't have any other Windows machines), I get The trust relationship between this workstation and the primary domain failed. The discussion I've found around the Web regarding this error message seems to be only in the context of the 30 day password expiry issue, where the solution is to simply rejoin the domain. Unfortunately, I have this problem *always*, and rejoining does not help. I have not been able to do a net login at all, from the first time I tried. At the same time, there's no problem accessing the Samba shares by going to \\SMB in Windows Explorer and logging in with the same user accounts.

# smbstatus
Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64

The LAN is on 172.16. and the Samba machine is also the LAN's DNS server; not using LDAP. We had been using Samba for simple file sharing, with no domain functionality enabled, and with the Windows machines on the network configured as members of the workgroup. We recently decided to set Samba as a PDC and support roaming profiles, and have been blocked by this trust error.

I made some changes to smb.conf, which can be seen here: http://pastebin.com/raw.php?i=qKvQq3W2

The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755.

Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about not finding the domain when I tried to change from workgroup to domain, so I took that out and set wins as the first item in the list.

# cat /etc/samba/smbusers:
root = administrator Administrator admin
nobody = guest pcguest smbguest

I added root to smbpasswd. I also executed the following:

net groupmap add ntgroup=Domain Admins unixgroup=root rid=512 type=d
net groupmap add ntgroup=Domain Users unixgroup=users rid=513 type=d
net groupmap add ntgroup=Domain Guests unixgroup=nobody rid=514 type=d
net rpc rights grant -U root URBASE\Domain Admins SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

The Windows machines are configured as specified on wiki.samba.org/index.php/Windows7 (that is, I only edited DomainCompatibilityMode and DNSNameResolutionRequired).

Changing from workgroup to domain and rebooting, then trying to log in with one of the SMB users gives me the The trust relationship between this workstation and the primary domain failed error. I can only log into the local machine account.

If, instead of changing from workgroup to domain directly, I try to use the network ID wizard, it eventually leads to the same error when it tries to set up the domain user.

Looking at /etc/samba/smbpasswd, the machine account shows up there so the add machine script seems to be working; however,

# tail /var/log/samba/log.smbd
[2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$

Why is it not working? I don't know how to troubleshoot this. I've tried removing the machine from the domain then taking it out of smbpasswd and the Unix accounts, and then rejoining, but same errors. I tried manually adding the IP address in the Windows machine's WINS setting, but it doesn't make a difference.

One thing I'm unsure of is the DNS suffixes thing which seems to be mentioned on some sites in association with this. In the Windows clients, under Append these DNS suffixes (in order) we've normally had as suffix the DNS master zone for the LAN, which is different from the domain name in smb.conf -- if that matters at all given joining the domain should be using WINS instead of DNS for name resolution. I tried adding the domain in there anyway, but it doesn't help.

Can anyone kindly help? I've asked on a couple of other forums but to no avail...

Are the clocks synchronised between the 2 machines? According to http://community.spiceworks.com/topic/170347-trust-relationship-between-this-workstation-and-primary-domain-failed clock discrepancy can be one cause of this problem.

Moray.
To err is human; to purr, feline.
Re: [Samba] PDC: The trust relationship ... failed from the beginning
On 1/24/2013 7:31 PM, Nico Kadel-Garcia wrote:

On Thu, Jan 24, 2013 at 8:57 PM, Eimac Dude eimacd...@aol.com wrote:

Brought in a new Windows 7 64-bit machine and that one works... So it seems to be a Windows configuration issue, but what other settings could possibly cause this authentication failure? The new machine is a recent clean install and uses MSE as antivirus, whereas the older workstations use AVG and Ad-Aware. But I doubt the antivirus could cause the difference. And I don't see any difference in the network configuration of the machines. Any suggestions? I can't simply replace all Windows clients on our network...

The new machine has a new hostname? Are they both statically configured in DNS? Do they both have all the system patches? And have you tried yanking out AVG and replacing it with MSE?

All have same new patches. The new machine has a different hostname. But I've also tried changing the hostname of the old machine... The only thing I didn't test yet is removing AVG.
[Samba] PDC: The trust relationship ... failed from the beginning
Hi,

When I try a net logon from Windows 7 64-bit Business (don't have any other Windows machines), I get The trust relationship between this workstation and the primary domain failed. The discussion I've found around the Web regarding this error message seems to be only in the context of the 30 day password expiry issue, where the solution is to simply rejoin the domain. Unfortunately, I have this problem *always*, and rejoining does not help. I have not been able to do a net login at all, from the first time I tried. At the same time, there's no problem accessing the Samba shares by going to \\SMB in Windows Explorer and logging in with the same user accounts.

# smbstatus
Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64

The LAN is on 172.16. and the Samba machine is also the LAN's DNS server; not using LDAP. We had been using Samba for simple file sharing, with no domain functionality enabled, and with the Windows machines on the network configured as members of the workgroup. We recently decided to set Samba as a PDC and support roaming profiles, and have been blocked by this trust error.

I made some changes to smb.conf, which can be seen here: http://pastebin.com/raw.php?i=qKvQq3W2

The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755.

Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about not finding the domain when I tried to change from workgroup to domain, so I took that out and set wins as the first item in the list.

# cat /etc/samba/smbusers:
root = administrator Administrator admin
nobody = guest pcguest smbguest

I added root to smbpasswd. I also executed the following:

net groupmap add ntgroup=Domain Admins unixgroup=root rid=512 type=d
net groupmap add ntgroup=Domain Users unixgroup=users rid=513 type=d
net groupmap add ntgroup=Domain Guests unixgroup=nobody rid=514 type=d
net rpc rights grant -U root URBASE\Domain Admins SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

The Windows machines are configured as specified on wiki.samba.org/index.php/Windows7 (that is, I only edited DomainCompatibilityMode and DNSNameResolutionRequired).

Changing from workgroup to domain and rebooting, then trying to log in with one of the SMB users gives me the The trust relationship between this workstation and the primary domain failed error. I can only log into the local machine account.

If, instead of changing from workgroup to domain directly, I try to use the network ID wizard, it eventually leads to the same error when it tries to set up the domain user.

Looking at /etc/samba/smbpasswd, the machine account shows up there so the add machine script seems to be working; however,

# tail /var/log/samba/log.smbd
[2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$

Why is it not working? I don't know how to troubleshoot this. I've tried removing the machine from the domain then taking it out of smbpasswd and the Unix accounts, and then rejoining, but same errors. I tried manually adding the IP address in the Windows machine's WINS setting, but it doesn't make a difference.

One thing I'm unsure of is the DNS suffixes thing which seems to be mentioned on some sites in association with this. In the Windows clients, under Append these DNS suffixes (in order) we've normally had as suffix the DNS master zone for the LAN, which is different from the domain name in smb.conf -- if that matters at all given joining the domain should be using WINS instead of DNS for name resolution. I tried adding the domain in there anyway, but it doesn't help.

Can anyone kindly help? I've asked on a couple of other forums but to no avail...
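Added example, not part of any post on this page: a Python triage script for the log.smbd excerpts quoted above, grouping `_netr_ServerAuthenticate3` rejections by machine account so an administrator can tell a one-off failure from one that persists across retries. The sample combines lines from the BRIX and JOGO excerpts into one constructed input, and the function names and the five-minute "persistent" threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Header of a Samba log record, e.g.
# "[2013/01/23 14:26:16.350332,  0] rpc_server/netlogon/srv_netlog_nt.c:976(func)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)\]\s*"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
# Message written when the netlogon credential check fails.
REJECT = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<account>\S+)"
)

# Constructed sample: lines taken from the two excerpts on this page, combined.
SAMPLE_LOG = """\
[2013/01/23 14:26:16.350332,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/02/21 12:17:27.638163,  0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2013/02/21 12:17:32.774569,  2] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/21 12:17:32.774681,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client JOGO machine account JOGO$
"""


def parse_records(text):
    """Split raw log text into (timestamp, level, function, message) records.

    The message is everything between one header and the next, so this works
    both for the normal two-line layout and for logs flattened onto one line.
    """
    headers = list(HEADER.finditer(text))
    records = []
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        message = " ".join(text[hdr.end():end].split())
        ts = datetime.strptime(hdr.group("ts"), "%Y/%m/%d %H:%M:%S")
        records.append((ts, int(hdr.group("level")), hdr.group("func"), message))
    return records


def netlogon_rejections(records):
    """Map machine account -> timestamps of rejected secure-channel setups."""
    by_account = defaultdict(list)
    for ts, _level, func, message in records:
        hit = REJECT.search(message)
        if func == "_netr_ServerAuthenticate3" and hit:
            by_account[hit.group("account")].append(ts)
    return dict(by_account)


def summarize(by_account, persistent_after=timedelta(minutes=5)):
    """One row per account; 'persistent' means failures span the threshold."""
    rows = []
    for account in sorted(by_account):
        stamps = sorted(by_account[account])
        rows.append({
            "account": account,
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "persistent": stamps[-1] - stamps[0] >= persistent_after,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(netlogon_rejections(parse_records(SAMPLE_LOG))):
        print(row)
```
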
Re: [Samba] PDC: The trust relationship ... failed from the beginning
Brought in a new Windows 7 64-bit machine and that one works... So it seems to be a Windows configuration issue, but what other settings could possibly cause this authentication failure? The new machine is a recent clean install and uses MSE as antivirus, whereas the older workstations use AVG and Ad-Aware. But I doubt the antivirus could cause the difference. And I don't see any difference in the network configuration of the machines. Any suggestions? I can't simply replace all Windows clients on our network...

On 1/24/2013 11:43 AM, Eimac Dude wrote:

Hi, When I try a net logon from Windows 7 64-bit Business (don't have any other Windows machines), I get The trust relationship between this workstation and the primary domain failed. The discussion I've found around the Web regarding this error message seems to be only in the context of the 30 day password expiry issue, where the solution is to simply rejoin the domain. Unfortunately, I have this problem *always*, and rejoining does not help. I have not been able to do a net login at all, from the first time I tried. At the same time, there's no problem accessing the Samba shares by going to \\SMB in Windows Explorer and logging in with the same user accounts.

# smbstatus
Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64

The LAN is on 172.16. and the Samba machine is also the LAN's DNS server; not using LDAP. We had been using Samba for simple file sharing, with no domain functionality enabled, and with the Windows machines on the network configured as members of the workgroup. We recently decided to set Samba as a PDC and support roaming profiles, and have been blocked by this trust error. I made some changes to smb.conf, which can be seen here: http://pastebin.com/raw.php?i=qKvQq3W2

The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755. Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about not finding the domain when I tried to change from workgroup to domain, so I took that out and set wins as the first item in the list.

# cat /etc/samba/smbusers:
root = administrator Administrator admin
nobody = guest pcguest smbguest

I added root to smbpasswd. I also executed the following:

net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
net rpc rights grant -U root "URBASE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

The Windows machines are configured as specified on wiki.samba.org/index.php/Windows7 (that is, I only edited DomainCompatibilityMode and DNSNameResolutionRequired). Changing from workgroup to domain and rebooting, then trying to log in with one of the SMB users gives me the The trust relationship between this workstation and the primary domain failed error. I can only log into the local machine account. If, instead of changing from workgroup to domain directly, I try to use the network ID wizard, it eventually leads to the same error when it tries to set up the domain user. Looking at /etc/samba/smbpasswd, the machine account shows up there so the add machine script seems to be working; however,

# tail /var/log/samba/log.smbd
[2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$

Why is it not working? I don't know how to troubleshoot this. I've tried removing the machine from the domain then taking it out of smbpasswd and the Unix accounts, and then rejoining, but same errors. I tried manually adding the IP address in the Windows machine's WINS setting, but it doesn't make a difference. One thing I'm unsure of is the DNS suffixes thing which seems to be mentioned on some sites in association with this. In the Windows clients, under Append these DNS suffixes (in order) we've normally had as suffix the DNS master zone for the LAN, which is different from the domain name in smb.conf -- if that matters at all given joining the domain should be using WINS instead of DNS for name resolution. I tried adding the domain in there anyway, but it doesn't help. Can anyone kindly help? I've asked on a couple of other
Re: [Samba] PDC: The trust relationship ... failed from the beginning
On Thu, Jan 24, 2013 at 8:57 PM, Eimac Dude eimacd...@aol.com wrote:

Brought in a new Windows 7 64-bit machine and that one works... So it seems to be a Windows configuration issue, but what other settings could possibly cause this authentication failure? The new machine is a recent clean install and uses MSE as antivirus, whereas the older workstations use AVG and Ad-Aware. But I doubt the antivirus could cause the difference. And I don't see any difference in the network configuration of the machines. Any suggestions? I can't simply replace all Windows clients on our network...

The new machine has a new hostname? Are they both statically configured in DNS? Do they both have all the system patches? And have you tried yanking out AVG and replacing it with MSE?
Re: [Samba] Samba PDC group list empty
I give all of your indexes in my conf but nothing changed:

ls -l *bdb
-rw--- 1 openldap openldap 61440 Dec 3 14:22 cn.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 dc.bdb
-rw--- 1 openldap openldap 28672 Dec 3 14:22 displayName.bdb
-rw--- 1 openldap openldap 40960 Dec 3 12:29 dn2id.bdb
-rw--- 1 openldap openldap 8192 Nov 22 10:42 entryCSN.bdb
-rw--- 1 openldap openldap 8192 Nov 22 10:42 entryUUID.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 gidNumber.bdb
-rw--- 1 openldap openldap 36864 Dec 3 14:22 givenName.bdb
-rw--- 1 openldap openldap 294912 Dec 3 13:10 id2entry.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 loginShell.bdb
-rw--- 1 openldap openldap 45056 Dec 3 14:22 mail.bdb
-rw--- 1 openldap openldap 69632 Dec 3 14:22 memberUid.bdb
-rw--- 1 openldap openldap 36864 Dec 3 14:22 objectClass.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 ou.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaDomainName.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaGroupType.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaSID.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 sambaSIDList.bdb
-rw--- 1 openldap openldap 40960 Dec 3 14:22 sn.bdb
-rw--- 1 openldap openldap 45056 Dec 3 14:22 uid.bdb
-rw--- 1 openldap openldap 8192 Dec 3 14:22 uidNumber.bdb
-rw--- 1 openldap openldap 8192 Nov 20 17:03 uniqueMember.bdb

Any other suggestion?

On Fri, Nov 30, 2012 at 6:16 PM, Harry Jede walk2...@arcor.de wrote:

On Thursday, 29 November 2012 you wrote:

I still don't understand why ldap search filter generated by samba ( i have this from samba log ) cannot find anything in database:

smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter = [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024]
[2012/11/29 18:15:14.227560, 3] lib/smbldap.c:1591(smbldap_search_paged)
smbldap_search_paged: search was successful
[2012/11/29 18:15:14.227647, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
free_pipe_context: destroying talloc pool of size 0

If I remove sambaSID and try to find it in ldap, I will get all my groups.

Filter = (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))

Is this normal behavior or can my ldap configuration be incorrect?

That's not normal. What indexes have you set?

# ldapsearch -LLLY external -H ldapi:/// -b cn=config "(objectclass=*)" olcDBIndex

These are my indexes:

dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: displayName eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: mail eq,sub
olcDbIndex: dhcpHWAddress eq
olcDbIndex: dhcpClassData eq
olcDbIndex: cn eq,pres,sub
olcDbIndex: sn eq,pres,sub
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: default sub

And this shows the files:

# cd /var/lib/ldap/
# ls -l *bdb
-rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
-rw--- 1 openldap openldap 8192 1. Jan 2012 dc.bdb
-rw--- 1 openldap openldap 8192 18. Nov 15:49 dhcpHWAddress.bdb
-rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
-rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 gidNumber.bdb
-rw--- 1 openldap openldap 8192 1. Jun 21:57 givenName.bdb
-rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 loginShell.bdb
-rw--- 1 openldap openldap 8192 1. Jun 21:57 mail.bdb
-rw--- 1 openldap openldap 8192 1. Jun 2012 memberUid.bdb
-rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
-rw--- 1 openldap openldap 8192 1. Jun 19:57 ou.bdb
-rw--- 1 openldap openldap 8192 23. Aug 08:54 sambaDomainName.bdb
-rw--- 1 openldap openldap 8192 10. Mai 2012 sambaGroupType.bdb
-rw--- 1 openldap openldap 8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 sambaSID.bdb
-rw--- 1 openldap openldap 8192 27. Nov 22:54 sambaSIDList.bdb
-rw--- 1 openldap openldap 8192 1. Jun 21:57 sn.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 uid.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 uidNumber.bdb
-rw--- 1 openldap openldap 8192 1. Jan 2012 uniqueMember.bdb
root@capella:/var/lib/ldap#

--
Regards
Harry Jede
Re: [Samba] Samba PDC group list empty
On Thursday, 29 November 2012 you wrote:

I still don't understand why ldap search filter generated by samba ( i have this from samba log ) cannot find anything in database:

smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter = [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024]
[2012/11/29 18:15:14.227560, 3] lib/smbldap.c:1591(smbldap_search_paged)
smbldap_search_paged: search was successful
[2012/11/29 18:15:14.227647, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
free_pipe_context: destroying talloc pool of size 0

If I remove sambaSID and try to find it in ldap, I will get all my groups.

Filter = (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))

Is this normal behavior or can my ldap configuration be incorrect?

That's not normal. What indexes have you set?

# ldapsearch -LLLY external -H ldapi:/// -b cn=config "(objectclass=*)" olcDBIndex

These are my indexes:

dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: displayName eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: mail eq,sub
olcDbIndex: dhcpHWAddress eq
olcDbIndex: dhcpClassData eq
olcDbIndex: cn eq,pres,sub
olcDbIndex: sn eq,pres,sub
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: default sub

And this shows the files:

# cd /var/lib/ldap/
# ls -l *bdb
-rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
-rw--- 1 openldap openldap 8192 1. Jan 2012 dc.bdb
-rw--- 1 openldap openldap 8192 18. Nov 15:49 dhcpHWAddress.bdb
-rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
-rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 gidNumber.bdb
-rw--- 1 openldap openldap 8192 1. Jun 21:57 givenName.bdb
-rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 loginShell.bdb
-rw--- 1 openldap openldap 8192 1. Jun 21:57 mail.bdb
-rw--- 1 openldap openldap 8192 1. Jun 2012 memberUid.bdb
-rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
-rw--- 1 openldap openldap 8192 1. Jun 19:57 ou.bdb
-rw--- 1 openldap openldap 8192 23. Aug 08:54 sambaDomainName.bdb
-rw--- 1 openldap openldap 8192 10. Mai 2012 sambaGroupType.bdb
-rw--- 1 openldap openldap 8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 sambaSID.bdb
-rw--- 1 openldap openldap 8192 27. Nov 22:54 sambaSIDList.bdb
-rw--- 1 openldap openldap 8192 1. Jun 21:57 sn.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 uid.bdb
-rw--- 1 openldap openldap 8192 23. Aug 10:08 uidNumber.bdb
-rw--- 1 openldap openldap 8192 1. Jan 2012 uniqueMember.bdb
root@capella:/var/lib/ldap#

--
Regards
Harry Jede
Re: [Samba] Samba PDC group list empty
Hello again, I do not know what

On Tue, Nov 27, 2012 at 9:08 PM, Harry Jede walk2...@arcor.de wrote:

On 20:15:56 wrote Andrej Šimko:

net getdomainsid
SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

I compared my smb.conf with yours. I have ldap suffix before ldap group suffix. I switched that but result still the same.

ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=example,dc=sk

tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )

ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Sorry, that I haven't seen this in your mail at 09:07

This is a working group object:

# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users

The main difference is the objectclass posixGroup instead of sambaSidEntry. Samba Group Mapping is not a simple task. Your definition with objectclass=sambasidentry is not totally wrong, but the intended use is that you store your posixgroups in /etc/group or in NIS. With an LDAP backend that is not the best approach.

I don't understand what you are trying to say :( Do you think that if I have all necessary groups in /etc/group or in NIS, then the windows computer will find groups in domain? I still don't understand why ldap search filter generated by samba ( i have this from samba log ) cannot find anything in database:

smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter = [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024]
[2012/11/29 18:15:14.227560, 3] lib/smbldap.c:1591(smbldap_search_paged)
smbldap_search_paged: search was successful
[2012/11/29 18:15:14.227647, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
free_pipe_context: destroying talloc pool of size 0

If I remove sambaSID and try to find it in ldap, I will get all my groups.

Filter = (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))

Is this normal behavior or can my ldap configuration be incorrect?

Here are the three standard definitions with objectclass=posixgroup

###
A primary group: posix and windows
primary members should NOT be stored here

dn: cn=teachers,ou=groups,dc=europa,dc=xx
cn: teachers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
sambaGroupType: 2
displayName: teachers

# getent group teachers
teachers:*:1001:
# net rpc group members teachers
# nothing

###
A regular group in posix, a global group in windows
members are stored in memberUid

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins

# getent group domainadmins
DomainAdmins:*:512:Administrator,root
# Asking for the Windows name, which is stored in displayName
# net rpc group members "domain admins"
EUROPA\Administrator
EUROPA\root
# Asking for the posix name, which is stored in cn
# net rpc group members domainadmins
EUROPA\Administrator
EUROPA\root

###
A windows/samba builtin group
no posix members
Windows members must be stored in sambaSIDList.
These types of groups will be used in Windows OS (client and/or server)

# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(cn=administrators))" 2>/dev/null
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators

# getent group administrators
Administrators:*:544:
# net rpc group members administrators
EUROPA\Domain Admins
###

--
Regards
Harry Jede
Re: [Samba] Samba PDC group list empty
Hi Simo,

Hi this is my listing:

net -U administrator rpc group members Administrators
Enter administrator's password:
Couldn't list alias members

Your samba server WILL not list the members of this global group, mostly a security issue.

ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))'

ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=*))'
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Your LDAP client WILL list the group members.

Do you know what this means?

The reason is often wrongly configured smbldap-tools. Check the /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.

net getdomainsid
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

Your server and your domain have different SIDs, that may be your problem. Try:

# net setlocalsid S-1-5-21-2390795950-2727105968-4008069955

and restart samba.

Thanks.

--
regards
Harry Jede
Re: [Samba] Samba PDC group list empty
Hi Simo, please post to the list !!!

On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede walk2...@arcor.de wrote:

Hi Simo,

Hi this is my listing:

net -U administrator rpc group members Administrators
Enter administrator's password:
Couldn't list alias members

Your samba server WILL not list the members of this global group, mostly a security issue.

User administrator has all rights, so I don't think it is a security issue. Or do you know some checks that I could try?

ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))'

ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=*))'
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Your LDAP client WILL list the group members.

Do you know what this means?

The reason is often wrongly configured smbldap-tools. Check the /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.

SID in smbldap.conf is: SID=S-1-5-21-2390795950-2727105968-4008069955 So that is correct.

net getdomainsid
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

Your server and your domain have different SIDs, that may be your problem. Try:

# net setlocalsid S-1-5-21-2390795950-2727105968-4008069955

and restart samba.

Tried that, nothing changed.

Post:

net getdomainsid

Do the following steps (enclosed with ###) in order

###
I compared my smb.conf with yours. I have ldap suffix before ldap group suffix.

ldap suffix = dc=europa,dc=xx
ldap admin dn= cn=admin,dc=europa,dc=xx
ldap group suffix= ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix = ou=machines,ou=accounts

and I have NOT installed winbindd!

###
Check if you have the groups defined in LDAP and in /etc/groups. The groups should only be in LDAP.

###
check the admin account in ldap:

# ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=europa,dc=xx

Check that your ldap admin password is OK.

# tdbdump /var/lib/samba/secrets.tdb

look for:

{
key(45) = SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx
data(12) = ThePassword\00
}

Try to bind with this password:

# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -w ThePassword "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"

Check if root gets the same result:

# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null

###
at last, search for duplicate names:

# ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" dn

You should get one result.

Thanks.

--
regards
Harry Jede

--
Regards
Harry Jede
Re: [Samba] Samba PDC group list empty
net getdomainsid
SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

I compared my smb.conf with yours. I have ldap suffix before ldap group suffix. I switched that but result still the same.

ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=example,dc=sk

tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )

ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" dn
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk

I do not see anything bad, I do not have winbindd installed

On Tue, Nov 27, 2012 at 2:46 PM, Harry Jede walk2...@arcor.de wrote:

(displayname=users)(uid=users))) dn
Re: [Samba] Samba PDC group list empty
On 20:15:56 wrote Andrej Šimko:

net getdomainsid
SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

I compared my smb.conf with yours. I have ldap suffix before ldap group suffix. I switched that but result still the same.

ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=example,dc=sk

tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )

ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Sorry, that I haven't seen this in your mail at 09:07

This is a working group object:

# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users

The main difference is the objectclass posixGroup instead of sambaSidEntry. Samba Group Mapping is not a simple task. Your definition with objectclass=sambasidentry is not totally wrong, but the intended use is that you store your posixgroups in /etc/group or in NIS. With an LDAP backend that is not the best approach.

Here are the three standard definitions with objectclass=posixgroup

###
A primary group: posix and windows
primary members should NOT be stored here

dn: cn=teachers,ou=groups,dc=europa,dc=xx
cn: teachers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
sambaGroupType: 2
displayName: teachers

# getent group teachers
teachers:*:1001:
# net rpc group members teachers
# nothing

###
A regular group in posix, a global group in windows
members are stored in memberUid

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins

# getent group domainadmins
DomainAdmins:*:512:Administrator,root
# Asking for the Windows name, which is stored in displayName
# net rpc group members "domain admins"
EUROPA\Administrator
EUROPA\root
# Asking for the posix name, which is stored in cn
# net rpc group members domainadmins
EUROPA\Administrator
EUROPA\root

###
A windows/samba builtin group
no posix members
Windows members must be stored in sambaSIDList.
These types of groups will be used in Windows OS (client and/or server)

# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(cn=administrators))" 2>/dev/null
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators

# getent group administrators
Administrators:*:544:
# net rpc group members administrators
EUROPA\Domain Admins
###

--
Regards
Harry Jede
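An added example, not part of the original thread: the checks suggested in these messages (compare the two SIDs printed by net getdomainsid, look at each group's objectClass) plus a client-side evaluation of the three group filters smbd logged, run over saved command output. The DomainAdmins entry under dc=example,dc=sk and all function names are constructed for illustration; the LDIF reader unfolds wrapped lines but does not decode base64 values.

```python
import re

# Output of `net getdomainsid` as first posted in the thread.
GETDOMAINSID = """\
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
"""

# Constructed LDIF sample. The first entry is the one posted in the thread;
# the second is a hypothetical posixGroup-style entry built from the
# Domain Admins SID shown by `net groupmap list`.
LDIF = """\
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

dn: cn=DomainAdmins,ou=Groups,dc=example,dc=sk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
sambaSID: S-1-5-21-2390795950-2727105968-4008069955-512
sambaGroupType: 2
displayName: Domain Admins
"""


def parse_getdomainsid(text):
    """Return {'local': sid, 'domain': sid} from `net getdomainsid` output."""
    sids = {}
    for kind, sid in re.findall(
            r"SID for (local machine|domain) \S+ is: (S-[\d-]+)", text):
        sids["local" if kind.startswith("local") else "domain"] = sid
    return sids


def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into a list of {attr: [values]} dicts.

    Attribute names are lower-cased. Folded lines (leading space) are joined.
    """
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def logged_filters(domain_sid):
    """The (sambaGroupType, sambaSID prefix) pairs from the smbd log lines."""
    return [("2", domain_sid), ("4", domain_sid), ("4", "S-1-5-32")]


def select(entries, group_type, sid_prefix):
    """Client-side equivalent of the logged filter
    (&(objectclass=sambaGroupMapping)(sambaGroupType=T)(sambaSID=PREFIX*))."""
    hits = []
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if ("sambagroupmapping" in classes
                and group_type in e.get("sambagrouptype", [])
                and any(s.startswith(sid_prefix)
                        for s in e.get("sambasid", []))):
            hits.append(e["dn"][0])
    return hits


def audit(sids, entries):
    """Findings for the two checks suggested in the thread."""
    findings = []
    if sids.get("local") != sids.get("domain"):
        findings.append("local SID differs from domain SID")
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "sambagroupmapping" in classes and "posixgroup" not in classes:
            findings.append("no posixGroup objectClass: " + e["dn"][0])
    return findings


if __name__ == "__main__":
    sids = parse_getdomainsid(GETDOMAINSID)
    entries = parse_ldif(LDIF)
    for finding in audit(sids, entries):
        print("finding:", finding)
    for gtype, prefix in logged_filters(sids["domain"]):
        print("type", gtype, prefix + "*", "->", select(entries, gtype, prefix))
```

If an entry is selected here but the same filter returns nothing from the directory, the entry data is not what is hiding the group, and the LDAP server side is the place to look next.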
Re: [Samba] Samba PDC group list empty
Hi,

The Debian 3.5.6 is buggy, use the 3.6.6 version from backports, fixed my problems also.

Louis

-Original message-
From: andrej.si...@gmail.com [mailto:samba-boun...@lists.samba.org] On behalf of Andrej Šimko
Sent: Friday 23 November 2012 9:11
To: samba@lists.samba.org
Subject: [Samba] Samba PDC group list empty

Dear samba users, I have a very strange problem. I have Samba PDC up and running, but only one thing is missing. I cannot see any Domain Groups at all. Here is my config:

Debian Squeeze:
ii samba 2:3.5.6~dfsg-3squeeze8 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:3.5.6~dfsg-3squeeze8 common files used by both the Samba server and client
ii samba-common-bin 2:3.5.6~dfsg-3squeeze8 common files used by both the Samba server and client
ii samba-doc 2:3.5.6~dfsg-3squeeze8 Samba documentation

/etc/samba/smb.conf

[global]
dos charset = CP852
unix charset = UTF8
display charset = UTF8
workgroup = EXAMPLE
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
syslog = 0
time server = Yes
log file = /var/log/samba/samba.log
log level = 3
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u
delete user script = /usr/sbin/smbldap-userdel %u -r %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
domain logons = Yes
os level = 10
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=example,dc=sk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=example,dc=sk
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
map hidden = Yes
map system = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0644
directory mask = 0700
browseable = No
path = /data/samba/homes

[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
read only = No
guest ok = Yes
locking = No
share modes = No

[profiles]
comment = Users profiles
path = /data/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
hide files = /desktop.ini/
browseable = No

/etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc Name Service Switch' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc:db files
netgroup: nis

/etc/ldap/ldap.conf

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 127.0.0.1
base dc=example,dc=sk
binddn cn=admin,dc=example,dc=sk
bindpw secret
bind_policy soft
pam_password exop
timelimit 15
nss_base_passwd ou=Users,dc=example,dc=sk
nss_base_shadow ou=Users,dc=example,dc=sk
nss_base_group ou=Groups,dc=example,dc=sk

net getdomainsid
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

net groupmap list
Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

The strange thing is, if I try on Win XP to search groups, I see in logs:

smbldap_search_paged: base = [dc=example,dc=sk], filter = [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024]
smbldap_search_paged: base = [dc=example,dc=sk], filter
[Samba] Samba PDC group list empty
Dear samba users, I have a very strange problem. I have Samba PDC up and running, but only one thing is missing. I cannot see any Domain Groups at all. Here is my config:

Debian Squeeze:
ii samba 2:3.5.6~dfsg-3squeeze8 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:3.5.6~dfsg-3squeeze8 common files used by both the Samba server and client
ii samba-common-bin 2:3.5.6~dfsg-3squeeze8 common files used by both the Samba server and client
ii samba-doc 2:3.5.6~dfsg-3squeeze8 Samba documentation

/etc/samba/smb.conf

[global]
dos charset = CP852
unix charset = UTF8
display charset = UTF8
workgroup = EXAMPLE
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
syslog = 0
time server = Yes
log file = /var/log/samba/samba.log
log level = 3
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u
delete user script = /usr/sbin/smbldap-userdel %u -r %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
domain logons = Yes
os level = 10
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=example,dc=sk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=example,dc=sk
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
map hidden = Yes
map system = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0644
directory mask = 0700
browseable = No
path = /data/samba/homes

[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
read only = No
guest ok = Yes
locking = No
share modes = No

[profiles]
comment = Users profiles
path = /data/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
hide files = /desktop.ini/
browseable = No

/etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc Name Service Switch' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc:db files
netgroup: nis

/etc/ldap/ldap.conf

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 127.0.0.1
base dc=example,dc=sk
binddn cn=admin,dc=example,dc=sk
bindpw secret
bind_policy soft
pam_password exop
timelimit 15
nss_base_passwd ou=Users,dc=example,dc=sk
nss_base_shadow ou=Users,dc=example,dc=sk
nss_base_group ou=Groups,dc=example,dc=sk

net getdomainsid
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

net groupmap list
Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

The strange thing is, if I try on Win XP to search groups, I see in logs:

smbldap_search_paged: base = [dc=example,dc=sk], filter = [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024]
smbldap_search_paged: base = [dc=example,dc=sk], filter = [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024]
smbldap_search_paged: base = [dc=example,dc=sk], filter = [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))],scope = [2], pagesize = [1024]

If I try to search in ldap with that filter, I
Re: [Samba] Samba PDC group list empty
On 18:32:29 wrote Andrej Šimko:

Dear samba users, I have a very strange problem. I have Samba PDC up and running, but only one thing is missing. I cannot see any Domain Groups at all.

...

net getdomainsid

SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

net groupmap list

Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) - Domain Admins
Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) - Domain Users
Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) - Domain Guests
Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) - Domain Computers
Administrators (S-1-5-32-544) - Administrators
Account Operators (S-1-5-32-548) - Account Operators
Print Operators (S-1-5-32-550) - Print Operators
Backup Operators (S-1-5-32-551) - Backup Operators
Replicators (S-1-5-32-552) - Replicators

The strange thing is, if I try on Win XP to search groups, I see in logs:

smbldap_search_paged: base = [dc=example,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024]
smbldap_search_paged: base = [dc=example,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope = [2], pagesize = [1024]
smbldap_search_paged: base = [dc=example,dc=sk], filter = [((objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-3

# net help rpc group
Usage:
net rpc group            Alias for net rpc group list global local builtin
net rpc group add        Create specified group
net rpc group delete     Delete specified group
net rpc group addmem     Add member to group
net rpc group delmem     Remove member from group
net rpc group list       List groups
net rpc group members    List group members
net rpc group rename     Rename group

# net -U root rpc group members Administrators
EUROPA\Domain Admins

view this output:

# ldapsearch -xLLL '((objectclass=sambaGroupMapping)(sambaGroupType=4) (sambaSID=S-1-5-32*))'
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
memberUid: Administrator
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators

dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users

dn: cn=guests,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 546
cn: guests
memberUid: nobody
description: Netbios Domain Guests
sambaSID: S-1-5-32-546
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-514
sambaGroupType: 4
displayName: Guests

dn: cn=AccountOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: AccountOperators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 4
displayName: Account Operators

dn: cn=PrintOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: PrintOperators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 4
displayName: Print Operators

dn: cn=BackupOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: BackupOperators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 4
displayName: Backup Operators

dn: cn=Replicators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 4
displayName: Replicators

If I try to search in ldap with that filter, I always get zero matches. I also tried to use wbinfo, wbinfo -u list all my users, wbinfo -g list is empty. If I try getent passwd and getent group I see all my users and groups. Can somebody help me with this? Thank you!

--
Regards
Harry Jede

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Windows 7 clients not joining domain with Samba PDC
Yes I searched, I tried fixes, I pulled my hair out and finally gave in.

New Windows 7 desktop trying to join a domain happily servicing XP clients from Samba 3.5.10 on Centos 6.3.

I've applied the registry fix from https://wiki.samba.org/index.php/Windows7#Windows_7_Registry_settings and rebooted, no joy. I've tried nikonz' changes from http://www.tomshardware.com/forum/75-63-windows-samba-issue with no joy.

Each time I try to have the machine join the domain, I get the following in the machine specific error log:

[2012/11/22 15:28:45.189030, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2012/11/22 15:28:45.189331, 0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

followed by the message:

The join operation was not successful. This could be because an existing computer account having the name MACHINENAME was previously created using a different set of credentials. Use a different computer name, or contact your administrator to remove any stale conflicting account. The error was: Access is denied.

How can I get Windows 7 to play nice and join in with the domain?

--
Daniel Foster
Technical Director
34SP.com
Re: [Samba] PDC and BDCs : net rpc testjoin
Thanks Gémes! I'm sorry about my ignorance, but what is a aka classic domain?

My samba version is 3.5.10-116.el6_2.
OS: Red Hat Enterprise Linux Server release 6.2 / Linux 2.6.32-131.6.1.el6.x86_64

Best regards,
Marcio Oliveira.

2012/10/23 Gémes Géza g...@kzsdabas.hu

On 2012-10-22 20:10, Marcio Oli wrote:

I think the question is simple, so anybody could help me with this? The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?

In a samba3 (aka classic domain not)

2. The net rpc testjoin command must to return OK in this case?

IF joined yes

Thanks,
Marcio Oliveira

2012/10/19 Marcio Oli marcio.oli...@gmail.com

People, I have one PDC and a BDC on the matrix side and two BDCs on the branch office. I don't know if it is a problem. Anybody could help me?

PDC
# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for domain 'DOMAIN_NAME'
net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

BDCs
# net rpc testjoin
net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED

What should I do to solve these problems?

Thanks,
--
Marcio Oliveira.
All things work together for the good of those who love God. (Rom 8,28)

--
Marcio Oliveira.
All things work together for the good of those who love God. (Rom 8,28)
Re: [Samba] PDC and BDCs : net rpc testjoin
Hi

On 23 October 2012 16:48, Marcio Oli marcio.oli...@gmail.com wrote:

Thanks Gémes! I'm sorry about my ignorance, but what is a aka classic domain?

aka classic domain now (I think Geza meant to say now instead of not) means that the type of domain that Samba3 implements is now also known as a classic domain. I hope my explanation helps :)

My samba version is 3.5.10-116.el6_2.
OS: Red Hat Enterprise Linux Server release 6.2 / Linux 2.6.32-131.6.1.el6.x86_64

Best regards,
Marcio Oliveira.

2012/10/23 Gémes Géza g...@kzsdabas.hu

On 2012-10-22 20:10, Marcio Oli wrote:

I think the question is simple, so anybody could help me with this? The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?

In a samba3 (aka classic domain not)

[...]

--
Michael Wood esiot...@gmail.com
Re: [Samba] PDC and BDCs : net rpc testjoin
Hi Marcio

On 23 October 2012 21:01, Marcio Oli marcio.oli...@gmail.com wrote:

Ok Michael, thanks. But is not clear to me yet. The samba PDCs and BDCs have obligation to be joined to domain? In other words, I need to type a manual linux command within Samba Domain Controllers (like: # net rpc join [DOMAIN] -U AdminUserofDomain).

I think Geza was saying that you do (for Samba 3), but I have not run a Samba 3 PDC/BDC before, so I am not the one to answer that question.

Regards,
Marcio.

2012/10/23 Michael Wood esiot...@gmail.com

Hi

On 23 October 2012 16:48, Marcio Oli marcio.oli...@gmail.com wrote:

Thanks Gémes! I'm sorry about my ignorance, but what is a aka classic domain?

aka classic domain now (I think Geza meant to say now instead of not) means that the type of domain that Samba3 implements is now also known as a classic domain. I hope my explanation helps :)

My samba version is 3.5.10-116.el6_2.
OS: Red Hat Enterprise Linux Server release 6.2 / Linux 2.6.32-131.6.1.el6.x86_64

Best regards,
Marcio Oliveira.

2012/10/23 Gémes Géza g...@kzsdabas.hu

On 2012-10-22 20:10, Marcio Oli wrote:

I think the question is simple, so anybody could help me with this? The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?

In a samba3 (aka classic domain not)

[...]

--
Michael Wood esiot...@gmail.com

--
Marcio Oliveira.
All things work together for the good of those who love God. (Rom 8,28)

--
Michael Wood esiot...@gmail.com
Re: [Samba] PDC and BDCs : net rpc testjoin
On 2012-10-23 23:52, Michael Wood wrote:

Hi Marcio

On 23 October 2012 21:01, Marcio Oli marcio.oli...@gmail.com wrote:

Ok Michael, thanks. But is not clear to me yet. The samba PDCs and BDCs have obligation to be joined to domain? In other words, I need to type a manual linux command within Samba Domain Controllers (like: # net rpc join [DOMAIN] -U AdminUserofDomain).

I think Geza was saying that you do (for Samba 3), but I have not run a Samba 3 PDC/BDC before, so I am not the one to answer that question.

OK

First: Thanks Michael for correcting my typo

Second: For Samba3 PDC/BDC there is no need to be joined to the domain, if you do not plan to use winbind on them (e.g. for trusted domains, or ldapsam:editposix stuff)

Hope that is clearer now.

Regards,
Marcio.

2012/10/23 Michael Wood esiot...@gmail.com

Hi

On 23 October 2012 16:48, Marcio Oli marcio.oli...@gmail.com wrote:

Thanks Gémes! I'm sorry about my ignorance, but what is a aka classic domain?

aka classic domain now (I think Geza meant to say now instead of not) means that the type of domain that Samba3 implements is now also known as a classic domain. I hope my explanation helps :)

My samba version is 3.5.10-116.el6_2.
OS: Red Hat Enterprise Linux Server release 6.2 / Linux 2.6.32-131.6.1.el6.x86_64

Best regards,
Marcio Oliveira.

2012/10/23 Gémes Géza g...@kzsdabas.hu

On 2012-10-22 20:10, Marcio Oli wrote:

I think the question is simple, so anybody could help me with this? The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?

In a samba3 (aka classic domain not)

[...]

--
Michael Wood esiot...@gmail.com

--
Marcio Oliveira.
All things work together for the good of those who love God. (Rom 8,28)

Regards
Geza Gemes
Re: [Samba] PDC and BDCs : net rpc testjoin
I think the question is simple, so anybody could help me with this? The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?
2. The net rpc testjoin command must to return OK in this case?

Thanks,
Marcio Oliveira

2012/10/19 Marcio Oli marcio.oli...@gmail.com

People, I have one PDC and a BDC on the matrix side and two BDCs on the branch office. I don't know if it is a problem. Anybody could help me?

PDC
# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for domain 'DOMAIN_NAME'
net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

BDCs
# net rpc testjoin
net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED

What should I do to solve these problems?

Thanks,
--
Marcio Oliveira.
All things work together for the good of those who love God. (Rom 8,28)

--
Marcio Oliveira.
All things work together for the good of those who love God. (Rom 8,28)
Re: [Samba] PDC and BDCs : net rpc testjoin
On 2012-10-22 20:10, Marcio Oli wrote:

I think the question is simple, so anybody could help me with this? The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?

In a samba3 (aka classic domain not)

2. The net rpc testjoin command must to return OK in this case?

IF joined yes

Thanks,
Marcio Oliveira

2012/10/19 Marcio Oli marcio.oli...@gmail.com

People, I have one PDC and a BDC on the matrix side and two BDCs on the branch office. I don't know if it is a problem. Anybody could help me?

PDC
# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for domain 'DOMAIN_NAME'
net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

BDCs
# net rpc testjoin
net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED

What should I do to solve these problems?

Thanks,
--
Marcio Oliveira.
All things work together for the good of those who love God. (Rom 8,28)
[Samba] PDC and BDCs : net rpc testjoin
People, I have one PDC and a BDC on the matrix side and two BDCs on the branch office. I don't know if it is a problem. Anybody could help me?

PDC
# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for domain 'DOMAIN_NAME'
net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

BDCs
# net rpc testjoin
net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED

What should I do to solve these problems?

Thanks,
--
Marcio Oliveira.
All things work together for the good of those who love God. (Rom 8,28)
[Samba] PDC: realm changed: authentication aborted
Hi list,

We have a network with some XP and some Windows 7 computers, we use samba 3.6.6 on debian 6.0.6 from debian-backports. It's a pdc with passdb backend = ldapsam.

In our logs there are lots of:

ARCServer slapd[1263]: SASL [conn=46778] Failure: realm changed: authentication aborted

I found out that at that time this emerges the tcpdump says:

12:59:54.656399 IP client.49551 192.168.43.202.ldap: Flags [S], seq 3802010171, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:59:54.656444 IP 192.168.43.202.ldap client.49551: Flags [S.], seq 3999710145, ack 3802010172, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
12:59:54.656831 IP client.49551 192.168.43.202.ldap: Flags [.], ack 1, win 256, length 0
12:59:54.665734 IP client.49551 192.168.43.202.ldap: Flags [P.], seq 1:351, ack 1, win 256, length 350
12:59:54.665756 IP 192.168.43.202.ldap client.49551: Flags [.], ack 351, win 108, length 0
12:59:54.677914 IP 192.168.43.202.ldap client.49551: Flags [P.], seq 1:377, ack 351, win 108, length 376
12:59:54.678040 IP 192.168.43.202.ldap client.49551: Flags [P.], seq 377:391, ack 351, win 108, length 14
12:59:54.678316 IP client.49551 192.168.43.202.ldap: Flags [.], ack 391, win 255, length 0
12:59:54.678707 IP client.49551 192.168.43.202.ldap: Flags [P.], seq 351:391, ack 391, win 255, length 40
12:59:54.679001 IP 192.168.43.202.ldap client.49551: Flags [P.], seq 391:672, ack 391, win 108, length 281
12:59:54.679619 IP client.49551 192.168.43.202.ldap: Flags [P.], seq 391:678, ack 672, win 254, length 287
12:59:54.679858 IP 192.168.43.202.ldap client.49551: Flags [P.], seq 672:758, ack 678, win 125, length 86
12:59:54.680464 IP client.49551 192.168.43.202.ldap: Flags [P.], seq 678:689, ack 758, win 253, length 11
12:59:54.680480 IP client.49551 192.168.43.202.ldap: Flags [F.], seq 689, ack 758, win 253, length 0
12:59:54.680710 IP 192.168.43.202.ldap client.49551: Flags [F.], seq 758, ack 690, win 125, length 0
12:59:54.680987 IP client.49551 192.168.43.202.ldap: Flags [.], ack 759, win 253, length 0

This happens every 15 minutes per Win7 machine. On the client wireshark says:

//client-server
0„ X c„ O x ‡ objectclass0„ + subschemaSubentry dsServiceName namingContexts defaultNamingContext schemaNamingContext configurationNamingContext rootDomainNamingContext supportedControl supportedLDAPVersion supportedLDAPPolicies supportedSASLMechanisms dnsHostName ldapServiceName serverName supportedCapabilities

//server -client
0‚ t d‚ m 0‚ g0' namingContexts1 dc=arc-aachen,dc=de0À supportedControl1« 2.16.840.1.113730.3.4.18 2.16.840.1.113730.3.4.2 1.3.6.1.4.1.4203.1.10.1 1.2.840.113556.1.4.319 1.2.826.0.1.3344810.2.3 1.3.6.1.1.13.2 1.3.6.1.1.13.1 1.3.6.1.1.120 supportedLDAPVersion1 307 supportedSASLMechanisms1 CRAM-MD5 DIGEST-MD5 NTLM0# subschemaSubentry1 cn=Subschema0e

//client-server
0„ `„ £„ DIGEST-MD5

//server-client
0‚ a‚ @SASL(0): successful result: security flags do not match required‡Änonce=cryptic1,realm=ARCServer.arc-aachen.de,qop=auth,auth-int, auth-conf,cipher=rc4-40,rc4-56,rc4,des,3des,maxbuf=65536,charset=utf-8, algorithm=md5-sess

//client-server
0„ `„ £„ DIGEST-MD5 ‚ õusername=client$,realm=arcd,nonce=cryptic1,digest-uri=ldap/ARCSERVER, cnonce=cryptic2,nc=0001,response=cryptic3,qop=auth-conf,cipher=3des, charset=utf-8

//server-client
0T aO 1 HSASL(-13): authentication failure: realm changed: authentication aborted

//client-server
0„ B

I understand that the win7 machine tries to ask the server something concerning the network, but the problem is, that the server expects a reply from client.arc-aachen.de but gets a reply from client.arcd. But why?

extracts from smb.conf:

[global]
    workgroup = ARCD
    netbios name = ARCServer
    # domain settings
    domain master = yes
    domain logons = yes
    os level = 100
    preferred master = yes
    wins support = no
    passdb backend = ldapsam
    ldap suffix = dc=arc-aachen,dc=de
    ldap admin dn = cn=samba,dc=arc-aachen,dc=de
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap idmap suffix = ou=idmaps
[...]

I know this is a slapd problem if this server wouldn't be our samba file server this problem would not emerge. Does anybody know what to do?

Thanks for your help
Sebastian
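The realm mismatch visible in the capture above can be reproduced offline. This is an added example, not part of the original message and not Samba or OpenLDAP code: a small RFC 2831 directive parser plus a check of the client's digest-response against the server's digest-challenge. The two sample strings are constructed from the values in the post, with the double quotes that the capture lost restored as an assumption; `parse_directives` and `check_response` are hypothetical names.

```python
"""Added example: check a DIGEST-MD5 response against the challenge it answers."""

# Constructed from the capture in the post. The double quotes around list and
# string values are an assumption: RFC 2831 requires them, the capture lost them.
CHALLENGE = (
    'nonce="cryptic1",realm="ARCServer.arc-aachen.de",'
    'qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",'
    'maxbuf=65536,charset=utf-8,algorithm=md5-sess'
)
RESPONSE = (
    'username="client$",realm="arcd",nonce="cryptic1",'
    'digest-uri="ldap/ARCSERVER",cnonce="cryptic2",nc=0001,'
    'response=cryptic3,qop=auth-conf,cipher=3des,charset=utf-8'
)


def parse_directives(text):
    """Parse 'key=token,key="quoted, value"' into {key: [values, ...]}."""
    out = {}
    i, n = 0, len(text)
    while i < n:
        while i < n and text[i] in ", \t\r\n":    # separators between directives
            i += 1
        if i >= n:
            break
        eq = text.find("=", i)
        if eq == -1:
            raise ValueError("directive without '=' at offset %d" % i)
        key = text[i:eq].strip().lower()
        i = eq + 1
        if i < n and text[i] == '"':              # quoted-string, may hold commas
            i += 1
            buf = []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n:  # backslash escapes next char
                    i += 1
                buf.append(text[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted string for %r" % key)
            i += 1                                # step over the closing quote
            value = "".join(buf)
        else:                                     # bare token ends at next comma
            end = text.find(",", i)
            end = n if end == -1 else end
            value = text[i:end].strip()
            i = end
        out.setdefault(key, []).append(value)     # realm may repeat in a challenge
    return out


def _one(directives, key, default=None):
    values = directives.get(key)
    return values[0] if values else default


def _list(directives, key, default):
    raw = _one(directives, key)
    return [v.strip() for v in raw.split(",")] if raw else list(default)


def check_response(challenge, response):
    """Return [(directive, value_sent, values_offered)] for every mismatch."""
    ch, rs = parse_directives(challenge), parse_directives(response)
    problems = []

    realms = ch.get("realm", [])
    realm = _one(rs, "realm", "")
    if realms and realm not in realms:            # exact comparison (assumption)
        problems.append(("realm", realm, realms))

    nonce = _one(rs, "nonce")
    if nonce != _one(ch, "nonce"):
        problems.append(("nonce", nonce, ch.get("nonce", [])))

    qops = _list(ch, "qop", ["auth"])             # RFC 2831 default when absent
    qop = _one(rs, "qop", "auth")
    if qop not in qops:
        problems.append(("qop", qop, qops))

    if qop == "auth-conf":                        # cipher only applies to auth-conf
        ciphers = _list(ch, "cipher", [])
        cipher = _one(rs, "cipher")
        if cipher not in ciphers:
            problems.append(("cipher", cipher, ciphers))
    return problems


if __name__ == "__main__":
    for name, sent, offered in check_response(CHALLENGE, RESPONSE):
        print("%s: client sent %r, server offered %r" % (name, sent, offered))
```

On the sample pair the realm is the only directive that disagrees: nonce, qop and cipher all match what the server offered.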
[Samba] failed to get machine password for account samba pdc + ldap
I have the next problem: when a machine is already on in my domain, after a few days these messages begin in /var/log/log.

[2012/10/04 09:51:51.004275, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU1$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.741838, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.741883, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.744344, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.744371, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU333$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.747119, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.747150, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU4$: NT_STATUS_ACCESS_DENIED

I have the same error with the other PCs in my domain. If someone has a solution??? Thanks

The strange thing is that the machines are on the domain in the LDAP; when you query the active directory it returns the PC information.
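For triaging a log like the one quoted above, here is an added example (not from the original post and not Samba code) that groups Samba log lines into records and counts netlogon machine-account failures per account. The sample is constructed from the first five entries in the post, laid out as a header line followed by an indented message line, which is an assumption about the original layout; `parse_records` and `summarize` are hypothetical names.

```python
"""Added example: tally netlogon machine-account failures in a Samba log."""
import re

# Constructed sample: the first five entries quoted in the post, written as
# header line + indented message line (the layout is an assumption).
SAMPLE_LOG = """\
[2012/10/04 09:51:51.004275, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU1$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.741838, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.741883, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.744344, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.744371, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account PCU333$: NT_STATUS_ACCESS_DENIED
"""

# "[date time.usec, level] source_file:line(function)"
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)\s*$"
)
FAILED = re.compile(
    r"failed to get machine password for account (\S+): (NT_STATUS_\w+)"
)
NO_ACCOUNT = re.compile(r"get_md4pw: Workstation (\S+): no account in domain")


def parse_records(text):
    """Attach each message line to the header line that precedes it."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {
                "time": m.group(1),
                "level": int(m.group(2)),
                "source": "%s:%s" % (m.group(3), m.group(4)),
                "function": m.group(5),
                "message": "",
            }
            records.append(current)
        elif current is not None and line.strip():
            # Continuation line: belongs to the most recent header.
            current["message"] = (current["message"] + " " + line.strip()).strip()
    return records


def summarize(text):
    """Return {account: {count, first, last, reasons}} for the two failure types."""
    summary = {}
    for rec in parse_records(text):
        m = FAILED.search(rec["message"])
        if m:
            account, reason = m.group(1), m.group(2)
        else:
            m = NO_ACCOUNT.search(rec["message"])
            if not m:
                continue                      # unrelated log entry
            account, reason = m.group(1), "no account in domain"
        entry = summary.setdefault(
            account,
            {"count": 0, "first": rec["time"], "last": rec["time"], "reasons": set()},
        )
        entry["count"] += 1
        entry["last"] = rec["time"]
        entry["reasons"].add(reason)
    return summary


if __name__ == "__main__":
    for account, info in sorted(summarize(SAMPLE_LOG).items()):
        print("%-16s %d  %s .. %s  %s" % (
            account, info["count"], info["first"], info["last"],
            ", ".join(sorted(info["reasons"]))))
```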
Re: [Samba] Samba PDC: Admin tools?
I use apache directory studio for LDAP management. It is not samba specific but it is easy enough to use existing user, group or machine objects as templates for new ones. It runs on Windows and Linux (and maybe on Mac.)

On 08/25/12 16:39, John Drescher wrote:

On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno ports...@gmail.com wrote:

Guys. I have use smbldap-tools to handle my accounts for my PDC with samba+openldap. Now, I ask here because a lot of people have PDC running on their networks, what tools do u use to manage your openldap db for samba: users, machines, groups? Working with Centos 6.x. Any input will be appreciated, thanks!!!

I use ldap account manager to manage my users / machines / group accounts.

John
Re: [Samba] Samba PDC: Admin tools?
On 30/08/12 18:57, Gaiseric Vandal wrote:

I use apache directory studio for LDAP management. It is not samba specific but it is easy enough to use existing user, group or machine objects as templates for new ones. It runs on Windows and Linux (and maybe on Mac.)

On 08/25/12 16:39, John Drescher wrote:

On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno ports...@gmail.com wrote:

Guys. I have use smbldap-tools to handle my accounts for my PDC with samba+openldap. Now, I ask here because a lot of people have PDC running on their networks, what tools do u use to manage your openldap db for samba: users, machines, groups? Working with Centos 6.x. Any input will be appreciated, thanks!!!

I use ldap account manager to manage my users / machines / group accounts.

John

Hi

openSUSE's yast has a really nice and little known frontend to LDAP which handles samba objects too. You can point and click your way through adding/deleting samba specific users and groups. It also has an LDAP browser similar to phpldapadmin. I'm not sure if Yast will fire up on Centos but may be worth a look.

Cheers,
Steve
[Samba] Samba PDC: Admin tools?
Guys.

I have use smbldap-tools to handle my accounts for my PDC with samba+openldap. Now, I ask here because a lot of people have PDC running on their networks, what tools do u use to manage your openldap db for samba: users, machines, groups? Working with Centos 6.x. Any input will be appreciated, thanks!!!

--
LIving the dream...
Re: [Samba] Samba PDC: Admin tools?
On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno ports...@gmail.com wrote:

Guys. I have use smbldap-tools to handle my accounts for my PDC with samba+openldap. Now, I ask here because a lot of people have PDC running on their networks, what tools do u use to manage your openldap db for samba: users, machines, groups? Working with Centos 6.x. Any input will be appreciated, thanks!!!

I use ldap account manager to manage my users / machines / group accounts.

John
Re: [Samba] Problems connecting win7 client to new Samba PDC
The Domain Users group should have automatically been added to the local users group when you joined the domain.

When I upgraded from Samba 3.0.x to 3.5.x I had an error in the group mappings on one of the DC's that caused problems for a while. I also had to explicitly add a mapping for the nobody user and group.

I think I may have explicitly granted the domain administrator the privilege to add machines to the domain:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html#rp-privs

But I think I only had to do that because the administrator was not recognized as being a domain admin (or local admin) because the group mapping was broken.

If you add a network user to the local admin group, and login works, then there is definitely a local security issue. My guess is that the OS creates the new user local profile directory but then has problems assigning file permissions/ownership for the network user.

On XP, if you right click My Computer and look at profiles, you could see if the profile for a user was local, roaming or temporary. Win 7 should have the same option.

On 08/09/12 18:03, Brandon wrote:

Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?

An update to this: I was able to add domain users after a reboot. So I've added MYWORKGROUP\myadmin to my Users group on the local machine. I was also able to search my domain for users, and came up with a list of my users, a nobody user, and a Domain Admins group. I've added MYWORKGROUP\myadmin (user) and MYWORKGROUP\Domain Admins (group) to the User group on the local machine. I am still getting the same errors when logging on though.

It seems to me like it's trying to pull a roaming profile when I have roaming profiles disabled (or I thought I did), and/or windows doesn't actually know the netbios name, based on the series of these events:

Windows cannot copy file \\?\C:\Users\Default\Documents to location \\?\C:\Users\TEMP.MYWORKGROUP\Documents. This error may be caused by network problems or insufficient security rights.
Re: [Samba] Problems connecting win7 client to new Samba PDC
Here's some more information on my problem:

smb.conf:

--- begin smb.conf ---
[global]
    workgroup = MYWORKGROUP
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    add machine script = /usr/sbin/useradd -g machines -c %u machine account -d /var/lib/samba -s /bin/false %u
    logon script = logon.cmd
    logon path =
    logon home =
    domain logons = Yes
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0700
    directory mask = 0700
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /srv/samba/netlogon
    guest ok = Yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    print ok = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
--- end smb.conf ---

Here's the pdbedit -Lv spitout for my user:

--- begin output---
Unix username: myadmin
NT username:
Account Flags: [U ]
User SID: S-1-5-21-2762049607-2166809996-183419993-1000
Primary Group SID: S-1-5-21-2762049607-2166809996-183419993-513
Full Name:
Home Directory:
HomeDir Drive:
Logon Script: logon.cmd
Profile Path:
Domain: MYWORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Wed, 08 Aug 2012 17:54:50 EDT
Password can change: Wed, 08 Aug 2012 17:54:50 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FF
--- end output ---
Re: [Samba] Problems connecting win7 client to new Samba PDC
did you make the appropriate registry changes on Win 7 as per http://wiki.samba.org/index.php/Windows7

On 08/09/12 09:28, Brandon wrote:
Here's some more information on my problem: [...]
Re: [Samba] Problems connecting win7 client to new Samba PDC
Have you tried adding a machine account for your CLIENTPC i.e.

# pdbedit -a -m -u CLIENTPC

This will create the CLIENTPC$ account it was squawking about. In my experience, the machine needs a Samba account too.

Cheers,
Andrew Mark | Development Analyst | www.aimsystems.ca
local: 519-837-1072 | fax: 519-837-4063 | int'l 800-465-2961
12-350 Speedvale Ave. W. | Guelph, ON | N1H 7M7 | Canada

On 12-08-09 09:28 AM, Brandon wrote:
Here's some more information on my problem: [...]
Re: [Samba] Problems connecting win7 client to new Samba PDC
> did you make the appropriate registry changes on Win 7 as per
> http://wiki.samba.org/index.php/Windows7

Yes, I've downloaded the 3.6.3 script and ran it on the client, as well as manually checked that the settings were only the two described in the wiki article.

> Have you tried adding a machine account for your CLIENTPC i.e.
> # pdbedit -a -m -u CLIENTPC

Yes, I let the account be auto-generated when connecting to the domain. I should have specified that there are other users I didn't include in the print out. Here is the machine account from pdbedit (note that I changed the logon script in smb.conf from .cmd to .bat a few minutes ago, and the update can be seen here):

---
Unix username: CLIENTPC$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-2762049607-2166809996-183419993-1001
Primary Group SID: S-1-5-21-2762049607-2166809996-183419993-513
Full Name: CLIENTPC$
Home Directory:
HomeDir Drive:
Logon Script: logon.bat
Profile Path:
Domain: MYWORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Wed, 08 Aug 2012 13:44:36 EDT
Password can change: Wed, 08 Aug 2012 13:44:36 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FF
---

Also, I've got a bit more information from the log.CLIENTPC:

[2012/08/09 10:14:56.686577, 0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2012/08/09 10:14:56.794994, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENTPC machine account CLIENTPC$

There are also a number of windows events:

--- begin windows events paste ---
The winlogon notification subscriber Profiles failed a critical notification event.

Windows cannot copy file C:\Users\Default\NTUSER.DAT to location C:\Users\myadmin\NTUSER.DAT. This error may be caused by network problems or insufficient security rights.

Windows cannot copy file \\?\C:\Users\Default\Videos to location \\?\C:\Users\myadmin\Videos. This error may be caused by network problems or insufficient security rights.

Windows cannot copy file \\?\C:\Users\Default\Saved Games to location \\?\C:\Users\myadmin\Saved Games. This error may be caused by network problems or insufficient security rights.

Note: To keep e-mail shorter I won't paste them all, but the last events repeat with a bunch of similar directories

There are too many profile copy errors. Refer to the previous events for details. Windows will not log any additional copy errors for this copy process.

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Windows cannot copy file C:\Users\Default\NTUSER.DAT to location C:\Users\TEMP.MYWORKGROUP\NTUSER.DAT. This error may be caused by network problems or insufficient security rights.

Note: This last event again repeats with a number of similar directories

There are too many profile copy errors. Refer to the previous events for details. Windows will not log any additional copy errors for this copy process.

Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.

The winlogon notification subscriber Sens failed a notification event.
--- end windows events paste ---
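The smbd log entries quoted in the message above can be triaged mechanically. The following is an added example, not part of the original thread: it parses Samba 3.x log entries (header line plus indented message, or both flattened onto one line as in a pasted e-mail) and counts netlogon rejections per machine account. The sample log is constructed from the lines quoted in this thread plus one made-up unrelated entry; all function names are hypothetical.

```python
import re
from collections import Counter

# Header of a Samba 3.x log entry:
#   [YYYY/MM/DD HH:MM:SS.ffffff,  level] source.c:line(function)
# The message normally follows on indented lines; when pasted into mail it is
# often flattened onto the header line, so the header is matched as a prefix.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^\s:]+):(?P<line>\d+)\((?P<func>[^)]+)\)"
)

# Message logged when the netlogon credential check for a machine account fails.
REJECT = re.compile(
    r"netlogon_creds_server_check failed\.\s+Rejecting auth request from client\s+"
    r"(?P<client>\S+)\s+machine account\s+(?P<account>\S+)"
)

# Message logged when a client binds with schannel before ServerAuthenticate succeeded.
SCHANNEL_MSG = "Attempt to bind using schannel without successful serverauth2"

# Constructed sample: three entries quoted in the thread and one invented entry.
SAMPLE_LOG = """\
[2012/08/08 17:08:39.747592,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENTPC machine account CLIENTPC$
[2012/08/09 10:14:56.686577,  0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2012/08/09 10:14:56.794994,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client CLIENTPC machine account CLIENTPC$
[2012/08/09 10:15:01.000000,  3] example/constructed.c:1(constructed_entry)
  constructed unrelated entry
"""


def parse_entries(text):
    """Split a log into entries, joining continuation lines into one message."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = m.groupdict()
            current["level"] = int(current["level"])
            current["line"] = int(current["line"])
            current["msg"] = raw[m.end():].strip()
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries


def netlogon_rejections(entries):
    """Return (timestamp, client, machine account) for each rejected auth request."""
    hits = []
    for entry in entries:
        m = REJECT.search(entry["msg"])
        if m:
            hits.append((entry["ts"], m.group("client"), m.group("account")))
    return hits


def triage(text):
    """Summarise machine-account authentication failures found in a log."""
    entries = parse_entries(text)
    rejects = netlogon_rejections(entries)
    return {
        "entries": len(entries),
        "rejected_by_account": Counter(account for _, _, account in rejects),
        "schannel_without_auth": sum(SCHANNEL_MSG in e["msg"] for e in entries),
        "first_rejection": rejects[0][0] if rejects else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A machine account that shows up repeatedly in `rejected_by_account` is the one whose stored credentials or account mapping should be checked on the PDC.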
Re: [Samba] Problems connecting win7 client to new Samba PDC
that looks OK. You should not need a login script defined for a computer account.

Are you able to login as the Domain Administrator?

Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?

On 08/09/12 10:37, Brandon wrote:
[...]
Re: [Samba] Problems connecting win7 client to new Samba PDC
On 8/9/2012 10:58 AM, Gaiseric Vandal wrote:
> that looks OK. You should not need a login script defined for a computer account.

This must have been generated from smb.conf, I didn't actually change anything.

> Are you able to login as the Domain Administrator?

No. myadmin is supposed to be the domain administrator. I followed this guide for setting up domain admins (even though I'm running 12.04): https://help.ubuntu.com/11.04/serverguide/samba-dc.html

# net rpc rights list -U myadmin
Enter myadmin's password:
SeMachineAccountPrivilege  Add machines to domain
SeTakeOwnershipPrivilege  Take ownership of files or other objects
SeBackupPrivilege  Back up files and directories
SeRestorePrivilege  Restore files and directories
SeRemoteShutdownPrivilege  Force shutdown from a remote system
SePrintOperatorPrivilege  Manage printers
SeAddUsersPrivilege  Add users and groups to the domain
SeDiskOperatorPrivilege  Manage disk shares
SeSecurityPrivilege  System security

Is this correct?

> Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?

When I try to add MYWORKGROUP\myadmin to Users group from the local admin I get this:

The following error occurred while using the user name and password you entered: Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

As far as I know, I don't have any other connections going with the server (except SSH).
Re: [Samba] Problems connecting win7 client to new Samba PDC
> Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?

An update to this: I was able to add domain users after a reboot. So I've added MYWORKGROUP\myadmin to my Users group on the local machine. I was also able to search my domain for users, and came up with a list of my users, a nobody user, and a Domain Admins group. I've added MYWORKGROUP\myadmin (user) and MYWORKGROUP\Domain Admins (group) to the User group on the local machine.

I am still getting the same errors when logging on though. It seems to me like it's trying to pull a roaming profile when I have roaming profiles disabled (or I thought I did), and/or windows doesn't actually know the netbios name, based on the series of these events:

Windows cannot copy file \\?\C:\Users\Default\Documents to location \\?\C:\Users\TEMP.MYWORKGROUP\Documents. This error may be caused by network problems or insufficient security rights.
[Samba] Problems connecting win7 client to new Samba PDC
Hey, I'm running the latest Ubuntu 12.04 Samba 3.6.3, I just want a simple PDC for authentication. Client is win7 32 bit with latest updates. The client can join the domain, but I can't log in with any users, it gives me

The User Profile Service service failed the logon. User profile cannot be loaded.

Looking at the log, I've found this:

[2012/08/08 17:08:39.747592, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENTPC machine account CLIENTPC$

Any ideas on what the problem is?
Re: [Samba] Samba PDC and Local Group Policies on XP
What did you use kixtart,poledit...? It seems that you did not set the rights on your netlogon the right way!?

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of benedikt.wies...@bw-systems.net
Sent: Monday, 30 July 2012 18:39
To: samba@lists.samba.org
Subject: [Samba] Samba PDC and Local Group Policies on XP

Hi *,

I have reinstalled a server with the newest version of samba and configured it as PDC based on this tutorial (http://www.nicht-blau.de/2010/12/28/howto-samba-3-5-6-pdc-primary-domain-controller-und-windows-7-2/). I then copied the old profiles folder onto the new server and set the permissions.

But however before the reinstallation every Domainuser in the Domain accepted the Group Policies I set up at every Win XP computer (i.e. Setting a specific Wallpaper, Setting a specific design, deny access to system controls) and now they are consequently ignored.

Example:

I log on as Administrator (locally):
- I have no access to system controls
- I have my Wallpaper
- I have my Design
(Group policies are working)

I log on as Domainuser:
- I have full rights, I can do everything
- I have a blue Wallpaper
- Nothing happened to the design

What the hell is going wrong? Why does a Domainuser have more rights than the administrator and why do the group policies do nothing?

I hope somebody can help me.
[Samba] Unable to join Samba PDC with version 3.6.5 (works with 3.3.15)
Hello Folks,

I am unable to join any linux Samba clients to my Samba-3.6.5 PDC with clients running 3.4.x, 3.5.x, or 3.6.x versions. However, 3.3.x works fine and so do my Windows clients.

When I do a 'net rpc join' I get a 'successfuly joined domain' message with say 3.6.5, but I am unable to authenticate on the domain thereafter.

Any clues? I can send the configurations (smb.conf) of the server and client if it can help solve this mystery. I suspect I'm just missing a configuration directive on the client side... but I can't seem to find any reference in the documentation.

On the Samba-3.6.5 PDC, we're using a LDAP backend.

Thanks in advance!

--
Luc Lalonde, analyst
Département de génie informatique: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
Re: [Samba] PDC How to change workstation setting?
Will be easy, but I don't want to install something that I normally don't use to just change 1 field. But appreciated your input thanks!!!

On Mon, May 28, 2012 at 1:37 PM, John Drescher dresche...@gmail.com wrote:
> > Got it, I will give a try, thanks!!!
> One easy way to do that is Ldap account manager. http://www.ldap-account-manager.org/lamcms/changelog
> John

--
LIving the dream...
Re: [Samba] PDC How to change workstation setting?
On Sun, 2012-05-27 at 21:15 -0700, Alberto Moreno wrote:
> Maybe I wasn't clear. In a NT4 domain, u have a option to setup on which machines a user can login, this way u can know that a X user can only use his own computer. Once u migrate NT4 to SAMBA-LDAP, that setting goes to Workstation field.
> [...]
> As u can see the field Workstations it means that this user can only login on this machine on this domain. How can I change that field?

If you are using LDAP, the easy option might be to change it directly in LDAP - just remove the ldap attribute.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] PDC How to change workstation setting?
On Mon, May 28, 2012 at 2:07 AM, Andrew Bartlett abart...@samba.org wrote:
> On Sun, 2012-05-27 at 21:15 -0700, Alberto Moreno wrote:
> > Maybe I wasn't clear. [...] How can I change that field?
> If you are using LDAP, the easy option might be to change it directly in LDAP - just remove the ldap attribute.
> Andrew Bartlett

Got it, I will give a try, thanks!!!

--
LIving the dream...
Re: [Samba] PDC How to change workstation setting?
> Got it, I will give a try, thanks!!!

One easy way to do that is Ldap account manager. http://www.ldap-account-manager.org/lamcms/changelog

John
[Samba] PDC How to change workstation setting?
Hi people. I migrate some PDC NT4 to samba 3.3.x, some users have info the Workstations parameter, I need to remove that info, because they cannot login on any other machine, I have read the pdbedit, smbldap-usermod but won't where I can do that. Any info will be appreciated, thanks!!!

--
LIving the dream...
Re: [Samba] PDC How to change workstation setting?
Maybe I wasn't clear. In a NT4 domain, u have a option to setup on which machines a user can login, this way u can know that a X user can only use his own computer. Once u migrate NT4 to SAMBA-LDAP, that setting goes to Workstation field. check this:

pdbedit -L -v -u user1
smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=X))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: itello
Unix username: user1
NT username: user1
Account Flags: [U ]
User SID: XXX
Primary Group SID: XXX
Full Name: One User
Home Directory:
HomeDir Drive: O:
Logon Script: /sbin/nologin
Profile Path:
Domain: XXX
Account desc: kITCHEN
Workstations: MACHINE-X =
Munged dial:
Logon time: Tue, 04 Jan 2011 07:08:28 PST
Logoff time: never
Kickoff time: never
Password last set: Sat, 26 May 2012 13:07:23 PDT
Password can change: Sat, 26 May 2012 13:07:23 PDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FF

As u can see the field Workstations it means that this user can only login on this machine on this domain. How can I change that field?

Thanks!!!

On Sun, May 27, 2012 at 4:41 PM, Dewayne Geraghty dewayne.gerag...@heuristicsystems.com.au wrote:
> If you're asking where on the PC, it's in Control Panel- System - Computer Name - Change button. This will help you to connect to the samba domain; but there is a lot more that you'll need. Also I'd recommend going to the samba 3.6 series, as there are configuration changes that you'll need to make from samba 3.3 to the more recent stream. Unfortunately you'll need to be clearer on what your problem is.
> Regards, Dewayne.

--
LIving the dream...
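After a migration like the one described above, it helps to list every account that still carries a Workstations restriction. The following is an added example, not part of the original thread: it parses `pdbedit -L -v` output and reports user accounts limited to named workstations, plus the machine accounts it finds. The sample output is constructed, the function names are hypothetical, and treating the field as a comma-separated list is an assumption.

```python
import re

# "Key: value" lines as printed by pdbedit -L -v. Keys consist of letters and
# spaces only, which skips LDAP debug lines such as "smbldap_open_connection: ..."
# and the dashed separator between accounts.
FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*)$")

# Constructed sample in the layout shown in the thread (debug lines included).
SAMPLE = """\
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: user1
Unix username:        user1
NT username:          user1
Account Flags:        [U          ]
HomeDir Drive:        O:
Workstations:         MACHINE-X, MACHINE-Y
Password last set:    Sat, 26 May 2012 13:07:23 PDT
---------------
Unix username:        myadmin
Account Flags:        [U          ]
Workstations:
---------------
Unix username:        CLIENTPC$
Account Flags:        [W          ]
Workstations:
"""


def parse_pdbedit(text):
    """Return one dict per account; a new record starts at 'Unix username'."""
    records, current = [], None
    for raw in text.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "Unix username":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def account_flags(record):
    """Turn '[U          ]' into {'U'}."""
    return set(record.get("Account Flags", "").strip("[]").replace(" ", ""))


def workstation_restrictions(records):
    """Map user accounts (flag U) to the workstations they are limited to."""
    restricted = {}
    for record in records:
        # Assumption: several workstations are separated by commas.
        names = [w.strip() for w in record.get("Workstations", "").split(",") if w.strip()]
        if names and "U" in account_flags(record):
            restricted[record["Unix username"]] = names
    return restricted


def machine_accounts(records):
    """List workstation trust accounts (flag W)."""
    return [r["Unix username"] for r in records if "W" in account_flags(r)]


if __name__ == "__main__":
    accounts = parse_pdbedit(SAMPLE)
    for user, hosts in workstation_restrictions(accounts).items():
        print(f"{user}: logon limited to {', '.join(hosts)}")
    print("machine accounts:", ", ".join(machine_accounts(accounts)))
```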
[Samba] Problem joining to a Samba PDC (Probably caused by unix charset)
Hello,

trying to join a Windows 7 64-Bit PC to a Samba PDC (3.6.5) fails with message Domain not found or no connection possible. After some testing I found that the problem was caused by the Samba-parameter unix charset = ISO8859-1. When I start the nmbd with same config-file just without the unix charset the PC can join the domain (smbd runs with org. config-file. Samba runs on CentOS6 (en_US.UTF-8)).

Is this the expected behavior? (At the moment I need ISO8859-1 because the files were saved with this charset).

Best regards,
Ralf
Re: [Samba] Problem joining to a Samba PDC (Probably caused by unix charset)
On Fri, May 25, 2012 at 12:56:50PM +0200, Ralf Aumueller wrote:
> Hello, trying to join a Windows 7 64-Bit PC to a Samba PDC (3.6.5) fails with message Domain not found or no connection possible. After some testing I found that the problem was caused by the Samba-parameter unix charset = ISO8859-1. When I start the nmbd with same config-file just without the unix charset the PC can join the domain (smbd runs with org. config-file. Samba runs on CentOS6 (en_US.UTF-8)).
> Is this the expected behavior? (At the moment I need ISO8859-1 because the files were saved with this charset).

We think this is bug #8373

https://bugzilla.samba.org/show_bug.cgi?id=8373

for which we have a patch currently undergoing test. With more testing it'll be fixed in the next 3.6.x release.

Jeremy.
[Samba] samba PDC + ldap: segfault in uid_to_sid/_nss_ldap_getpwuid_r
All,

on a fairly large (73 TB XFS) file server running CentOS 6.2, samba 3.5.10-116.el6_2 I see pretty frequently backtraces like this one:

May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793851, 0] lib/fault.c:46(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]: ===
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793921, 0] lib/fault.c:47(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]: INTERNAL ERROR: Signal 11 in pid 11709 (3.5.10-116.el6_2.slrdbg2)
May 11 15:54:19 vrfs001 smbd[11709]: Please read the Trouble-Shooting section of the Samba3-HOWTO
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793947, 0] lib/fault.c:49(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]:
May 11 15:54:19 vrfs001 smbd[11709]: From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793982, 0] lib/fault.c:50(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]: ===
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.794010, 0] lib/util.c:1490(smb_panic)
May 11 15:54:19 vrfs001 smbd[11709]: PANIC (pid 11709): internal error
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.826895, 0] lib/util.c:1594(log_stack_trace)
May 11 15:54:19 vrfs001 smbd[11709]: BACKTRACE: 29 stack frames:
May 11 15:54:19 vrfs001 smbd[11709]:#0 smbd(log_stack_trace+0x1a) [0x7fae111cc8aa]
May 11 15:54:19 vrfs001 smbd[11709]:#1 smbd(smb_panic+0x1f) [0x7fae111cc96f]
May 11 15:54:19 vrfs001 smbd[11709]:#2 smbd(+0x36b26d) [0x7fae111bc26d]
May 11 15:54:19 vrfs001 smbd[11709]:#3 /lib64/libc.so.6(+0x32900) [0x7fae0e030900]
May 11 15:54:19 vrfs001 smbd[11709]:#4 /lib64/libnss_ldap.so.2(_nss_ldap_getpwuid_r+0x15d) [0x7fae03586a6d]
May 11 15:54:19 vrfs001 smbd[11709]:#5 /lib64/libc.so.6(getpwuid_r+0xdd) [0x7fae0e0a84ed]
May 11 15:54:19 vrfs001 smbd[11709]:#6 /lib64/libc.so.6(getpwuid+0x6f) [0x7fae0e0a7ddf]
May 11 15:54:19 vrfs001 smbd[11709]:#7 smbd(+0x31bd5d) [0x7fae1116cd5d]
May 11 15:54:19 vrfs001 smbd[11709]:#8 smbd(+0x32174f) [0x7fae1117274f]
May 11 15:54:19 vrfs001 smbd[11709]:#9 smbd(uid_to_sid+0x10b) [0x7fae1117291b]
May 11 15:54:19 vrfs001 smbd[11709]:#10 smbd(create_file_sids+0x1f) [0x7fae10facd0f]
May 11 15:54:19 vrfs001 smbd[11709]:#11 smbd(+0x164689) [0x7fae10fb5689]
May 11 15:54:19 vrfs001 smbd[11709]:#12 smbd(posix_get_nt_acl+0x10b) [0x7fae10fb63fb]
May 11 15:54:19 vrfs001 smbd[11709]:#13 smbd(+0x1872bd) [0x7fae10fd82bd]
May 11 15:54:19 vrfs001 smbd[11709]:#14 smbd(smb_vfs_call_get_nt_acl+0x2d) [0x7fae10fa7b9d]
May 11 15:54:19 vrfs001 smbd[11709]:#15 smbd(can_access_file_acl+0x6f) [0x7fae10fc7d1f]
May 11 15:54:19 vrfs001 smbd[11709]:#16 smbd(reply_ntcreate_and_X+0xf25) [0x7fae10f69a65]
May 11 15:54:19 vrfs001 smbd[11709]:#17 smbd(+0x1690f5) [0x7fae10fba0f5]
May 11 15:54:19 vrfs001 smbd[11709]:#18 smbd(+0x169497) [0x7fae10fba497]
May 11 15:54:19 vrfs001 smbd[11709]:#19 smbd(+0x1699f8) [0x7fae10fba9f8]
May 11 15:54:19 vrfs001 smbd[11709]:#20 smbd(run_events+0x22b) [0x7fae111dcbbb]
May 11 15:54:19 vrfs001 smbd[11709]:#21 smbd(smbd_process+0x82b) [0x7fae10fb966b]
May 11 15:54:19 vrfs001 smbd[11709]:#22 smbd(+0x678fce) [0x7fae114c9fce]
May 11 15:54:19 vrfs001 smbd[11709]:#23 smbd(run_events+0x22b) [0x7fae111dcbbb]
May 11 15:54:19 vrfs001 smbd[11709]:#24 smbd(+0x38bee1) [0x7fae111dcee1]
May 11 15:54:19 vrfs001 smbd[11709]:#25 smbd(_tevent_loop_once+0x90) [0x7fae111dd2c0]
May 11 15:54:19 vrfs001 smbd[11709]:#26 smbd(main+0xb7b) [0x7fae114cad2b]
May 11 15:54:19 vrfs001 smbd[11709]:#27 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7fae0e01ccdd]
May 11 15:54:19 vrfs001 smbd[11709]:#28 smbd(+0xea849) [0x7fae10f3b849]
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.827188, 0] lib/fault.c:326(dump_core)
May 11 15:54:19 vrfs001 smbd[11709]: dumping core in /var/log/samba/cores/smbd

pwuid information is stored in OpenLDAP on this machine - could this be related?

anyone ever seen this - any clue how to debug this further?

thanks,
guenter

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
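A triage sketch for panic records like the one quoted above, added here as an example (not code from the Samba project or from the poster): it groups smbd backtrace lines by pid and reports the frame that was running when the signal arrived, which in this log is inside libnss_ldap reached through getpwuid. The function names and the trampoline heuristic in `faulting_frame` are assumptions of this example.

```python
import re
from collections import Counter, defaultdict, namedtuple

# Excerpt of the syslog lines quoted in the message above (frames #0-#10).
SAMPLE_LOG = """\
May 11 15:54:19 vrfs001 smbd[11709]: INTERNAL ERROR: Signal 11 in pid 11709 (3.5.10-116.el6_2.slrdbg2)
May 11 15:54:19 vrfs001 smbd[11709]: BACKTRACE: 29 stack frames:
May 11 15:54:19 vrfs001 smbd[11709]:#0 smbd(log_stack_trace+0x1a) [0x7fae111cc8aa]
May 11 15:54:19 vrfs001 smbd[11709]:#1 smbd(smb_panic+0x1f) [0x7fae111cc96f]
May 11 15:54:19 vrfs001 smbd[11709]:#2 smbd(+0x36b26d) [0x7fae111bc26d]
May 11 15:54:19 vrfs001 smbd[11709]:#3 /lib64/libc.so.6(+0x32900) [0x7fae0e030900]
May 11 15:54:19 vrfs001 smbd[11709]:#4 /lib64/libnss_ldap.so.2(_nss_ldap_getpwuid_r+0x15d) [0x7fae03586a6d]
May 11 15:54:19 vrfs001 smbd[11709]:#5 /lib64/libc.so.6(getpwuid_r+0xdd) [0x7fae0e0a84ed]
May 11 15:54:19 vrfs001 smbd[11709]:#6 /lib64/libc.so.6(getpwuid+0x6f) [0x7fae0e0a7ddf]
May 11 15:54:19 vrfs001 smbd[11709]:#7 smbd(+0x31bd5d) [0x7fae1116cd5d]
May 11 15:54:19 vrfs001 smbd[11709]:#8 smbd(+0x32174f) [0x7fae1117274f]
May 11 15:54:19 vrfs001 smbd[11709]:#9 smbd(uid_to_sid+0x10b) [0x7fae1117291b]
May 11 15:54:19 vrfs001 smbd[11709]:#10 smbd(create_file_sids+0x1f) [0x7fae10facd0f]
"""

Frame = namedtuple("Frame", "index module symbol offset address")

PID_RE = re.compile(r"smbd\[(\d+)\]:")
SIGNAL_RE = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid \d+ \(([^)]+)\)")
# "#4 /lib64/libnss_ldap.so.2(_nss_ldap_getpwuid_r+0x15d) [0x7fae03586a6d]"
FRAME_RE = re.compile(
    r"#(\d+)\s+(\S+?)\(([\w.@]*)\+0x([0-9a-f]+)\)\s+\[0x([0-9a-f]+)\]")
NSS_RE = re.compile(r"(^|/)libnss_[^/]+\.so")


def parse_panics(log_text):
    """Group panic records by the pid in the syslog tag."""
    panics = defaultdict(lambda: {"signal": None, "version": None, "frames": []})
    for line in log_text.splitlines():
        tag = PID_RE.search(line)
        if not tag:
            continue
        rec = panics[int(tag.group(1))]
        sig = SIGNAL_RE.search(line)
        if sig:
            rec["signal"], rec["version"] = int(sig.group(1)), sig.group(2)
        frame = FRAME_RE.search(line)
        if frame:
            rec["frames"].append(Frame(int(frame.group(1)), frame.group(2),
                                       frame.group(3) or None,
                                       int(frame.group(4), 16),
                                       int(frame.group(5), 16)))
    # Ordinary smbd log lines create empty records; keep real backtraces only.
    return {pid: rec for pid, rec in panics.items() if rec["frames"]}


def faulting_frame(frames):
    """Frame that was executing when the signal was delivered.

    Assumption of this example: the handler's own frames are on top of the
    stack and end with an unsymbolised libc frame (the signal-return
    trampoline), so the frame after it is the interrupted code.
    """
    for pos, frame in enumerate(frames):
        if "libc.so" in frame.module and frame.symbol is None:
            return frames[pos + 1] if pos + 1 < len(frames) else None
    return None


def triage(log_text):
    """One report per crashed pid: where it faulted and how it got there."""
    reports = []
    for pid, rec in sorted(parse_panics(log_text).items()):
        fault = faulting_frame(rec["frames"])
        callers = [f.symbol for f in rec["frames"]
                   if fault and f.index > fault.index and f.symbol]
        reports.append({
            "pid": pid,
            "signal": rec["signal"],
            "version": rec["version"],
            "fault_module": fault.module if fault else None,
            "fault_symbol": fault.symbol if fault else None,
            "nss_module": bool(fault and NSS_RE.search(fault.module)),
            "callers": callers,
        })
    return reports


def crash_sites(log_text):
    """Count crashes per (module, symbol) to see whether they share a site."""
    return Counter((r["fault_module"], r["fault_symbol"]) for r in triage(log_text))


if __name__ == "__main__":
    for report in triage(SAMPLE_LOG):
        print(report)
```

Run over a full day of syslog, `crash_sites` shows whether the frequent backtraces all fault in the same NSS module or in different places.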
[Samba] Update Samba PDC - win7 stop working
Hi,

we have tried to update our rather old samba PDC. The system is running on Novell SLES 10 SP2 with the samba RPM from Sernet. We stopped everything and updated (booting from DVD, using offline update) the machine to SLES 11 SP1, started samba and everything was fine - except all WIN 7 and W2008XX Server. Those clients were not able to use the domain. XP and Vista (32 and 64) worked without any problems.

After 2h of searching we switched back to the old installation, to get everything back to work. The PDC is a virtual machine, so using the snapshot worked very well ;) However I do not have the log files anymore :(

OLD OS               Samba ver
SLES 10 SP2 (i586)   samba3-3.3.4-39

NEW OS               Samba ver
SLES 11 SP1 (i586)   samba-3.4.3

*) Has anybody seen this kind of behavior? (Doing samba update - Win7 is not able to use the domain anymore)
*) Is there a way to test those steps? The pdc is using our LDAP Server, so we can not simply clone the pdc and test everything in a separate network... (or we have to clone a couple of servers ...)
*) When we update the PDC and we get everything working - which version is recommended (3.4.X // 3.5.X // 3.6.X)?

--
Bye, Peer

Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10, D-07745 Jena
Phone: ++49 3641 57-6705
Fax: ++49 3641 57-7705
Re: [Samba] Update Samba PDC - win7 stop working
You need to run samba 3.5 or samba 3.6 from sernet.
To get your Win 7 and W2008 Server in the domain you need to do some registry entries. See: http://wiki.samba.org/index.php/Windows7
If you are running a virtual machine I suggest to move from SLES to centos

Good Luck
Daniel

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Dr.Peer-Joachim Koch
Sent: Thursday, 29 March 2012 08:31
To: samba@lists.samba.org
Subject: [Samba] Update Samba PDC - win7 stop working
Re: [Samba] Update Samba PDC - win7 stop working
Hi,

thanks for the hints.

On 29.03.2012 10:13, Daniel Müller wrote:
> You need to run samba 3.5 or samba 3.6 from sernet.

So 3.4 from Novell will *never* work? After running the update of the OS we simply have to use the sernet rpm and everything is fine?

> To get your Win 7 and W2008 Server in the domain you need to do some registry entries. See: http://wiki.samba.org/index.php/Windows7

We are already running the WIN7 machines with the registry entries. On the old installation everything is fine.

> If you are running a virtual machine I suggest to move from SLES to centos
>
> Good Luck
> Daniel

--
With kind regards
Peer-Joachim Koch

Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10, D-07745 Jena
Phone: ++49 3641 57-6705
Fax: ++49 3641 57-7705
Re: [Samba] Update Samba PDC - win7 stop working
Samba 3.4 will work but 3.5 Samba sernet and 3.6 Samba sernet are closer to win7 and w2008.

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Dr.Peer-Joachim Koch
Sent: Thursday, 29 March 2012 10:56
To: samba@lists.samba.org
Subject: Re: [Samba] Update Samba PDC - win7 stop working
Re: [Samba] Samba PDC with Windows 7 support request
On 02/16/12 06:21, Dermot wrote:
> 2012/1/31 Jiří Procházka jiri.procha...@norbou.com:
>> Dear Samba support team,
>>
>> I have a question on Samba 3.5.8 please, which is not solved by searching the forums. I tried all suggested solutions, but nothing takes effect.
>> ...
>> Domain users experience a slow login performance on Windows 7 clients that are joined into a samba domain (Samba version 3.5.4). The Windows 7 client was joined successfully into the domain with the Windows 7 registry settings adjusted according to http://wiki.samba.org/index.php/Windows7 (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
>> ...
>
> I have had similar problems. I was referred to the message in the mailing list archive [1]. I have applied what was described - used gpedit.msc - this but I am still experiencing slow login times, exactly 40 seconds on each workstation. I just checked on one workstation where the user had a jpeg as his desktop background, I mention this because there are references to a Windows 7 bug about slow login and a plain desktop, and that has the correct group policy setting and still the login time was exactly 40 seconds.
>
> I too would be interested in hearing what others have to say on this.
>
> Thanks,
> Dermot.
>
> 1) http://www.mail-archive.com/samba@lists.samba.org/msg104494.html

Are you using roaming profiles? Are you using offline folders - I had problems with offline folders and Windows 7 - it could break offline authentication.

Does the Windows event log show anything about problems locating a domain controller?
[Samba] PDC and Windows 2003 R2
Hi,

I need to join a windows 2003 R2 to a samba (3.5.7-3.5.1) PDC through a cisco VPN ... (nice!).

The error at the windows: A domain controller for the domain MyDomain could not be contacted

any ideas?

thanks!
Jp
Re: [Samba] PDC and Windows 2003 R2
To do cross-subnet domain control you will need to use WINS

On Fri, 2012-03-16 at 19:57 -0300, jp_listero wrote:
> Hi,
>
> I need to join a windows 2003 R2 to a samba (3.5.7-3.5.1) PDC through a cisco VPN ... (nice!).
>
> The error at the windows: A domain controller for the domain MyDomain could not be contacted
>
> any ideas?
>
> thanks!
> Jp

--
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca b...@computerisms.ca
Network, Internet, Server, and Open Source Solutions
Re: [Samba] samba PDC/NIS client
On Sun, Mar 11, 2012 at 4:09 AM, Tony Molloy tony.mol...@ul.ie wrote:
> On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
>> On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
>>> Do you have password sync enabled? If password sync is enabled, samba will try to use the passwd command to set the unix password. But with nis, you probably might need something nis specific. On solaris it was "passwd -r nis" - not sure about linux. Probably better to just disable password sync.
>
> I've got a very similar setup to you. Except I use a smbpasswd file.
>
>> No, I don't have this option enabled. I am not sure how it is relevant.
>>
>> Problem summary:
>> The samba PDC is an NIS client
>> getent passwd returns the passwd data.
>> The user's SAMBA password was set using smbpasswd
>> The user's NIS passwd was set using yppasswd
>
> So far all the same.
>
>> ALL I had to do to allow domain logins was:
>> ypcat passwd | grep username >> /etc/passwd
>
> Why duplicate the password entries. I just have them in NIS and /etc/passwd just has the system passwords.
>
>> Note that after copying the user details to /etc/passwd, the password that was set with smbpasswd was the password that was used with the successful domain login.
>
> Don't really understand what you mean by domain logins
>
> 1. Create the user under linux first
> 2. Use smbpasswd to add the user to samba
>    You now have a user in both linux and samba but remember the passwords are stored separately, changing one does not change the other.
> 3. Edit /etc/nsswitch.conf. Set
>    passwd: files nis
>    shadow: files

Removing the nis entry from shadow: in /etc/nsswitch.conf solved the issue. I don't understand why, but it did.

Simon

> That works for me. YMMV
>
> Tony
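A model of the lookup order this thread is debugging, added here as an example (not Samba or glibc code, and not from any poster): it reads an nsswitch.conf, reports database lines that lack the colon, and says which configured source, if any, would return the unix account that a Samba user needs. All file contents are constructed samples and the function names are assumptions; `-name` exclusions and netgroup (`+@group`) imports of compat mode are not modelled.

```python
import re

# Constructed sample data: one local account, one account only in the NIS map.
LOCAL_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                "alice:x:1001:100::/home/alice:/bin/bash\n")
NIS_PASSWD = "bob:x:1002:100::/home/bob:/bin/bash\n"


def parse_nsswitch(text):
    """Return ({database: [tokens]}, [lines without a colon]).

    Tokens are source names or bracketed actions such as [NOTFOUND=return].
    """
    conf, malformed = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            malformed.append(line)
            continue
        database, sources = line.split(":", 1)
        conf[database.strip()] = re.findall(r"\[[^\]]*\]|\S+", sources)
    return conf, malformed


def account_names(passwd_text):
    """Login names in passwd(5)-format text, skipping compat +/- lines."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line.strip() and line[0] not in "#+-"}


def compat_imports(passwd_text):
    """(whole_map, names) pulled from NIS by '+' lines in /etc/passwd."""
    whole_map, names = False, set()
    for line in passwd_text.splitlines():
        if line.startswith("+") and not line.startswith("+@"):
            name = line[1:].split(":", 1)[0]
            if name:
                names.add(name)
            else:
                whole_map = True
    return whole_map, names


def resolve(user, conf, local_passwd, nis_passwd):
    """First configured passwd source that would return `user`, else None."""
    local, nis = account_names(local_passwd), account_names(nis_passwd)
    whole_map, plus_names = compat_imports(local_passwd)
    for source in conf.get("passwd", []):
        if source.startswith("["):
            # Only [NOTFOUND=return] is modelled: it ends the search here.
            if re.search(r"(?<!!)notfound\s*=\s*return", source, re.I):
                return None
            continue
        if source in ("files", "compat") and user in local:
            return source
        if source == "nis" and user in nis:
            return "nis"
        # compat consults NIS only for names imported by a '+' line.
        if source == "compat" and user in nis and (whole_map or user in plus_names):
            return "compat+nis"
    return None


def audit(nsswitch_text, local_passwd, nis_passwd, samba_users):
    """Map each Samba user to its resolving source and collect notes."""
    conf, malformed = parse_nsswitch(nsswitch_text)
    notes = ["no colon, line ignored: %r" % line for line in malformed]
    # The thread's reported fix was removing nis from the shadow line.
    if "nis" in conf.get("shadow", []):
        notes.append("shadow: lists nis")
    found = {user: resolve(user, conf, local_passwd, nis_passwd)
             for user in samba_users}
    return found, notes


if __name__ == "__main__":
    for config in ("passwd: compat\nshadow: files nis\n",
                   "passwd: files nis\nshadow: files\n"):
        print(audit(config, LOCAL_PASSWD, NIS_PASSWD, ["alice", "bob", "carol"]))
```

An account that maps to `None` has no unix entry for Samba to attach to under that configuration.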
Re: [Samba] samba PDC/NIS client
If your NIS passwd file did NOT have a valid password, maybe samba or unix was rejecting logins as a security measure.

On 03/12/12 13:33, Simon Matthews wrote:
> Removing the nis entry from shadow: in /etc/nsswitch.conf solved the issue. I don't understand why, but it did.
>
> Simon
Re: [Samba] samba PDC/NIS client
On Monday 12 March 2012 17:33:28 Simon Matthews wrote:
> Removing the nis entry from shadow: in /etc/nsswitch.conf solved the issue. I don't understand why, but it did.
>
> Simon

The shadow file /etc/shadow stores the passwords associated with the entries in the password file /etc/passwd. It has nothing to do with the NIS password database which stores the passwords in the actual database entries.

Tony
Re: [Samba] samba PDC/NIS client
On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
> On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
>> Do you have password sync enabled? If password sync is enabled, samba will try to use the passwd command to set the unix password. But with nis, you probably might need something nis specific. On solaris it was "passwd -r nis" - not sure about linux. Probably better to just disable password sync.

I've got a very similar setup to you. Except I use a smbpasswd file.

> No, I don't have this option enabled. I am not sure how it is relevant.
>
> Problem summary:
> The samba PDC is an NIS client
> getent passwd returns the passwd data.
> The user's SAMBA password was set using smbpasswd
> The user's NIS passwd was set using yppasswd

So far all the same.

> ALL I had to do to allow domain logins was:
> ypcat passwd | grep username >> /etc/passwd

Why duplicate the password entries. I just have them in NIS and /etc/passwd just has the system passwords.

> Note that after copying the user details to /etc/passwd, the password that was set with smbpasswd was the password that was used with the successful domain login.

Don't really understand what you mean by domain logins

1. Create the user under linux first
2. Use smbpasswd to add the user to samba
   You now have a user in both linux and samba but remember the passwords are stored separately, changing one does not change the other.
3. Edit /etc/nsswitch.conf. Set
   passwd: files nis
   shadow: files

That works for me. YMMV

Tony

> Simon
Re: [Samba] samba PDC/NIS client
Do you have password sync enabled? If password sync is enabled, samba will try to use the passwd command to set the unix password. But with nis, you probably might need something nis specific. On solaris it was passwd -r nis - not sure about linux. Probably better to just disable password sync.

From: Simon Matthews [mailto:simon.d.matth...@gmail.com]
Sent: Friday, March 09, 2012 4:04 PM
To: gaiseric.van...@gmail.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba PDC/NIS client
Re: [Samba] samba PDC/NIS client
On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
> Do you have password sync enabled? If password sync is enabled, samba will try to use the passwd command to set the unix password. But with nis, you probably might need something nis specific. On solaris it was "passwd -r nis" - not sure about linux. Probably better to just disable password sync.

No, I don't have this option enabled. I am not sure how it is relevant.

Problem summary:
The samba PDC is an NIS client
getent passwd returns the passwd data.
The user's SAMBA password was set using smbpasswd
The user's NIS passwd was set using yppasswd

ALL I had to do to allow domain logins was:
ypcat passwd | grep username >> /etc/passwd

Note that after copying the user details to /etc/passwd, the password that was set with smbpasswd was the password that was used with the successful domain login.

Simon
Re: [Samba] samba PDC/NIS client
I don't think this is a samba issue. Samba accounts need to have a corresponding unix account. Shouldn't matter if they are in NIS or /etc/passwd. If you have users in both it could get a problem.

Is getent passwd really showing the users from NIS? How about getent shadow (assuming a linux machine and not solaris, and probably doesn't matter anyway.)

Do you have an /etc/nsswitch.conf entry for
shadow: files nis

Are you missing the : in the nsswitch.conf entries?

Are your user names all in lower case? Are they all 8 characters or under.

On 03/08/12 22:46, Simon Matthews wrote:
> I have a server which is a samba PDC and has recently been converted to an NIS client. For historic reasons, many users' login information is in the local machine's /etc/passwd and /etc/shadow files. samba is set up to use a tdbsam database.
>
> I got the first indication of problems when I tried to add a user using the smbpasswd -a command. I found that smbpasswd would not recognize the user unless either the username was in the /etc/passwd file, or I changed /etc/nsswitch.conf from
> passwd compat
> TO:
> passwd files nis
>
> However, if I make the latter change, the user cannot log into any Windows machines that are controlled by my PDC. To allow logins, all I have to do is
> ypcat passwd | grep username >> /etc/passwd
> After this, the user can log in.
>
> Is there any configuration of samba that will allow it to properly recognize user data from the NIS map and not require the user to be listed in the /etc/passwd file?
>
> Simon
Re: [Samba] samba PDC/NIS client
On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
> I don't think this is a samba issue. Samba accounts need to have a corresponding unix account. Shouldn't matter if they are in NIS or /etc/passwd. If you have users in both it could get a problem.
>
> Is getent passwd really showing the users from NIS?

Yes. In fact, for those users who are in both the /etc/passwd and nis tables, it shows both entries (and the details match between both entries)

> How about getent shadow (assuming a linux machine and not solaris,

No, this only shows the users with entries in /etc/shadow. However:
1. getent passwd includes the hashed passwords of users in the nis tables
2. It was not necessary to add the user to /etc/shadow in order to allow samba domain logins. All I had to do was add the user to /etc/passwd.

> and probably doesn't matter anyway.)
>
> Do you have an /etc/nsswitch.conf entry for
> shadow: files nis

Yes

> Are you missing the : in the nsswitch.conf entries?

No.

> Are your user names all in lower case? Are they all 8 characters or under.

Yes.

Simon
[Samba] samba PDC/NIS client
I have a server which is a samba PDC and has recently been converted to an NIS client. For historic reasons, many users' login information is in the local machine's /etc/passwd and /etc/shadow files. samba is set up to use a tdbsam database.

I got the first indication of problems when I tried to add a user using the smbpasswd -a command. I found that smbpasswd would not recognize the user unless either the username was in the /etc/passwd file, or I changed /etc/nsswitch.conf from
passwd compat
TO:
passwd files nis

However, if I make the latter change, the user cannot log into any Windows machines that are controlled by my PDC. To allow logins, all I have to do is
ypcat passwd | grep username >> /etc/passwd
After this, the user can log in.

Is there any configuration of samba that will allow it to properly recognize user data from the NIS map and not require the user to be listed in the /etc/passwd file?

Simon
Re: [Samba] Samba PDC with Windows 7 support request
2012/1/31 Jiří Procházka jiri.procha...@norbou.com:

> Dear Samba support team, I have a question on Samba 3.5.8 please, which is not solved by searching the forums. I tried all suggested solutions, but nothing take effect.
> ...
> Domain users experience a slow login performance on Windows 7 clients that are joined into a samba domain (Samba version 3.5.4). The Windows 7 client was joined successfully into the domain with the Windows 7 registry settings adjusted according to http://wiki.samba.org/index.php/Windows7 (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
> ...

I have had similar problems. I was referred to the message in the mailing list archive [1]. I have applied what was described - used gpedit.msc - but I am still experiencing slow login times, exactly 40 seconds on each workstation. I just checked on one workstation where the user had a jpeg as his desktop background (I mention this because there are references to a Windows 7 bug about slow login and a plain desktop), and that has the correct group policy setting, and still the login time was exactly 40 seconds.

I too would be interested in hearing what others have to say on this.

Thanks,
Dermot.

1) http://www.mail-archive.com/samba@lists.samba.org/msg104494.html
Re: [Samba] Samba PDC with Windows 7 support request
Have you tried these settings (posted here about a year ago)?

When the following local GPO is left in its default setting Samba domain logons are delayed for 30 seconds:

Computer Configuration\Administrative Templates\System\User Profiles\Set maximum wait time for the network if the user has a roaming user profile or remote home directory.

Enable this and set the value to 0 to work around this timeout. The timeout does not occur when logging into an Active Directory PDC running Server 2008 R2. I have not tested this with w2k8 R2 client.

In addition, if the user's desktop is set to a solid background color logons of any kind (local, AD, samba) will be delayed by 30 seconds. Set the background to any .jpg image or apply Microsoft's hotfix to work around this issue. This is a cumulative timeout; that is, if the above timeout is in effect and the solid background color timeout is also in effect the delay is 60 seconds.

I also experienced a 30 second timeout when I set the local GPO to Run logon scripts synchronously. This problem has inexplicably vanished and I can't replicate it though I don't see it listed in any Windows 7 updates. Might have been happening to me with Windows 7 PRO. I'll check that if anyone is interested. The fix was to apply an old Vista reg setting. Can be Googled as Vista Run logon scripts synchronously.

Marc Cain

On Jan 31, 2012, at 11:45 AM, Jiří Procházka wrote:

> Dear Samba support team, I have a question on Samba 3.5.8 please, which is not solved by searching the forums. I tried all suggested solutions, but nothing take effect.
>
> Situation:
> - small public school
> - We have Ubuntu Server 11.04 64-bit
> - Samba 3.5.8 as PDC
> - Windows XP and Windows 7 Pro SP1 clients
> - On Windows XP everything works. Login is quick and reliable there.
>
> Problem: But our problem is with Windows 7 domain clients, where login and logout takes more than 1,5 minute with clear user profile. Yes, we have only 100 Mbit LAN, but why XP can operate so much faster? We are using Aero with background images, but logon locally is very fast. Only using travel profiles is very slow.
>
> I have tried:
> - Disable IPv6,
> - Disabled UAC
> - set policies time to wait on server,
> - I applied all performance recommended settings suggested at samba.org for Windows 7 (http://wiki.samba.org/index.php/Windows7)
>
> Very similar post I have found here: https://bugzilla.samba.org/show_bug.cgi?id=8300
> Domain users experience a slow login performance on Windows 7 clients that are joined into a samba domain (Samba version 3.5.4). The Windows 7 client was joined successfully into the domain with the Windows 7 registry settings adjusted according to http://wiki.samba.org/index.php/Windows7 (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
>
> We need solve this bug, in other case we can’t use Samba as PDC and we must change the platform. Please put this request on free support boards or send me an offer for paid support.
>
> Can help adding this to GLOBAL section?
> domain master = yes
> local master = yes
> preffered master = yes
> os level = 64
>
> Thanks a lot, I hope I’m not disturbing main Samba developers,
> With best regards,
> Jiri Prochazka
> Teacher from Waldorf high school in Prague
> Czech and English only :-)
>
> smb.conf
[Samba] Samba PDC with Windows 7 support request
Dear Samba support team, I have a question on Samba 3.5.8 please, which is not solved by searching the forums. I tried all suggested solutions, but nothing take effect.

Situation:
- small public school
- We have Ubuntu Server 11.04 64-bit
- Samba 3.5.8 as PDC
- Windows XP and Windows 7 Pro SP1 clients
- On Windows XP everything works. Login is quick and reliable there.

Problem: But our problem is with Windows 7 domain clients, where login and logout takes more than 1,5 minute with clear user profile. Yes, we have only 100 Mbit LAN, but why XP can operate so much faster? We are using Aero with background images, but logon locally is very fast. Only using travel profiles is very slow.

I have tried:
- Disable IPv6,
- Disabled UAC
- set policies time to wait on server,
- I applied all performance recommended settings suggested at samba.org for Windows 7 (http://wiki.samba.org/index.php/Windows7)

Very similar post I have found here: https://bugzilla.samba.org/show_bug.cgi?id=8300
Domain users experience a slow login performance on Windows 7 clients that are joined into a samba domain (Samba version 3.5.4). The Windows 7 client was joined successfully into the domain with the Windows 7 registry settings adjusted according to http://wiki.samba.org/index.php/Windows7 (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).

We need solve this bug, in other case we can’t use Samba as PDC and we must change the platform. Please put this request on free support boards or send me an offer for paid support.

Can help adding this to GLOBAL section?
domain master = yes
local master = yes
preffered master = yes
os level = 64

Thanks a lot, I hope I’m not disturbing main Samba developers,
With best regards,
Jiri Prochazka
Teacher from Waldorf high school in Prague
Czech and English only :-)

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ;, the proposed setting
#    differs from the default Samba behaviour
#  - When commented with #, the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# testparm to check that you have not made any basic syntactic
# errors.
# A well-established practice is to name the original file
# smb.conf.master and create the real config file with
# testparm -s smb.conf.master smb.conf
# This minimizes the size of the really used smb.conf file
# which, according to the Samba Team, impacts performance
# However, use this with caution if your smb.conf file contains nested
# include statements. See Debian bug #483187 for a case
# where using a master file is not a good idea.
#

#=== Global Settings ===

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = LYCEUM

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no
[Samba] debian samba pdc
I try to join a debian squeeze box with a debian woody samba pdc. I use samba and winbind on the squeeze box to join with the woody but keep getting this error when doing net rpc info or net rpc testdomain

root@steinerpc1:~# net rpc testjoin
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \netlogon failed with error NT_STATUS_UNSUCCESSFUL
net_rpc_join_ok: failed to get schannel session key from server woodyserver for domain domain on woody box. Error was NT_STATUS_UNSUCCESSFUL
Join to domain 'domain on woody box' is not valid: NT_STATUS_UNSUCCESSFUL

Joining to another debian squeeze pdc is possible, however. I have no log file access at the debian woody box.
[Samba] Samba PDC cluster with RHCS
Dear Sir,

I have implemented Samba PDC. It's working fine. But to make it Highly Available, I have been trying to run it in a 2 node cluster. Everything is running fine. But I am facing a problem, which I want to share.

When I shift the PDC to another cluster node, everything is shifting fine. But my existing users cannot log in. They can log in again if I rejoin that machine to the domain.

I am explaining a little bit more. Suppose user X can log in to my ClusterNode 1 PDC from a machine Y. If my ClusterNode 1 goes down all the resources are shifting to ClusterNode 2. When user X tries to log in from the same machine Y, X can't. I need to rejoin machine Y to ClusterNode 2, then user X can log in.

I believe I will get a solution from you. Please.

--
Rgds.
*Shyfur*
Re: [Samba] Samba PDC cluster with RHCS
If you are running samba3 you will need to set up a bdc to take over business of your pdc. Or a real time synced pdc copy on the other node that starts up when the real pdc is going down. In cases of ha I also made the best experiences with samba4 in replication mode.

Good Luck
Daniel

---
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Md. Shyfur Rahman
Sent: Sunday, 11 December 2011 19:04
To: ob...@samba.org
Cc: samba@lists.samba.org
Subject: [Samba] Samba PDC cluster with RHCS

> Dear Sir,
>
> I have implemented Samba PDC. It's working fine. But to make it Highly Available, I have been trying to run it in a 2 node cluster. Everything is running fine. But I am facing a problem, which I want to share.
>
> When I shift the PDC to another cluster node, everything is shifting fine. But my existing users cannot log in. They can log in again if I rejoin that machine to the domain.
>
> I am explaining a little bit more. Suppose user X can log in to my ClusterNode 1 PDC from a machine Y. If my ClusterNode 1 goes down all the resources are shifting to ClusterNode 2. When user X tries to log in from the same machine Y, X can't. I need to rejoin machine Y to ClusterNode 2, then user X can log in.
>
> I believe I will get a solution from you. Please.
>
> --
> Rgds.
> *Shyfur*
Re: [Samba] PDC file server on same machine?
Windows clients will give preference to a BDC (if available) when selecting a logon server over a PDC.

On 12/08/2011 08:36 AM, Aaron E. wrote:

> I have a s3.4 pdc with a bdc,, pdc is serving around 80 users on terminal services and another 50 fat clients,,, acts as the file server.. roaming profiles etc... I have no issues other than the network card only being 100mb,, I do have a throughput issues.. but that is on the table..
>
> On 12/07/2011 06:03 PM, John Heim wrote:
>> How much of a resource hog is a PDC? My understanding is that authentication is done vs a BDC if available. I configured my new file server as the domain PDC because I figured it would already have to run samba. I have two other machines configured as BDCs to serve as logon servers.
>>
>> I'm looking for opinions on whether I'm asking for performance problems by making my file server the PDC. Actually, this machine is already serving as PDC but it's not in production yet as a file server. So right now, it's just the domain PDC. When I log into the domain and echo %logonserver%, it shows that one of the BDCs was the logon server, not the PDC. It doesn't look like the PDC has to do anything but handle joining machines to the domain.
Re: [Samba] PDC file server on same machine?
On 08/12/11 00:03, John Heim wrote:

> How much of a resource hog is a PDC? My understanding is that authentication is done vs a BDC if available. I configured my new file server as the domain PDC because I figured it would already have to run samba. I have two other machines configured as BDCs to serve as logon servers.
>
> I'm looking for opinions on whether I'm asking for performance problems by making my file server the PDC. Actually, this machine is already serving as PDC but it's not in production yet as a file server. So right now, it's just the domain PDC. When I log into the domain and echo %logonserver%, it shows that one of the BDCs was the logon server, not the PDC. It doesn't look like the PDC has to do anything but handle joining machines to the domain.

We have to work within a tight budget and can't afford a backup server. We serve 600 home folders and logins to 25 clients from the same box. In an educational environment we experience slow logons which we think is due to everyone logging on at once. Windows 7 logons are particularly bad. Looking at top you can see slapd and nmbd throw a fit for a minute or so.

With files it's OK unless we have a group working with gimp and photoshop. Usually it's when everyone is doing the same thing at the same time e.g. when a teacher has given an instruction to do something. On a normal lan I don't think you'd have these situations.

HTH
Steve.
Re: [Samba] PDC file server on same machine?
On Wed, 2011-12-07 at 17:03 -0600, John Heim wrote:

> How much of a resource hog is a PDC? My understanding is that authentication is done vs a BDC if available. I configured my new file server as the domain PDC because I figured it would already have to run samba. I have two other machines configured as BDCs to serve as logon servers.
>
> I'm looking for opinions on whether I'm asking for performance problems by making my file server the PDC. Actually, this machine is already serving as PDC but it's not in production yet as a file server. So right now, it's just the domain PDC. When I log into the domain and echo %logonserver%, it shows that one of the BDCs was the logon server, not the PDC. It doesn't look like the PDC has to do anything but handle joining machines to the domain.

There really isn't an answer for your question. The load implied by being a DC depends on the number of clients and how heavily they are used. If you have only a hundred or so clients, in my experience, the load is pretty mild [for modern hardware/networks].

With Samba3 domain control there isn't really a BDC/PDC distinction. Every box is a PDC that operates in parallel with the other DCs. That is a bit different than a true NT4 domain.
Re: [Samba] PDC file server on same machine?
On 08/12/11 12:15, Adam Tauno Williams wrote:

> On Wed, 2011-12-07 at 17:03 -0600, John Heim wrote:
>> How much of a resource hog is a PDC? My understanding is that authentication is done vs a BDC if available. I configured my new file server as the domain PDC because I figured it would already have to run samba. I have two other machines configured as BDCs to serve as logon servers.
>>
>> I'm looking for opinions on whether I'm asking for performance problems by making my file server the PDC. Actually, this machine is already serving as PDC but it's not in production yet as a file server. So right now, it's just the domain PDC. When I log into the domain and echo %logonserver%, it shows that one of the BDCs was the logon server, not the PDC. It doesn't look like the PDC has to do anything but handle joining machines to the domain.
>
> There really isn't an answer for your question. The load implied by being a DC depends on the number of clients and how heavily they are used. If you have only a hundred or so clients, in my experience, the load is pretty mild [for modern hardware/networks].
>
> With Samba3 domain control there isn't really a BDC/PDC distinction. Every box is a PDC that operates in parallel with the other DCs. That is a bit different than a true NT4 domain.

Maybe what the OP is asking here is for examples. I realise that for security reasons admins may not be allowed to reveal their setup but it would be helpful to give some concrete figures of hardware, clients and servers that works for us.

Cheers.
Re: [Samba] PDC file server on same machine?
I have a s3.4 pdc with a bdc,, pdc is serving around 80 users on terminal services and another 50 fat clients,,, acts as the file server.. roaming profiles etc... I have no issues other than the network card only being 100mb,, I do have a throughput issues.. but that is on the table..

On 12/07/2011 06:03 PM, John Heim wrote:

> How much of a resource hog is a PDC? My understanding is that authentication is done vs a BDC if available. I configured my new file server as the domain PDC because I figured it would already have to run samba. I have two other machines configured as BDCs to serve as logon servers.
>
> I'm looking for opinions on whether I'm asking for performance problems by making my file server the PDC. Actually, this machine is already serving as PDC but it's not in production yet as a file server. So right now, it's just the domain PDC. When I log into the domain and echo %logonserver%, it shows that one of the BDCs was the logon server, not the PDC. It doesn't look like the PDC has to do anything but handle joining machines to the domain.
Re: [Samba] PDC file server on same machine?
On Thu, 2011-12-08 at 08:36 -0500, Aaron E. wrote:

> I have a s3.4 pdc with a bdc,, pdc is serving around 80 users on terminal services and another 50 fat clients,,, acts as the file server.. roaming profiles etc... I have no issues other than the network card only being 100mb,, I do have a throughput issues.. but that is on the table..

Our PDC is a virtual machine. It search ~200 desktops and ~300 users. That includes roaming profiles, netlogin, and some redirected folders [some folders in the roaming profile are redirected to shares on the server]. Backend is LDAPSAM. Load is very low [with current-ish version of OpenLDAP - slapd used to burn much more juice than it does now]. Actual file-serving traffic burns up network bandwidth; but CPU and memory requirements are surprisingly low.
Re: [Samba] PDC file server on same machine?
From: Adam Tauno Williams awill...@whitemice.org

> With Samba3 domain control there isn't really a BDC/PDC distinction. Every box is a PDC that operates in parallel with the other DCs. That is a bit different than a true NT4 domain.

But one machine has to have the master copy of the user/machine database. From the samba documentation:

* Primary Domain Controller the one that seeds the domain SAM.
* Backup Domain Controller one that obtains a copy of the domain SAM.

On my file server, I have a custom add user script that configures mail, sets a disk quota, configures the user's profile, and several other things. That script has to run on the file server or it can't create all the proper directories, etc. That's why I also made that machine the PDC. It's the only machine with the ability to update the ldap database. If I made some other machine the PDC, I'd have to have 2 machines with the ability to update the ldap database.

In my configuration, the BDCs are also slave ldap servers. So when a user logs into the domain, I *think* it will talk to a BDC which will query its own copy of the ldap database, and log them on.

But if being the PDC adds significantly to the load of the file server, I could give up on the idea of having just the one machine with the ability to update the ldap database. Having only one machine with update abilities is cleaner but if it doesn't work, it doesn't work.
[Samba] PDC file server on same machine?
How much of a resource hog is a PDC? My understanding is that authentication is done vs a BDC if available. I configured my new file server as the domain PDC because I figured it would already have to run samba. I have two other machines configured as BDCs to serve as logon servers. I'm looking for opinions on whether I'm asking for performance problems by making my file server the PDC. Actually, this machine is already serving as PDC but its not in production yet as a file server. So right now, its just the domain PDC. When I log into the domain and echo %logonserver%, it shows that one of the BDCs was the logon server, not the PDC. It doesn't look like the PDC has to do anything but handle joining machines to the domain. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Conversion Error in migration of printer drivers from Windows seven 64 to Samba PDC 3.5.11
I get a problem migrating printer drivers from a Windows seven 64 bits workstation to Samba PDC 3.5.11. The driver works fine on the workstation.

The migration command

net -d 4 rpc printer MIGRATE DRIVERS XeroxM24 -S xxx.xxx.xxx.36 -U 'username'

returns the messages:

convert_string_internal: Conversion error: Illegal multibyte sequence (..)
ndr_push_error(5): Bad character conversion
cannot add driver: DOS code 0xb75c1223

All the driver files are copied on the samba server after the net rpc command and the size of each is the same between workstation and samba server. The driver is not installed in the printing tdb files. enumdrivers in rpcclient does not list anything.

Is the driver faulty or not supported by Samba? What can I do?

Below is the end of the level 4 debugging output of the net rpc command.

got printer handle for printer: \\xxx.xxx.xxx.36\XeroxM24, server: \\xxx.xxx.xxx.36
got 1 printers
migrating printer driver for: [\\xxx.xxx.xxx.36\XeroxM24] / [XeroxM24]
got printer handle for printer: \\127.0.0.1\XeroxM24, server: \\127.0.0.1
got printer handle for printer: \\xxx.xxx.xxx.36\XeroxM24, server: \\xxx.xxx.xxx.36
cannot get driver (for architecture: Windows 4.0): WERR_UNKNOWN_PRINTER_DRIVER
cannot get driver (for architecture: Windows NT x86): WERR_UNKNOWN_PRINTER_DRIVER
cannot get driver (for architecture: Windows NT x86): WERR_UNKNOWN_PRINTER_DRIVER
cannot get driver (for architecture: Windows NT R4000): WERR_INVALID_ENVIRONMENT
cannot get driver (for architecture: Windows NT Alpha_AXP): WERR_INVALID_ENVIRONMENT
cannot get driver (for architecture: Windows NT PowerPC): WERR_INVALID_ENVIRONMENT
cannot get driver (for architecture: Windows IA64): WERR_UNKNOWN_PRINTER_DRIVER
cannot create directory \x64: NT_STATUS_OBJECT_NAME_COLLISION
opening file \x64\3\PSCRIPT5.DLL on originating server
opening file \x64\PSCRIPT5.DLL on destination server
opening file \x64\3\XRCC2EE2.PPD on originating server
opening file \x64\XRCC2EE2.PPD on destination server
opening file \x64\3\PS5UI.DLL on originating server
opening file \x64\PS5UI.DLL on destination server
opening file \x64\3\PSCRIPT.HLP on originating server
opening file \x64\PSCRIPT.HLP on destination server
opening file \x64\3\PSCRIPT.NTF on originating server
opening file \x64\PSCRIPT.NTF on destination server
opening file \x64\3\PS_SCHM.GDL on originating server
opening file \x64\PS_SCHM.GDL on destination server
convert_string_internal: Conversion error: Illegal multibyte sequence (..)
ndr_push_error(5): Bad character conversion
cannot add driver: DOS code 0xb75c1223
rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
return code = -1

Thank you for your help
LG
[Samba] Samba PDC [profiles] how to add AppData/Local
Hello everybody,

# smbd -V
Version 3.5.6

I am running a domain controller for windows 7 clients and there is the Kerio mailserver saves important data to AppData/Local/Kerio

The default [profiles] only saves AppData/Roaming

how can I add AppData/Local or even the complete AppData to the profiles stored by our Samba DC?

Thanks in advance,
Kind regards,
Jelle
[Samba] PDC emulator overloaded
Hello all,

I'm using samba + winbind to connect to AD win 2003 on many linux boxes. I use winbind to retrieve users and groups lists by querying the PDC emulator. When the PDC gets many requests (I use squid with ntlm transparent auth + winbind also) it gets overloaded and slows down replies to my servers. The problem is that when this situation occurs, all services stop working, and the users (10.000) became very angry.

How can I solve this problem? I know that there was only i PDC on network, so can I build a dedicated samba server to act as PDC or BDC or other to help the real PDC emulator to share the load? Can someone give me advice?

Thank you.
Re: [Samba] samba PDC disabling roaming profiles
Hi all,

I have tested it with several users (with winxp and win7) and it works fine. Hope that helps anyone who has this problem,

Greetings,
ESG

2011/10/11 ESGLinux esggru...@gmail.com

> Hi again,
>
> I have found this: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id2660484
>
> In smb.conf
> Affect the following settings and ALL clients will be forced to use a local profile: logon home = http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONHOME and logon path = http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONPATH
> The arguments to these parameters must be left blank. It is necessary to include the = sign to specifically assign the empty value.
>
> Anyone can confirm that this is right? can I have problems with existing profiles?
>
> Thanks,
> ESG
>
> 2011/10/11 ESGLinux esggru...@gmail.com
>
>> Hi All,
>>
>> I recently have updated my samba server to 3.3.7-1. I use this server as PDC of my Windows Domain.
>>
>> The problem is that the profiles of the server are saved in the home dir of the users. The users have a lot of GigaB so I want to disable this feature.
>>
>> I have read ( http://www.linuxquestions.org/questions/linux-general-1/samba-pdc-without-roaming-profiles-2-a-47604/, for example) that this feature is disabled in the client side but I have a lot of them. So my question is if is there any way to disable it on the server side,
>>
>> Thanks in advance
>> ESG
Re: [Samba] New Samba PDC for medium-sized mixed client domain
Look at samba4 frankly. Or build your samba4 to manage your policies and so on and join a samba3 as member to carry the fileserver. I have both things done in a test and production with no bad issues. For samba4 to run as ADS you always need DNS working. There are many howtos out there. An older one I had done: HOWTO centOS 5.5 samba4 dns dynamic update/Replication -- this list. For now many things have changed (DLZ plugins for bind from samba4). Further help should be available in samba technical

---
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Andy Shaw
Sent: Monday, 10 October 2011 17:12
To: samba@lists.samba.org
Subject: Re: [Samba] New Samba PDC for medium-sized mixed client domain

> Daniel Müller wrote:
>> First of all you should know what you want, a nt-style Domain or a ADS!?
>
> Well, if it's practical at this point, I'd be happier running an ADS - in particular, unless I've missed something, this would enable me to set group policies for the client machines, which is potentially quite useful. I suppose the question, then, is the S4+S3 combination production-ready?
>
>> The next step is , you can substitute Exchange with OPENCHANGE/SOGo as part of your Samba4 ads.
>
> Fortunately, email is currently a completely separate system, hosted off-site, so I don't immediately need to worry about it :) Hadn't heard of the Openchange project before, though - will look into it with interest.
>
>> Good Luck Daniel
>
> Thanks! I meant to mention before, by the way, that I obviously do intend to set up a test network rather than sticking any solution straight into production, so there shouldn't be any concerns on that score.
>
> -Andy Shaw