[Samba] Problem with Samba4 installation - trouble at kinit
Hi. I am following the steps in the Samba4 HOWTO:
http://wiki.samba.org/index.php/Samba4/HOWTO
and I run into trouble at this step:

    [root@samba-ad ~]# kinit administra...@allenlan.net
    kinit: Cannot contact any KDC for realm 'ALLENLAN.NET' while getting initial credentials

I performed all of the previous testing steps in the document successfully.

This is CentOS 6.3. I started with Ubuntu 12.10 and ran into the same problem there, so clearly it's something I am doing wrong.

When Samba is running, there is no listening socket on port 88. Does Samba implement the kerberos functionality internally? If so, does it specifically look for /etc/krb.conf?

If Samba does not implement Kerberos, should I have a Kerberos server running? I am very unfamiliar with Kerberos. Which package should I have installed?

Thank you.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba4 internal DNS not responding to DNS requests
I am not able to get the Samba4 internal DNS server to respond to DNS requests on the network.

I am running Samba4 4.1.0pre1-GIT-c1fb37d on my CentOS 6.3 system. I followed the instructions here:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

I configured Samba4 to use the internal DNS server. My Samba4 server is 192.168.0.13. Its full hostname is ubuntu-ad.allenlan.net. The realm is ALLENLAN.NET.

The DNS testing section of the document passes:

    $ host -t SRV _ldap._tcp.allenlan.net.
    _ldap._tcp.allenlan.net has SRV record 0 100 389 ubuntu-ad.allenlan.net.
    $ host -t SRV _kerberos._udp.allenlan.net.
    _kerberos._udp.allenlan.net has SRV record 0 100 88 ubuntu-ad.allenlan.net.
    $ host -t A ubuntu-ad.allenlan.net.
    ubuntu-ad.allenlan.net has address 192.168.0.13

I configured my Windows XP system with a DNS of 192.168.0.13 (Samba4 server). When I perform the Windows command

    nslookup ubuntu-ad.allenlan.net

(or any variation of that) it reports:

    DNS request timed out.
    timeout was 2 seconds.
    *** Can't find server name for address 192.168.0.13: Timed out
    (above 3 messages repeat again)
    Default servers are not available
    Server: UnKnown
    Address: 192.168.0.13

The Windows system can ping the Samba4 server by IP address.

Any help would be appreciated! More configuration information below.

/etc/resolv.conf:

    domain allenlan.net
    nameserver 192.168.0.13

/usr/local/samba/etc/smb.conf:

    [global]
        workgroup = ALLENLAN
        realm = ALLENLAN.NET
        netbios name = UBUNTU-AD
        server role = active directory domain controller
        dns forwarder = 192.168.0.1
        interfaces = 192.168.0.13 127.0.0.1
        bind interfaces only = yes
        log level = 3
        server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

/etc/hosts:

    192.168.0.13 ubuntu-ad ubuntu-ad.allenlan.net
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

    $ hostname
    ubuntu-ad.allenlan.net

Thank you.

Lee Allen
Re: [Samba] Samba4 internal DNS not responding to DNS requests
I meant to include that in my original description. Samba is definitely listening for the DNS requests. Here it is:

    $ netstat -npl | grep 53 | grep LISTEN
    tcp        0      0 127.0.0.1:53        0.0.0.0:*       LISTEN      15799/samba
    tcp        0      0 192.168.0.13:53     0.0.0.0:*       LISTEN      15799/samba

Lee

On Wed, Jan 9, 2013 at 10:05 AM, Rowland Penny rpe...@f2s.com wrote:
> Hi,
>
> What does 'netstat -npl | grep 53 | grep LISTEN' return?
>
> Rowland
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
*Lee Allen*
email: l...@leecallen.com
bus: (716) 773-2729
home: (716) 773-2326
cell: (716) 880-0854
fax: (716) 408-8844
Re: [Samba] Samba4 internal DNS not responding to DNS requests
I was sure I had disabled firewall and SElinux on this box. But I can't establish a netcat connection to the server so something is up.

Thank you!

> Hi,
>
> I thought that there may have been a possibility that dnsmasq was running, the only other thoughts I have are:
>
> How did you provision?
> Is the firewall blocking port 53?
> And that good old favourite, Selinux!
>
> Rowland
Re: [Samba] Samba4 internal DNS not responding to DNS requests - SOLVED
The problem was definitely SELinux and/or firewall (iptables).

Thank you for the help.

On Wed, Jan 9, 2013 at 8:38 PM, Andrew Bartlett abart...@samba.org wrote:
> On Wed, 2013-01-09 at 09:47 -0500, fe...@epepm.cupet.cu wrote:
>> That was the reason I switched to bind9. The internal dns server used to keep connections open, without closing old ones, until reaching the limit of max files... I don't know whether it's been already fixed or not. But it doesn't happen with bind. This topic has been on the list before.
>
> Yes, we fixed that (with a timeout).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                        http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
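Added example, not part of the original thread: the `grep LISTEN` filter used above shows only TCP sockets, because UDP sockets carry no LISTEN state in netstat output, while DNS and Kerberos clients normally try UDP first. The function below reads `netstat -nlptu` output and lists every required proto/port that has no socket bound on the server's LAN address; the function name, the sample output and the port list are constructed for illustration.

```shell
#!/bin/sh
# audit_listeners ADDR PROTO/PORT...
# Reads `netstat -nlptu` output on stdin and prints, space separated, every
# required PROTO/PORT with no socket bound on ADDR or on a wildcard address.
audit_listeners() {
    al_addr="$1"; shift
    awk -v addr="$al_addr" -v want="$*" '
        BEGIN { n = split(want, req, " ") }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)          # tcp6 -> tcp
            port = $4;  sub(/^.*:/, "", port)         # text after last ":"
            host = $4;  sub(/:[^:]*$/, "", host)      # text before last ":"
            if (host == addr || host == "0.0.0.0" || host == "::")
                seen[proto "/" port] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { printf "%s%s", sep, req[i]; sep = " " }
            print ""
        }'
}

# Constructed sample: TCP 53 bound on both addresses as in the thread,
# UDP 53 bound on loopback only, nothing on port 88.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address       Foreign Address   State    PID/Program name
tcp        0      0 127.0.0.1:53        0.0.0.0:*         LISTEN   15799/samba
tcp        0      0 192.168.0.13:53     0.0.0.0:*         LISTEN   15799/samba
udp        0      0 127.0.0.1:53        0.0.0.0:*                  15799/samba
tcp        0      0 0.0.0.0:22          0.0.0.0:*         LISTEN   1201/sshd
EOF
}

# On a live server: netstat -nlptu | audit_listeners 192.168.0.13 tcp/53 udp/53 tcp/88 udp/88
echo "missing: $(sample_netstat | audit_listeners 192.168.0.13 tcp/53 udp/53 tcp/88 udp/88)"
```

If nothing is reported missing and remote queries still time out, the sockets are bound and the block sits between client and socket (iptables, SELinux), which is what this thread found.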
[Samba] How to set ACLs with Samba4 AD?
I apologize if this is very beginner/basic. In my defense, I can't get the Samba4 documentation to compile on my system, and I can't find the man pages online (a pointer to them would be extremely helpful). And in general, I am having difficulty sorting through the documentation on the wiki because much of it is clearly pre-Samba4 and therefore obsolete, or at least questionable. It's hard to know what is relevant.

Most of the posts I see here seem to be much better informed than I am. I would love to know how they obtained their knowledge.

So here is my question: I am running Samba4 as an AD and file server. How do I define ACLs for the samba shares, for domain users & groups? These users and groups are not defined on the underlying OS (CentOS 6.3).

It seems the answer is to do it via the underlying filesystem, but how is that possible when the domain users & groups are not defined in the OS? I see samba-tool has some ACL get/set capability. Is that the answer? Or is there some special magic to get CentOS to control file access by referring to the Samba4 AD?

Many thanks in advance for any help. And I would be very grateful for pointers to Samba4 introductory or background material (I have used the HOW-TOs extensively).

Lee Allen
Re: [Samba] How to set ACLs with Samba4 AD?
Inno, that works very well - thank you!

It's not that I don't want to use samba-tool to maintain ACLs, I don't know how to -- I cannot find any documentation on the program. I have successfully compiled all of Samba4 but the docs will not compile on my system. If anybody can point me to a man page for samba-tool I would really appreciate it.

Thanks again Inno!

Lee

On Fri, Jan 18, 2013 at 4:01 PM, Innocent Yevide inye...@yahoo.fr wrote:
> Hello Lee,
>
> I am not sure I understand what is your real need. But if you don't want to use samba-tool, you can use Windows Explorer to set your ACLs...
>
> Assuming you have your file system supporting xattr, you can connect to your share drive from Windows with a privileged account like the administrator, and then right click on the folder / property / security. You should be able to set/reset ACLs for users and groups.
>
> What I used to do is create my folder, give full privilege and even ACLs (OS level) for all on that folder, and then as Admin on Windows, I remove and set privilege for only those who need it.
>
> You might need the following under your shared folder in smb.conf:
>
>     vfs objects = acl_xattr
>
> Regards,
> Inno.
[Samba] Unable to join domain, apparent DNS problem
This isn't exactly a Samba problem, but I am hoping the experts here can help me.

I have been trying to get my OpenIndiana system to join a Samba4 domain and I was running into multiple problems. So I decided to test against a true Windows Server (2003) domain, to see if there is something wrong with my client-side setup.

Attempting to join the WS2003 AD domain also fails. Snooping the network traffic reveals this:

    client: DNS query _ldap._tcp.dc._msdcs.ALLENLAN.NET: type SRV, class IN
    DC: no such server

I found this MS link:
http://technet.microsoft.com/en-us/library/cc961719.aspx

Which says, in part:

    _ldap._tcp.dc._msdcs.DnsDomainName
    Allows a client to locate a domain controller (dc) of the domain named by DnsDomainName. All Windows 2000 Server based domain controllers register this SRV record.

I am very new to Active Directory setup. So it is quite likely I have made a basic configuration error on the WS2003 AD setup. But true Windows clients can join the domain successfully.

Any ideas?

Does Samba4 automatically put this SRV record into its internal DNS server?

Thank you.

Lee Allen
Re: [Samba] Unable to join domain, apparent DNS problem
That also fails:

    lal...@oi.allenlan.net:~$ host -t SRV _ldap._tcp.allenlan.net.
    Host _ldap._tcp.allenlan.net. not found: 3(NXDOMAIN)
    lal...@oi.allenlan.net:~$ host -t SRV _ldap._tcp.dc._msdcs.allenlan.net.
    Host _ldap._tcp.dc._msdcs.ALLENLAN.NET. not found: 3(NXDOMAIN)

I can manually add these records, but according to the MS documentation, I shouldn't need to.

Lee Allen

On Feb 22, 2013 6:40 AM, Federico Nan feder...@nantec.com.ar wrote:
> You can try to find your record doing: (taking from the official how-to)
>
>     host -t SRV _ldap._tcp.samdom.example.com.
Re: [Samba] Unable to join domain, apparent DNS problem
I did quite a bit more research on this. Everything I read says an AD DNS should automatically set up those entries. I found a few trouble-shooting documents that suggested checking them, but nothing indicating why they might be wrong, and what to do about it. I agree that tearing down the domain and re-building it from scratch is the right approach.

In the meantime, I returned to my Samba4 project, and found an error I had made on the client side. 5 minutes later my openindiana system successfully joined my Samba4 domain. So at the moment I don't have any real interest in pursuing the Windows Server issue.

Thanks for your help.

Lee Allen

On Fri, Feb 22, 2013 at 11:13 AM, Federico Nan feder...@nantec.com.ar wrote:
> Maybe you can try to do a setup domain again.
[Samba] Unable to get Samba-3.6.12 to authenticate using ADS
    =[] NativeLanMan=[] PrimaryDomain=[]
    reply_spnego_negotiate: Got secblob of size 1476
    libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Decrypt integrity check failed
    libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Decrypt integrity check failed
    Found account name from PAC: lallen []
    Kerberos ticket principal name is [lal...@allenlan.net]
    Username ALLENLAN\lallen is invalid on this system
    error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    Transaction 2 of length 1508 (0 toread)
    switch message SMBsesssetupX (pid 85924) conn 0x0
    wct=12 flg2=0xc807
    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    Doing spnego session setup
    NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
    reply_spnego_negotiate: Got secblob of size 1362
    libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Decrypt integrity check failed
    libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Decrypt integrity check failed
    Found account name from PAC: lallen []
    Kerberos ticket principal name is [lal...@allenlan.net]
    Username ALLENLAN\lallen is invalid on this system
    error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    receive_smb_raw_talloc failed for client 192.168.0.93 read error = NT_STATUS_CONNECTION_RESET.
    Server exit (failed to receive smb request)

This has had me stumped for several days. Thank you for any & all help.

Lee Allen
[Samba] Logon scripts, home directories, and Samba4 AD
I have two separate (virtual) servers: one running Samba4 functioning as an AD controller, and one running Samba 3.6.1 functioning as a file & print server. I am using security=ads and winbind. Everything is working great.

Where things get a little messy is with the [homes] shares. Here is what I am doing now:

My Samba3 smb.conf has a typical [homes] section.

I create a subdirectory for each user, and set ownership & permissions.

I create a logon script on the Samba4 system -- one for each user, because the username is embedded in it:

    net use H: \\samba3\username

And then I use RSAT to set the logon script to the correct value for each user.

It's just a lot of steps that need to be performed (perfectly) for each user. Is there a better way?

I see RSAT allows me to specify a Home folder. Could this be a folder on the Samba3 server -- ie, \\samba3\username ? (I tried that and it did not work)

I can imagine some scripts that would create the logon script on the Samba4 system, and create the necessary directories on the Samba3 system. I could probably manage that, but I hate to re-invent the wheel -- If there is a clean, orthodox way to do this, I would like to know what it is.

Thank you.
[Samba] Logon scripts, home directories, and Samba4 AD
I apologize if this appears twice: I posted it several hours ago and it has not appeared on the list, so I am tweaking the email address and trying again.

I have two separate (virtual) servers: one running Samba4 functioning as an AD controller, and one running Samba 3.6.1 functioning as a file & print server. On the Samba3 side I am using security=ads and winbind and authenticating against the Samba4 ADC. Everything is working great.

Where things get a little messy is with the [homes] shares. Here is what I am doing now:

My Samba3 smb.conf has a typical [homes] section.

I create a subdirectory for each user, and set ownership & permissions.

I create a logon script on the Samba4 system -- one for each user, because the username is embedded in it:

    net use H: \\samba3\username

And then I use RSAT to set the logon script to the correct value for each user.

It's just a lot of steps that need to be performed (perfectly) for each user. Is there a better way?

I see RSAT allows me to specify a Home folder. Could this be a folder on the Samba3 server -- ie, \\samba3\username ? (I tried that and it did not work)

I can imagine some scripts that would create the logon script on the Samba4 system, and create the necessary directories on the Samba3 system. I could probably manage that, but I hate to re-invent the wheel -- If there is a clean, orthodox way to do this, I would like to know what it is.

Thank you.

Lee Allen
Re: [Samba] Logon scripts, home directories, and Samba4 AD
Thank you, that works great, and it eliminates the need to create logon scripts for each user. That's a big improvement.

ADUC complains it cannot create the folder. Not surprising, because the specified folder \\samba3\username does not really exist -- it's a [homes] share, the true pathname is \\samba3\nas\homes\username. So I still need to create the directory in the samba3 system, and set permissions appropriately.

Is there a way around this? The only solution I can see is to write a script that will create the necessary directories when a user is created. But that wouldn't be simple, because it's on a different server -- the user is created on the samba4 ADC and the shares are on the samba3 fileserver.

On Wed, Jul 3, 2013 at 3:22 AM, Gémes Géza g...@kzsdabas.hu wrote:
>> Hi,
>> This could do the job
>> Identify the home share on your samba3 fileserver (certain it is member of your samba4 domain?!) as dfs root
>> Ex: msdfs root= yes
>>
>> On samba4 ads
>> [home]
>> msdfs proxy= \your-samba3-server\homes
>> read only = No
>>
>> with rsat point to \your-samba3-server\homes
>>
>> Good luck
>>
>> ---
>> EDV Daniel Müller
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: muel...@tropenklinik.de
>> Internet: www.tropenklinik.de
>> ---
>
> Even easier specify \\your-samba3-server\%USERNAME% as the home folder setting under ADUC for all the users you want (you can even select them & set this once) if you also specify home drive H: it will get mounted at that drive letter
>
> Regards
>
> Geza Gemes
Re: [Samba] Logon scripts, home directories, and Samba4 AD
Daniel that's perfect -- the 'root preexec' is exactly what I need. Thank you.

On Jul 3, 2013 9:33 AM, Daniel Müller muel...@tropenklinik.de wrote:

So you authenticate against the samba4 ads with your samba3, is this true? Then you can do a root preexec and run a script on your samba3 server every time the users connect to [homes]. Ex:

[homes]
root preexec = /path-to-script/./user-home-dir %U

Your script user-home-dir (where $1 is the login of the user):

#!/bin/bash
# Does the directory exist?
if test -d "/path-to/your-users-home-dirs/$1"
then
    # Record in a log file that the directory is already there
    echo "$1 Directory already up and running" >> /system/log/eanm.log
else
    mkdir "/path-to/your-users-home-dirs/$1"
    chmod -R 700 "/path-to/your-users-home-dirs/$1"
    chown -R "$1:Domain Users" "/path-to/your-users-home-dirs/$1"
    echo "/path-to/your-users-home-dirs/$1 created" >> /system/log/anm.log
fi

Greetings Daniel

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Lee Allen
Sent: Wednesday, 3 July 2013 14:56
To: Gémes Géza
Cc: samba@lists.samba.org
Subject: Re: [Samba] Logon scripts, home directories, and Samba4 AD

Thank you, that works great, and it eliminates the need to create logon scripts for each user. That's a big improvement.

ADUC complains it cannot create the folder. Not surprising, because the specified folder \\samba3\username does not really exist -- it's a [homes] share, the true pathname is \\samba3\nas\homes\username. So I still need to create the directory in the samba3 system, and set permissions appropriately.

Is there a way around this? The only solution I can see is to write a script that will create the necessary directories when a user is created.
But that wouldn't be simple, because it's on a different server -- the user is created on the samba4 ADC and the shares are on the samba3 fileserver.

On Wed, Jul 3, 2013 at 3:22 AM, Gémes Géza g...@kzsdabas.hu wrote:

Hi, This could do the job. Identify the home share on your samba3 fileserver (certain it is member of your samba4 domain?!) as dfs root. Ex:

msdfs root= yes

On samba4 ads:

[home]
msdfs proxy= \your-samba3-server\homes
read only = No

With rsat point to \your-samba3-server\homes

Good luck

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

Even easier specify \\your-samba3-server\%USERNAME% as the home folder setting under ADUC for all the users you want (you can even select them set this once) if you also specify home drive H: it will get mounted at that drive letter

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Lee Allen
Sent: Wednesday, 3 July 2013 00:20
To: samba@lists.samba.org; samba-technical@lists.samba.org
Subject: [Samba] Logon scripts, home directories, and Samba4 AD

I apologize if this appears twice: I posted it several hours ago and it has not appeared on the list, so I am tweaking the email address and trying again.

I have two separate (virtual) servers: one running Samba4 functioning as an AD controller, and one running Samba 3.6.1 functioning as a file print server. On the Samba3 side I am using security=ads and winbind and authenticating against the Samba4 ADC. Everything is working great.

Where things get a little messy is with the [homes] shares. Here is what I am doing now:

My Samba3 smb.conf has a typical [homes] section. I create a subdirectory for each user, and set ownership permissions.
I create a logon script on the Samba4 system -- one for each user, because the username is embedded in it:

net use H: \\samba3\username

And then I use RSAT to set the logon script to the correct value for each user.

It's just a lot of steps that need to be performed (perfectly) for each user. Is there a better way?

I see RSAT allows me to specify a Home folder. Could this be a folder on the Samba3 server -- ie, \\samba3\username ? (I tried that and it did not work)

I can imagine some scripts that would create the logon script on the Samba4 system, and create the necessary directories on the Samba3 system. I could probably manage that, but I hate
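A hardened variant of the root preexec helper quoted in the thread above, as an added example that is not part of any poster's message: because %U is the name the client asked for and the script runs as root, it validates the name, refuses symlinks and confirms the account resolves before creating anything. The function names and the environment overrides are assumptions; the paths and the group are the thread's placeholders.

```bash
#!/bin/bash
# Added example, not from the thread: hardened home-directory helper for
#   root preexec = /path-to-script/user-home-dir %U
# HOMES_BASE, HOMES_GROUP and LOG default to the thread's placeholders and can be
# overridden in the environment. valid_login and ensure_home are hypothetical names.
HOMES_BASE="${HOMES_BASE:-/path-to/your-users-home-dirs}"
HOMES_GROUP="${HOMES_GROUP:-Domain Users}"
LOG="${LOG:-/system/log/anm.log}"

# %U is the name the client asked for, so treat it as untrusted input:
# allow only letters, digits, dot, underscore and dash, no leading dot or dash.
valid_login() {
    case "$1" in
        '' | .* | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Return codes: 0 ready, 2 bad name, 3 symlink or non-directory in the way,
# 4 unknown account, 5 creation failed.
ensure_home() {
    eh_user=$1
    valid_login "$eh_user" || { echo "rejected login name" >>"$LOG"; return 2; }
    eh_dir="$HOMES_BASE/$eh_user"
    # Never follow a symlink as root: it could point outside HOMES_BASE.
    if [ -L "$eh_dir" ]; then
        echo "$eh_dir is a symlink, refusing" >>"$LOG"; return 3
    fi
    [ -d "$eh_dir" ] && return 0
    [ -e "$eh_dir" ] && return 3
    # The account must resolve through NSS (winbind) before root creates anything.
    id -u "$eh_user" >/dev/null 2>&1 || { echo "$eh_user unknown" >>"$LOG"; return 4; }
    mkdir -m 700 -- "$eh_dir" || return 5
    # The directory is new and empty, so no recursive chown/chmod is needed.
    if ! chown -- "$eh_user:$HOMES_GROUP" "$eh_dir"; then
        rmdir -- "$eh_dir"; return 5
    fi
    echo "$eh_dir created" >>"$LOG"
    return 0
}

# Run only when a login name is passed, as smbd does for root preexec.
if [ "$#" -gt 0 ]; then
    ensure_home "$1"
fi
```

Names that arrive as DOMAIN\user are rejected by the validator, so this assumes winbind use default domain = yes on the file server.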
[Samba] getent group by name fails
Samba 3.6.17 joined to Samba 4.2.0 AD domain, using winbind

'wbinfo -g' and 'getent group' successfully list all groups.

'getent group 10006' returns:
domain users:x:10006:

'getent group domain users' fails with return code 2

partial log.winbind after above command:

[2013/10/11 10:01:31.288199, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [31911]: request interface version
[2013/10/11 10:01:31.288288, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [31911]: request location of privileged pipe
[2013/10/11 10:01:31.288421, 3] winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
  getgrnam domain users
[2013/10/11 10:01:31.288520, 3] winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
  msrpc_name_to_sid: name=DOMAIN\USERS
[2013/10/11 10:01:31.288547, 3] winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
  name_to_sid [rpc] DOMAIN\USERS for domain DOMAIN

if I specify the domain name, ie: 'getent group ALLENLAN\\domain users' it still fails...

[2013/10/11 10:02:18.280728, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [31925]: request interface version
[2013/10/11 10:02:18.280823, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [31925]: request location of privileged pipe
[2013/10/11 10:02:18.280940, 3] winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
  getgrnam ALLENLAN\domain users
[2013/10/11 10:02:18.281033, 3] winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
  msrpc_name_to_sid: name=ALLENLAN\DOMAIN\USERS
[2013/10/11 10:02:18.281060, 3] winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
  name_to_sid [rpc] ALLENLAN\DOMAIN\USERS for domain ALLENLAN\DOMAIN

Note the missing space in DOMAIN\USERS in the logs. I don't know whether this is relevant.
'getent passwd' does not have any such problems - it can query by UID or username

smb.conf:

[global]
workgroup = ALLENLAN
realm = allenlan.net
password server = 192.168.0.13
preferred master = no
server string = zone-samba3
security = ads
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind separator = \
idmap config * : backend = ad
idmap config * : range = 1-10

--
*Lee Allen*
Re: [Samba] getent group by name fails
Steve thank you for pointing that out. I made those changes and it does not affect the results.

'getent group UID' works
'getent group groupname' does not work, for the same group

On Fri, Oct 11, 2013 at 12:25 PM, steve st...@steve-ss.com wrote:

Quite a bit missing here. Try:

idmap config * : backend = tdb
idmap config * : range = 9800-9900
idmap config ALLENLAN : default = yes
idmap config ALLENLAN : schema mode = rfc2307
idmap config ALLENLAN : backend = ad
idmap config ALLENLAN : range = 1-100

HTH
Steve

--
*Lee Allen*
email: l...@leecallen.com
bus: (404) 698-1801
home: (716) 773-2326
cell: (716) 880-0854
fax: (716) 408-8844
Re: [Samba] getent group by name fails
Those don't work for me:

getent group domain users
getent group Domain Users
getent group Domain\ Users

all fail, returning 2

I will look into sssd

On Fri, Oct 11, 2013 at 2:36 PM, Rowland Penny rowlandpe...@googlemail.com wrote:

On 11/10/13 19:06, Lee Allen wrote:

Steve thank you for pointing that out. I made those changes and it does not affect the results.

'getent group UID' works
'getent group groupname' does not work, for the same group

On Fri, Oct 11, 2013 at 12:25 PM, steve st...@steve-ss.com wrote:

Quite a bit missing here. Try:

idmap config * : backend = tdb
idmap config * : range = 9800-9900
idmap config ALLENLAN : default = yes
idmap config ALLENLAN : schema mode = rfc2307
idmap config ALLENLAN : backend = ad
idmap config ALLENLAN : range = 1-100

HTH
Steve

Hi, have you tried 'getent group Domain\ Users' ? Mind you if all else fails, ditch winbind and use sssd

getent group
root:x:0:
.
Domain Admins:*:27:
Domain Guests:*:65534:
Domain Users:*:100:
linuxusers:*:1:

getent group 100
users:x:100:

getent group users
users:x:100:

getent group Domain\ Users
Domain Users:*:100:

getent group Domain Users
Domain Users:*:100:

getent group domain users

The last one is the only one that failed

Rowland

--
*Lee Allen*
email: l...@leecallen.com
bus: (404) 698-1801
home: (716) 773-2326
cell: (716) 880-0854
fax: (716) 408-8844