Re: [Samba] [Announce] Samba 4.0.0rc1 Available for Download

2012-09-14 Thread Ricky Nance
Maybe this will help ;) I also cleaned up references to 'beta'.

Ricky

On Thu, Sep 13, 2012 at 9:55 PM, Scott Lovenberg
scott.lovenb...@gmail.com wrote:

 On Thu, Sep 13, 2012 at 6:40 AM, Karolin Seeger ksee...@samba.org wrote:
 [...]
  - Domain member support in the 'samba' binary is in it's infancy, and
is not comparable to the support found in winbindd.  As such, do not
use the 'samba' binary (provided for the AD server) on a member
server.

 Stupid bug report, its should be used above, not it's.  You want
 the possessive, not the contraction.
 Just for future RC release notes (it's been bothering me since the
 later beta release notes). :)

 --
 Peace and Blessings,
 -Scott.




--
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] remove IP from DNS ldb

2012-10-12 Thread Ricky Nance
First make a backup of samba in case something goes wrong. Then
`nslookup realm.tld` should give you a list of all the IPs linked to
realm.tld, then you can use something like
`samba-tool dns delete host realm.tld @ A ip.you.rem.oved -Uadministrator`.
Also you will want to use
`samba-tool dns delete host realm.tld host.realm.tld A ip.you.rem.oved -Uadministrator`.
Run a `nslookup realm.tld` again and it should only show the 1 IP address.
You will want to restart both bind and samba after making these changes just
to be safe. Also remember that realm.tld is the realm you set during the
provision.

Ricky

On Wed, Oct 10, 2012 at 12:25 AM, Mohammad Ebrahim Abravi 
lamp@gmail.com wrote:

 Hello
 install samba4beta8 with bind 9.9.1 and internal samba DNS DB on server
 with two IP, then remove one of IPs.
 Users can not connect to the server or to communicate with a server takes .
 Because, Removed IP  in response to client requests are sent !

 How to remove not use IP from samba dns DB by Samba Tools ?






Re: [Samba] access my created share in smb.conf Only by Ip

2012-11-05 Thread Ricky Nance
With that provision line, you will default to the internal_dns DNS server.
If you want to use bind9_dlz you will need to specify
--dns-backend=BIND9_DLZ. This is the excerpt if you run samba-tool domain
provision --help:

--dns-backend=NAMESERVER-BACKEND
        The DNS server backend. samba_internal is the builtin
        name server (default), bind9_flatfile uses bind9 text
        database to store zone information, bind9_dlz uses
        samba4 AD to store zone information, none skips the
        DNS setup entirely (not recommended)

Provisioning with the internal DNS server may work fine for you (it may
not, I don't know your situation exactly), but you can't run bind, then run
samba and expect it to work, you can run one or the other, but if bind is
running, and you start samba, the only errors you will see are in the
samba/log/log.samba file, samba itself will not stop, but rather that one
service samba spawns will not run. This is the same for any other service
taking a port samba uses, if it is running first, samba will just not run
that service. The code is in place and the samba binary should stop and
throw an error, but for some reason it's not functioning properly. You can
verify what ports samba is using by doing a
'netstat -anp | grep samba | grep LISTEN  ' (notice the space after the LISTEN )

Good luck,
Ricky

On Sun, Nov 4, 2012 at 10:54 PM, Mohammad Ebrahim Abravi lamp@gmail.com
 wrote:

 *samba4 provision line : *
 provision --realm=hum-office.xxx.xx.xx --domain=HUM-Office
 --adminpass='p4$$word' --server-role=dc

 *smb.conf :*

 
 # Global parameters
 [global]
 workgroup = HUM-OFFICE
 realm = hum-office.xxx.xx.xx
 netbios name = HUM-AD
 server role = active directory domain controller
 passdb backend = samba4


 [netlogon]
 path = /usr/local/samba/var/locks/sysvol/hum-office.xxx.xx.xx/scripts
 read only = No

 [sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

 [profiles]
 path = /usr/local/samba/var/locks/sysvol/hum-office.xxx.xx.xx/profiles
 browseable = yes
 read only = no

 [ShareDir]
 path = /ShareDir
 read only = No
 create mask = 0600
 directory mask = 0700

 


 *Bind bind-9.9.1-P2 : *

 built with '--with-gssapi=/usr/include/gssapi' '--prefix=/usr'
 '--mandir=/usr/share/man' '--infodir=/usr/share/info'
 '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
 '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static'
 '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
 '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing'
 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
 '--with-dlz-dlopen=yes' '--with-dlopen=yes'



 
 *named.conf :*
 include "/etc/bind/named.conf.options";
 include "/usr/local/samba/private/named.conf";

 *named.conf.options :*
 options {
     directory "/var/cache/bind";
     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

     allow-recursion   { 192.168.25.0/24; 127.0.0.1; 192.168.113.0/24; 192.168.112.0/24; };
     allow-query       { 192.168.25.0/24; 127.0.0.1; 192.168.113.0/24; 192.168.112.0/24; };
     allow-query-cache { 192.168.25.0/24; 127.0.0.1; 192.168.113.0/24; 192.168.112.0/24; };

     forwarders {
         4.2.2.4;
     };
     dnssec-validation yes;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { any; };
 };
 server ::/0 {
     edns no;
 };

 server 0.0.0.0/0 {
     edns no;
 };

 On Wed, Oct 31, 2012 at 2:22 PM, Rowland Penny repe...@f2s.com wrote:

  Can you please give us your samba4 provision line, a copy of your
 smb.conf
  and tell us if bind9 is running on the samba4 server.
 
  Without this information, nobody can start to help you sort out your
  problem.
 
  Rowland
 
 
  On 31/10/12 09:56, Mohammad Ebrahim Abravi wrote:
 
  Hello
 
  Upgrade to samba4 rc4 But this problem not solved 
 
  On Sat, Oct 20, 2012 at 12:40 PM, Rowland Penny rpe...@f2s.com wrote:
 
   On 20/10/12 08:20, Mohammad Ebrahim Abravi wrote:
 
   Hello
 
  use your recommendations , Results:
 
  samba4 rc3
  *s4-ad - samba server Host name
  test.s4.com - domain name*
  *Dns Server - Samba Internal DNS server , Bind 9.9.1-P2*
  *win xp*
 
  \\test.s4.com  no  access
  \\192.168.1.6 -  no  access
 
  \\test.s4.com\myshare   -  no  access
  \\192.168.1.6\myshare  -  no  access
 
 
  *Note*: this 
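
The listener check from the reply above (`netstat -anp | grep samba | grep LISTEN`), extended as an added example that is not part of the original thread or Samba's own tooling: it reports AD DC ports that are held by some other daemon, such as named on 53, or that nothing is listening on. The port list, the function names and the sample netstat output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `netstat -anp` text on stdin and
# prints, for each expected AD DC TCP port:
#   conflict PORT OWNER   a non-Samba process is listening on it
#   unknown  PORT         a listener exists but netstat showed no owner (not root)
#   missing  PORT         nothing is listening on it at all
# Like the command in the reply, only TCP sockets in LISTEN state are checked.

# Assumption: usual Samba AD DC TCP ports (DNS, Kerberos, RPC endpoint mapper,
# NetBIOS session, LDAP, SMB, kpasswd, LDAPS, global catalog, GC over TLS).
AD_DC_PORTS="53 88 135 139 389 445 464 636 3268 3269"

find_port_conflicts() {
    awk -v ports="$AD_DC_PORTS" '
        BEGIN {
            n = split(ports, want_list, " ")
            for (i = 1; i <= n; i++) want[want_list[i]] = 1
        }
        # Fields: proto recv-q send-q local foreign state pid/program
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4
            sub(/^.*:/, "", port)          # works for 0.0.0.0:53 and :::53
            if (!(port in want)) next
            owner = $7
            sub(/^[0-9]+\//, "", owner)    # drop the "PID/" prefix
            if (owner ~ /^(samba|smbd|winbindd)/) samba_has[port] = 1
            else if (owner == "-" || owner == "") unknown[port] = 1
            else other[port] = owner
        }
        END {
            for (i = 1; i <= n; i++) {
                port = want_list[i]
                if (port in other) print "conflict", port, other[port]
                else if (port in unknown) print "unknown", port
                else if (!(port in samba_has)) print "missing", port
            }
        }
    '
}

# Constructed sample: named was started before samba and holds port 53,
# and nothing listens on 3269.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      812/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      1490/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      1487/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1501/smbd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1489/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1501/smbd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      1490/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1489/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      1489/samba
tcp        0      0 192.168.1.6:445         192.168.1.20:49172      ESTABLISHED 1533/smbd
tcp6       0      0 :::53                   :::*                    LISTEN      812/named
EOF
}

# Demo on the constructed sample; on a live server: netstat -anp | find_port_conflicts
sample_netstat | find_port_conflicts
```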

Re: [Samba] Samba 4.0 released - The First Free Software Active Directory Compatible Server is now available !

2012-12-13 Thread Ricky Nance
Very nice work! Congrats to all of the Samba team on achieving such a great
milestone!

Ricky


On Tue, Dec 11, 2012 at 11:32 AM, Jeremy Allison j...@samba.org wrote:

   Samba Team Releases Samba 4.0
   =============================

 December 11th 2012.

 The Samba Team is proud to announce the release of Samba 4.0, a major
 new release of the award-winning Free Software file, print and
 authentication server suite for Microsoft Windows clients.


 The First Free Software Active Directory Compatible Server
 ==========================================================

 As the culmination of ten years' work, the Samba Team has created the
 first compatible Free Software implementation of Microsoft’s Active
 Directory protocols. Familiar to all network administrators, the
 Active Directory protocols are the heart of modern directory service
 implementations.

 Samba 4.0 comprises an LDAP directory server, Heimdal Kerberos
 authentication server, a secure Dynamic DNS server, and
 implementations of all necessary remote procedure calls for Active
 Directory. Samba 4.0 provides everything needed to serve as an Active
 Directory Compatible Domain Controller for all versions of Microsoft
 Windows clients currently supported by Microsoft, including the
 recently released Windows 8.

 The Samba 4.0 Active Directory Compatible Server provides support for
 features such as Group Policy, Roaming Profiles, Windows
 Administration tools and integrates with Microsoft Exchange and Free
 Software compatible services such as OpenChange.

 The Samba 4.0 Active Directory Compatible Server can also be joined to
 an existing Microsoft Active Directory domain, and Microsoft Active
 Directory Domain Controllers can be joined to a Samba 4.0 Active
 Directory Compatible Server, showing true peer-to-peer
 interoperability of the Microsoft and Samba implementations of the
 Active Directory protocols.

 Acknowledging the value of the interoperability of the Samba 4.0
 Active Directory Compatible Server, Steve van Maanen, the co-founder
 of Starsphere LLC, an IT services company in Tokyo, said:

 "Thanks to Samba4, I have two fully replicating Active Directory
 Domain controllers that boot in under 10 seconds ! It is nice to have
 alternatives, and Samba4 is a great one."

 Upgrade scripts are also provided for organizations using the previous
 Microsoft Windows NT Domain Controller functionality in Samba 3.x, to
 allow them to migrate smoothly to Samba 4.0.

 Suitable for low-power and embedded applications, yet scaling to large
 clusters, Samba 4.0 is efficient and flexible. Its Python programming
 interface and administration toolkit help in enterprise deployments.


 Created Using Microsoft Documentation
 =====================================

 The Samba 4.0 Active Directory Compatible Server was created with help
 from the official protocol documentation published by Microsoft
 Corporation and the Samba Team would like to acknowledge the
 documentation help and interoperability testing by Microsoft engineers
 that made our implementation interoperable.

 "Active Directory is a mainstay of enterprise IT environments, and
 Microsoft is committed to support for interoperability across
 platforms," said Thomas Pfenning, director of development, Windows
 Server. "We are pleased that the documentation and interoperability
 labs that Microsoft has provided have been key in the development of
 the Samba 4.0 Active Directory functionality."


 Introducing SMB2.1 File Serving Support
 =======================================

 Samba 4.0 includes the first Free Software implementation of
 Microsoft's SMB2.1 file serving protocol. Building on the success of
 the SMB2.0 server in Samba 3.6, the Samba 4.0 file server component is
 an evolution of the trusted Samba file serving code that is used
 worldwide by vendors of file servers, such as IBM's clustered Scale
 Out Network Attached Storage (SONAS), and many other commercial
 products.

 In addition, the Samba 4.0 file server contains an initial
 implementation of SMB3, which will be further developed in later Samba
 4 releases into a fully-featured SMB3 clustered file server
 implementation.

 Future developments of our SMB3 server and client suite, in
 combination with our expanding number of SMB3 tests, will keep driving
 the performance improvements and improved compatibility with Microsoft
 Windows that Samba users have come to expect from our software.


 Integrated Clustered File Server Support
 ========================================

 Building on our success as the first commercial implementation of a
 clustered SMB/CIFS server, Samba 4.0 provides industry-leading
 scalability and performance as a clustered SMB2/SMB/CIFS file server,
 using our clustered tdb (ctdb) technology - also available as Free
 Software.

 Clustered Samba provides a Single Server view of clustered file
 storage, allowing clients to connect to the least loaded server and
 still 

Re: [Samba] Replication Ok, or not?

2013-02-12 Thread Ricky Nance
I think that is just a bug. Not sure if it's been reported yet or not though.

Ricky
On Feb 12, 2013 11:18 AM, Gregory Sloop gr...@sloop.net wrote:

 Setup a DC using 4.0.3 - all appears to go fine...

 Setup a second DC and everything works fine to here...but I'm not sure
 if replication is actually working or not.

 Here's what I get from ./samba-tool drs showrepl

 I've also done. [./samba-tool drs kcc -Uadministrator
 dc2.samba.somedom.local] in an attempt to fix the replication problem.
 (or what I think is a problem.)

 [The outbound neighbors data seems hinky... and searches on similar
 cases don't seem to return much useful data.]

 ---
 Default-First-Site-Name\DC1
 DSA Options: 0x0001
 DSA object GUID: b895f491-759f-4c72-a068-d1a40d0a8f4a
 DSA invocationId: e72417ee-e57b-430f-b636-1d3745a94c89

  INBOUND NEIGHBORS 

 DC=ForestDnsZones,DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ Tue Feb 12 09:10:15 2013 PST was successful
 0 consecutive failure(s).
 Last success @ Tue Feb 12 09:10:15 2013 PST

 DC=DomainDnsZones,DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ Tue Feb 12 09:10:16 2013 PST was successful
 0 consecutive failure(s).
 Last success @ Tue Feb 12 09:10:16 2013 PST

 DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ Tue Feb 12 09:10:17 2013 PST was successful
 0 consecutive failure(s).
 Last success @ Tue Feb 12 09:10:17 2013 PST

 CN=Schema,CN=Configuration,DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ Tue Feb 12 09:10:17 2013 PST was successful
 0 consecutive failure(s).
 Last success @ Tue Feb 12 09:10:17 2013 PST

 CN=Configuration,DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ Tue Feb 12 09:10:18 2013 PST was successful
 0 consecutive failure(s).
 Last success @ Tue Feb 12 09:10:18 2013 PST

  OUTBOUND NEIGHBORS 

 DC=ForestDnsZones,DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

 DC=DomainDnsZones,DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

 DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

 CN=Schema,CN=Configuration,DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

 CN=Configuration,DC=samba,DC=somedom,DC=local
 Default-First-Site-Name\DC2 via RPC
 DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
 Last attempt @ NTTIME(0) was successful
 0 consecutive failure(s).
 Last success @ NTTIME(0)

  KCC CONNECTION OBJECTS 

 Connection --
 Connection name: 6c662086-56f8-4932-aead-3ecf580e705e
 Enabled: TRUE
 Server DNS name : DC2.samba.somedom.local
 Server DN name  : CN=NTDS
 Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=somedom,DC=local
 TransportType: RPC
 options: 0x0001
 Warning: No NC replicated for Connection!
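
A way to condense `samba-tool drs showrepl` output like the one quoted above into one line per replication neighbour, as an added example that is not part of the original thread or Samba's own tooling. It assumes the line layout shown in the quoted output; the function names and the sample input (including the failing entry) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads showrepl text on stdin and prints
#   status|direction|naming context|partner|consecutive failures|last success
# status is "failing" when the failure counter is above zero, "no-timestamp"
# when the last success is NTTIME(0) (an unset timestamp, which the reply in
# this thread attributes to a bug, so it is reported separately from a
# failure), and "ok" otherwise.

showrepl_summary() {
    awk '
        /INBOUND NEIGHBORS/      { dir = "inbound";  next }
        /OUTBOUND NEIGHBORS/     { dir = "outbound"; next }
        /KCC CONNECTION OBJECTS/ { dir = "";         next }
        dir == "" { next }                  # DSA header and KCC section are skipped
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # entries are indented in the real output
            sub(/[ \t\r]+$/, "", line)
        }
        line ~ /^(DC|CN)=/ { nc = line; fails = 0; next }
        line ~ / via RPC$/ { partner = line; sub(/ via RPC$/, "", partner); next }
        line ~ /consecutive failure\(s\)/ { fails = line + 0; next }
        line ~ /^Last success @ / {
            last = line
            sub(/^Last success @ /, "", last)
            status = "ok"
            if (last == "NTTIME(0)") status = "no-timestamp"
            if (fails > 0) status = "failing"
            print status "|" dir "|" nc "|" partner "|" fails "|" last
        }
    '
}

# Constructed sample in the layout of the quoted output; the failing
# DomainDnsZones entry and the all-zero GUID are made up for the demo.
sample_showrepl() {
    cat <<'EOF'
Default-First-Site-Name\DC1
==== INBOUND NEIGHBORS ====

DC=samba,DC=somedom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000000
        Last attempt @ Tue Feb 12 09:10:17 2013 PST was successful
        0 consecutive failure(s).
        Last success @ Tue Feb 12 09:10:17 2013 PST

DC=DomainDnsZones,DC=samba,DC=somedom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000000
        Last attempt @ Tue Feb 12 09:10:16 2013 PST failed, result 58 (WERR_BAD_NET_RESP)
        3 consecutive failure(s).
        Last success @ Tue Feb 12 08:40:16 2013 PST

==== OUTBOUND NEIGHBORS ====

DC=samba,DC=somedom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000000
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name
    Warning: No NC replicated for Connection!
EOF
}

# Demo on the constructed sample; live use: samba-tool drs showrepl | showrepl_summary
sample_showrepl | showrepl_summary
```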




Re: [Samba] s3fs or ntvfs

2013-02-12 Thread Ricky Nance
In more recent versions of samba, the server services line is typically
omitted (as is the dcerpc endpoint servers). If you have +smb, -s3fs, you
are using ntvfs, otherwise +s3fs does just what it says (and in your line
there is no smb either, which is good if you are running s3fs). As far as I
remember, these lines are no longer generated by provision (since early
betas I think). Also, if you start samba and see smbd running (ps ax | grep
smbd), then you are using s3fs, and according to your mail, this is the
case.

Ricky


On Tue, Feb 12, 2013 at 6:58 PM, Fabian von Romberg fromberg...@hotmail.com
 wrote:

 Hi,

 how can I tell what file server is currently running in samba4, s3fs or ntvfs?

 My smb.conf looks like this:

 server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
 ntp_signd, kcc, dnsupdate, web
 dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
 lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey,
 dnsserver

 I'm asking as when logging from a Windows 7 client I'm seeing in debug the
 following:


 /usr/local/samba/sbin/smbd: Initialising default vfs hooks
 /usr/local/samba/sbin/smbd: Initialising custom vfs hooks from [/[Default
 VFS]/]
 /usr/local/samba/sbin/smbd: Initialising custom vfs hooks from [acl_xattr]
 /usr/local/samba/sbin/smbd: Initialising custom vfs hooks from [dfs_samba4]
 /usr/local/samba/sbin/smbd: connect_acl_xattr: setting 'inherit acls =
 true' 'dos filemode = true' and 'force unknown acl user = true' for service
 IPC$


 Regards,
 Fabian







Re: [Samba] Promoting a DC

2013-02-12 Thread Ricky Nance
Hi Greg,
Yes, it's really that simple, however you may end up needing to transfer
them one role at a time if you end up getting errors (something I had to do
once). Samba-tool needs a bit more documentation (on the wiki that is),
however you can see more info by using --help after any command... I may
start working on a wiki page for that soon.

Ricky


On Tue, Feb 12, 2013 at 9:31 PM, Gregory Sloop gr...@sloop.net wrote:

 So, I'm wondering if anyone has a howto on promoting a non-master DC
 to FSMO/Operation master and making it the Primary DC? [I don't see it
 in the Wiki and searching doesn't produce anything for me.]

 In my particular case, I have a couple of test DC's I've setup. Rather
 than tear them down, I might like to just move them into
 production/final testing and then replace those machines with more
 appropriate hardware - and promote the new DC to the master.]

 Perhaps this isn't the best approach - and that's fine.

 But even then, knowing how to make one of the non-master DC's a master
 under Samba4 might be a good thing to know, before I have an emergency
 where I need to do it.

 ---
 PS: I did one more search and got this article.
 https://lists.samba.org/archive/samba/2012-April/167012.html

 Is it really as easy as [./samba-tool fsmo transfer --role=all
 --realm=SOMEDOM.COM ... ] ?

 Again, something more formal might be nice. I'd be glad to author it
 on the Wiki if someone can walk me through the proper steps. [I don't
 want to document it if I'm not sure I'm doing it right.]

 TIA
 -Greg







Re: [Samba] map to guest = bad user ignored in Samba 4?

2013-02-13 Thread Ricky Nance
Hi Sebastian,
Many of the per share options can now be done using ACL's. In this case you
would open the netlogon share (via windows) start - run -
\\MY-SERVER\netlogon (then press enter), then right click on a blank spot
in that folder (not on any other file or folder) and select properties.
Find the security tab and you can make the modifications you want
(specifically adding Everyone with full permissions should give you what
you are looking for, though I have not been able to test this yet). If I
get a chance soon I will do some testing to make sure that the acl change
is all that is needed.

To find out what options are available, samba-tool testparm -v will give
you a nice list (at least for global).

Ricky


On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus s...@open-t.co.uk wrote:

 I would like to migrate some of my Samba 3.x domains to Samba 4. Part of
 the functionality of the current system is allowing some Windows XP Pro
 computers, which are not joined to the domain, access to some public shares
 on the Samba server. I tried using map to guest = bad user with Samba 4 -
 but it appears to be completely ignored and the Windows XP machine keeps on
 prompting for username/password when trying to access the server share. Has
 this option been dropped in Samba 4? Is there another way to accomplish the
 same?

 Otherwise my Samba 4 domain seems to be working fine - and the Windows XP
 Pro machines which are joined to it can access the share fine.

 As a side note, I find it hard to figure out which smb.conf options are
 still available for Samba 4 and which are not. I've googled around and
 can't seem to find a wiki page or authoritative page.

 I use Samba 4.1.0pre1

 Here is my smb.conf


 [global]
 workgroup = MYDOMAIN
 realm = mydomain.local
 netbios name = MY-SERVER
 server role = active directory domain controller
 idmap_ldb:use rfc2307 = yes
 map to guest = bad user

 [netlogon]
 path = /var/lib/samba/sysvol/mydomain.local/scripts
 read only = No
 public = Yes






Re: [Samba] map to guest = bad user ignored in Samba 4?

2013-02-15 Thread Ricky Nance
Have you taken a look at
https://wiki.samba.org/index.php/Samba_4/OS_Requirements#File_System_Support to
ensure your file system will handle ACL's?

Ricky


On Fri, Feb 15, 2013 at 10:35 AM, Sebastian Arcus s...@open-t.co.uk wrote:

 Hi Ricky,

 Thanks for the reply. I have tried changing the permissions on the
 netlogon share and the strange thing is that none of the changes I do in
 the Security/ACL tab from the Windows XP machine which is joined to the
 domain (but on the netlogon share which is on the server) actually stick. I
 can access the shares fine with that machine, but if I change the
 permissions, it seems to just ignore the changes - no error message. I am
 logged in as the domain Administrator - so it seems like a bit of a
 mystery. Then again - maybe I've done something silly when I've setup this
 Samba AD DC - although I've followed all the instructions on the Samba wiki
 and everything else seems to be working fine.


 Sebastian



 On 14/02/13 05:31, Ricky Nance wrote:

 Hi Sebastian,
 Many of the per share options can now be done using ACL's. In this case
 you would open the netlogon share (via windows) start - run -
 \\MY-SERVER\netlogon (then press enter), then right click on a blank
 spot in that folder (not on any other file or folder) and select
 properties. Find the security tab and you can make the modifications you
 want (specifically adding Everyone with full permissions should give you
 what you are looking for, though I have not been able to test this yet).
 If I get a chance soon I will do some testing to make sure that the acl
 change is all that is needed.

 To find out what options are available, samba-tool testparm -v will give
 you a nice list (at least for global).

 Ricky


 On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus s...@open-t.co.uk wrote:

 I would like to migrate some of my Samba 3.x domains to Samba 4.
 Part of the functionality of the current system is allowing some
 Windows XP Pro computers, which are not joined to the domain, access
 to some public shares on the Samba server. I tried using map to
 guest = bad user with Samba 4 - but it appears to be completely
 ignored and the Windows XP machine keeps on prompting for
 username/password when trying to access the server share. Has this
 option been dropped in Samba 4? Is there another way to accomplish
 the same?

 Otherwise my Samba 4 domain seems to be working fine - and the
 Windows XP Pro machines which are joined to it can access the share
 fine.

 As a side note, I find it hard to figure out which smb.conf options
 are still available for Samba 4 and which are not. I've googled
 around and can't seem to find a wiki page or authoritative page.

 I use Samba 4.1.0pre1

 Here is my smb.conf


 [global]
 workgroup = MYDOMAIN
 realm = mydomain.local
 netbios name = MY-SERVER
 server role = active directory domain controller
 idmap_ldb:use rfc2307 = yes
 map to guest = bad user

 [netlogon]
 path = /var/lib/samba/sysvol/mydomain.local/scripts

 read only = No
 public = Yes
 




 --



 --
 Linux vehicle CCTV - www.open-t.co.uk/iroko






Re: [Samba] smb.conf for Windows clients

2013-02-18 Thread Ricky Nance
Hi Greg, could you please provide more info on what you are needing samba
to do? Is this going to be a PDC or AD DC, or simple sharing, a print
server, the list goes on... give us a little bit more info to work with and
someone will likely be able to help you out.

Ricky


On Mon, Feb 18, 2013 at 5:02 PM, Gregory Sloop gr...@sloop.net wrote:

 So, I'm trying to paw through the long set of smb.conf options - and
 it's rather daunting.

 I'm wondering what smb.conf options are most
 important/appropriate/common for mostly Windows XP/7/(possibly v8) clients.

 TIA

 -Greg

 --
 Gregory Sloop, Principal: Sloop Network  Computer Consulting
 503.251.0452 x121 Voice | 503.251.0452 Fax
 www.sloop.net
 mailto:gr...@sloop.net







Re: [Samba] smb.conf for Windows clients

2013-02-18 Thread Ricky Nance
Alright, so you should find everything you are looking for here
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO_TEMP

ACL's make share manipulation much easier, pretty much
[share]
path = /some/path/on/linux
read only = no

then from windows, login as the domain administrator and you can set the
permissions to however you'd like.

Let us know if you have any more issues.
Ricky


On Mon, Feb 18, 2013 at 7:40 PM, Gregory Sloop gr...@sloop.net wrote:




  Hi Greg, could you please provide more info on what you are needing
 samba to do? Is this going to be a PDC or AD DC, or simple sharing, a print
 server, the list goes on... give us a little bit more info to work with and
 someone will likely be able to help you out.

 Ricky




 Yes, of course. I should have done that initially.
 Sorry for the vagueness - though I'm *shocked,* *shocked I tell you* that
 you're not mind-readers!

 ---
 It's a Samba4 AD, operating in absence of a Windows AD/DC

 It's going to do file sharing, in an AD context. [Domain]
 We'll probably eventually use point-and-print functionality and GPO's etc.

 ...But initially I just want a good start on the main share. No
 non-windows clients are likely to use the share.
 Some things are clearly going to be items to use, like case
 [non]-sensitivity.

 So, I'm most interested in the important items in relation to the Share
 the Windows clients will see. If there are other items in the smb.conf
 elsewhere to be wary of, then those would be nice too.

 But there are so many items...having a good place to start that would
 avoid nasties cropping up later would be really nice.
 I've done a lot of this under S3, but it's been a while - and S4 changed
 so much I'm a new babe in the woods again. :)

 -Greg






Re: [Samba] Error in DRS Showrepl

2013-02-20 Thread Ricky Nance
On DC2 do you have nameserver ip.to.dc.1 in your /etc/resolv.conf ? Also
the Warnings are just that, a warning, they are safe to ignore. (I have
them on mine, and my replication works fine.)

Ricky


On Wed, Feb 20, 2013 at 8:44 AM, BOTZ Franck (Informaticien) - DDT
67/SG/MGI/CI franck.b...@bas-rhin.gouv.fr wrote:

 Hi.

 Here is my problem.

 I have 2 DC (DC1, DC2)

 From DC1 I run samba-tool drs showrepl DC1
 ------------------------------------------------------------
 INBOUND NEIGHBORS : OK
 OUTBOUND NEIGHBORS : OK

  KCC CONNECTION OBJECTS

 Connection --
 Connection name: 179ef6ba-a138-46d7-9a64-880ab4608b04
 Enabled: TRUE
 Server DNS name : DC2.SHORTDOMAIN.LOCAL
 Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SHORTDOMAIN,DC=LOCAL
 TransportType: RPC
 options: 0x0001
 Warning: No NC replicated for Connection!
 ------------------------------------------------------------

 From DC1 I run samba-tool drs showrepl DC2
 ------------------------------------------------------------
 INBOUND NEIGHBORS : OK
 OUTBOUND NEIGHBORS : OK

  KCC CONNECTION OBJECTS

 Connection --
 Connection name: 27614816-0679-43a7-8c2e-41d36d98930a
 Enabled: TRUE
 Server DNS name : DC1.SHORTDOMAIN.LOCAL
 Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SHORTDOMAIN,DC=LOCAL
 TransportType: RPC
 options: 0x0001
 Warning: No NC replicated for Connection!
 ------------------------------------------------------------

 Why those warnings ?

 From DC2 i run samba-tool drs showrepl DC2
 ------------------------------------------------------------
 INBOUND NEIGHBORS : OK
 OUTBOUND NEIGHBORS : OK

  KCC CONNECTION OBJECTS

 Connection --
 Connection name: 27614816-0679-43a7-8c2e-41d36d98930a
 Enabled: TRUE
 Server DNS name : DC1.SHORTDOMAIN.LOCAL
 Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SHORTDOMAIN,DC=LOCAL
 TransportType: RPC
 options: 0x0001
 Warning: No NC replicated for Connection!
 ------------------------------------------------------------

 From DC2 I run samba-tool drs showrepl DC1

 Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
 e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp:DC1[1024,seal]
 NT_STATUS_UNSUCCESSFUL
 ERROR(class 'samba.drs_utils.drsException'): DRS connection to DC1
 failed - drsException: DRS connection to DC1 failed: (-1073741823,
 'Undetermined error')
   File /samba/lib/python2.6/site-packages/samba/netcmd/drs.py, line 39, in drsuapi_connect
 (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
 drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
   File /samba/lib/python2.6/site-packages/samba/drs_utils.py, line 54, in drsuapi_connect
 raise drsException(DRS connection to %s failed: %s % (server, e))

 What's that ??

 Regards

 Franck







Re: [Samba] getent group return only local users

2013-02-20 Thread Ricky Nance
Did you make the appropriate symlinks for winbind.so ? I use Ubuntu and
mine look like the following:

root@server:/lib/x86_64-linux-gnu# ls -alh | grep winbind
lrwxrwxrwx  1 root root   40 Nov 23 14:45 libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so.2
lrwxrwxrwx  1 root root   40 Nov 23 14:45 libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2

However your distribution may store them in a different location, so first
you need to find out where your other libnss files are at, and then cd to
that directory (in my example, cd /lib/x86_64-linux-gnu ) and then do a
ln -s /usr/local/samba/lib/libnss_winbind.so.2 ./ && ln -s /usr/local/samba/lib/libnss_winbind.so.2 ./libnss_winbind.so

(that is a lower case LN not IN)

Ricky


On Wed, Feb 20, 2013 at 8:24 AM, Hervé Hénoch h.hen...@isc84.org wrote:

 Hello

 I use S4 file server with nsswitch.conf (ad server is another Linux with
 S4) :

 passwd: compat winbind
 group:  compat winbind

 I wonder how it can be possible that :

* getent passwd is ok
* but getent group returns only local users (wbinfo -g is ok and
  gives domain user)

 Any idea ?

 Regards

 --

 Hervé Hénoch
 IT Manager
 Institut Sainte Catherine
 250 chemin de Baigne-Pieds
 CS 80005 --- 84918 AVIGNON cedex 9
 Telephone: 04.90.27.57.44


Re: [Samba] Samba4 Auto-start

2013-02-20 Thread Ricky Nance
My bet is that smbd is spawning before your upstart script, causing major
problems. Try to issue an update-rc.d -f smbd remove, then reboot and see if
your problem goes away.

Ricky


On Wed, Feb 20, 2013 at 3:15 PM, Gregory Sloop gr...@sloop.net wrote:


 MR I'll cut to the chase -- several weeks ago, I thought I had an
 MR upstart configuration file that would start Samba4 when the VM was
 MR turned on; but it turns out I was wrong. At the time there was
 MR nothing on the wiki about it (the links were broken).
 MR The script I thought was working was simply:

 MR start on runlevel [2345]
 MR exec /usr/local/samba/sbin/samba

 MR In any case, looking at the official wiki today, I found a new
 MR note, stating that the links were indeed broken and that this one
 should probably work:

 -SNIP-

 MR I am running Version 4.1.0pre1-GIT-f25debf on Ubuntu 12.04 LTS,
 MR with the samba executable at /usr/local/samba/sbin/samba and the
 MR conf file as /etc/init/samba4.conf.

 I'm the one that dug up that upstart script and put it in the Wiki.
 [Since the link was broken.]

 But I don't think the upstart script has anything to do with what
 ports Samba's going to listen on.

 While someone else may be able to offer more helpful advice, I'd guess
 that the difference is that the upstart is starting samba with a
 different config than the manual start - if you figure out how it's
 getting a different config, then I suspect your problem will go away
 or be trivially solvable.

 Also, while I think there's no difference in terms of if the upstart
 script works properly or not, I used it on version 4.0.3.



Re: [Samba] Possible bug in Samba 4 - no Recycle VFS object

2013-02-22 Thread Ricky Nance
Hi Sebastian,
If you run ps ax | grep smbd while samba is running and see running smbd
processes, then most (probably all even) vfs objects should run (including
recycle).

Ricky
On Feb 22, 2013 4:01 AM, Sebastian Arcus s...@open-t.co.uk wrote:

 On 21/02/13 23:26, Jeremy Allison wrote:

 On Thu, Feb 21, 2013 at 07:24:26PM +, Sebastian Arcus wrote:

 Just a quick check here before I file a bug report. I've just
 checked if I can use the recycle VFS object in Samba 4 like I do in
 Samba 3 - and it seems that is not implemented yet. Should I file it
 as a bug report - or Samba 4 supports/will support this
 functionality in some other way?


 The vfs recycle module works in the same way in Samba4
 that it worked in previous versions of Samba. It doesn't
 work with the ntvfs file server backend, but that isn't
 recommended anyway.

  Hi Jeremy. Thanks for the reply. Would that mean that it is not possible
 to use the recycle bin in the ADS domain mode?

 Sebastian



Re: [Samba] SaMBa 4.0.x homedir mapping - is possible without user account in system?

2013-02-23 Thread Ricky Nance
Sure, you need to set up winbind and a couple of config options and it
should work fine. I will post a link later (on my mobile at the moment).
This info needs to be added to the howto wiki.

Ricky
On Feb 23, 2013 10:34 AM, Celso Viana celso.via...@gmail.com wrote:

 Hi all,

 I'm testing the Samba4 and can only map the users home if I create the
 account in the system and samba. Does anyone know if you can do this
 only with the account in samba?

 Thanks!

 --
 Celso Vianna
 BSD User: 51318
 http://www.bsdcounter.org

 Palmas/TO


Re: [Samba] Samba4 DC, Auth on linux side

2013-02-23 Thread Ricky Nance
I've not personally tried this, but have you seen how to set this up with a
Windows AD? I think it is a bit different, but should be possible.
Remember that Samba AD should work exactly as a Windows AD as far as most
programs are concerned.

Ricky
On Feb 23, 2013 11:56 AM, Chris Fischer chri...@gmx.net wrote:

 Hi Thomas,

 thank you for your answer. I managed to add posix attributes and found the
 Unix Attributes tab. It is working but always gives me a not allowed
 error.

 It seems to be a good idea to keep the existing Windows/*nix users and get
 S4 AD running stable and reliable. The second part would be to think about
 migration to winbind.

 So I have time to find a good solution for managing postfix and cyrus
 accounts via a directory in our company.

 Regards Chris


 On 19.02.2013 12:56, Thomas Simmons wrote:

 Hello Chris,

 It's pretty simple to add posix attributes via ADUC - there is a UNIX
 Attributes tab. The hardest part for me is remembering to go into that tab
 and enable it when I create new users :) If you already have these
 attributes with your S3 domain, classicupgrade will migrate them. With S3,
 I used plain LDAP auth for all of my *nix systems, and for things like
 Apache, OpenVPN (by way of a custom auth script), Request Tracker, etc...
 We also have several in-house apps that were written to use LDAP. I decided
 to stay with LDAP authentication for the time being, since it only required
 a few config edits, though I will likely deploy new systems using winbind.


 On Mon, Feb 18, 2013 at 4:57 PM, Chris Fischer chri...@gmx.net wrote:

  Hi all,

 I'm searching the web up and down for a while now.

 I had set up a Samba4 AD from debian packages successfully. Now the goal
 is, like S3 with LDAP, to use this AD for linux purposes.
 At first for auth, later to bind postfix and other services to read the
 directory. (When tests are successful, I will migrate an existing
 S3/OpenLDAP to S4's Active Directory.)

 Now it is difficult for me to find best practices for my project.

 - Should I add posix attributes to my Domain Users and how to use this
 approach in an easy way with ADUC or other tools and read them with nslcd.
 or
 - Should I use nslcd without posix attributes and configure some mappings
 like creating uidNumber from the SID
 or
 - should I use WINBIND for auth. But I have found discussions about
 different winbind behavior depending on S4 is used as DC or member server
 in AD. In production mode, there will be the need to have linux auth on the
 DC and one member server (NAS). So it would be nice to get the same behavior
 on both servers.


 Thanks for your advice.

 Chris Fischer



Re: [Samba] SaMBa 4.0.x homedir mapping - is possible without user account in system?

2013-02-23 Thread Ricky Nance
https://wiki.samba.org/index.php/Samba4/Winbind Here is a link on how to
set up nsswitch.conf and winbind links. Please note that you will need to
find your current libnss files and place the symlinks with them (/lib may
not be the correct path, in my case Ubuntu 12.04, they are in
/lib/x86_64-linux-gnu). After adding those links and modifying the
nsswitch.conf, you might want to add:

template homedir = /home/%ACCOUNTNAME%

to your smb.conf to make winbind a little happier (it defaults to
/home/%WORKGROUP%/%ACCOUNTNAME%).

Good luck,
Ricky


On Sat, Feb 23, 2013 at 12:41 PM, Ricky Nance 
ricky.na...@weaubleau.k12.mo.us wrote:

 Sure, you need to set up winbind and a couple of config options and it
 should work fine. I will post a link later (on my mobile at the moment).
 This info needs to be added to the howto wiki.

 Ricky
 On Feb 23, 2013 10:34 AM, Celso Viana celso.via...@gmail.com wrote:

 Hi all,

 I'm testing the Samba4 and can only map the users home if I create the
 account in the system and samba. Does anyone know if you can do this
 only with the account in samba?

 Thanks!

 --
 Celso Vianna
 BSD User: 51318
 http://www.bsdcounter.org

 Palmas/TO


Re: [Samba] some DNS trouble ...

2013-02-26 Thread Ricky Nance
Correct me if I am wrong, but isn't it dns forwarder = (not dns forwarderS)?
Run your config through samba-tool testparm and see if it complains.

Ricky


On Tue, Feb 26, 2013 at 9:11 AM, Gregory Sloop gr...@sloop.net wrote:


 mmgc Well … just found that the options
 mmgc server role
 mmgc dns recursive queries
 mmgc dns forwarders

 mmgc are ignored … hmmm … well … does anyone know how to achieve the
 mmgc desired behavior without these options ?

 Perhaps I don't understand what's going on - but are you sure your DNS
 forwarder *IS* working properly? Because if the forwarder wasn't
 servicing the DNS queries, then it would *look* like [dns forwarders]
 wasn't working.

 This came up in another thread in the last week. Make sure the DNS
 server specified in the [dns forwarders] is actually serving DNS
 queries for the AD host in question.

 It's common for BIND to be locked down so it will handle local
 queries for all requests, or remote queries for zones it's auth for
 - but not to handle remote requests for non-auth zones.

 [See listen-on and allow-query in BIND docs, among other things.]



Re: [Samba] kerberos

2013-03-08 Thread Ricky Nance
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO_TEMP#Samba_AD_management may
be of help.

Ricky


On Fri, Mar 8, 2013 at 12:53 AM, Andrew Bartlett abart...@samba.org wrote:

 On Wed, 2013-03-06 at 14:18 -0700, Saad Benateigha wrote:
  I am having a problem using kerberos
 
  I have installed samba4, and it appears to work correctly
  However I want to create a service principal
  and every time I try to use
  kadmin -p admin
  I get this error:
  Database error! Required KADM5 principal missing while initializing
 kadmin interface
 
  What am I doing wrong?
  Is there another command since Samba4 has its own kerberos?
  Please shed some light on my dilemma.

 Correct, you cannot use kadmin against a Samba AD DC.  We do not provide
 this interface.

 See samba-tool to manage your AD users.

 Andrew Bartlett

 --
 Andrew Bartlett                                http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Logon scripts

2013-03-08 Thread Ricky Nance
Hello Terry,
You will need to define a logon script for each user in the Active
Directory Users and Computers (ADUC) tool or you can do this through user
GPOs (there is a logon script option under the user module).

In ADUC, select a user (or highlight several users) then under the profiles
tab add the filename (logon.bat for me, yours may be different) and ensure
that the logon.bat exists in the netlogon share.

For the GPO option you can open Group Policy MMC and select your users OU,
then create new policy, name it something useful (map homes share, or run
logon script for instance), edit it, and under User Configuration, click
Windows Settings, scripts (logon/logoff), then double click the logon
option, and add your file to the GPO under the show files button, then
click Add, and select the file you just added (or created) there.

Ricky


On Fri, Mar 8, 2013 at 2:02 PM, Terry Austin te...@crownhardware.com wrote:

 Is there a detailed howto on setting up logon scripts on Samba 4? Or is it
 the same as for 3?


Re: [Samba] Windows 7 logon script not executed

2013-03-11 Thread Ricky Nance
Just for testing add the following line to your [netlogon]

root preexec = echo %u is in %G > /home/samba/netlogon/groupname.txt

then try a windows logon (it won't tell windows anything, but will create
the file /home/samba/netlogon/groupname.txt), then on the samba
server, cat /home/samba/netlogon/groupname.txt
and see what is going on. As soon as you are done testing either comment
out that line, or just remove it completely.

Ricky


On Mon, Mar 11, 2013 at 7:13 AM, Daniel Müller muel...@tropenklinik.de wrote:

 The behaviour of windows 7 concerning  logon scripts (ingroup-feature) is
 quite different to xp.
 Without posting your script there is no chance to help you.

 ---
 EDV Daniel Müller

 Head of IT
 Tropenklinik Paul-Lechler-Krankenhaus
 Paul-Lechler-Str. 24
 72076 Tübingen

 Tel.: 07071/206-463, Fax: 07071/206-499
 eMail: muel...@tropenklinik.de
 Internet: www.tropenklinik.de
 ---

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 On behalf of List Mik
 Sent: Monday, 11 March 2013 12:13
 To: samba@lists.samba.org
 Subject: [Samba] Windows 7 logon script not executed

 Hello,

 the configuration below, works like a charm for WinXP Prof. Clients:

 samba 3.5.6, configured as PDC, netlogon share, logon script is users.bat.
 The primary group of the Domainusers is users.

 the relevant parts of smb.conf:

 logon script = %G.bat
 [netlogon]
  path = /home/samba/netlogon
  public = yes
  writeable = no
  browseable = yes
  valid users = @Domain Users,@users

 Logging in from WinXP Prof. SP3 machines,  the logon script is executed
 without problems.
 Logging in from Win7 Prof. SP1 machines (as same domain user), does not
 execute the logon script.

 Domain logins from Win7 Pcs in general work, roaming profiles as well, only
 the logon script is not executed.

 here comes the log of the logon process (/var/log/samba/log.testpc):

 [2013/03/11 11:11:41.889891,  1] smbd/service.c:1070(make_connection_snum)
testpc (:::192.168.100.100) connect to service profiles initially as
 user testuser (uid=1011, gid=1001) (pid 17853)
 [2013/03/11 11:11:41.930769,  1] smbd/service.c:1070(make_connection_snum)
testpc (:::192.168.100.100) connect to service profiles initially as
 user testpc$ (uid=1064, gid=515) (pid 17853)
 [2013/03/11 11:11:41.932278,  1] smbd/vfs.c:932(check_reduced_name)
check_reduced_name: couldn't get realpath for testuser.v2/ntuser.ini
 [2013/03/11 11:11:42.312102,  0]
 smbd/nttrans.c:2204(call_nt_transact_ioctl)
call_nt_transact_ioctl(0x1401c4): Currently not implemented.
 [2013/03/11 11:11:43.082440,  1] smbd/service.c:1070(make_connection_snum)
testpc (:::192.168.100.100) connect to service testuser initially as
 user testuser (uid=1011, gid=1001) (pid 17853)
 [2013/03/11 11:11:43.174407,  1] smbd/service.c:1070(make_connection_snum)
testpc (:::192.168.100.100) connect to service netlogon initially as
 user testuser (uid=1011, gid=1001) (pid 17853)
 [2013/03/11 11:11:56.462383,  1] smbd/service.c:1251(close_cnum)
testpc (:::192.168.100.100) closed connection to service profiles
 [2013/03/11 11:11:56.465834,  1] smbd/service.c:1251(close_cnum)
testpc (:::192.168.100.100) closed connection to service testuser
 [2013/03/11 11:11:56.466887,  1] smbd/service.c:1251(close_cnum)
testpc (:::192.168.100.100) closed connection to service netlogon
 [2013/03/11 11:12:08.458230,  1] smbd/service.c:1251(close_cnum)
testpc (:::192.168.100.100) closed connection to service profiles

 Somehow it seems, that the win7 clients, when they do a domain logon, do not
 consider the group users as primary group of the domain user.

 Any help appreciated, thanks

 Mik






Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Ricky Nance
With the BIND9_DLZ backend, bind actually handles the forwarding, so you
will need to set that up in your named conf, something like the following:

options {
    forwarders { 192.249.249.1; 192.249.249.3; };
};
Although, some distros break apart the named stuff, so you may need to find
information specific to your distro on this.

Ricky


On Mon, Mar 11, 2013 at 11:30 AM, Gerry Reno gr...@verizon.net wrote:

 When I ran the provision I selected BIND9_DLZ.

 The provision did not prompt me for a DNS forwarder IP.

 So after the provision finished I entered the DNS forwarder IP manually
 into smb.conf.

 Should the provision have prompted for the DNS forwarder IP?




Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Ricky Nance
Sorry I don't understand what you mean by views... the provision generated
named.conf should be inserted into your /etc/named/named.conf (again this
varies on different distros) as an include directive, it is not meant to be
a full named.conf.

Ricky


On Mon, Mar 11, 2013 at 6:16 PM, Gerry Reno gr...@verizon.net wrote:

 Since I am using views, where should I include the provision-generated
 named.conf?

 Just in the local network view?

 -Gerry



Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Ricky Nance
I am not 100% sure, but anywhere in the named.conf config should be
sufficient, DLZ is Dynamically Loadable Zones, so samba ends up being its
own zone as far as I know.

Ricky


On Mon, Mar 11, 2013 at 7:43 PM, Gerry Reno gr...@verizon.net wrote:

 On 03/11/2013 08:27 PM, Ricky Nance wrote:
  Sorry I don't understand what you mean by views... the provision
 generated named.conf should be inserted into your
  /etc/named/named.conf (again this varies on different distros) as an
 include directive, it is not meant to be a full
  named.conf.
 
  Ricky
 
 
  On Mon, Mar 11, 2013 at 6:16 PM, Gerry Reno gr...@verizon.net wrote:
 
  Since I am using views, where should I include the
 provision-generated named.conf?
 
  Just in the local network view?
 
  -Gerry
 

 This is BIND views:
 http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/

 aka  Split-DNS  related to Stealth-DNS.

 My question is asking where in our main named.conf do we include this
 provision-generated named.conf when we are using
 BIND views.

 -Gerry



Re: [Samba] S4 Cannot Unlock Account

2013-03-16 Thread Ricky Nance
You should be able to use samba-tool user enable Testuser2 or possibly
samba-tool user setexpiry (add a --help for more info on how to use it).

Good luck,
Ricky


On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons twsn...@gmail.com wrote:

 On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons twsn...@gmail.com wrote:

  I have come across a few accounts (out of 300+) that seem to be locked
  that will not unlock. These accounts were migrated from S3. Can someone
  advise - what am I missing here?
 
  I've reset the password several times via RSAT, checking the Unlock
  Account checkbox, which has not helped. Resetting the user's password
 via
  smbpasswd gives me:
 
  pdb_try_account_unlock: Account dmscott administratively locked out with
  no bad password time. Leaving locked out.
 
  When attempting to login to WinXP, Windows states the account is locked
  out and log.samba shows:
 
Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using
  arcfour-hmac-md5
  [2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
  [2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
authsam_account_ok: Account for user dmscott@DOMAIN was locked out.
 
  Here is an ldapsearch output. I'm not seeing where/why this account is
  locked.
 
  # extended LDIF
  #
  # LDAPv3
  # base cn=Users,dc=internal,dc=domain,dc=com with scope subtree
  # filter: sAMAccountName=dmscott
  # requesting: ALL
  #
 
  # Duser M. Scott, Users, internal.domain.com
  dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
  instanceType: 4
  whenCreated: 20121229150147.0Z
  uSNCreated: 4317
  objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
  badPwdCount: 0
  codePage: 0
  countryCode: 0
  badPasswordTime: 0
  lastLogoff: 0
  lastLogon: 0
  primaryGroupID: 513
  objectSid:: AQUAAAUVL/+1+4rRK5lRjK88/Q4AAA==
  logonCount: 0
  sAMAccountName: dmscott
  sAMAccountType: 805306368
  objectCategory:
  CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
   =com
  logonHours:: 
  uidNumber: 1436
  objectClass: top
  objectClass: posixAccount
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  unixHomeDirectory: /home/dmscott
  gidNumber: 513
  msSFU30NisDomain: domain
  memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
  mail: duser.m.sc...@domain.com
  userPrincipalName: dmsc...@internal.domain.com
  givenName: Duser
  initials: M
  sn: Scott
  displayName: Duser M. Scott
  cn: Duser M. Scott
  name: Duser M. Scott
  scriptPath: GCS.cmd
  lockoutTime: 0
  loginShell: /bin/bash
  msDS-SupportedEncryptionTypes: 0
  userAccountControl: 528
  accountExpires: 0
  pwdLastSet: 13005098906000
  userParameters:
  IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
 
 
  AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
 
 
  BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
 
 
  YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
   HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
  whenChanged: 20130211233014.0Z
  uSNChanged: 8816
  distinguishedName: CN=Duser M.
 Scott,CN=Users,DC=internal,DC=domain,DC=com
 
  # search result
  search: 2
  result: 0 Success
 
  # numResponses: 2
  # numEntries: 1
 

 It seems that the problem for this user is the userAccountControl attribute
 having a value of 528 locks the account. Changing it to 512 (what most
 users are set to) unlocks the account. Is there any way to do this without
 directly modifying the LDAP entry?
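
Added example (not part of the original thread, and not Samba code): a small Python decoder for the two userAccountControl values discussed above, showing that 528 is NORMAL_ACCOUNT plus the LOCKOUT bit and that clearing that bit gives 512. The flag names follow Microsoft's published userAccountControl table; the LDIF is a constructed, abridged sample built from the attribute values quoted in the thread, and the function names are assumptions of this example.

```python
# Added example: decode userAccountControl from ldapsearch-style output.
# Flag names and values follow Microsoft's userAccountControl documentation.

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
LOCKOUT = 0x0010

# Bits that relax authentication requirements; worth reviewing before a raw
# userAccountControl value is written back to the directory.
WEAKENING = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED",
             "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH"}

# Constructed sample, abridged from the attribute values quoted in the thread.
SAMPLE_LDIF = """\
# Duser M. Scott, Users, internal.domain.com
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
sAMAccountName: dmscott
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
 =com
badPwdCount: 0
badPasswordTime: 0
lockoutTime: 0
userAccountControl: 528
"""


def decode_uac(value):
    """Return (flag names set in value, leftover bits not in the table)."""
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    known = 0
    for bit in UAC_FLAGS:
        known |= bit
    return names, value & ~known


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one entry, unfolding wrapped lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "::" marks a base64 value
            value = "base64:" + value[1:].strip()
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def lockout_report(ldif_text):
    """Summarise the lockout-related state of one ldapsearch entry."""
    attrs = parse_ldif_entry(ldif_text)
    uac = int(attrs["userAccountControl"][0])
    names, unknown = decode_uac(uac)
    return {
        "account": attrs.get("sAMAccountName", ["?"])[0],
        "uac": uac,
        "flags": names,
        "unknown_bits": unknown,
        "lockout_flag": bool(uac & LOCKOUT),
        "lockoutTime": int(attrs.get("lockoutTime", ["0"])[0]),
        "badPwdCount": int(attrs.get("badPwdCount", ["0"])[0]),
        "uac_without_lockout": uac & ~LOCKOUT,
        "weakening_flags": [n for n in names if n in WEAKENING],
    }


if __name__ == "__main__":
    for key, val in lockout_report(SAMPLE_LDIF).items():
        print(f"{key}: {val}")
```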






Re: [Samba] Samba 4 AD DC and BIND

2013-03-19 Thread Ricky Nance
I saw this error recently myself, and haven't yet investigated what's going
on for sure, but I suspect it's the way dns_connect is parsing everything (I
saw it with the | or ) ... try with -Uadministrator%password (replacing
password with the administrator password you use) and report back please.

Ricky


On Tue, Mar 19, 2013 at 4:58 PM, Gerry Reno gr...@verizon.net wrote:

 I have Samba 4 AD DC running with BIND9_DLZ.

 I am trying to use samba-tool to administer dns but I keep getting this
 error:

 # /usr/local/samba/bin/samba-tool dns query 127.0.0.1 company.com
 www.company.com ALL
 Password for [COMPANY\root]:
 Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:127.0.0.1[1024,sign]
 NT_STATUS_NET_WRITE_FAULT
 ERROR(runtime): uncaught exception - (-1073741614, 'NT_STATUS_NET_WRITE_FAULT')
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py,
 line 175, in _run
 return self.run(*args, **kwargs)
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line
 970, in run
 dns_conn = dns_connect(server, self.lp, self.creds)
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line
 37, in dns_connect
 dns_conn = dnsserver.dnsserver(binding_str, lp, creds)


 What is this error?  And how do I get rid of it?

 -Gerry




Re: [Samba] Samba 4 AD DC and BIND

2013-03-19 Thread Ricky Nance
Try samba-tool dns query netbiosname company.com @ ALL
-Uadministrator%HIDDEN (where netbiosname is generally the same as your
computer's hostname)... try to avoid using 127.0.0.1 or localhost. Also that
error is often a sign of the DNS server not running, so double-check that with
netstat -anp | grep 53 | grep LISTEN .

Ricky


On Tue, Mar 19, 2013 at 7:47 PM, Gerry Reno gr...@verizon.net wrote:

 On 03/19/2013 08:38 PM, Ricky Nance wrote:
  I saw this error recently myself, and haven't yet investigated what's going
  on for sure, but I suspect it's the way dns_connect is parsing everything (I
  saw it with the | or ) ... try with -Uadministrator%password (replacing
  password with the administrator password you use) and report back please.
 
  Ricky
 
 If you search for a label that is in the DNS then the command succeeds.

 If you search for a label that is not in the DNS it yields the following
 error:

 /usr/local/samba/bin/samba-tool dns query 127.0.0.1 company.com
 www.company.com ALL -Uadministrator%HIDDEN
 ERROR(runtime): uncaught exception - (9714,
 'WERR_DNS_ERROR_NAME_DOES_NOT_EXIST')
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py,
 line 175, in _run
 return self.run(*args, **kwargs)
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line
 974, in run
 None, record_type, select_flags, None, None)


 samba-tool behaving badly

 -Gerry






Re: [Samba] Samba 4 AD DC and BIND

2013-03-19 Thread Ricky Nance
Try first a kinit administrator, then enter the administrator password,
then /usr/local/samba/bin/samba-tool dns query COMPANY.company.com
company.com @ ALL (notice no -U this time, and the format of host.realm
instead of just host... I mistyped that in the last message) and see if it
works, this will cause that tool to use kerberos instead of the regular
login.

Ricky


On Tue, Mar 19, 2013 at 8:09 PM, Gerry Reno gr...@verizon.net wrote:

 On 03/19/2013 09:00 PM, Ricky Nance wrote:
  Try samba-tool dns query netbiosname company.com @ ALL
  -Uadministrator%HIDDEN (where netbiosname is generally the same as your
  computer's hostname)... try to avoid using 127.0.0.1 or localhost. Also that
  error is often a sign of the DNS server not running, so double-check that with
  netstat -anp | grep 53 | grep LISTEN .
 
  Ricky
 

 DNS is running just fine.  Otherwise I would not have gotten answers on
 the first good query.

 # ps -ef | grep named
 named93131013:36 ?00:00:00/usr/sbin/named  -u
  named

 And that last netbiosname style command gives this error:

 # /usr/local/samba/bin/samba-tool dns query COMPANY company.com @ ALL
 -Uadministrator%HIDDEN
 ERROR(runtime): uncaught exception - (-1073741772,
 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py,
 line 175, in _run
 return self.run(*args, **kwargs)
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line
 970, in run
 dns_conn = dns_connect(server, self.lp, self.creds)
   File
 /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line
 37, in dns_connect
 dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

 -Gerry




Re: [Samba] Samba 4 AD DC and BIND

2013-03-19 Thread Ricky Nance
What is the error message now?

Ricky


On Tue, Mar 19, 2013 at 10:06 PM, Gerry Reno gr...@verizon.net wrote:

 On 03/19/2013 10:57 PM, Ricky Nance wrote:
  Try first a kinit administrator, then enter the administrator password,
  then /usr/local/samba/bin/samba-tool dns query COMPANY.company.com
  company.com @ ALL (notice no -U this time, and the format of host.realm
  instead of just host... I mistyped that in the last message) and see if it
  works, this will cause that tool to use kerberos instead of the regular
  login.
 
  Ricky
 

 Nope.

 Did the kinit and got a good ticket.

 # /usr/local/samba/bin/samba-tool dns query COMPANY.company.com company.com @ ALL
 ERROR(runtime): uncaught exception - (-1073741772, 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
   File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
     return self.run(*args, **kwargs)
   File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line 970, in run
     dns_conn = dns_connect(server, self.lp, self.creds)
   File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line 37, in dns_connect
     dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

 -Gerry








Re: [Samba] Samba 4 DC Firewall settings

2013-03-25 Thread Ricky Nance
I think 1024 is used for replication between DC's, and since it's above the
1024 range, it will jump ports if needed.

Ricky


On Mon, Mar 25, 2013 at 10:22 PM, steve st...@steve-ss.com wrote:

 On 24/03/13 15:17, Thomas Simmons wrote:


 On Mar 24, 2013 7:04 AM, steve st...@steve-ss.com wrote:

  Samba 4.0.4 on openSUSE 12.3
 Hi everyone.

 Does anyone have a list of ports which have to be open to allow full DC
 operation?

 I'm no expert in firewalls and only have Yast at my disposal to
 configure
 it. I've tried opening samba server and DNS server ports via Yast but I
 must be missing something because I have to turn off the firewall to
 e.g.
 join a Windows client to the domain. Maybe Yast isn't the right tool?

 Cheers,
 Steve


  Hello Steve,

 I have the following exceptions. Most of this came from netstat and
 monitoring traffic. A few were picked up in Microsoft documentation,
 though
 I've not seen my DC actually use them. Take special note of the last
 entry.
 It is my understanding that Samba4 uses 1024 by default, however if that
 port is not available it will use 1025, 1026, etc until it finds an open
 port.

 iptables -A INPUT -p tcp --dport 389 -j ACCEPT # LDAP
 iptables -A INPUT -p udp --dport 389 -j ACCEPT # LDAP (UDP)
 iptables -A INPUT -p tcp --dport 636 -j ACCEPT # LDAPS
 iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS (TCP)
 iptables -A INPUT -p udp --dport 53 -j ACCEPT # DNS (UDP)
 iptables -A INPUT -p tcp --dport 88 -j ACCEPT # Kerberos (TCP)
 iptables -A INPUT -p udp --dport 88 -j ACCEPT # Kerberos (UDP)
 iptables -A INPUT -p tcp --dport 464 -j ACCEPT # Kerberos Password (TCP)
 iptables -A INPUT -p udp --dport 464 -j ACCEPT # Kerberos Password (UDP)
 iptables -A INPUT -p tcp --dport 135 -j ACCEPT # RPC
 iptables -A INPUT -p udp --dport 137 -j ACCEPT # NetBIOS Name Service
 iptables -A INPUT -p udp --dport 138 -j ACCEPT # NetBIOS Datagram Service
 iptables -A INPUT -p tcp --dport 139 -j ACCEPT # NetBIOS Session Service
 iptables -A INPUT -p tcp --dport 445 -j ACCEPT # MS Directory Service
 iptables -A INPUT -p tcp --dport 3268 -j ACCEPT # MS Global Catalog
 iptables -A INPUT -p tcp --dport 1024 -j ACCEPT # DCOM *note this port is
 not static*

 Hi Thomas
 Thanks. I've now got traffic through to the DC with the firewall
 activated. The only thing I'm not sure of is the 1024. I have it set but in
 (a few brief) tests, I've not seen wireshark mention it.
 Cheers,
 Steve





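The port list from this thread, checked against the sockets samba is actually listening on. This is an added example, not code from any poster in the thread; it shows how a listener that moved off 1024 falls outside the rule set. The `netstat -anp` lines (PIDs, addresses) are constructed sample data, and `allowed_ports` and `uncovered_listeners` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: find samba listeners that no ACCEPT rule covers.

# The ACCEPT rules quoted in the thread.
thread_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 389 -j ACCEPT # LDAP
iptables -A INPUT -p udp --dport 389 -j ACCEPT # LDAP (UDP)
iptables -A INPUT -p tcp --dport 636 -j ACCEPT # LDAPS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS (TCP)
iptables -A INPUT -p udp --dport 53 -j ACCEPT # DNS (UDP)
iptables -A INPUT -p tcp --dport 88 -j ACCEPT # Kerberos (TCP)
iptables -A INPUT -p udp --dport 88 -j ACCEPT # Kerberos (UDP)
iptables -A INPUT -p tcp --dport 464 -j ACCEPT # Kerberos Password (TCP)
iptables -A INPUT -p udp --dport 464 -j ACCEPT # Kerberos Password (UDP)
iptables -A INPUT -p tcp --dport 135 -j ACCEPT # RPC
iptables -A INPUT -p udp --dport 137 -j ACCEPT # NetBIOS Name Service
iptables -A INPUT -p udp --dport 138 -j ACCEPT # NetBIOS Datagram Service
iptables -A INPUT -p tcp --dport 139 -j ACCEPT # NetBIOS Session Service
iptables -A INPUT -p tcp --dport 445 -j ACCEPT # MS Directory Service
iptables -A INPUT -p tcp --dport 3268 -j ACCEPT # MS Global Catalog
iptables -A INPUT -p tcp --dport 1024 -j ACCEPT # DCOM *note this port is not static*
EOF
}

# Constructed `netstat -anp` lines for a DC where port 1024 was already taken,
# so the RPC listener ended up on 1025.
sample_listeners() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:389      0.0.0.0:*        LISTEN      2211/samba
tcp        0      0 0.0.0.0:135      0.0.0.0:*        LISTEN      2207/samba
tcp        0      0 0.0.0.0:1025     0.0.0.0:*        LISTEN      2207/samba
tcp6       0      0 :::1025          :::*             LISTEN      2207/samba
tcp        0      0 0.0.0.0:53       0.0.0.0:*        LISTEN      931/named
tcp        0      0 10.0.0.5:40112   10.0.0.6:389     ESTABLISHED 2207/samba
udp        0      0 0.0.0.0:389      0.0.0.0:*                    2211/samba
udp        0      0 0.0.0.0:137      0.0.0.0:*                    2209/samba
EOF
}

# Read iptables rules on stdin, print one "proto/port" (or "proto/lo:hi") per
# ACCEPT rule. Everything after a "#" on a rule line is treated as a comment.
allowed_ports() {
    awk '{
        proto = ""; port = ""; accept = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^#/) break
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
        }
        if (accept && proto != "" && port != "") print proto "/" port
    }'
}

# $1 = rule text, $2 = program name (default samba); netstat -anp on stdin.
# Prints each listening proto/port of that program that no rule covers.
uncovered_listeners() {
    allowed=$(printf '%s\n' "$1" | allowed_ports | tr '\n' ' ')
    awk -v allowed="$allowed" -v prog="${2:-samba}" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) {
            split(a[i], pp, "/")
            m = split(pp[2], r, ":")        # --dport accepts lo:hi ranges
            proto[i] = pp[1]
            lo[i] = r[1] + 0
            hi[i] = (m == 2 ? r[2] : r[1]) + 0
        }
    }
    ($1 ~ /^(tcp|udp)/) && ($NF ~ ("/" prog "$")) {
        # Only TCP sockets in LISTEN state count; UDP lines carry no state.
        if ($1 ~ /^tcp/ && $0 !~ /LISTEN/) next
        p = ($1 ~ /^tcp/) ? "tcp" : "udp"
        port = $4
        sub(/.*:/, "", port)                # works for 0.0.0.0:389 and :::389
        port += 0
        ok = 0
        for (i = 1; i <= n; i++)
            if (proto[i] == p && port >= lo[i] && port <= hi[i]) ok = 1
        key = p "/" port
        if (!ok && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# Stand-alone run against the constructed sample.
sample_listeners | uncovered_listeners "$(thread_rules)"
```

On a live DC, pipe the output of `netstat -anp` (run as root so the program column is filled in) into `uncovered_listeners` instead of `sample_listeners`.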


Re: [Samba] Resetting administrator password

2013-03-25 Thread Ricky Nance
As root, samba-tool user setpassword Administrator

Ricky


On Mon, Mar 25, 2013 at 11:10 PM, Abha Sinha abhasinh...@gmail.com wrote:

 Hi,

 Is there anyway to reset administrator password in Samba4 if I have
 forgotten the current admin password ?






Re: [Samba] GPO Computer settings not applied

2013-03-29 Thread Ricky Nance
Have you tried samba-tool ntacl sysvolreset yet?

Ricky
On Mar 29, 2013 2:16 PM, Pavel Valach valach.pa...@outlook.com wrote:

 Hello,
 I'm having one strange issue with latest stable Samba 4.0.4. I'm testing
 it as a domain controller for two virtual machines.
 The Samba AD DC is Debian stable, with two domain members - Windows XP Pro
 and trial Windows 8 Enterprise.
 User configuration using GPOs is working as expected. However, Computer
 configuration is never applied properly. Event logs show this entry:
 --
 Source: GroupPolicy (Microsoft-Windows-GroupPolicy)
 Event ID: 1058
 EventData
  SupportInfo1 4
  SupportInfo2 820
  ProcessingMode 0
  ProcessingTimeInMilliseconds 516
  ErrorCode 5
  ErrorDescription Access is denied.
  DCName debian-server.gym.internal
  GPOCNName
 cn={CE7B09A1-D85A-4A40-9C2F-3DD0DA013345},cn=policies,cn=system,DC=gym,DC=internal
  FilePath
 \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
 The processing of Group Policy failed. Windows attempted to read the file
 \\gym.internal\SysVol\gym.internal\Policies\{CE7B09A1-D85A-4A40-9C2F-3DD0DA013345}\gpt.ini
 from a domain controller and was not successful. Group Policy settings may
 not be applied until this event is resolved. This issue may be transient
 and could be caused by one or more of the following:
 a) Name Resolution/Network Connectivity to the current domain controller.
 b) File Replication Service Latency (a file created on another domain
 controller has not replicated to the current domain controller).
 c) The Distributed File System (DFS) client has been disabled.
 --
 a) Name resolution works, gym.internal is accessible and DNS query for
 gym.internal returns correct result.
 b) File gpt.ini is readable with following content:
 --
 [General]
 Version=3
 displayName=Nový objekt zásad skupiny
 --
 c) Distributed File System is not enabled on my VMs.
 I'm suspecting a possible problem with permissions. I have already tried
 to:
 1) link GPO to the proper domain / OU
 2) reboot computer several times
 3) set various permissions for various people
 Currently I have two GPOs which modify computer settings. Default Domain
 Policy and Nejaka nastaveni pro ucebnu. Neither of them show up in the
 GPRESULT report. Default Domain Policy modify both user and computer
 configuration, Nejaka nastaveni pro ucebnu modify only computer
 configuration.
 Permissions for Nejaka nastaveni pro ucebnu:
 - Authenticated Users - Read (from Security Filtering) - Not Inherited
 - Domain Admins - Edit settings, delete, modify security - Not Inherited
 - Enterprise Admins - Edit settings, delete, modify security - Not
 Inherited
 - ServerLogon - Read - Not Inherited
 - SYSTEM - Edit settings, delete, modify security - Not Inherited
 Here is result of GPRESULT /R command that ran on the Win8 VM. On Windows
 XP, Computer Settings had N/A security groups - which is weird.
 =
 RSOP data for GYM\valachp on UC01-TEST : Logging Mode
 --
 OS Configuration: Member Workstation
 OS Version: 6.2.9200
 Site Name: N/A
 Roaming Profile: N/A
 Local Profile: C:\Users\valachp
 Connected over a slow link?: No
 COMPUTER SETTINGS
 --
  CN=UC01-TEST,OU=Ucebny,DC=gym,DC=internal
  Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
  Group Policy was applied from: debian-server.gym.internal
  Group Policy slow link threshold: 500 kbps
  Domain Name: WINDOWS-UJ49S6B
  Domain Type: WindowsNT 4
  Applied Group Policy Objects
  -
  N/A
  The following GPOs were not applied because they were filtered out
  ---
  Local Group Policy
  Filtering: Not Applied (Empty)
  The computer is a part of the following security groups
  ---
  System Mandatory Level
  Everyone
  BUILTIN\Users
  NT AUTHORITY\SERVICE
  CONSOLE LOGON
  NT AUTHORITY\Authenticated Users
  This Organization
  BDESVC
  BITS
  CertPropSvc
  DsmSvc
  Eaphost
  hkmsvc
  IKEEXT
  iphlpsvc
  LanmanServer
  MMCSS
  MSiSCSI
  NcaSvc
  RasAuto
  RasMan
  RemoteAccess
  Schedule
  SCPolicySvc
  SENS
  SessionEnv
  SharedAccess
  ShellHWDetection
  SystemEventsBroker
  wercplsupport
  Winmgmt
  wlidsvc
  wuauserv
  LOCAL
  BUILTIN\Administrators
 USER SETTINGS
 --
  CN=Pavel Valach,CN=Users,DC=gym,DC=internal
  Last time Group Policy was applied: 29. 3. 2013 at 19:35:17
  Group Policy was applied from: debian-server.gym.internal
  Group Policy slow link threshold: 500 kbps
  Domain Name: GYM
  Domain Type: Windows 2000
  Applied Group Policy Objects
  -
  Default Domain Policy
  Zásady pro studenty
  The following GPOs were not applied because they were filtered out
  ---
  Local Group Policy
  Filtering: Not Applied (Empty)
  The user is a 

Re: [Samba] Ran classiupgrade, users not there

2013-04-01 Thread Ricky Nance
Did you fix the duplicate entries? Also does samba-tool user list show your
users?

Ricky


On Fri, 29 Mar 2013, simon+sa...@matthews.eu wrote:

 I am attempting to do an upgrade from SAMBA3 to SAMBA4. I am working on a
 new VM rather than the existing SAMBA3 server.

 The old server uses tdbsam as the passdb backend. I copied the contents of
 /var/lib/samba and the smb.conf from the old machine to the new machine.

 We run a yp domain, which has the same name as the samba domain. The dns
 domain is different. Users exist in both the yp passwd map and the samba
 domain.

 I followed the instructions on building SAMBA here:
 http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/

 then moved to the instructions on migration here:
 http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO#Upgrading_In_Place

 It appeared to finish normally (it complained about a couple of duplicate
 entries).

 However, after the classicupgrade, running
 /usr/local/samba/bin/pdbedit -L
 reveals that the users and groups do not exist.

 Should I expect this? If so, what database holds the user information?


I should also mention that I used the dns domain for the realm in the
classicupgrade command. The DNS domain is different from the YP/SAMBA
domain.

Simon



Re: [Samba] SAMBA4: pdbedit not changing SID

2013-04-01 Thread Ricky Nance
http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
should help.

Ricky


On Tue, Apr 2, 2013 at 12:06 AM, Gémes Géza g...@kzsdabas.hu wrote:

 2013-04-02 05:35 keltezéssel, simon+sa...@matthews.eu írta:



 On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:


 On Tue, 2 Apr 2013, Andrew Bartlett wrote:

On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
2013-04-01 02:36 keltezéssel, simon+sa...@matthews.eu írta:
 Since I don't seem to be having any luck with the classicupgrade,
 I decided to try starting from scratch and then adding users.
   I ran the command:
 /usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' --server-role=dc  \
    --dns-backend=BIND9_DLZ
   Then I tried both adding and changing users. In neither case
 can I change the SID with pdbedit. It seems to be added with a  
 system-defined SID, irrespective of what I specify. pdbedit -v is  
 able to list the user's parameters, including the SID.
   Any suggestions? I am pretty much stuck here trying to figure
 out how to migrate from an existing SAMBA3 domain to SAMBA4.
Hi,
 Trying to add users one by one (preserving SID) is IMHO a lot
 harder (you would probably need to ldbmodify the user record of each
 one) to do, than fixing your samba3 install to have it classicupgraded.

   Indeed.  The only way to safely import a list of users who already
 have
   SIDs is to migrate them to Samba 4.0's AD DC using one of the
 supported
   migration tools.

   These are 'samba-tool domain join dc' and 'samba-tool domain
   classicupgrade'.


 Perhaps I need to address why the classicupgrade did not work. I see
 now that I did not pass the --dbdir option when running it before. I'll try
 again.


 I went back to trying to get the classicupgrade to work:
 /usr/local/samba/bin/samba-tool domain classicupgrade  \
 --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b  \
 /etc/samba/smb.conf --use-xattrs=yes

 For the realm, I used a subdomain of one of the two existing dns domains
 in the LAN. It appears to be processing the information from the old domain
 tdb files, although I see some errors:
 Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
 Importing groups
 Could not add group name=Remote Desktop Users ((68, samldb: Account name (sAMAccountName) 'Remote Desktop Users' already in use!))
 Could not modify AD idmap entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
 Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
 Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

 However, after this, all I get from pdbedit -L is:
 # pdbedit -L
 RAIDSERVER$:4294967295:
 Administrator:4294967295:
 [root@samba ~]# pdbedit -L
 RAIDSERVER$:4294967295:
 Administrator:4294967295:
 krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b
 /etc/samba/smb.confnobody:99:Nobody

 Any ideas? What information might help debug this?

 Simon


  Could this happen because pdbedit is from the samba3 install?

 I recommend doing upgrade on a new box/virtual machine where no samba3 is
 installed, and copying the tdb files to the new box.

 Regards

 Geza Gemes







Re: [Samba] Samba4 fails to work following upgrade - library version errors

2013-04-03 Thread Ricky Nance
The last time you did ./configure, did you specify any arguments, if so,
you will need the same arguments on this install. Also, I typically start
'fresh' by issuing a git clean -x -f -d after git pull and before
./configure.

Ricky


On Wed, Apr 3, 2013 at 11:06 AM, Graeme Porter graeme.por...@yahoo.co.uk wrote:

 Hello,

 I was running Samba4 for a while on my Raspberry Pi (Raspbian distro,
 running 3.6.11+ #371 PREEMPT armv6l kernel).  The version of Samba I was
 running was 4.1.0pre1-GIT-fd8b258.

 Last night I decided to try to upgrade to see if I could upgrade it
 without breaking it.


 Note that the AD this Pi is the DC for doesn't have any physical clients
 as members; I was using a Virtual PC running WinXP and another running
 Ubuntu just to test it out - so technically there's no great loss if it did
 break - but I do want to start using the Pi as a DC for my physical Windows
 clients (my family's 3x computers - one Vista, one Win7, and one Win8), and
 I wanted to ensure I could upgrade it cleanly without loss of service first.


 So I used git pull to download the latest changes, as described in the
 Samba4 HOWTO guide.  The configure, make, and make install stages went
 without a hitch (although the little Pi doesn't exactly blast through the
 compile, so it took several long hours).  As a just-in-case, I even stopped
 Samba from running before I ran make install just in case the script
 couldn't overwrite a file that was in use.

 So I tried to check which version this had upgraded to by running samba -V:

 root@raspberrypi:/usr/local/samba4# samba -V
 samba: /usr/local/samba/lib/private/libcliauth.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libauth4.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libevents.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libcluster.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libprocess_model.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libsamdb-common.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libsamba-modules.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libndr-samba4.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/liberrors.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libservice.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libldbsamba.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libMESSAGING.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libntvfs.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)

 ... huh.

 I hoped that maybe it was just the version argument that stopped working -
 so I tried to start up the samba daemon (rather than using the service
 samba4 start command I had used previously without fail, as this script
 suppresses command line output):

 root@raspberrypi:/usr/local/samba4# samba
 samba: /usr/local/samba/lib/private/libcliauth.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libauth4.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libevents.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libcluster.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libprocess_model.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libsamdb-common.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libsamba-modules.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libndr-samba4.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/liberrors.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libservice.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libldbsamba.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: /usr/local/samba/lib/private/libMESSAGING.so: version
 `SAMBA_4.1.0PRE1_GIT_FD8B258' not found (required by samba)
 samba: 

Re: [Samba] Samba4 fails to work following upgrade - library version errors

2013-04-06 Thread Ricky Nance
Rowland, while that MAY work, in his case it still would have failed, you
need /usr/local/samba/bin and sbin BEFORE $PATH (eg, export
PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH) otherwise the search
will be done on /bin (or sbin) before it hits the correct binary.
Personally, I add the line export
PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH on the last line of
/root/.bashrc and any users .bashrc that I need to be able to use those
paths.

Ricky


On Sat, Apr 6, 2013 at 4:49 AM, Andrew Bartlett abart...@samba.org wrote:

 On Fri, 2013-04-05 at 16:54 +0200, Michael Wood wrote:
  Hi

  It sounds like the samba binary on your PATH is the old version.

 Well spotted Michael, this one really had me stumped!

 Andrew Bartlett

 --
 Andrew Bartlett                        http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org





Re: [Samba] Doubt create user samba via DSA.msc

2013-04-08 Thread Ricky Nance
Look at https://wiki.samba.org/index.php/Samba4/Winbind , also, samba 4 (AD
DC) uses ACL's now, so you really don't need to do any per share changes
anymore.

Have fun,
Ricky


On Mon, Apr 8, 2013 at 3:03 PM, Ricardo Barbosa spidersl...@yahoo.com.br wrote:

 Hi.

 I deploy samba 4 and create user via console dsa.msc, but her not create
 user in /etc/passwd for settings permission in share, Its possible
 automatic process. Any idea?.

 Regards



Re: [Samba] Internal DNS not running

2013-04-09 Thread Ricky Nance
What samba version are you using (samba -V) ? Also what is the output of
samba-tool testparm -v --suppress-prompt | grep "server services"

Ricky


On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu wrote:

 After running the classicupgrade, configuring and starting krb5, starting
 the new samba4 server, I started looking at DNS.

 Nothing is listening on port 53, so I assume the internal DNS is not
 working. I have NOT specified the use of the BIND_DLZ plugin, so it should
 be using its internal dns server.

 Where should I start looking for a solution to this?






Re: [Samba] Internal DNS not running

2013-04-09 Thread Ricky Nance
That looks normal... Can you pastebin your log.samba... first mv or rm
/usr/local/samba/var/log.samba, then restart samba, then pastebin
log.samba. Also (with samba running) can you give us the output of ps ax |
grep samba and the output of netstat -anp | grep LISTEN  | grep samba

Thanks,
Ricky


On Tue, Apr 9, 2013 at 7:22 PM, simon+sa...@matthews.eu wrote:

 On Tue, 9 Apr 2013, Ricky Nance wrote:

  What samba version are you using (samba -V)


 # samba -V
 Version 4.0.4


  ? Also what is the output of
 samba-tool testparm -v --suppress-prompt | grep "server services"


 # samba-tool testparm -v --suppress-prompt | grep "server services"
 server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
 winbind, ntp_signd, kcc, dnsupdate, dns

 Simon



 On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu wrote:
   After running the classicupgrade, configuring and starting krb5,
   starting the new samba4 server, I started looking at DNS.

   Nothing is listening on port 53, so I assume the internal DNS is
   not working. I have NOT specified the use of the BIND_DLZ
   plugin, so it should be using its internal dns server.

   Where should I start looking for a solution to this?









Re: [Samba] Internal DNS not running

2013-04-09 Thread Ricky Nance
Glad to hear :)

Ricky


On Tue, Apr 9, 2013 at 8:15 PM, Simon Matthews si...@matthews-family.org.uk
 wrote:



 On Tue, 9 Apr 2013, Ricky Nance wrote:

  That looks normal... Can you pastebin your log.samba... first mv or rm
 /usr/local/samba/var/log.samba, then restart samba, then pastebin
 log.samba.
 Also (with samba running) can you give us the output of ps ax | grep samba
 and the output of netstat -anp | grep LISTEN  | grep samba
 Thanks,


 Ricky,

 with your help, I fixed the problem. I had started krb5kdc, not realizing
 that the krb server was also built into samba. Once I stopped this and
 re-started SAMBA, the internal dns server started working.


 Simon




 On Tue, Apr 9, 2013 at 7:22 PM, simon+sa...@matthews.eu wrote:
   On Tue, 9 Apr 2013, Ricky Nance wrote:

 What samba version are you using (samba -V)


 # samba -V
 Version 4.0.4

   ? Also what is the output of
   samba-tool testparm -v --suppress-prompt | grep "server services"


 # samba-tool testparm -v --suppress-prompt | grep "server services"
 server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
 drepl, winbind, ntp_signd, kcc, dnsupdate, dns

 Simon


   On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu
   wrote:
 After running the classicupgrade, configuring and
   starting krb5,
 starting the new samba4 server, I started looking at
   DNS.

 Nothing is listening on port 53, so I assume the
   internal DNS is
 not working. I have NOT specified the use of the
   BIND_DLZ
 plugin, so it should be using its internal dns
   server.

 Where should I start looking for a solution to this?











Re: [Samba] Samba-tool modify users info?

2013-04-11 Thread Ricky Nance
Mike please don't encourage users to use ldbedit, there is more than a
little chance that a lot of damage can be easily done. Other than that, it
looks like you can still use `net sam set pwdmustchangenow user yes` Luc.

Good luck,
Ricky



On Thu, Apr 11, 2013 at 10:54 AM, Mike Ray m...@xes-inc.com wrote:

 Luc-

 You can modify a user's attributes manually by using ldbedit. You can also
 modify a user's attributes via an LDIF file and the ldbmodify command .
 The first one may be easier/faster if you have to change only one thing;
 the second one is definitely more robust for large amounts of modifying and
 lends itself well to scripting. Check out
 http://www.zytrax.com/books/ldap/ch8/ for information on LDIF files.

 Good luck,

 -Mike Ray

 - Original Message -

 From: Luc Lalonde luc.lalo...@polymtl.ca
 To: samba@lists.samba.org
 Sent: Thursday, April 11, 2013 10:41:28 AM
 Subject: [Samba] Samba-tool modify users info?

 Hello,

 I'm wondering if there's a plan for including the possibility of modifying
 user attributes (must-change-at_next-login, profile-path, home-drive,
 home-directory, etc)?

 For the moment, it seems the only way to do this is when the user is
 created (samba-tool newuser) or by doing so via 'administrative tools' via
 a Windows machine.

 Thank You!

 --
 Luc Lalonde, analyste
 -
 Département de génie informatique:
 École polytechnique de Montréal
 (514) 340-4711 x5049
 luc.lalo...@polymtl.ca
 -



Re: [Samba] Version?

2013-04-11 Thread Ricky Nance
Bill, apt-get purge would be a better option, other than that, make sure
that /usr/local/samba/bin and sbin are first in your path and all should be
well still... add the following line to /root/.bashrc at the very end:

export PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH

then as root do a `. /root/.bashrc` and try `samba -V` again.

(you can also add that export line to any of your users .bashrc)

Ricky


On Thu, Apr 11, 2013 at 7:54 PM, Bill Wilken bill.wil...@wilkenmail.com wrote:

 Thanks for the note.  Even though I used apt-get remove to extinguish
 Ubuntu's distro binary, and even though samba4 didn't show up in its
 software manager, a check using the synaptic manager showed several pieces
 and parts of the old binary still hanging around.


 On 4/11/13 6:14 PM, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:

  Am 11.04.2013 23:30, schrieb Bill Wilken:
  After removing all existing Samba folders, I downloaded,compiled, and
  provisioned Samba 4.0.5 under Ubuntu 12.04 desktop.  But when I check for
  version (samba -V or samba --version), samba responds with "Version
  4.0.0alpha18"  Am I missing something?
 
 
  I don't know Ubuntu. But I guess your distribution maybe was shipped
  with that old version. And when you compile samba, you installed it e.
  g. to /usr/local/samba, what isn't in the path by default (or you added
  it to the end of your path variable). So the binary shipped with your
  distribution is executed instead of the one in /usr/local/samba.
 
 
  Regards,
  Marc
 
 
 



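The PATH-ordering advice in the two replies above (the "library version errors" thread and this "Version?" thread), as an added example that is not part of either post: it lists every `samba` on a search path in lookup order and reports when an older copy is found before the one under `/usr/local/samba`. The directory tree and stub binaries are constructed in a temporary directory, and `path_candidates`, `first_on_path_is_from` and `make_demo_tree` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: detect an older binary shadowing the freshly built one.

# Print every executable called $1 on the search path $2 (default: $PATH),
# in the order the shell would find them.
path_candidates() {
    name=$1
    search=${2-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f
    for dir in $search; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    set +f
    IFS=$old_ifs
}

# $1 = command, $2 = directory it is expected to come from, $3 = search path.
# Prints "ok <path>", "shadowed-by <path>" or "missing".
first_on_path_is_from() {
    first=$(path_candidates "$1" "${3-$PATH}" | head -n 1)
    if [ -z "$first" ]; then
        echo "missing"
    elif [ "$first" = "$2/$1" ]; then
        echo "ok $first"
    else
        echo "shadowed-by $first"
    fi
}

# Constructed stand-in for the situation in the threads: a distro binary in
# usr/sbin and a source build in usr/local/samba/sbin. The version strings are
# the two quoted in the "Version?" thread.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/sbin" "$root/usr/local/samba/sbin"
    printf '#!/bin/sh\necho "Version 4.0.0alpha18"\n' > "$root/usr/sbin/samba"
    printf '#!/bin/sh\necho "Version 4.0.5"\n' > "$root/usr/local/samba/sbin/samba"
    chmod +x "$root/usr/sbin/samba" "$root/usr/local/samba/sbin/samba"
    printf '%s\n' "$root"
}

# Stand-alone run: new directory appended to the path, then prepended.
demo_root=$(make_demo_tree)
new_dir="$demo_root/usr/local/samba/sbin"
first_on_path_is_from samba "$new_dir" "$demo_root/usr/sbin:$new_dir"
first_on_path_is_from samba "$new_dir" "$new_dir:$demo_root/usr/sbin"
rm -rf "$demo_root"
```

On a real host, `path_candidates samba` with no second argument walks the current `$PATH`. In an already-running bash session, run `hash -r` after changing `PATH` so a remembered location of the old binary is dropped.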

Re: [Samba] migrating from samba3+openldap+autofs to samba4 AD DC?

2013-04-16 Thread Ricky Nance
I'd think the standard migration guide
https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
on a test vm to work out any 'kinks' would be a good start, but you can't
really sync it with openldap I don't think. However, most applications have
been written to where you can use them against AD, so, I'd google around
and ensure that everything you use for ldap auth, can actually be used with
AD (look for MS AD, most websites aren't aware of Samba AD, but they should
auth the exact same way). If you have any problems or questions, let us
know.

Ricky


On Tue, Apr 16, 2013 at 6:36 PM, Jefferson Davis
jda...@standard.k12.ca.us wrote:

 Any suggestions as to folks who have written fairly concise how-tos'?

 Much of what I've found so far is pretty vague. Also if moving to AD DC
 model, strategies for syncing with OpenLDAP... (Not to stir up old wounds,
 but the idea of multiple credential sources makes me very ill)

 Thanks,

 -Jeff

 --

 Jefferson K Davis
 Technology and Information Systems Manager
 Standard School District
 1200 North Chester Ave
 Bakersfield, CA 93308
 661.392.2110 ext 120 (office)
 http://district.standard.k12.ca.us

 District Users:
 Click here to report technology issues





Re: [Samba] Rsyncing Samba4 Roaming Profiles between servers

2013-04-17 Thread Ricky Nance
See the plus on drwxrwx---+, that means you have either extended attributes
or ACL's (my guess would be ACL's) so, I am willing to bet you haven't told
rsync to preserve xattribs or acl's in your script. getfacl, setfacl,
getfattr, and setfattr will be helpful in sorting this out.

Good luck,
Ricky


On Wed, Apr 17, 2013 at 10:32 AM, Rob Beard r...@mareandfoal.org wrote:

 Hi folks,

 I've got a bit of an issue with roaming profiles and I wondered if someone
 might be able to help please? :-)

 We've started rolling out Samba 4 across our network.  Currently it's on 3
 of our 4 sites, one site has two Samba servers and two sites have one Samba
 server each (well one site has two Samba 4 servers but one of the servers
 was an oldish test box which I'm planning on removing from AD when I can
 work out how to, but that's a separate issue).

 I've managed to get roaming profiles working for the users on each site.
 Each user is currently configured to store their roaming profile on the
 server on the site that they're based at.  This seems to work pretty well
 with our Windows 7 clients and the users are happy that they can now login
 to any PC and get their desktop icons etc.

 Now my boss would like the ability to be able to login to a PC on a remote
 site (as in, not the site where his roaming profile is stored) and have the
 profile available.  It seems to work without making any changes but it is
 quite slow logging on and off (I put this down to the fairly slow ADSL
 links we have between the sites).

 I was giving the issue some thought and tried creating a test user and
 changing the profile path to %logonserver%\profiles\user.name which when
 logging on created a profile on the logon server of whichever site I was
 at.

 However, I tried then rsyncing this profile across from one server at one
 site to another server (I've also tried it between two servers on the same
 site) but the permissions seem to get corrupted...

 If I look at the permissions in a Linux terminal I get the following...

 Output from ls -lh on Server 1:
 drwxrwx---+ 14 360 users 4.0K Apr 17 16:15 charles.carmichael.V2

 Output from ls -lh on Server 2:
 drwxrwx---+ 14 360 users 4.0K Apr 17 16:15 charles.carmichael.V2

 So the permissions look okay to me unless I'm missing something.

 If I check the permissions of the two profile folders in Windows 7 I get
 the following:

 Server 1 Permissions:

 SYSTEM - Full Control
 Charles.Carmichael - Full Control

 Server 2 Permissions:

 Everyone - None
 RANDOMPC$ - Full Control
 Random Group - Full Control
 Domain Users - None
 CREATOR OWNER - Special
 CREATOR GROUP - Special

 On Server 1 the owner is the user of the profile, on Server 2 the owner is
 RANDOMPC$.

 Both Server 1 and Server 2 are running Samba 4.0.3, Debian Squeeze AMD64
 with the kernel 2.6.32-5-amd64.  If it helps the filesystems are ext4 and
 have the options user_xattr,acl,barrier=1 in fstab.

 What we'd like to do is run an rsync overnight and copy the differences
 between the servers, but as we're coming across these issues we're a bit
 stuck.

 If anyone could help, or maybe suggest another way of syncing the roaming
 profiles between the servers that would be great.

 Thanks in advance,

 Rob

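One way to carry out and verify what the reply above suggests, as an added example that is not part of the original thread: rsync with ACLs and xattrs preserved, plus a comparison of getfacl/getfattr dumps from both servers. Function names are hypothetical, the sample dumps are constructed, and it assumes GNU rsync plus the acl and attr tools on both hosts.

```sh
#!/bin/sh
# Added example: mirror roaming profiles with ACLs and xattrs, then verify.

# Mirror SRC to DEST (local path or host:path).
#   -a archive   -A keep POSIX ACLs   -X keep extended attributes
#   --numeric-ids  copy uid/gid numbers instead of mapping by name
# Run as root on both ends: rsync run by a normal user copies only the
# user.* xattr namespace, so security.NTACL (where Samba's acl_xattr module
# keeps the NT ACL, when that module is in use) would be left behind.
sync_profiles() {
    rsync -aAX --numeric-ids "$1" "$2"
}

# Dump POSIX ACLs / all xattrs of NAME under PARENT, with relative paths.
dump_acls()   { ( cd "$1" && getfacl -R -n "$2" ); }
dump_xattrs() { ( cd "$1" && getfattr -R -d -m - -e hex "$2" ); }

# Flatten a getfacl or getfattr dump (both start each record with
# "# file: PATH") into "SIDE<TAB>PATH<TAB>entry;entry;..." lines.
# Owner and group comment lines from getfacl are kept as entries.
normalize_dump() {   # $1 = side label, $2 = dump file
    awk -v side="$1" '
        function emit() { if (path != "") print side "\t" path "\t" e }
        /^# file: /            { emit(); path = substr($0, 9); e = ""; next }
        /^# (owner|group): /   { e = e $0 ";"; next }
        /^#/ || /^[ \t]*$/     { next }
        { e = e $0 ";" }
        END { emit() }
    ' "$2"
}

# Compare source and destination dumps. Prints "PATH<TAB>reason" per
# mismatch (sorted) and returns 1; prints nothing and returns 0 if equal.
dump_drift() {   # $1 = source dump, $2 = destination dump
    report=$(
        { normalize_dump S "$1"; normalize_dump D "$2"; } |
        awk -F '\t' '
            $1 == "S" { s[$2] = $3; all[$2] = 1 }
            $1 == "D" { d[$2] = $3; all[$2] = 1 }
            END {
                for (p in all) {
                    if (!(p in d))         print p "\tmissing on destination"
                    else if (!(p in s))    print p "\tmissing on source"
                    else if (s[p] != d[p]) print p "\tentries differ"
                }
            }
        ' | LC_ALL=C sort
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample dumps (getfacl -n format) for a dry run of dump_drift.
write_sample_dumps() {   # $1 = directory to write src.acl and dst.acl into
    cat > "$1/src.acl" <<'EOF'
# file: charles.carmichael.V2
# owner: 360
# group: 100
user::rwx
user:360:rwx
group::rwx
mask::rwx
other::---

# file: charles.carmichael.V2/NTUSER.DAT
# owner: 360
# group: 100
user::rwx
user:360:rwx
group::rwx
mask::rwx
other::---
EOF
    cat > "$1/dst.acl" <<'EOF'
# file: charles.carmichael.V2
# owner: 360
# group: 100
user::rwx
group::rwx
group:513:rwx
mask::rwx
other::---
EOF
}

tmp=$(mktemp -d)
write_sample_dumps "$tmp"
dump_drift "$tmp/src.acl" "$tmp/dst.acl" || echo "drift found: do not trust the copy yet"
rm -rf "$tmp"
```

On the real servers, run dump_acls and dump_xattrs as root on each side after sync_profiles and feed each pair of dumps to dump_drift.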


Re: [Samba] samba4 internal dns update

2013-04-17 Thread Ricky Nance
Sounds like you are hitting this bug ...
https://bugzilla.samba.org/show_bug.cgi?id=9216 There are instructions
there on how to work around this issue.

Ricky


On Wed, Apr 17, 2013 at 11:03 AM, Nick Semenkovich seme...@alum.mit.edu wrote:

 Hey Cristian:

 This sounds exactly like the issue I had, documented in:
 https://lists.samba.org/archive/samba/2013-April/172611.html

 When computers are first joined, it appears as though samba sets *static*
 DNS entries for them, even though their IPs are likely to change.

 I haven't yet had a chance to check the proposed fixes (either
 deleting/updating the entries via the Windows DNS console, or setting each
 client to update their DNS).

 The DNS setting is called "Register this connection's addresses in DNS"
 and looks like:
 http://imgur.com/B33UYhI

 Not sure if this is a bug -- seems odd, since many clients are DHCP
 assigned.

 - Nick


 On Wed, Apr 17, 2013 at 10:28 AM, Cristian Saavedra c...@asualcance.com
 wrote:

  Hello
 
  Last week we changed our ip range, every computer was shutdown and
  everything is working, but we are still getting the old ip address on the
  dns, my version is samba 4.0.3 and i am using internal dns
 
  This is the actual smb.conf
 
  [global]
  workgroup = MYCOMPANY
  realm = MYCOMPANY.COM.CO
  netbios name = DOMINIO
  server role = active directory domain controller
  idmap_ldb:use rfc2307 = yes
  dns forwarder = 8.8.8.8
  wins support = Yes
  log level = 1
  allow dns updates = True
 
  Any suggestions?
 
  Thanks


Re: [Samba] Freebsd 3.5-4 New Server Profile Paths Lost

2013-04-17 Thread Ricky Nance
These attributes should be defined in Active Directory Users and Computers,
take a look at
https://wiki.samba.org/index.php/Samba_AD_management_from_windows for how
to get it running, then you can select all your users and define them using
the %USERNAME% variable, for home directory \\server\%USERNAME% and for
profiles \\server\%USERNAME%\profile

Ricky


On Wed, Apr 17, 2013 at 1:46 PM, David Menzel da...@jbautotech.com wrote:

 I am migrating a Freebsd 8.2 Samba 3.5.11 system to Freebsd 9.1 Samba
 4.0.4. I copied over all of the users home directories, local accounts, and
 the tdb files. I ran the classic upgrade tool, got the server up and
 running, and users could login however they were on fresh local profiles
 rather than roaming profiles.

 In the log file for the station, I found the following message

 [2013/04/13 15:42:48.565068,  3] ../source3/smbd/password.c:138(register_homes_share)
   No home directory defined for user 'DOMAINNAME\johndoe'


 From there, I pulled up the user data in pdbedit and found that several
 fields were not populated from the old server to the new. I tried manually
 filling in the fields, and verified the config still pointed to the profile
 path in the same place, however the user account still could not connect to
 the roaming profile directory.

 From the original server :

 #pdbedit -L -v johndoe
 Full Name:John Doe
 Home Directory:   \\server1\johndoe
 HomeDir Drive:h:
 Logon Script:
 Profile Path: \\server1\johndoe\profile
 Domain:   DOMAINNAME

 And the new Server :

 # pdbedit -L -v johndoe
 Full Name:John Doe
 Home Directory:
 HomeDir Drive:(null)
 Logon Script:
 Profile Path:
 Domain:


 I can only perform testing in the off hours, as the new server already has
 several other services running on it. The new server will take over the ip
 address and network name of the old server on its 2nd nic when it is placed
 into production.

 Any ideas?

 Thanks



Re: [Samba] Strange behavior when using 'hosts allow' parameter

2013-04-19 Thread Ricky Nance
Do you see the same behavior if you add localhost and your hostname to
hosts allow? Also, with s3fs it'd be interesting to know if the hosts allow
parameter is even recognized by smbd, though I am not seeing how to check
that right at the moment.

example for your config: hosts allow = 10.0.0. 127. localhost myhostname

Ricky


On Fri, Apr 19, 2013 at 10:58 AM, Phil Quesinberry 
ph...@qsystemsengineering.com wrote:

 Some additional info on this.  When copying files from another host on the
 network which is allowed by the hosts allow entry, I get 'denied by access
 rules' entries filling the log at over 1000 lines per second.  Log level is
 currently set to 3.  I'm guessing I need to file a bug report:

 [2013/04/19 00:24:49,  0]
 ../source4/lib/socket/access.c:356(socket_check_access)
   socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom
 (LOCAL/unixdom)
 [2013/04/19 00:24:49,  3]
 ../source4/smbd/service_stream.c:63(stream_terminate_connection)
   Terminating connection - 'denied by access rules'
 [2013/04/19 00:24:49,  3]
 ../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[denied by access rules]
 [2013/04/19 00:24:49,  3]
 ../source4/lib/socket/access.c:298(only_ipaddrs_in_list)
   only_ipaddrs_in_list: list has non-ip address (10.0.0.)
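Added example (not from the thread or the Samba project): a POSIX shell filter that reads a Samba log and reports which service and peer the hosts allow check is refusing, the peak refusals per second, and which list tokens the log flags as non-IP. The sample log is constructed from the excerpt quoted above with the mail-wrapped header lines rejoined; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: summarise hosts-allow refusals in a Samba log.

# Constructed sample: one refusal cycle from the thread's excerpt, with the
# header lines that the mail client wrapped joined back onto one line.
emit_cycle() {   # $1 = timestamp
    cat <<EOF
[$1,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[$1,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'denied by access rules'
[$1,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[denied by access rules]
[$1,  3] ../source4/lib/socket/access.c:298(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (10.0.0.)
EOF
}

# Constructed log: three cycles in one second, one in the next.
sample_log() {
    emit_cycle "2013/04/19 00:24:49"
    emit_cycle "2013/04/19 00:24:49"
    emit_cycle "2013/04/19 00:24:49"
    emit_cycle "2013/04/19 00:24:50"
}

# Read a Samba log on stdin. Output, tab separated and sorted:
#   denied  SERVICE  PEER   TOTAL  PEAK_PER_SECOND
#   non-ip  TOKEN    COUNT
# Works on both the on-disk form and the wrapped form seen in mail.
hosts_allow_report() {
    awk -v q="'" '
        # Record header: remember its timestamp down to the second.
        match($0, /\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] [0-9:]+/) {
            ts = substr($0, RSTART + 1, RLENGTH - 1)
            next
        }
        /Denied connection to/ {
            split($0, part, q); svc = part[2]          # text between quotes
            peer = $0
            sub(/^.* from /, "", peer); sub(/ .*$/, "", peer)
            k = svc "\t" peer
            total[k]++
            c = ++persec[k, ts]
            if (c > peak[k]) peak[k] = c
            next
        }
        /list has non-ip address/ {
            tok = $0
            sub(/^.*non-ip address \(/, "", tok); sub(/\).*$/, "", tok)
            nonip[tok]++
        }
        END {
            for (k in total) print "denied\t" k "\t" total[k] "\t" peak[k]
            for (t in nonip) print "non-ip\t" t "\t" nonip[t]
        }
    ' | LC_ALL=C sort
}

sample_log | hosts_allow_report
```

A peer that is not a network client, combined with a high per-second peak, points at the access list itself rather than at a remote host, which is the case the reply above tests by adding localhost entries.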

Re: [Samba] Samba 3 dynamically enable or disable share

2013-04-29 Thread Ricky Nance
Instead of repartitioning you could create a filesystem inside of a file...
http://freecode.com/articles/virtual-filesystem-building-a-linux-filesystem-from-an-ordinary-file
 .

Just a thought,
Ricky


On Mon, Apr 29, 2013 at 9:05 AM, Mauricio Alvarez 
maurialvarez...@rocketmail.com wrote:

 Michael,

 I really don't want to repartition--again! But yes, your idea is
 interesting.

 If there really isn't any other option (really? no-one has ever had this
 problem in the past?), I was thinking of something like this:
 * Inside each disk, at the root level, create a single directory, call it
 ROOTDIR01 for DISK1, ROOTDIR02 for disk2 etc.
 * Modify the entries in smb.conf like so:
 [STORAGE01]
 path = /mnt/DISK1/ROOTDIR01
 Guest OK = false
 ...
 etc...

 so, if no disk is mounted, we have only /mnt/DISK1 but no ROOTDIR01. If
 the disk is mounted, the ROOTDIR01 is then visible and gets shared as
 [STORAGE01]

 Also, the clients see [STORAGE01] as their root dir, ignoring the
 ROOTDIR01 sub-level

 This is very crude, I wonder if it might work.


  Wouldn't it be very simple to just create a VERY small partition (e.g.
 10MB) on the main drive
  (the one that your system disk is on), and mount it on e.g. /mnt.
 
  Then, even if one of your disks can't mount for some reason, only this
 very small partition will
  fill up = no problem for the rest of the system.
 
  You would still have to configure your other machines to handle disk
 full failures and maybe
  subsequently try another share...
 
 
 
 Michael
 
 
 


Re: [Samba] Samba4 home share problem

2013-04-30 Thread Ricky Nance
So for the homes (Yes HOMES not HOME) share to work you need winbind
functioning (not necessarily pam auth, but at least winbind). You can
follow http://wiki.samba.org/index.php/Samba4/Winbind ... If I get some
time today I will write up some sharing stuff in the S4 howto. You will
also need to add under [global] template homedir = /home/%U (if you want
/home/username to work, it defaults to /home/DOMAIN/USERNAME or template
homedir = /home/%D/%U )


Ricky


On Tue, Apr 30, 2013 at 1:53 AM, Dave Pawson dave.paw...@gmail.com wrote:

 On 30 April 2013 06:56, Daniel Müller muel...@tropenklinik.de wrote:
  Need to be: [home] not [homes]


 http://www.sloop.net/smb.conf.html#SECTION DESCRIPTIONS

 shows [homes] not singular [home]

 HTH DaveP


 
 
  And you are up and running
 
  ---
  EDV Daniel Müller
 
  Head of IT
  Tropenklinik Paul-Lechler-Krankenhaus
  Paul-Lechler-Str. 24
  72076 Tübingen
 
  Tel.: 07071/206-463, Fax: 07071/206-499
  eMail: muel...@tropenklinik.de
  Internet: www.tropenklinik.de
  ---
  -----Original Message-----
  From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
  On Behalf Of Csányi Krisztián
  Sent: Saturday, 23 March 2013 20:34
  To: samba@lists.samba.org
  Subject: [Samba] Samba4 home share problem
 
   Hi,
 
   I have installed Samba4 and the home share functionality is not
  working.
 
   Samba version: 4.0.1
   OS: Debian Squeeze
   Kernel: 2.6.32-5-amd64
 
   The smb.conf:
   [global]
   workgroup = TESZT
   realm = TESZT.HU
   netbios name = FILESERVER
   server role = active directory domain controller
   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
  drepl,
  winbind, ntp_signd, kcc, dnsupdate
   load printers = no
   printing = bsd
   printcap name = /dev/null
   show add printer wizard = no
   disable spoolss = yes
   log level = 3
   syslog = 3
   syslog only = yes
   logon path =
   #   logon home = \\fileserver\homes\%U
   logon drive = H:
   logon script = %U.cmd
 
   [netlogon]
   path =
   /opt/samba4/var/lib/samba/sysvol/fileserver.teszt.hu/scripts
   read only = No
 
   [sysvol]
   path = /opt/samba4/var/lib/samba/sysvol
   read only = No
 
   [homes]
   path = /home
   read only = no
 
   After a net use h: /home command on client I get this:
   System error 53 has occured. The network path was not found.
 
   The user I try: Administrator and the client OS is Windows XP Pro.
   I think the rights on the server are ok.
   When I try to set the home for Administrator in AD I get the answer:
   The system could not create the startfolder
  (\\fileserver\homes\Administrator),
   because can't find path.
 
   Is there anybody who can use this functionality?
 
   Please help.
 
   Thanks for the replies.
 
   Chris



 --
 Dave Pawson
 XSLT XSL-FO FAQ.
 Docbook FAQ.
 http://www.dpawson.co.uk


Re: [Samba] Samba4 does't run netlogon scripts and batch files

2013-05-01 Thread Ricky Nance
So a couple of things come into play here, when moving to AD you need to
either create a Group Policy that will run the logon script, or set the
logon script per individual. Secondly, .bat should be able to run off the
network drive by setting the correct ACL's (I was thinking chmod 755 from
linux worked, but I may be wrong), in windows, right click on the .bat,
then hit the security tab, and add something like everyone, or
authenticated users, and select the correct acl's (play around with it as I
don't remember right off).

Ricky


On Wed, May 1, 2013 at 5:41 AM, Varda Zklir v...@yahoo.com wrote:

 I've tried to move from Samba 3.6.14 to Samba 4.0.5. Process went smooth,
 Win8Pro clients joined domain successfully.

 But now netlogon startup scripts do not run on clients at signin. Also
 .bat batch files from network shares do not execute (Win8 says do not
 have permissions) without execute bit set.

 This is the right behavior? How to get back previous?

 If I return 3.6.14 version everything is back to normal and works fine.

 Thank You.


Re: [Samba] Samba4 does't run netlogon scripts and batch files

2013-05-01 Thread Ricky Nance
Sorry I made the wrong assumption that you were using it as an AD DC.
Conventional samba 3 stuff should all remain the same, so without testing
this I am not sure what's going on.
On May 1, 2013 8:44 AM, Varda Zklir v...@yahoo.com wrote:

 Thanks for your reply.

  So a couple of things come into play
  here, when moving to AD you need to

 No, I've started Samba4 as PDC server role = classic primary domain
 controller and want to keep such compatibility as much as possible.

  either create a Group Policy that will run the logon script,
  or set the
  logon script per individual.

 Please point or describe to me a way to do this.

  Secondly, .bat should be able
  to run off the
  network drive by setting the correct ACL's (I was thinking
  chmod 755 from
  linux worked, but I may be wrong), in windows, right click
  on the .bat,
  then hit the security tab, and add something like everyone,
  or
  authenticated users, and select the correct acl's

 Is there a way to avoid editing access rights to 755 for executable files
 on network shares? Because my shares configured with create mask = 644
 for user's uploaded files and I do not want to break this functionality and
 want keeps user's files with 644 permissions on server. Is this possible
 with Samba4?

 Thank You.



Re: [Samba] [samba4] Build requires libncurses-dev

2013-05-03 Thread Ricky Nance
I'd like to get a dev's input as to why this is now required, I have no
problem adding it to the wiki as long as they expect it and it wasn't just
something that crept in. If Jeremy or Andrew (or any other dev that sees
this) would confirm this I will add it.

Ricky


On Fri, May 3, 2013 at 2:23 PM, Nick Semenkovich seme...@alum.mit.edu wrote:

 +1 for this. Looks like a new dependency that just popped up in the
 last few commits.

 On Fri, May 3, 2013 at 6:02 AM, Michael De Groote
 i...@sint-pietersschool.be wrote:
  I tried building the latest master from git on debian wheezy.
  It seems to require libncurses-dev.
 
  I thought to add it into the wiki as a required package to install, but
 it
  seems one needs to ask for a login to the wiki. No prob ;)
 
  Could someone add it to the wiki? Or is this an unintentional dependency
  that will be removed?
 
  --
  Michael De Groote
  ICT-coordinator Sint-Pietersschool Korbeek-Lo
  ICT-support Sancta Maria Basisschool Leuven


Re: [Samba] Samba4 no longer installing samba_upgradeprovision?

2013-05-09 Thread Ricky Nance
This tool has been 'turned off' until it can be properly fixed, or
completely implemented into samba-tool dbcheck (at least that is my very
limited knowledge on this subject).

Ricky


On Thu, May 9, 2013 at 11:42 PM, Nick Semenkovich seme...@alum.mit.edu wrote:

 From the latest samba4 git HEAD, I was trying to
 run samba_upgradeprovision, but didn't see it in /sbin/ (Actually, I saw an
 older version that wasn't working due to new python imports).

 I've tried completely reinstalling (using git clean -x -f -d; make clean),
 though I don't see /sbin/samba_upgradeprovision

 Is this tool no longer installed? (Should I file a bug against the
 build/install system?)


 - Nick


Re: [Samba] Procedure for installing Windows drivers on Samba with CUPS

2013-05-22 Thread Ricky Nance
Those instructions should still work for XP, but it's quite a bit different
for windows 7, I need to do a wiki page on it, and will when I get some
spare time, but not sure when that will be.

Ricky


On Wed, May 22, 2013 at 4:32 PM, steve st...@steve-ss.com wrote:

 On Wed, 2013-05-22 at 13:41 +0200, Tim Vangehugten wrote:
  Hi,
 
  Just an update:
 
  Tried today samba 4.0.6, printing works there with the automatic driver
  install.
 
  Best regards
  Tim Vangehugten

 Hi
 Are you sure? It's as you were here. No change. After the drivers are
 seemingly copied correctly to the print$ share, windows gives up and
 issues a 'Access is denied' error, as before.

  The last time it worked following the instructions which are now on the
 wiki was in 4.0.0

 https://wiki.samba.org/index.php/Setup_a_printer_share
 Are those instructions still valid?




Re: [Samba] Samba4 + Shared Folders

2013-05-28 Thread Ricky Nance
First, this line in your config is formed wrong...

server = s3fs services, rpc, nbt, wrepl, ldap, CLDAP, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate

IF you have a need to define it yourself it should look like:
server services = s3fs, rpc, nbt, wrepl, ldap, CLDAP, kdc, drepl, winbind,
ntp_signd, kcc, dnsupdate

I should mention however the defaults (which is what you are currently
using since samba can't parse that line) should work fine, so that line can
be completely removed if you'd like. Next, on to your issue. The first time
you access your share you should be doing it as DOMAIN\Administrator from
windows, then you can set permissions to the share by opening the share
(start - run - \\smb\test ) then right clicking on a open area (non
folder/non file) of your share and selecting properties, then click on the
security tab and set the permissions how you would like.

Hope that helps,
Ricky


On Tue, May 28, 2013 at 9:44 AM, Diogo Borsoi diogobor...@gmail.com wrote:

 Hello dear,

 Could help me?
 I have configured a server with CentOS and Samba4, both Linux and
 Windows stations joined to the domain with successfully. However, I
 can not share access to a single set in Samba4, except share folder
 default (sysvol and netlogon). The error returned is Permission
 Denied.

 Follow my smb.conf:

 # Global parameters
 [global]
 workgroup = TEST
 realm = test.local
 netbios name = SMB
 active directory server role = domain controller
 server = s3fs services, rpc, nbt, wrepl, ldap, CLDAP, kdc, drepl,
 winbind, ntp_signd, kcc, dnsupdate

 [netlogon]
 path = /usr/local/samba/var/locks/sysvol/test.local/scripts
 read only = No

 [sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

 [Test]
 path = /data/test
 read only = No

 Grateful,

 Diogo


Re: [Samba] Samba4 + Shared Folders

2013-05-28 Thread Ricky Nance
Can you test from the samba server using smbclient //localhost/teste
-UAdministrator -d5 and paste the output here if it errors out?

Ricky


On Tue, May 28, 2013 at 1:47 PM, Diogo Borsoi diogobor...@gmail.com wrote:

 Thanks Ricky,

 But I wrote it wrong in e-mail, my smb.conf was as you suggested. I had
 already tried these steps (\\test.local\test), but it did not work, I get
 the message ...Permission denied... Element not found

 # Global parameters
 [global]
 workgroup = TEST
 realm = test.local
 netbios name = SMB
 server role = active directory domain controller
 server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
 winbind, ntp_signd, kcc, dnsupdate

 [netlogon]
 path = /usr/local/samba/var/locks/sysvol/test.local/scripts
 read only = No

 [sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

 [teste]
 path = /data/teste
 read only = No


 Diogo

 --
 =
 Diogo Borsoi
 Mobile: +55 12 91436960

 http://br.linkedin.com/in/diborsoi

 http://diborsoi.wordpress.com/
 =




 On Tue, May 28, 2013 at 2:49 PM, Ricky Nance ricky.na...@gmail.com
 wrote:

  First, this line in your config is formed wrong...
 
  server = s3fs services, rpc, nbt, wrepl, ldap, CLDAP, kdc, drepl,
  winbind, ntp_signd, kcc, dnsupdate
 
  IF you have a need to define it yourself it should look like:
  server services = s3fs, rpc, nbt, wrepl, ldap, CLDAP, kdc, drepl,
 winbind,
  ntp_signd, kcc, dnsupdate
 
  I should mention however the defaults (which is what you are currently
  using since samba can't parse that line) should work fine, so that line
 can
  be completely removed if you'd like. Next, on to your issue. The first
 time
  you access your share you should be doing it as DOMAIN\Administrator from
  windows, then you can set permissions to the share by opening the share
  (start - run - \\smb\test ) then right clicking on a open area (non
  folder/non file) of your share and selecting properties, then click on
 the
  security tab and set the permissions how you would like.
 
  Hope that helps,
  Ricky
 
 
  On Tue, May 28, 2013 at 9:44 AM, Diogo Borsoi diogobor...@gmail.com
 wrote:
 
  Hello dear,
 
  Could help me?
  I have configured a server with CentOS and Samba4, both Linux and
  Windows stations joined to the domain with successfully. However, I
  can not share access to a single set in Samba4, except share folder
  default (sysvol and netlogon). The error returned is Permission
  Denied.
 
  Follow my smb.conf:
 
  # Global parameters
  [global]
  workgroup = TEST
  realm = test.local
  netbios name = SMB
  active directory server role = domain controller
  server = s3fs services, rpc, nbt, wrepl, ldap, CLDAP, kdc, drepl,
  winbind, ntp_signd, kcc, dnsupdate
 
  [netlogon]
  path = /usr/local/samba/var/locks/sysvol/test.local/scripts
  read only = No
 
  [sysvol]
  path = /usr/local/samba/var/locks/sysvol
  read only = No
 
  [Test]
  path = /data/test
  read only = No
 
  Grateful,
 
  Diogo


Re: [Samba] Samba 4 and Profile directory issues.

2013-05-30 Thread Ricky Nance
Yes, with all versions of windows after XP the .V2 will be appended to the
usernames, if you have a mix of pre-XP and post-XP machines you will end up
with 2 profiles per user.

Glad it's working for you,
Ricky


On Thu, May 30, 2013 at 10:52 AM, David González Herrera - [DGHVoIP] 
i...@dghvoip.com wrote:

  Hi,


 On 5/30/2013 8:17 AM, Ricky Nance wrote:

 Are you logged in as DOMAIN\Administrator to the windows machine?

 My own dumb mistakes, I created a remote desktop connection to that server
 and hadn't noticed I was logged in as a non admin user.

 Now home directories are created as it should and profile directories are
 too, but with the .V2 extension. Is this the expected behavior? I read
 that this might happen if I had mixed Windows clients WXP, Win7 but I just
 have one client and it's a Win7 one.


 Thanks for your advice, it really helped me.


  Ricky


 On Thu, May 30, 2013 at 12:16 AM, David González Herrera - [DGHVoIP] 
 i...@dghvoip.com wrote:

  On 5/28/2013 6:59 PM, Ricky Nance wrote:

 Odd thing, your mail was from several days ago, but it just came through
 on my stuff today. Lets try a couple of things, try changing [users] to
 [homes] and also adding a line under global:

  Done


  template homedir = /home/%ACCOUNTNAME%

 Done


  Also, comment out the directory_mode line, restart samba and then try
 setting it in in your active directory users and computers as
 \\10.10.10.5\homes\%USERNAME% and see if it works. Also can you double
 check after these changes that your windows user can still write to
 \\10.10.10.5\homes as well?

  Done too but now, when I select a group of users and try to change their
 properties the Home and Profile fields to \\10.10.10.5\homes\%USERNAME% it
 returns Access is Denied (I haven't created any home directory) it usually
 created the directories automatically after the PAM changes and all of your
 suggestions it can't be done anymore, I'm sure it's due to some permission
 thing but I just can't figure it out myself.

 Thanks for your help.


  Thanks,
 Ricky


 On Tue, May 28, 2013 at 6:43 PM, David González Herrera - [DGHVoIP] 
 i...@dghvoip.com wrote:

  Hi Ricky,

 Thank you very much for your reply, I dropped my subscription to the
 list because no one seems to care about these questions in there, then I
 guess what's that list for if they won't answer or at least point people to
 a link that won't take 30secs, well anyways


 On 5/28/2013 4:44 PM, Ricky Nance wrote:

 First thing you should check is to see if winbind is setup properly
 (resolving names in Ubuntu as it should be) if not, have a look at
 https://wiki.samba.org/index.php/Samba4/Winbind#Using_libnss_winbind
 (section 2 is the important one, section 3 is if you need *nix to
 authenticate using samba).

  Ok, did all of these steps and everything seems to work, except that I
 can't login to the *nix box (ubuntu Server 12.04) using the AD users but
 system users can, that's good :)



  A quick test would be mkdir /home/test && chown someADuser /home/test
  && ls -alhd /home/test (replace someADuser with one of your AD users). If
 that is working as expected, then the user you are logged into windows with
 may not have permissions to write to your Users share, if both of those are
 good, paste your [users] section of your smb.conf and we will go from there.

  This worked fine indeed,

 root@samba:~# mkdir /home/test && chown dominic /home/test && ls -alhd
 /home/test
 drwxr-xr-x 2 MUNDO\dominic root 4.0K May 29 01:34 /home/test


 My smb.conf looks like this:

 root@samba:~# cat /usr/local/samba/etc/smb.conf
 # Global parameters
 [global]
 workgroup = MUNDO
 realm = mundo.local
 netbios name = SAMBA
 server role = active directory domain controller
 server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
 drepl, winbind, ntp_signd, kcc, dnsupdate
 template shell  = /bin/bash

 # Debug logging information
 log level   = 4
 log file= /var/log/samba.log
 max log size= 50
 debug timestamp = yes
 bind interfaces only = yes
 interfaces  = eth1
 wins support= yes

 [users]
 directory_mode: parameter = 0700
 path= /home
 comment = Users Home Share
 read only   = no
 browsable   = yes

 [profiles]
 path= /usr/local/samba/var/profiles
 browseable  = no
 read only   = no
 writable= yes
 store dos attributes = Yes
 directory mask  = 0700
 create mask = 0600
 printable   = no
 profile acls= yes
 csc policy  = disable


 [netlogon]
 path = /usr/local/samba/var/locks/sysvol/mundo.local/scripts
 read only = No

 [sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

 Thanks again.



  Ricky


 On Mon, May 20, 2013 at 7:50 PM, David

Re: [Samba] Problems during connect to server and listing files

2013-06-03 Thread Ricky Nance
Jerry, you could install a commercially supported linux or other OS and
then you would have a help line in your time of need... I am sorry if your
free software doesn't have the support you would like to see, but there is
no call to be rude about it. I have seen this happen more on the samba
lists than it should, and frankly I am getting a little tired of it. If you
have something useful to add to your post (configs, how things are supposed
to work, etc) then add that, otherwise please leave the negative comments
to yourself.  (Now is a good time to mention that I am a user and not a
samba team member, so this view is mine and mine alone, but it really gets
on my nerves when people are rude about things).

Now that I have that out of the way, you have given us a small snippet of
your log, from which server you haven't said and are using a pretty old
version of samba. What packages did CentOS update that might have caused
this? Is it possible an option in your configs has been deprecated? You
mention "I can connect to a share on the Solaris server from either a linux
or windows workstation.  I get connected but I don't see any of the files
in the share directory ( which resides on the CentOS server)" is this over
nfs, smbclient, or cifs?

Thanks,
Ricky

On Mon, Jun 3, 2013 at 11:23 AM, Jerry Lowry jlo...@edt.com wrote:

 Well, thanks so much for the help, NOT!

 I suppose no one has any ideas or thoughts on troubleshooting this
 problem.

 could be samba, could be nfs, could be imap.  Tried them all and no one
 seems to want to help.

 So much for community effort!




 On 05/29/2013 02:49 PM, Jerry Lowry wrote:

 So, no one has any ideas on this ?

 CentOS is running Samba version : 3.0.33-3.39.el5_8 ( DMB, Preferred, NO
 LMB )
 Solaris is running Samba version : 3.0.28 (LMB, Preferred )

 This was working before an update on the CentOS system, which installed
 the present version.  Is there anything that may have broken communications
 between these two versions?  As I said below, I can connect to a share on
 the Solaris server from either a linux or windows workstation.  I get
 connected but I don't see any of the files in the share directory ( which
 resides on the CentOS server).

 Any ideas?

 jerry

 On 05/28/2013 09:50 AM, Jerry Lowry wrote:

 Hi,  first time poster.

 I am having trouble getting one of my servers to list all the files in
 the directory.  Consequently, it is failing to work with email when users
 create new sub folders ( main problem).

 background:

 we have two servers
 -old solaris 10 system running as server not smb master which is
 mail server
 -new linux CentOS 5.9 system running as master that also serves as
 file server

 if I create a sub folder in mail ( either Thunderbird or Outlook ) the
 file gets created on the CentOS system but does not get listed via imap
 subscribe which is running on the solaris system.  The file permissions are
 correct and I can dump the file header which tells me that it is a mail
 file.  But the smb server on the CentOS system apparently is not serving
 the file to the solaris system.

 Also, if I connect from a windows client to the solaris server I only
 get one file in the list, whereas on the CentOS system it will give the
 complete listing.

 I have some debug listing but not sure if this shows the problem.

 thanks,
 jerry

 debug listing:
 [2013/05/28 08:37:49, 2] smbd/sesssetup.c:(1200)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
 all old resources.
 [2013/05/28 08:37:49, 2] smbd/sesssetup.c:(1200)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
 all old resources.
 [2013/05/28 08:37:49, 2] auth/auth.c:(319)
   check_ntlm_password:  Authentication for user [jlowry] - [jlowry]
 FAILED with error NT_STATUS_WRONG_PASSWORD
 [2013/05/28 08:38:03, 2] smbd/sesssetup.c:(1200)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
 all old resources.
 [2013/05/28 08:38:03, 2] smbd/sesssetup.c:(1200)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
 all old resources.
 [2013/05/28 08:38:04, 2] auth/auth.c:(309)
   check_ntlm_password:  authentication for user [jlowry] - [jlowry] -
 [jlowry] succeeded
 [2013/05/28 08:38:04, 0] auth/auth_util.c:(792)
   create_builtin_administrators: Failed to create Administrators
 [2013/05/28 08:38:04, 2] auth/auth_util.c:(914)
   create_local_nt_token: Failed to create BUILTIN\Administrators group!
 [2013/05/28 08:38:04, 0] auth/auth_util.c:(758)
   create_builtin_users: Failed to create Users
 [2013/05/28 08:38:04, 2] auth/auth_util.c:(941)
   create_local_nt_token: Failed to create BUILTIN\Users group!
 [2013/05/28 08:38:04, 1] smbd/service.c:(1033)
   bagby (10.10.10.2) connect to service jlowry initially as user jlowry
 (uid=1002, gid=1010) (pid 8145)




Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-04 Thread Ricky Nance
@Giedrius
"Not exactly, as I wrote in my other posts to mailing list, this is glibc's
nss dns resolvers' (libnss_dns.so) issue that is ignoring hostnames with
_ (_msdcs)"

Which OS's does that affect?

@David, Is your nameserver (in /etc/resolv.conf) on dcA ip.to.dc.a and on
dcB ip.to.dc.b? If so, what happens when you set them both to A? How about
when you set them both to B? I'd play around with that a bit until you get
a good replication, then restart samba on both DC's and set them properly
(dcA needs ip.to.dc.a and dcB needs ip.to.dc.b).

Ricky


On Tue, Jun 4, 2013 at 1:59 AM, David González Herrera - [DGHVoIP] 
i...@dghvoip.com wrote:

 On 6/4/2013 1:28 AM, Giedrius wrote:

 2013.06.04 09:10, David González Herrera - [DGHVoIP] wrote:

 On 6/3/2013 11:57 PM, Giedrius wrote:

 Hi,

 2013.06.04 04:16, David González Herrera - [DGHVoIP] wrote:

 Hi,

 Let's see if any of the questions gets answered or at least I get
 pointed to something that can help me.

 I followed this wiki:
 http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

 I have my S4 domain running, I compiled and installed another S4 to
 replicate the first server and joined successfully to the domain but
 replication seems to be broken.

 Command used:


 root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator
 --realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
 Finding a writeable DC for domain 'mundo.local'
 Found DC samba.mundo.local
 workgroup is mundo
 realm is mundo.local
 checking sAMAccountName
 Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
 Adding CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 Adding CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
 Setting account password for BDC$
 Enabling account
 Calling bare provision
 No IPv6 address will be assigned
 Provision OK for domain DN DC=mundo,DC=local
 Starting replication
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[402/1550] linked_values[0/0]
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[804/1550] linked_values[0/0]
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[1206/1550] linked_values[0/0]
 Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] objects[1550/1550] linked_values[0/0]
 Analyze and apply schema objects
 Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614] linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614] linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614] linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614] linked_values[0/0]
 Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614] linked_values[28/0]
 Replicating critical objects from the base DN of the domain
 Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
 Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
 Done with always replicated NC (base, config, schema)
 Replicating DC=DomainDnsZones,DC=mundo,DC=local
 Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42] linked_values[0/0]
 Replicating DC=ForestDnsZones,DC=mundo,DC=local
 Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18] linked_values[0/0]
 Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18] linked_values[0/0]
 Committing SAM database
 Sending DsReplicateUpdateRefs for all the replicated partitions
 Setting isSynchronized and dsServiceName
 Setting up secrets database
 Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as a DC

 Seemed to have succeeded, then I ran the recommended tests

 # ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)'
 --cross-ncs objectguid
 # record 1
 dn: CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7

 # record 2
 dn: CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
 objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f

 # returned 2 records
 # 2 entries
 # 0 referrals


 These tests run from the BDC seem to work.

 host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
 ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias for samba.mundo.local.

 host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias for bdc.mundo.local.

 root@bdc:~# host -t A bdc.mundo.local.
 

Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Ricky Nance
I'd double check on the samba server itself if you can connect to it using
smbclient... `smbclient //localhost/sysvol -Uadministrator`  if that
fails try `smbclient //localhost/sysvol -d5 -Uadministrator` and paste the
output in your reply. If it succeeds then you can pretty much bet on a
connectivity issue... by the way, why isn't samba listening on port 88 in
your last mail? It might be worth it to try a `killall samba && sleep 5 &&
samba -i -M single -d3` and look for any error messages ... anyway those
are just a couple of my suggestions.

Ricky


On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani 
systemad...@helpinghandsofgreenup.org wrote:

 On 6/6/13 5:15 PM, Marc Muehlfeld wrote:

 Hello Marcelo,

 On 06.06.2013 22:47, Marcelo Ruriani wrote:

 It seems I locked myself out. I have tried these steps: turn off the
 firewall, ntacl sysvol reset, and dis-join from domain.
 The ntacl sysvol reset returns errors (which I'll post if necessary) the
 dis-join worked fine but I cannot re-join to the domain because it
 doesn't detect our domain and throws up an error domain could not be
 contacted and DNS name doesn't exist.


 * IP connection between the hosts is fine? (ping each other)

 * Do you use the internal DNS or Bind DLZ?

 * Is Samba/Bind listening on port 53? Use 'netstat -taunp', to make sure,
 that nothing else is listening on this port and prevent the correct DNS to
 start up.

 * Can you check:
 https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS



 Regards,
 Marc

 Dear List & Marc,

 Thank you for the reply. To answer your questions. I am using the
 internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on)
 plus host -t SRV _kerberos (and so on) return with a not found error. The
 A record test works fine.

 Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135 (and
 UDP 53)
 smbd is listening on TCP port 139, 445

 The clients ping the server (ip and domain name) fine and the server pings
 the clients fine.

 My followup question will appear after this reply.

 Marcelo



Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Ricky Nance
Re-provisioning will wipe out your entire samba DB, so I would try to avoid
that if at all possible, figure out if something else is listening on port
88, stop it, and restart samba (it's the kerberos stuff).  The smbclient
command isn't all that helpful (sometimes it is, sometimes not), so you may
try it with a higher debug level (-d10) but don't paste that here as it
will get quite lengthy, use a pastebin and give us the link if you don't
mind (if you think it's more helpful that is).

Good luck,
Ricky


On Fri, Jun 7, 2013 at 12:56 PM, Marcelo Ruriani 
systemad...@helpinghandsofgreenup.org wrote:

  On 6/7/13 10:51 AM, Ricky Nance wrote:

 I'd double check on the samba server itself if you can connect to it
 using smbclient... `smbclient //localhost/sysvol -Uadministrator`  if
 that fails try `smbclient //localhost/sysvol -d5 -Uadministrator` and paste
 the output in your reply. If it succeeds then you can pretty much bet on a
 connectivity issue... by the way, why isn't samba listening on port 88 in
 your last mail? It might be worth it to try a `killall samba && sleep 5 &&
 samba -i -M single -d3` and look for any error messages ... anyway those
 are just a couple of my suggestions.

  Ricky


 On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani 
 systemad...@helpinghandsofgreenup.org wrote:

 On 6/6/13 5:15 PM, Marc Muehlfeld wrote:

 Hello Marcelo,

 On 06.06.2013 22:47, Marcelo Ruriani wrote:

 It seems I locked myself out. I have tried these steps: turn off the
 firewall, ntacl sysvol reset, and dis-join from domain.
 The ntacl sysvol reset returns errors (which I'll post if necessary) the
 dis-join worked fine but I cannot re-join to the domain because it
 doesn't detect our domain and throws up an error domain could not be
 contacted and DNS name doesn't exist.


 * IP connection between the hosts is fine? (ping each other)

 * Do you use the internal DNS or Bind DLZ?

 * Is Samba/Bind listening on port 53? Use 'netstat -taunp', to make
 sure, that nothing else is listening on this port and prevent the correct
 DNS to start up.

 * Can you check:
 https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS



 Regards,
 Marc

  Dear List & Marc,

 Thank you for the reply. To answer your questions. I am using the
 internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on)
 plus host -t SRV _kerberos (and so on) return with a not found error. The
 A record test works fine.

 Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135 (and
 UDP 53)
 smbd is listening on TCP port 139, 445

 The clients ping the server (ip and domain name) fine and the server
 pings the clients fine.

 My followup question will appear after this reply.

 Marcelo



  To list, Marc, Ricky,

 I must admit I am unsure why it isn't listening on port 88! I will do
 that kill all samba thing later and reply if that does the trick. On the
 tests you asked me to do, this is my output of terminal: (I apologize for
 formatting)

 root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol
 -U%administrator

 Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]

 tree connect failed: NT_STATUS_ACCESS_DENIED

 root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -d5
 -U%administrator

 INFO: Current debug levels:

 all: 5

 tdb: 5

 printdrivers: 5

 lanman: 5

 smb: 5

 rpc_parse: 5

 rpc_srv: 5

 rpc_cli: 5

 passdb: 5

 sam: 5

 auth: 5

 winbind: 5

 vfs: 5

 idmap: 5

 quota: 5

 acls: 5

 locking: 5

 msdfs: 5

 dmapi: 5

 registry: 5

 lp_load_ex: refreshing parameters

 Initialising global parameters

 rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)

 INFO: Current debug levels:

 all: 5

 tdb: 5

 printdrivers: 5

 lanman: 5

 smb: 5

 rpc_parse: 5

 rpc_srv: 5

 rpc_cli: 5

 passdb: 5

 sam: 5

 auth: 5

 winbind: 5

 vfs: 5

 idmap: 5

 quota: 5

 acls: 5

 locking: 5

 msdfs: 5

 dmapi: 5

 registry: 5

 params.c:pm_process() - Processing configuration file
 /usr/local/samba/etc/smb.conf

 Processing section [global]

 doing parameter workgroup = AD.HHG.COM

 doing parameter realm = HHG.COM

 doing parameter netbios name = AD

 doing parameter server role = active directory domain controller

 doing parameter dns forwarder = 192.168.1.1

 pm_process() returned Yes

 added interface eth0 ip=fe80::222:19ff:fe95:7f31%eth0
 bcast=fe80:::::%eth0 netmask=:::::

 added interface eth0 ip=192.168.1.10 bcast=192.168.1.255
 netmask=255.255.255.0

 Netbios name list:-

 my_netbios_names[0]=AD

 Client started (version 4.1.0pre1-GIT-94f11e9).

 Opening cache file at /usr/local/samba/var/lock/gencache.tdb

 Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb

 sitename_fetch: No stored sitename for HHG.COM

 name localhost#20 found.

 Connecting to ::1 at port 445

 Socket
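
The listener check discussed in the two messages above (is anything on port 88, and is it Samba or something else), as an added example that is not part of any post in the thread. The port list is the TCP ports named in the thread plus 88; the function names, the rule that only `samba` or `smbd` should own these ports, and both netstat samples are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the TCP listeners an AD DC
# needs, reading `netstat -taunp` output on stdin.
# EXPECTED_TCP = TCP ports named in the thread plus 88 (Kerberos).
# Assumption: only programs named "samba" or "smbd" should own them.
EXPECTED_TCP="53 88 135 139 389 445 636 3268 3269"

# Print "port program" for each TCP socket in LISTEN state.
listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
         n = split($4, a, ":")          # works for 0.0.0.0:53 and :::53
         prog = $7
         sub(/^[0-9]+\//, "", prog)     # "1201/samba" -> "samba"
         print a[n], prog
       }' | sort -u
}

# Print one line per expected port: "<port> ok|missing|foreign <program(s)>".
port_report() {
  seen=$(listeners)
  for port in $EXPECTED_TCP; do
    owners=$(printf '%s\n' "$seen" | awk -v p="$port" '$1 == p { print $2 }')
    if [ -z "$owners" ]; then
      echo "$port missing -"
      continue
    fi
    status=ok
    for prog in $owners; do
      case "$prog" in
        samba|smbd) ;;                  # expected owners
        *) status=foreign ;;            # something else holds the port
      esac
    done
    echo "$port $status $(echo $owners | tr ' ' ',')"
  done
}

# Print only the problems as "port:status,port:status" (empty if none).
problem_ports() {
  port_report | awk '$2 != "ok" { printf "%s%s:%s", sep, $1, $2; sep = "," }
                     END { print "" }'
}

# Constructed sample 1: the situation reported in the thread, nothing on 88.
sample_no_kdc() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0 0 0.0.0.0:53    0.0.0.0:* LISTEN 1201/samba
tcp   0 0 0.0.0.0:135   0.0.0.0:* LISTEN 1201/samba
tcp   0 0 0.0.0.0:139   0.0.0.0:* LISTEN 1207/smbd
tcp   0 0 0.0.0.0:389   0.0.0.0:* LISTEN 1201/samba
tcp   0 0 0.0.0.0:445   0.0.0.0:* LISTEN 1207/smbd
tcp   0 0 0.0.0.0:636   0.0.0.0:* LISTEN 1201/samba
tcp   0 0 0.0.0.0:1024  0.0.0.0:* LISTEN 1201/samba
tcp   0 0 0.0.0.0:3268  0.0.0.0:* LISTEN 1201/samba
tcp   0 0 0.0.0.0:3269  0.0.0.0:* LISTEN 1201/samba
udp   0 0 0.0.0.0:53    0.0.0.0:*        1201/samba
EOF
}

# Constructed sample 2: another daemon (here a stand-alone KDC) holds 88.
sample_foreign_kdc() {
  sample_no_kdc
  echo 'tcp6  0 0 :::88         :::*      LISTEN 880/krb5kdc'
}

# Demo on the constructed data; on a live DC: netstat -taunp | port_report
sample_no_kdc | port_report
```

Run as root so that netstat fills in the PID/Program name column; without it every owner shows as `-` and is reported as foreign.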

Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Ricky Nance
Kinit doesn't have output on all systems (ubuntu is one of them) after
running that, klist should show that you have an active ticket. Also do
what Marc says samba -i -M single and see where samba is failing the
startup.

Ricky


On Tue, Jun 11, 2013 at 10:38 AM, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:

 Hello Dino,

 On 11.06.2013 17:11, Dino Edwards wrote:

  Using Ubuntu 10.04 LTS 32-bit. Tried following the wiki to install an
 additional DC in an existing AD domain. Here are the steps I took:


 1.   Installed the Ubuntu prerequisites and then I built from source.
 It compiled and installed successfully to /usr/local/samba

 2.   Skipped Step 1 Provision Samba according to the wiki It's not
 required to install as an additional DC in existing domain

 3.   Went to step 2 Starting your Samba AD DC located here:
 http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

 4.   Set /etc/krb5.conf with the following:


 [libdefaults]

   dns_lookup_realm = true

   dns_lookup_kdc = true

   default_realm = mydomain.local



 5.   Ran kinit Administrator and put in the domain admin password and
 I got absolutely no output. The command ran and I got no error or any
 indication that anything happened. Apparently I'm supposed to get something
 like this:

 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: administrator@mydomain.local

 Valid starting     Expires            Service principal
 11/11/12 17:29:51  11/12/12 03:29:51  krbtgt/

 Additionally, running /usr/local/samba/sbin/samba does nothing also. When
 I check for any samba running processes I get nothing. I'm stuck. I would
 appreciate some assistance on this.

 Thanks a lot




 Did you follow *all* steps from the
 http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
 HowTo? I didn't see, in the steps you had listed, that you joined the
 domain, etc.


 Can you start Samba with the following command and see, what it outputs:
 # samba -i -M single



 Regards,
 Marc



Re: [Samba] Samba 4.0.6 Ubuntu Package Available

2013-06-11 Thread Ricky Nance
On Tue, Jun 11, 2013 at 11:38 AM, Mike Ray m...@xes-inc.com wrote:

 On a possibly related note: replication spits out WERR_BADFILE for all
 inbound/outbound neighbors on the PDC. The secondary DC states the inbound
 is successful (even though they appear to not actually be) but attempts
 nothing for outbound.


A lot of times the WERR_BADFILE is due to the nameserver line in your
/etc/resolv.conf, you need to set it to one of your DC's, then restart BOTH
samba servers and see if that line goes away.


Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Ricky Nance
On Tue, Jun 11, 2013 at 3:19 PM, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:

 I changed the HowTo a bit, to make it more clear, that the output shown is
 from klist and not kinit.


Marc, thanks for adding that :).

Also dns forwarder = 8.8.8.8 the 8.8.8.8 there is a Google dns server, so
that ip WILL work :) but if you have a local one you'd rather use, then use
it. (8.8.4.4 is another google one if I recall right)

Ricky


Re: [Samba] How to add a client to a domain?

2013-06-18 Thread Ricky Nance
You should use either root or administrator (depending on your setup),
however, any user with the SeMachineAccountPrivilege
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html will
be able to add machines to the domain (root just has all of the Se
privileges by default).

Ricky


On Tue, Jun 18, 2013 at 4:03 AM, quiz...@lavabit.com wrote:

 Thanks for your advice René. I checked the two clients and the one that is
 already part of the domain did have these entries. The client I'm trying
 to connect didn't so I added them.

 I restarted the client and tried to join it into the domain. I still get a
 prompt for a user and account that can join/connect to the domain. What
 sort of account should be given here?
 I've tried a few combinations but none succeeded. The documentation I
 referred to earlier brings up a few alternative approaches, one being a
 Samba account that has root privileges on the Samba server.

 Just to point out: Besides the actual domain the clients are part of
 there also seems to be a domain solely for the server (the server is named
 FOOBAR and there's a corresponding FOOBAR domain)

 Hi,
 did you change the registry of your Windows 7 Client?
 Windows Registry Editor Version 5.00
 

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
 DomainCompatibilityMode=dword:0001
 DNSNameResolutionRequired=dword:
 
 Sounds a lot like you did not.
 
 
 
 Am 18.06.2013 08:03, schrieb quiz...@lavabit.com:
  Hello
 
  I have recently inherited a small domain consisting of a linux
  server running samba 3.6 and one client computer running Windows 7.
 
  I want to add another client (also running Windows 7) to the domain.
  Previously adding clients has been done by manually creating a linux
  machine account and samba account.
 
  I have created the accounts for the new client but when I try to
  configure it to be part of the domain a window pops up prompting for
  an account and password that can join the domain. I don't really
  know what to enter here and I am unable to add the machine.
 
  Quoting from the documentation:
  http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#machine-trust-accounts
 
  When the user elects to make the client a domain member, Windows 200x
  prompts for an account and password that has privileges to create
  machine accounts in the domain.
 
  A Samba administrator account (i.e., a Samba account that has root
  privileges on the Samba server) must be entered here; the operation
  will fail if an ordinary user account is given. The necessary
  privilege can be assured by creating a Samba SAM account for root or
  by granting the SeMachineAccountPrivilege privilege to the user
 account.
 
  What should I do to successfully add the client to the domain?





Re: [Samba] Again, Windows 7 access to Samba server: Strange performance/delay problems while opening share

2013-06-18 Thread Ricky Nance
Hi Ralf, please have a look at
https://lists.samba.org/archive/samba/2013-June/173960.html

Ricky


On Tue, Jun 18, 2013 at 3:42 AM, Ralf lists.samba@rb.7bg.de wrote:

 Hello list,

 when I wrote my first mail with this content, I received only the lists
 digest. To be able to answer, I switched this to single message mode.

 So, here again.

 I have a strange performance issue with a single Windows 7 client in a
 simple network setup with one samba server, and various windows clients
 (Win XP, Windows 7).

 All clients can open shares with explorer, without any delay (the share
 contents are listed directly).
 But one client, a lenovo Windows 7 Laptop has strange problems opening
 these same shares. The time from opening a share, until the share is
 listed, varies between (seldom) direct response, and in most cases
 delays between 3 and 20 seconds, in seldom extreme cases 1-2 minutes.
 It does not depend on the switch port. The problem also appears
 while being connected with other switch ports, different ethernet
 cables or on a WLAN/WIFI connection.

 Because this is the only Windows 7 client with this kind of problems, I
 reinstalled the machine from scratch (with the lenovo version of windows
 7 from the hidden partition), hoping this problem was caused by any kind
 of windows weirdness (the windows 7 installation was one or two years
 old).

 The only change was, there were no more delays in listing shares, longer
 than 20 seconds, so the core problem still exists.

 What possibilities do I have, to solve this problem?

 My next step was, to capture the network traffic this client does, while
 opening a specific share. I captured also the traffic caused by two
 other windows 7 clients, which do not have any delay issues while
 opening the same share. My knowledge about samba network packages is far
 too low, to be able to find the problem.

 In my desperation now, I joined this list, hoping there is anybody, who
 can give me a hint to the right direction, to solve this problem.

 Is here anybody who can read these traffic dumps, and may be see what
 this client's problem is?
 I could also post these three traffic  dumps, they are small (about 15k
 each).
 Who can I contact, to help me solving this problem?


 Thanks,
 Ralf



Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-20 Thread Ricky Nance
You might look into net getlocalsid, net getdomainsid, net setlocalsid and
net setdomainsid commands, you may be able to set the samba servers the
same as your ldap sid... just a thought. Remember, messing around with SID's
can cause major issues, so export all sids to file and be ready to set them
back if everything goes wrong. (net getdomainsid > sidbackup.txt to export
them on the samba side of things)

Ricky


On Thu, Jun 20, 2013 at 8:04 AM, Gaiseric Vandal
gaiseric.van...@gmail.com wrote:

 If I follow correctly the LDAP server is NOT in the domain?   The Samba
 accounts should be using the SID of the Samba PDC not the SID of the  LDAP
 server. This of course means that a Samba member server can't use the
 same LDAP back end (at least for Samba authentication.)



 Long and short -  I found it easiest to have LDAP server on the same
 machine as the DC.  I have one PDC and one BDC  (sometimes 2 BDC's.)  Each
 PDC uses its own ldap server and the ldap servers are configured for
 replication.

 The simplest solution may be to set the local and domain sid of the LDAP
 server to the same sid as the DC, and join the LDAP server to the domain as
 a DC.






 On 06/20/13 04:26, Philipp Lies wrote:

 Hi,

 I'm trying to get my new samba server running for a few days now and I
 start losing my mind over not figuring out what I'm doing wrong. Here's
 my setup:

 OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix
 and a samba NT password stored in the LDAP as well as a User SID and
 Primary Group SID assigned and stored in the LDAP, derived from the SID
 of the LDAP Server.

 Now I want several samba servers to use the LDAP server to authenticate
 users.
 One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap
 server. getent passwd/group returns all users and ssh to the samba
 machine works for all users. Samba is v3.6.9-151.el6. Now here's the
 smb.conf (I removed the shares):

  [global]
  workgroup = X
  security = user
  passdb backend = ldapsam:ldap://myldapserver
  ldap suffix = dc=mydomain,dc=com
  ldap admin dn = cn=replicator,dc=mydomain,dc=com
  ldap user suffix = ou=users
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap ssl = start tls

 The ldap connection works, as `pdbedit -L` shows

  pm_process() returned Yes
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
  StartTLS issued: using a TLS connection
  smbldap_open_connection: connection opened
  ldap_connect_system: successful connection to the LDAP server
  The LDAP server is successfully connected
  smbldap_search_paged: base = [dc=mydomain,dc=com], filter = [(&(uid=*)(objectclass=sambaSamAccount))],scope = [2], pagesize = [1024]
  smbldap_search_paged: search was successful
  sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain

 and then the last message repeats for all uids.
 Using `smbclient -L localhost -U someid` the log file says:

  check_ntlm_password:  Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
  check_ntlm_password:  mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
  StartTLS issued: using a TLS connection
  smbldap_open_connection: connection opened
  ldap_connect_system: successful connection to the LDAP server
  The LDAP server is successfully connected
  init_sam_from_ldap: Entry found for user: someid
  Home server: SAMBAHOST
  Home server: SAMBAHOST
  init_group_from_ldap: Entry found for group: 1011
  init_group_from_ldap: Entry found for group: 1011
  Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
  Forcing Primary Group to 'Domain Users' for someid
  ntlm_password_check: Checking NTLMv2 password with domain [CIN]
  sam_account_ok: Checking SMB password for user someid
  The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
  check_ntlm_password:  Authentication for user [someid] - [someid] FAILED with error NT_STATUS_UNSUCCESSFUL

 What I see here is that the samba server does not recognize the primary
 group of the user (which is an existing group in the LDAP) and therefore
 maps the primary group to its local Domain Users group which then
 obviously does not match the domainSID of the userid.
 But why doesn't the samba server recognize the group? Or is there a
 different underlying problem?


 What I tried so far:

 Changing the SID of the samba server to the SID of the LDAP server, but
 `net setlocalsid S-...` did not change the local SID. No error message,
 just executed successfully but getlocalsid returned the old SID.

 Setting the domainsid of the samba server to the 

Re: [Samba] sysvol path samba-tool classic upgrade

2013-06-25 Thread Ricky Nance
Is this during provision or after? If it's after, you can just modify your
smb.conf under the [sysvol] change the path= line... if it's during, then I
will need to do some checking when I get home as I don't have S4 setup here
at work.

Ricky


On Tue, Jun 25, 2013 at 9:37 AM, Stéphane PURNELLE 
stephane.purne...@corman.be wrote:

 Hi,

 I test samba4 on test server.

 I have an error when samba-tool tries to create the sysvol directory.
 samba-tool displays an error message: FS don't support ACL

 it seems that sysvol directory is created under locks directory.

 What is the locks directory?
 How can I specify another path for sysvol  (path with ACL support)

 My structure is :

 Samba installation :
 /usr/local/samba

 Samba configuration :
 /srv/etc/samba

 samba private file
 /srv/private

 Samba lock directory
 /srv/var/lib

 Samba state directory
 /srv/var/locks

 /srv will be a mirrored FS in production servers without ACL support.

 data are on other FS with XFS filesystem and are also mirrored.

 regards

 Stéphane Purnelle

 ---
 Stéphane PURNELLE Admin. Systèmes et Réseaux
 Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467


Re: [Samba] file server or member server?

2013-07-01 Thread Ricky Nance
Steve, in simplest terms, a member server is just that, a member of the
domain serving something (print services, file services, etc). A file
server is generally part of either a member server, or it can be part of
the domain server, it's simply the part of the server that is handling how
the files are transferred. A domain server would be either a PDC or AD DC,
something that handles authentication, in some environments, you will find
a NT4 style PDC (Primary Domain Controller), in others you will find AD
DC's (Active Directory Domain Controllers), and still yet, there will be
others that are just simple authentication (simple file servers, mainly
used in home networks).

With all that said, you can mix and match somewhat, all DC's (Domain
Controller, AKA domain server) have the capability of serving files (file
server), but a member server MUST be part of the domain as it does not
provide authentication, it only checks with a DC to see what parts of the
file server it can access.

I feel like I am saying what has already been said, so if you could be more
specific about what kind of hierarchy you have, I could give you a more
specific answer. For the most part, if it's serving files and in a domain,
but not providing authentication itself, it's a 'member server', if it's NOT
in a domain, but simply serving files to any and all windows clients, it's a
simple file server, if it's in a domain and providing the domain with
username/password authentication it's a domain server (or domain controller).

Hope that helps,
Ricky


On Mon, Jul 1, 2013 at 5:34 PM, steve st...@steve-ss.com wrote:

 On Mon, 2013-07-01 at 22:36 +0100, Jonathan Buzzard wrote:

 Thanks for the input. But. . .
 
  In both NT4 style and AD domains you have servers called domain servers

 . . .now you've introduced yet another term. What's a domain server? I
 could make a guess and I'm almost certain it would be correct. But would
 I?

 Can anyone simply give a plain English definition on any of these in a
 samba context:
 - file server
 - member server
 and now
 - domain server

 I know that language evolves, but having to move the goalposts so often
 depending on what post you read is a nightmare for non native English
 speakers. It would help enormously over here, if we all stuck to calling
 a spade a spade.

 Thanks for reading,
 Steve



Re: [Samba] Samba Domain Rename

2013-07-02 Thread Ricky Nance
Like Michael said, samba 4 as an AD DC would probably not be happy if you
just change the 'workgroup = ' line in your smb.conf (as a matter of fact,
that line shouldn't exist in a AD DC setup in my opinion) the domain is
more than likely embedded very deep inside of the LDB's, and I would
strongly recommend against changing those, however, with sufficient backups
and lots of luck you might be successful in changing it (look into
ldbsearch and ldbedit if you are really REALLY brave). I think even
changing every instance in the LDB's  however will still not work, as
during provision the machine joins itself to the domain (yes it joins
itself to itself if I recall right). I would try to avoid this at all
costs, but if you must do it, starting over may be your best option.

Just my thoughts,
Ricky


Re: [Samba] Win8 account sees its home share, but does not have permissions to access

2013-07-02 Thread Ricky Nance
Can you log into the linux machine with the user mark and write files to
/home/mark without issue? What is the output of smbclient //localhost/homes
-Umark -d5 (then at a smb:\ do ls). Just a couple of things I would look
at\try.

Ricky


Re: [Samba] Win8 account sees its home share, but does not have permissions to access

2013-07-02 Thread Ricky Nance
Mark, which distro are you running?


On Tue, Jul 2, 2013 at 2:00 PM, Mark Galeck m...@xpliant.com wrote:

 Can you log into the linux machine with the user mark and write files to
 /home/mark without issue?

 Certainly. I don't know Samba, but I do know Unix/Linux and as far as I
 can tell, everything on Linux is working fine, as well as on the Windows 8
 side.

 What is the output of smbclient //localhost/homes -Umark -d5 (then at a
 smb:\ do ls)

 ??  Command not found - I can't execute this on Linux.  I use
 /bin/systemctl status smb.service
 to get status


 On Tue, Jul 2, 2013 at 11:52 AM, Ricky Nance ricky.na...@gmail.com wrote:

 Can you log into the linux machine with the user mark and write files to
 /home/mark without issue? What is the output of smbclient //localhost/homes
 -Umark -d5 (then at a smb:\ do ls). Just a couple of things I would look
 at\try.

 Ricky





Re: [Samba] Win8 account sees its home share, but does not have permissions to access

2013-07-02 Thread Ricky Nance
Try yum install samba-client as root, then see if that command will work.
If smbclient works then, it would probably be best to see if we can get a
packet capture of when you try to access the share from the windows 8
machine (btw, which version of windows 8 are you running?). Also, does it
work from windows 8 if you do a start - run - \\192.168.221.32\homes
instead of \\192.168.221.32\mark ?

Ricky


Re: [Samba] Win8 account sees its home share, but does not have permissions to access

2013-07-03 Thread Ricky Nance
So what is the output of `ls -alhZ /home | grep mark` ?

Ricky


Re: [Samba] Win8 account sees its home share, but does not have permissions to access

2013-07-03 Thread Ricky Nance
You just did, there are rules there ' unconfined_u:object_r:user_home_dir_t'
this leads me to think selinux is your issue, however, I can't say that I
have messed around with selinux at all, so maybe someone else can chime in
and help you out. You should be able to disable it temporarily just to
check. Please refer to the following thread
https://ask.fedoraproject.org/question/10507/how-to-disable-fedora-17-selinux/

Thanks,
Ricky


Re: [Samba] Problem to demote samba4 dc

2013-07-31 Thread Ricky Nance
I had this happen the other day and ran it down to the DomainDNS and
ForestDNS not transferring fully. I haven't yet had time to file a bug on
this.

Ricky


On Wed, Jul 31, 2013 at 8:35 AM, Davy HUBERT davy.hub...@univ-montp3.fr wrote:

 Hi all,

 I recently migrated our samba 3 domain to an AD domain using Samba 4
 classic upgrade tool. Well, everything seems to work fine since i'm still
 alive ;) .


 I promoted a Windows 2k8 box as a new DC of this domain and I transfer the
 5 FSMO roles to it.

 Now I would like to demote the Samba4 DC but when I tried I got this
 message :

 # samba-tool domain demote
 ERROR: Current DC is still the owner of 2 role(s), use the role command to
 transfer roles to another DC

 When I check the fsmo roles status via samba-tool fsmo show it confirms
 that the Samba 4 DC doesn't own anything.

 How can I manage to demote the Samba 4 box ?


 Best regards,


 Davy.

 --
 Davy HUBERT
 DSI/SMI - Unité Systèmes
 Université Paul-Valéry, Montpellier 3
 davy.hub...@univ-montp3.fr




Re: [Samba] Samba 4 as member server

2013-08-06 Thread Ricky Nance
How does your /etc/krb5.conf file look?


On Tue, Aug 6, 2013 at 2:21 PM, Klaus Rörig kroe...@gmail.com wrote:

 Hi!

 Authentication works when I set 'password server = server01', but then
 testparm complains:
 WARNING: The setting 'security=ads' should NOT be combined with the
 'password server' parameter.
 (by default Samba will discover the correct DC to contact automatically).

 But Samba doesn't. DNS is working:

 host -t srv _kerberos._tcp
 _kerberos._tcp.verwaltung.leibniz-remscheid.de has SRV record 0 100 88
 server01.verwaltung.leibniz-remscheid.de.

 host server01
 server01.verwaltung.leibniz-remscheid.de has address 192.168.20.200


 Klaus



 On Tue, Aug 6, 2013 at 5:13 PM, steve st...@steve-ss.com wrote:

  On Tue, 2013-08-06 at 14:34 +0200, Klaus Rörig wrote:
   Hi!
  
   I set up s3 on the fileserver now but I cannot connect to my share.
  
   'wbinfo -u' lists all users
   'wbinfo -g' lists all groups
  
   getent also list the queried user.
  
   But when I try to connect from Win7 to my s3 share, it asks for creds
   but does not accept any. I cannot see any log entries.
  
   What's wrong now?
 
  Hi
  Too general without knowing a bit more:
  Who is logged in on the Win7 box?
  Is the Win7 box joined to the domain?
  What are the permissions on /srv and /srv/share?
  Can the user access the share if logged in on the file server?
  Can the user access the share using smbclient?
  Does the share appear as a folder in explorer?
  What does the windows security tab give for the share?
 
  Steve
 
 


Re: [Samba] Speed differences for windows clients

2013-08-13 Thread Ricky Nance
If you have a socket options line in your config, comment it out and
restart smbd and see if that helps.
On Aug 13, 2013 4:17 AM, Philipp Lies philipp.l...@cin.uni-tuebingen.de
wrote:

 On 8/13/2013 10:50 AM, L.P.H. van Belle wrote:
  Try the following.
  Since Win7 does traffic shaping.
 
  in administrative dos box.
  run
  netsh interface tcp set global autotuning=disabled
 
  ( the original setting is : netsh interface tcp set global
 autotuningl=normal  )
  and test again.
 Thanks, this boosted the speed ~5MB/s for both connections but the
 difference between server 1 and server 2 is still at ~10-15 MB/s. It's
 nothing critical, I'm just curious what could cause this.

 Cheers

 Philipp

 
 
  Gr.
 
  Louis
 
 
  -----Original message-----
  From: j...@samba.org [mailto:samba-boun...@lists.samba.org]
  On behalf of Jeremy Allison
  Sent: Tuesday 13 August 2013 2:18
  To: Philipp Lies
  CC: samba@lists.samba.org
  Subject: Re: [Samba] Speed differences for windows clients
 
  On Mon, Aug 12, 2013 at 10:00:18AM +0200, Philipp Lies wrote:
  Hi,
 
  we have a strange phenomenon with the transfer speed between windows
  clients and samba servers. Here's the setup:
 
  server 1: centos 6.3 with samba 3.5.10
  server 2: centos 6.4 with samba 3.6.9
  both servers are configured as BDC and have - aside from netbios
  name - identical smb.conf which contains ldapsam as backend and all
  other parameters are not set (i.e. default)
 
  When I mount a share from a linux client, the transfer speed is
  ~112MB/sec to either server from any linux client. However, when I
  mount a share from Windows clients, the speed to server 1 is ~95MB/s
  and to server 2 ~85MB/s. We tested this with several windows clients
  (all running Windows 7 with all updates).
 
  The speed difference between linux client and windows client is not
  what's confusing me but that server 2 is always slower than server
  1.
 
  Any ideas what could cause this?
 
  Nope. Need more data :-).
 
  Jeremy.


Re: [Samba] Options for paid Samba (4) support

2013-08-14 Thread Ricky Nance
Hi Mark, not trying to hijack the thread, but I can give you some roaming
profile tips in a new thread if you will create it. As for the paid
support, you might look into Sernet ( http://www.sernet.de/ ), I am not
sure of the extent of what they support and where, but I know they are one
option.

Ricky


On Wed, Aug 14, 2013 at 10:55 AM, Mark Fox mark@ecacs16.ab.ca wrote:

 Hi,

 After years of Samba 3 working great, we are trying to move a testing Samba
 4 AD system into production and have been making progress, but keep hitting
 show stoppers. (For example, roaming profiles with redirected folders
 usually work for most users. However, some users consistently can't see
 their profile on some machines, despite the profile and redirected folders
 looking fine on the server.)

 It occurred to me that after setting up a Samba 4 environment so many
 times, we can now do it in minutes. I'm sure if the right person were
 looking over our shoulder, they would spot our mistake. But a little
 Googling hasn't turned up any options to buy that person's time.

 The link to the support website (http://www.samba.org/samba/support.html)
 in the Samba Guide is broken.

 Surely, there must be some options to buy support. I must be looking in the
 wrong place. I'd love to throw some money at the Samba community, and am in
 a position to do so, but can't just donate... For that matter, I can't find
 a place where I could donate either.


 Mark


Re: [Samba] share permissions

2013-08-16 Thread Ricky Nance
Temporarily turn off selinux, if that fixes your issue you will need to
adjust the selinux rules to take care of the problem (or just completely
disable selinux). Also if you do a ls -alhDZ /home/me/mytestshare before
you turn it off it can tell you if selinux is on, then run that again after
it's turned off to confirm. You can read about disabling/turning off selinux
at http://www.revsys.com/writings/quicktips/turn-off-selinux.html

Ricky


On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field k...@brantaero.com wrote:

 I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is
 successfully replicating with a W2K3 server.  I'm following the HOWTO here:
 https://wiki.samba.org/index.php/Setup_and_configure_file_shares

 [mytest]
 path = /home/me/mytestshare -- with or without trailing slash
 read only = No

 On the W2K3 box, I can browse to \\newdc and I see my test share listed
 there.  I can also see it if I connect to newdc in Computer Management.
  However, what I can't get from either of those places is a Security tab if
 I right-click the share and go to Properties.  There's a Share Permissions
 tab in CM only that says that Everyone has Full Control. Despite that, if I
 try to double-click the share in Explorer, I get:

 ---
 \\newdc
 ---
 \\newdc\mytest is not accessible. You might not have permission to use
 this network resource. Contact the administrator of this server to find out
 if you have access permissions.

 Access is denied.

 ---
 OK
 ---

 My account has all privileges I can think of, including the
 SeDiskOperatorPrivilege as laid out in the HOWTO.

 Even if I chmod 777 /home/me/mytestshare I get this error.

 What am I missing?

 Thanks,
 Kev


Re: [Samba] share permissions

2013-08-17 Thread Ricky Nance
Have a look at
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
and
you will probably have to reboot after making the changes. I have seen this
cause more problems than not, so I would start with disabling it and see if
it fixes your problem. Also since you are using a /home/me before your
share, you need to make sure you have at least 755 permissions in both
/home and /home/me, it might be a good idea to make a directory named
/srv/mytestshare instead.

Ricky


On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field k...@brantaero.com wrote:

 Interestingly, I couldn't turn off selinux using their method:

 $ sudo echo 0 > /selinux/enforce
 -bash: /selinux/enforce: Permission denied

 Perhaps it's a CentOS thing.  Anyway, `sudo setenforce 0` seemed to work
 in that it didn't give me an error message, but OTOH didn't seem to work in
 that the output of ls -alhDZ was the same:

 drwxrwxr-x. me   me  unconfined_u:object_r:samba_share_t:s0 mytestshare

 But in any case, it still gives me the same error from Windows.

 Also something strange happened, after a while I could not navigate to
 \\newdc without a similar error, but I had not been doing anything in the
 system, so I'm not sure what might have caused it.  Running `sudo killall
 samba` and then `sudo samba` made it suddenly be browseable again.  Maybe
 not related...not sure...

 Anyway thanks for your help, Ricky.  Any other ideas?  BTW I had set up
 the selinux permissions on the mytestshare dir per the HOWTO at
 http://wiki.centos.org/HowTos/SetUpSamba.
 I'm pretty sure that's why it says samba_share_t on the ls output above.

 Kev


 On 2013-08-16 11:52 AM, Ricky Nance wrote:

 Temporarily turn off selinux, if that fixes your issue you will need to
 adjust the selinux rules to take care of the problem (or just completely
 disable selinux). Also if you do a ls -alhDZ /home/me/mytestshare before
 you turn it off it can tell you if selinux is on, then run that again
 after its turned off to confirm. You can read about disabling/turning
 off selinux
 at http://www.revsys.com/writings/quicktips/turn-off-selinux.html

 Ricky


 On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field k...@brantaero.com wrote:

 I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is
 successfully replicating with a W2K3 server. I'm following the
 HOWTO here:
 https://wiki.samba.org/index.php/Setup_and_configure_file_shares

 [mytest]
         path = /home/me/mytestshare -- with or without trailing slash
         read only = No

 On the W2K3 box, I can browse to \\newdc and I see my test share
 listed there. I can also see it if I connect to newdc in Computer
 Management. However, what I can't get from either of those places
 is a Security tab if I right-click the share and go to Properties.
 There's a Share Permissions tab in CM only that says that Everyone
 has Full Control. Despite that, if I try to double-click the share
 in Explorer, I get:

 ---
 \\newdc
 ---
 \\newdc\mytest is not accessible. You might not have permission to
 use this network resource. Contact the administrator of this server
 to find out if you have access permissions.

 Access is denied.

 ---
 OK
 ---

 My account has all privileges I can think of, including the
 SeDiskOperatorPrivilege as laid out in the HOWTO.

 Even if I chmod 777 /home/me/mytestshare I get this error.

 What am I missing?

 Thanks,
 Kev

Re: [Samba] share permissions

2013-08-20 Thread Ricky Nance
Permissions are hard to explain (possibly because I don't fully understand
them myself I guess), but if you have a directory (say /srv) and you give
it 0700 permissions, then only the person that owns that directory is able
to see anything under it, however if you give it 0755, then ANYONE can see
(the second 5 is R-X for everyone) what's in there, now you have a directory
under that, let's call it share, (so /srv/share) and you give it permissions
of 0777, then everyone can read/write in the share folder, but no one can
write to the /srv folder except the owner. So when you had a share under
/home/user (which is typically /home is 755, and the /home/user is 0700)
then no one had access to the underlying directories (even if the
underlying directory is 777, because the user simply can't get to that
point)...

If anyone disagrees or could explain this better please feel free to do
so, I am not opposed to learning new things :)

Ricky


On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field k...@brantaero.com wrote:

 Aha!  Moving it worked.  I can now see it from Windows.  If I chmod 777 on
 the directory I can also add files to it from Windows.

 However, I don't quite understand why the parent of the share directory
 affects it.  BTW /home/me has 700 permissions and /srv has 755.  If the +x
 on /srv allows the +x on my test share directory to allow Windows to browse
 it, why doesn't the -w on /srv prevent the +w on my test share directory
 from allowing Windows to create files there?  I always thought negative
 permissions took precedence in ACL, generally?

 Thanks,
 Kev


 On 2013-08-20 10:22 AM, Kevin Field wrote:

 Hi Ricky,

 I don't think I should have to reboot.  setenforce is documented to work
 without rebooting.  If I need to reboot a Linux server to troubleshoot
 something like this--and I hear SELinux is often a first thing to try
 disabling to troubleshoot--then it's worse than Windows for rebooting
 requirements.  But I'm pretty sure that's simply not true.

 Otherwise this is meaningless:

 $ sudo setenforce 0
 $ sudo getenforce
 Permissive

 Also I'm a bit confused as to why the permissions on /home should affect
 /home/me if I've explicitly set them on /home/me and haven't defined
 some kind of ACL inheritance policy.  Is it the default that higher
 directories' permissions override lower ones in CentOS?  Or is it a
 Samba fileshare thing?  I would like to know exactly how this works, but
 in any case, I'll try moving the share and see how it goes.

 Thanks,
 Kev

 On 2013-08-17 9:47 AM, Ricky Nance wrote:

 Have a look at
 http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
 and
 you will probably have to reboot after making the changes. I have seen
 this cause more problems than not, so I would start with disabling it
 and see if it fixes your problem. Also since you are using a /home/me
 before your share, you need to make sure you have at least 755
 permissions in both /home and /home/me, it might be a good idea to make
 a directory named /srv/mytestshare instead.

 Ricky


 On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field k...@brantaero.com wrote:

 Interestingly, I couldn't turn off selinux using their method:

 $ sudo echo 0 > /selinux/enforce
 -bash: /selinux/enforce: Permission denied

 Perhaps it's a CentOS thing.  Anyway, `sudo setenforce 0` seemed to
 work in that it didn't give me an error message, but OTOH didn't
 seem to work in that the output of ls -alhDZ was the same:

 drwxrwxr-x. me   me  unconfined_u:object_r:samba_share_t:s0 mytestshare

 But in any case, it still gives me the same error from Windows.

 Also something strange happened, after a while I could not navigate
 to \\newdc without a similar error, but I had not been doing
 anything in the system, so I'm not sure what might have caused it.
   Running `sudo killall samba` and then `sudo samba` made it
 suddenly be browseable again.  Maybe not related...not sure...

 Anyway thanks for your help, Ricky.  Any other ideas?  BTW I had set
 up the selinux permissions on the mytestshare dir per the HOWTO at
 http://wiki.centos.org/HowTos/SetUpSamba.  I'm pretty sure that's
 why it says samba_share_t on the ls output above.

 Kev


 On 2013-08-16 11:52 AM, Ricky Nance wrote:

 Temporarily turn off selinux, if that fixes your issue you will
 need to
 adjust the selinux rules to take care of the problem (or just
 completely
 disable selinux). Also if you do a ls -alhDZ
 /home/me/mytestshare before
 you turn it off it can tell you if selinux is on, then run that
 again
 after its turned off
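
The parent-directory rule discussed in this message, as an added example that is not part of the thread: every directory on the path needs the search (x) bit, while creating files needs w only on the directory that will hold them. It assumes the connecting account falls in the "other" class of each directory, ignores POSIX ACLs and SELinux, relies on GNU stat, and uses made-up function names on a constructed tree under a temp directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Only the "other" permission digit
# is modelled (account is neither owner nor group member). Needs GNU stat.

# other_digit DIR -> prints the "other" octal digit (0-7) of DIR's mode
other_digit() {
    mode=$(stat -c %a "$1") || return 1
    printf '%s\n' "${mode#"${mode%?}"}"   # keep only the last character
}

# first_blocked BASE REL -> checks BASE, then each component of REL below it,
# and prints the first directory without the search (x) bit for "other".
# Prints nothing when every directory on the way can be traversed.
first_blocked() {
    cur=$1
    rest=$2
    while :; do
        d=$(other_digit "$cur") || return 2
        if [ $(( d & 1 )) -eq 0 ]; then
            printf '%s\n' "$cur"
            return 0
        fi
        [ -n "$rest" ] || return 0
        cur=$cur/${rest%%/*}              # descend one component
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
}

# can_create BASE REL -> succeeds if "other" can reach BASE/REL and create
# files there: x on every directory on the path, w on the last one only.
can_create() {
    [ -z "$(first_blocked "$1" "$2")" ] || return 1
    d=$(other_digit "$1/$2") || return 2
    [ $(( d & 2 )) -ne 0 ]
}

# build_demo_tree -> constructed tree mirroring the thread's layout
# (home 755, home/me 700, srv 755, both shares 777); prints its root.
build_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/me/mytestshare" "$t/srv/mytestshare"
    chmod 755 "$t" "$t/home" "$t/srv"
    chmod 700 "$t/home/me"
    chmod 777 "$t/home/me/mytestshare" "$t/srv/mytestshare"
    printf '%s\n' "$t"
}

t=$(build_demo_tree)
for rel in home/me/mytestshare srv/mytestshare; do
    blocked=$(first_blocked "$t" "$rel")
    if can_create "$t" "$rel"; then
        echo "$rel: reachable and writable for other"
    else
        echo "$rel: blocked at ${blocked:-the share itself (no w bit)}"
    fi
done
rm -rf "$t"
```

The 755 on srv does not stop writes into srv/mytestshare because the w bit of a directory only governs creating or removing entries in that directory itself.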

Re: [Samba] share permissions

2013-08-22 Thread Ricky Nance
No, you can use /home/srv/share as long as srv (under home) is 755
permissions. Samba does run as root, but it also still obeys the rules of
the underlying file system.

Ricky


On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field k...@brantaero.com wrote:

 I can understand that.

 However, I'm a bit confused about how this is supposed to be practical in
 the case of Samba.  Samba runs as root, so it can see everything. I'm
 telling it to share a particular folder.  Why should it look at the ACLs of
 folders above that, when there's no way they will be otherwise accessible
 via Samba?

 The reason I bother with this question is that /home and /srv are on two
 different partitions.  I set it up so that the bulk of space would be
 available under /home.  Okay, so it sounds like links can come to rescue
 here.  I dig around and it seems that hard links on directories have not
 been allowed since the 70's.  Symbolic links could work, but if you enable
 the following of symbolic links in smb.conf, it can open up security holes.
  So to me it seems there's no workaround for a design that doesn't make
 sense in the first place (checking the ACLs of parent directories even if
 you're root and they're irrelevant to the application of sharing the given
 directory.)

 Am I missing something?

 Thanks,
 Kev


 On 2013-08-20 11:22 AM, Ricky Nance wrote:

 Permissions are hard to explain (possibly because I don't fully
 understand them myself I guess), but if you have a directory (say /srv)
 and you give it 0700 permissions, then only the person that owns that
 directory is able to see anything under it, however if you give it 0755,
 then ANYONE can see (the second 5 is R-X for everyone) what's in there,
 now you have a directory under that, let's call it share, (so /srv/share)
 and you give it permissions of 0777, then everyone can read/write in the
 share folder, but no one can write to the /srv folder except the owner.
 So when you had a share under /home/user (which is typically /home is
 755, and the /home/user is 0700) then no one had access to the
 underlying directories (even if the underlying directory is 777, because
 the user simply can't get to that point)...

 If anyone disagrees or could explain this better please feel free to do
 so, I am not opposed to learning new things :)

 Ricky


 On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field k...@brantaero.com wrote:

 Aha!  Moving it worked.  I can now see it from Windows.  If I chmod
 777 on the directory I can also add files to it from Windows.

 However, I don't quite understand why the parent of the share
 directory affects it.  BTW /home/me has 700 permissions and /srv has
 755.  If the +x on /srv allows the +x on my test share directory to
 allow Windows to browse it, why doesn't the -w on /srv prevent the
 +w on my test share directory from allowing Windows to create files
 there?  I always thought negative permissions took precedence in
 ACL, generally?

 Thanks,
 Kev


 On 2013-08-20 10:22 AM, Kevin Field wrote:

 Hi Ricky,

 I don't think I should have to reboot.  setenforce is documented
 to work
 without rebooting.  If I need to reboot a Linux server to
 troubleshoot
 something like this--and I hear SELinux is often a first thing
 to try
 disabling to troubleshoot--then it's worse than Windows for
 rebooting
 requirements.  But I'm pretty sure that's simply not true.

 Otherwise this is meaningless:

 $ sudo setenforce 0
 $ sudo getenforce
 Permissive

 Also I'm a bit confused as to why the permissions on /home
 should affect
 /home/me if I've explicitly set them on /home/me and haven't
 defined
 some kind of ACL inheritance policy.  Is it the default that
 higher
 directories' permissions override lower ones in CentOS?  Or is it
 a
 Samba fileshare thing?  I would like to know exactly how this
 works, but
 in any case, I'll try moving the share and see how it goes.

 Thanks,
 Kev

 On 2013-08-17 9:47 AM, Ricky Nance wrote:

 Have a look at
 http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
 and
 you will probably have to reboot after making the changes. I
 have seen
 this cause more problems than not, so I would start with
 disabling it
 and see if it fixes your problem. Also since you are using a
 /home/me
 before your share, you need to make sure you have at least

Re: [Samba] share permissions

2013-08-22 Thread Ricky Nance
It looks at all of them, but the important thing is that it's 0755 all the
way to the folder being used (if there are any XXX0 permissions on the way
to the folder it will cause things to fail, which is the case with the 'me'
part of /home/me/share as it has 0700 permissions).


On Thu, Aug 22, 2013 at 10:54 AM, Kevin Field k...@brantaero.com wrote:

 Oh, so it only looks at the immediate parent's permissions?  Not the
 grandparent?  I find that even more bewildering but a whole lot easier to
 work with if that's the case :)

 Thanks,
 Kev


 On 2013-08-22 11:44 AM, Ricky Nance wrote:

 No, you can use /home/srv/share as long as srv (under home) is 755
 permissions. Samba does run as root, but it also still obeys the rules
 underlying file system.

 Ricky


 On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field k...@brantaero.com wrote:

 I can understand that.

 However, I'm a bit confused about how this is supposed to be
 practical in the case of Samba.  Samba runs as root, so it can see
 everything. I'm telling it to share a particular folder.  Why should
 it look at the ACLs of folders above that, when there's no way they
 will be otherwise accessible via Samba?

 The reason I bother with this question is that /home and /srv are on
 two different partitions.  I set it up so that the bulk of space
 would be available under /home.  Okay, so it sounds like links can
 come to rescue here.  I dig around and it seems that hard links on
 directories have not been allowed since the 70's.  Symbolic links
 could work, but if you enable the following of symbolic links in
 smb.conf, it can open up security holes.  So to me it seems there's
 no workaround for a design that doesn't make sense in the first
 place (checking the ACLs of parent directories even if you're root
 and they're irrelevant to the application of sharing the given
 directory.)

 Am I missing something?

 Thanks,
 Kev


 On 2013-08-20 11:22 AM, Ricky Nance wrote:

 Permissions are hard to explain (possibly because I don't fully
 understand them myself I guess), but if you have a directory
 (say /srv)
 and you give it 0700 permissions, then only the person that owns
 that
 directory is able to see anything under it, however if you give
 it 0755,
 then ANYONE can see (the second 5 is R-X for everyone) whats in
 there,
 now you have a directory under that, lets call it share, (so
 /srv/share)
 and you give it permissions of 0777, then everyone can
 read/write in the
 share folder, but no one can write to the /srv folder except the
 owner.
 So when you had a share under /home/user (which is typically
 /home is
 755, and the /home/user is 0700) then no one had access to the
 underlying directories (even if the underlying directory is 777,
 because
 the user simply can't get to that point)...

 If anyone disagree's or could explain this better please feel
 free to do
 so, I am not opposed to learning new things :)

 Ricky


 On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field k...@brantaero.com wrote:

  Aha!  Moving it worked.  I can now see it from Windows.  If
 I chmod
  777 on the directory I can also add files to it from Windows.

  However, I don't quite understand why the parent of the share
  directory affects it.  BTW /home/me has 700 permissions and
 /srv has
  755.  If the +x on /srv allows the +x on my test share
 directory to
  allow Windows to browse it, why doesn't the -w on /srv
 prevent the
  +w on my test share directory from allowing Windows to
 create files
  there?  I always thought negative permissions took
 precedence in
  ACL, generally?

  Thanks,
  Kev


  On 2013-08-20 10:22 AM, Kevin Field wrote:

  Hi Ricky,

  I don't think I should have to reboot.  setenforce is
 documented
  to work
  without rebooting.  If I need to reboot a Linux server to
  troubleshoot
  something like this--and I hear SELinux is often a
 first thing
  to try
  disabling to troubleshoot--then it's worse than Windows
 for
  rebooting
  requirements.  But I'm pretty sure that's simply not
 true.

  Otherwise this is meaningless:

  $ sudo setenforce 0
  $ sudo getenforce
  Permissive

  Also I'm a bit confused as to why

Re: [Samba] share permissions

2013-08-22 Thread Ricky Nance
No problem, glad it's working :)

Ricky


On Thu, Aug 22, 2013 at 11:59 AM, Kevin Field k...@brantaero.com wrote:

 Oh, I see.  At first I read it as /home/me/srv.  Gotcha.  It works! Thanks
 very much Ricky!  -K


 On 2013-08-22 12:49 PM, Ricky Nance wrote:

 It looks at all of them, but the important thing is that its 0755 all
 the way to the folder being used (if there is any XXX0 permissions on
 the way to the folder it will cause things to fail, which is the case
 with the 'me' part of /home/me/share as it has 0700 permissions).


 On Thu, Aug 22, 2013 at 10:54 AM, Kevin Field k...@brantaero.com wrote:

 Oh, so it only looks at the immediate parent's permissions?  Not the
 grandparent?  I find that even more bewildering but a whole lot
 easier to work with if that's the case :)

 Thanks,
 Kev


 On 2013-08-22 11:44 AM, Ricky Nance wrote:

 No, you can use /home/srv/share as long as srv (under home) is 755
 permissions. Samba does run as root, but it also still obeys the
 rules
 underlying file system.

 Ricky


 On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field k...@brantaero.com wrote:

  I can understand that.

  However, I'm a bit confused about how this is supposed to be
  practical in the case of Samba.  Samba runs as root, so it
 can see
  everything. I'm telling it to share a particular folder.
   Why should
  it look at the ACLs of folders above that, when there's no
 way they
  will be otherwise accessible via Samba?

  The reason I bother with this question is that /home and
 /srv are on
  two different partitions.  I set it up so that the bulk of
 space
  would be available under /home.  Okay, so it sounds like
 links can
  come to rescue here.  I dig around and it seems that hard
 links on
  directories have not been allowed since the 70's.  Symbolic
 links
  could work, but if you enable the following of symbolic
 links in
  smb.conf, it can open up security holes.  So to me it seems
 there's
  no workaround for a design that doesn't make sense in the
 first
  place (checking the ACLs of parent directories even if
 you're root
  and they're irrelevant to the application of sharing the
 given
  directory.)

  Am I missing something?

  Thanks,
  Kev


  On 2013-08-20 11:22 AM, Ricky Nance wrote:

  Permissions are hard to explain (possibly because I
 don't fully
  understand them myself I guess), but if you have a
 directory
  (say /srv)
  and you give it 0700 permissions, then only the person
 that owns
  that
  directory is able to see anything under it, however if
 you give
  it 0755,
  then ANYONE can see (the second 5 is R-X for everyone)
 whats in
  there,
  now you have a directory under that, lets call it
 share, (so
  /srv/share)
  and you give it permissions of 0777, then everyone can
  read/write in the
  share folder, but no one can write to the /srv folder
 except the
  owner.
  So when you had a share under /home/user (which is
 typically
  /home is
  755, and the /home/user is 0700) then no one had access
 to the
  underlying directories (even if the underlying
 directory is 777,
  because
  the user simply can't get to that point)...

  If anyone disagree's or could explain this better
 please feel
  free to do
  so, I am not opposed to learning new things :)

  Ricky


  On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field k...@brantaero.com wrote:

   Aha!  Moving it worked.  I can now see it from
 Windows.  If
  I chmod
   777 on the directory I can also add files to it
 from Windows.

   However, I don't quite understand why the parent
 of the share
   directory affects it.  BTW /home/me has 700
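
An added example, not part of the original thread: it reproduces the layout discussed above (/home/me at 0700 versus /srv at 0755) in a temporary tree, walks every directory on the way to a share, and reports the first one whose mode bits deny search (x) to the connecting user, plus whether that user can list or create files in the share. The function names, the constructed uid and the temporary tree are assumptions; only classic mode bits are modelled, not POSIX ACLs or SELinux.

```python
import os
import stat
import tempfile


def class_bits(st, uid, gids=()):
    """rwx triplet (0-7) that applies to uid: owner, else group, else other.

    Exactly one class is selected, so a restrictive owner or group triplet
    is not widened by a more permissive "other" triplet.
    """
    if uid == 0:
        return 7  # root bypasses directory mode checks
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def chain(share, start="/"):
    """Directories from just below start down to the share itself."""
    share, start = os.path.abspath(share), os.path.abspath(start)
    dirs, cur = [], start
    for part in os.path.relpath(share, start).split(os.sep):
        cur = os.path.join(cur, part)
        dirs.append(cur)
    return dirs


def check_share(share, uid, gids=(), start="/"):
    """Report what uid can do with share, given every directory above it."""
    blocker = None
    for d in chain(share, start):
        # The x bit on a directory is "search": without it the path below
        # cannot be resolved, whatever the modes further down are.
        if not class_bits(os.stat(d), uid, gids) & 1:
            blocker = d
            break
    bits = class_bits(os.stat(share), uid, gids)
    reachable = blocker is None
    return {
        "blocker": blocker,
        "can_list": reachable and bool(bits & 4),    # r on the share itself
        "can_create": reachable and bool(bits & 2),  # w on the share itself
    }


def build_demo_tree():
    """Constructed layout mirroring the thread: home/me (0700) vs srv (0755)."""
    base = tempfile.mkdtemp()
    layout = [
        ("home", 0o755), ("home/me", 0o700), ("home/me/mytestshare", 0o777),
        ("srv", 0o755), ("srv/mytestshare", 0o777),
    ]
    for rel, mode in layout:
        path = os.path.join(base, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask does not matter
    return base


def demo():
    base = build_demo_tree()
    client = os.getuid() + 1000  # constructed uid: neither the owner nor root
    results = {
        "home_share": check_share(os.path.join(base, "home", "me", "mytestshare"),
                                  client, start=base),
        "srv_share": check_share(os.path.join(base, "srv", "mytestshare"),
                                 client, start=base),
        # Write permission is per directory: 0755 on srv stops the client
        # creating entries in srv itself, not in the 0777 directory below it.
        "srv_itself": check_share(os.path.join(base, "srv"), client, start=base),
    }
    return results, base


if __name__ == "__main__":
    results, _ = demo()
    for name, result in results.items():
        print(name, result)
```

On a real server, call `check_share("/srv/mytestshare", uid, gids)` with the uid and group ids of the account the client connects as, leaving `start` at its default of `/`.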

Re: [Samba] AD DC eventually not browsable without restart

2013-08-24 Thread Ricky Nance
I wonder if you're hitting the /run/lock fill up that another user reported
on a week or two ago (they are using ubuntu). I think the solution was to
make that tmpfs partition bigger (like 50 mb instead of 5 mb). Next time it
is unresponsive check and see what the output of 'df -h' is.

Ricky


On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

 I've upgraded to 4.0.9 and this behaviour persists.

 Should I file a bug report, do you think?  Is nobody else experiencing
 this?

 Thanks,

 Kev

 On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

 You may want to see if it is this bug, which is fixed in 4.0.9:
 https://bugzilla.samba.org/show_bug.cgi?id=9820

 ----
 

 *From: *Kevin Field k...@brantaero.com
 *To: *samba@lists.samba.org
 *Sent: *Tuesday, August 20, 2013 9:38:32 AM
 *Subject: *[Samba] AD DC eventually not browsable without restart


 I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
 replicating from a W2K3 DC (olddc).  When I first launch Samba using
 `sudo samba`, I can go to the Windows server and browse to \\newdc in
 Explorer, and I see mytestshare, netlogon, printers, sysvol, and
 Printers and Faxes.

 After a while (I'm not sure how long precisely, but under 24 hours) I
 could not navigate to \\newdc without the following error:

 ---
 \\newdc
 ---
 \\newdc is not accessible. You might not have permission to use this
 network resource. Contact the administrator of this server to find out
 if you have access permissions.

 The Server service is not started.
 ---
 OK
 ---

 But in the interim, I had not been doing anything in the system, so I'm
 not sure what might have caused it.  One time it even happened on a
 weekend when no backup or anything particularly special is scheduled
 while I was away.

 Anyway, running `sudo killall samba` and then `sudo samba` makes it
 suddenly browsable again.

 This is happening every day.  I guess it would be best to figure this
 problem out before we make Samba the only DC.

 Here's my smb.conf, mostly set up by samba-tool, and now a work in
 progress to add the extras we will use:

 # Global parameters
 [global]
   workgroup = MYDOMAIN
   realm = mydomain.lan
   netbios name = NEWDC
   server role = active directory domain controller
   server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
   allow dns updates = true
   dns forwarder = 192.168.1.1
 #dns recursive queries = yes
   dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
 #   dcerpc endpoint servers = winreg srvsvc
   load printers = yes
   printing = cups

 [netlogon]
   path = /var/lib/samba/sysvol/mydomain.lan/scripts
   read only = No

 [sysvol]
   path = /var/lib/samba/sysvol
   read only = No

 [printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = Yes
   read only = No
   printable = Yes

 [print$]
   comment = Point and Print Printer Drivers
   path = /var/lib/samba/printing
   read only = No

 [mytestshare]
   path = /srv/mytestshare/
   read only = No


 Any ideas?

 Thanks,
 Kev


Re: [Samba] OpenSSH auth in SAMBA4 LDAP

2013-08-26 Thread Ricky Nance
If you are using winbind, you can use template home directory = and
template shell = in your smb.conf (man smb.conf for a more accurate
description)..

Ricky


On Mon, Aug 26, 2013 at 2:58 PM, Bruno Vane bro...@gmail.com wrote:

 Marc, it seems that the problem was actually that the posix information
 were blank and I could not edit them. Made domain provision again with the
 option --use RFC2307. After creating the user in AD (via RSAT in Win7) I
 need to manually enable NIS domain info for that user. After this, I got to
 access via SSH using the Samba4 LDAP. Now i have to research how to
 auto-create the home dir and change the shell to /bin/bash.
 Very thank you for your help!

 root@samba:~# getent passwd bruno.vane
 bruno.vane:*:1:513:Bruno Vane:/home/bruno.vane:/bin/sh

 bruno.vane@Suporte-VR:~$ ssh -l bruno.vane 177.84.70.200
 bruno.vane@177.84.70.200's password:
 Could not chdir to home directory /home/bruno.vane: No such file or
 directory
 $

 2013/8/26 Marc Muehlfeld sa...@marc-muehlfeld.de

 
 
  On 26.08.2013 20:12, Luca Olivetti wrote:
 
   - Now you should be able to see all accounts (the local and domain
  accounts), when you type
 # getent passwd
 
 
  I tried it on a test VM, but it only showed accounts migrated from samba
  3+ldap (since they have the posix attributes), new users/groups added
  via samba-tool or windows didn't appear.
 
 
  Of course this would only work if you have posix information in your
  directory.
 
  If you don't want to manage them in AD, you can use winbind or sssd. But
  there you have other requirements (machine joined to domain, kerberos,
 ...).
 
 
 
  Regards,
  Marc
 
 
 



 --

 Bruno Vane
 HPM Tecnologia
 (24) 9278-7195 / (24) 3345-0002
 skype: broonu

 www.zamix.com.br | www.superonda.com.br


Re: [Samba] Samba 3.6.9 on Centos 6.4 and very slow first access to fileserver

2013-09-04 Thread Ricky Nance
On Wed, Sep 4, 2013 at 4:16 PM, Michal Bruncko michal.brun...@gmail.com wrote:

 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192


I'd start with commenting out that line and see if things get better.. then
check also with (on the samba machine) smbclient //localhost/share -d10
-Uusername and see if you can get any more info. Also from the samba
machine check and see if smbclient //10.31.155.247/support -d10 -Uusername
is helpful. Maybe something will give you a clue.


Re: [Samba] How to allow users to be local admin

2013-09-05 Thread Ricky Nance
It's been a long time, but I think NTPoledit would let you create a .pol
file you could put on the netlogon share and have the groups linked.
Example, make a domain group called privileged and then create a policy
that adds the privileged group to the local admins group... It'd be worth a
shot.

Ricky


On Thu, Sep 5, 2013 at 2:21 AM, Götz Reinicke - IT Koordinator 
goetz.reini...@filmakademie.de wrote:

 On 04.09.13 17:00, Gregory Sloop wrote:
 
 
  GRIK On 02.09.13 18:20, Marc Muehlfeld wrote:
  Hello Götz,
 
  On 02.09.2013 14:43, Götz Reinicke - IT Koordinator wrote:
  it's some time that I had to touch our samba installation and maybe
  someone can point me to the right direction.
 
  We run a samba-3.6.9 PDC with ldap backend and windows 7 clients.
  Everything for normal users is working fine (domain logon, roaming
  profiles).
 
  But now we'd like to enable our system administrators to login to any
  workstation with their domain user and install software or do other
  administrative things.
 
  I've read a bit about domain accounts and mappings. But I'm not sure
  where to add or change what.
 
  The admins affected are also in a special posix group.
 
  There are also Domain Admins and Administrators posix groups and
 net
  groupmap entries.
 
  Would be great if some one can help me.
 
  I'm not sure if this is possible with an NT4-style domain. With (Samba)
  AD it is, if you plan to migrate. Then you can use restricted groups
  for that
  (
 http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
 ).
 
 
  I don't know how many clients you have. If it's a manageable size, you
  can create a group in your domain, go to each workstation and add this
  domain group to the local administrators group once. Then everyone who
  is member of that domain group is automatically local admin on each of
  that machines (this is what you do with the restricted group in AD in
  2 mins, without leaving your desk). You only have to add this domain
  group on every PC you reinstall.
 
  But if it's a possibility, migrate to Samba AD. AD brings you many
 great
  features, especially GPO, multi master replication, etc.
 
 
  GRIK Hi Marc, currently we don't plan a change to Samba AD, and editing
 every
  GRIK client to support local groups sounds currently a bit too much. (we
 have
  GRIK about 200 windows clients and one admin :) )
 
 
  GRIK Is there not any other chance or way? The admins are very reliable,
 so
  GRIK they also might have more rights as the normal local admin.
 
  GRIK I was thinking of maybe putting them in the group Domain Admins
 which
  GRIK is also used to add workstations to the domain.
 
  GRIK Or is that something different regarding rights?
 
  GRIK Thanks for your feedback. /Götz
 
  Yes, making those users members of the Domain Admins group will
  fix it - but it also has the *usually* undesired side-effect of also
  making those people *DOMAIN ADMINS!*!!
 
  Making a domain group members of the local Admins group on each
  machine also works without the side-effect of giving them domain root
  equivalent accounts.
 
  The first can be done from a single action on the DC - but the second
  generally requires action at each station. [Without an AD controller
  that is.]
 
  So, roll the dice. Do you really trust that these folks you want to
  have local admin privs won't whack the domain intentionally or
  unintentionally? If you feel good enough about that - then perhaps
  it's right for you.

 Hi Greg,

 thanks for pointing that out, I'll get some dice and check with the
 head of department (currently only three people are considered to be
 domain admins including me)

 Regards . Götz

 --
 Götz Reinicke
 IT-Koordinator

 Tel. +49 7141 969 82 420
 Fax  +49 7141 969 55 420
 E-Mail goetz.reini...@filmakademie.de

 Filmakademie Baden-Württemberg GmbH
 Akademiehof 10
 71638 Ludwigsburg
 www.filmakademie.de

 Registered at Amtsgericht Stuttgart, HRB 205016

 Chairman of the Supervisory Board: Jürgen Walter MdL
 State Secretary in the Baden-Württemberg Ministry of Science,
 Research and the Arts

 Managing Director: Prof. Thomas Schadt




Re: [Samba] AD DC eventually not browsable without restart

2013-09-06 Thread Ricky Nance
Have you disabled syslinux? That is what that change looks like to me.

Ricky


On Thu, Sep 5, 2013 at 3:26 PM, Kevin Field k...@brantaero.com wrote:

 I just noticed something interesting, since I have /etc under version
 control: /etc/mtab changed thusly:

 -tmpfs /dev/shm tmpfs rw,rootcontext=system_u:**object_r:tmpfs_t:s0 0 0
 +tmpfs /dev/shm tmpfs rw 0 0

 Does this mean anything to our troubleshooting?

 Thanks,
 Kev


 On 2013-09-04 2:02 PM, Kevin Field wrote:

 Yeah, it's still

 tmpfs 5.9G 0  5.9G   0% /dev/shm

 The really odd thing is, currently, it's telling me this if I try to
 access it from OLDDC, running Windows Server 2003.  But if I remote into
 another computer (GEYSER) on the network that's running Windows XP, I
 can access \\NEWDC just fine.  Back to OLDDC and it still doesn't work.

 Besides the OS I noticed another difference, running echo
 %logonserver% from GEYSER, it reports \\G5, whereas running that on
 OLDDC reports \\OLDDC.  I know this is normal behaviour, but I wonder if
 it has anything to do with it.  I also wonder if, if I leave GEYSER
 logged in long enough, I'll have the same result on it as I do on OLDDC.

 So nobody else is having this browsability problem, eh?

 Kev

 On 2013-08-24 1:41 PM, Kevin Field wrote:

 Hmm...it hasn't been long enough since a restart yet, because it's not
 doing it ATM, but nonetheless if it's a question of an extra 45 mb I
 think we have it covered:

 tmpfs 5.9G 0  5.9G   0% /dev/shm

 But I'll check anyway next opportunity and report back if it's a
 positive.

 Kev

 On 2013-08-24 11:51 AM, Ricky Nance wrote:

 I wonder if your hitting the /run/lock fill up that another user
 reported on a week or two ago (they are using ubuntu). I think the
 solution was to make that tmpfs partition bigger (like 50 mb instead of
 5 mb). next time it is unresponsive check and see what the output of 'df
 -h' is.

 Ricky


 On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

 I've upgraded to 4.0.9 and this behaviour persists.

 Should I file a bug report, do you think?  Is nobody else
 experiencing this?

 Thanks,

 Kev

 On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

 You may want to see if it is this bug, which is fixed in 4.0.9:
 
 https://bugzilla.samba.org/show_bug.cgi?id=9820

 ----



 *From: *Kevin Field k...@brantaero.com
 *To: *samba@lists.samba.org
 *Sent: *Tuesday, August 20, 2013 9:38:32 AM
 *Subject: *[Samba] AD DC eventually not browsable without
 restart


 I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
 replicating from a W2K3 DC (olddc).  When I first launch Samba
 using
 `sudo samba`, I can go to the Windows server and browse to
 \\newdc in
 Explorer, and I see mytestshare, netlogon, printers, sysvol, and
 Printers and Faxes.

 After a while (I'm not sure how long precisely, but under 24
 hours) I
 could not navigate to \\newdc without the following error:

 ---
 \\newdc
 ---
 \\newdc is not accessible. You might not have permission to
 use this
 network resource. Contact the administrator of this server to
 find out
 if you have access permissions.

 The Server service is not started.
 ---
 OK
 ---

 But in the interim, I had not been doing anything in the system,
 so I'm
 not sure what might have caused it.  One time it even happened
 on a
 weekend when no backup or anything particularly special is
 scheduled
 while I was away.

 Anyway, running `sudo killall samba` and then `sudo samba`
 makes it
 suddenly browsable again.

 This is happening every day.  I guess it would be best to figure
 this
 problem out before we make Samba the only DC.

 Here's my smb.conf, mostly set up by samba-tool, and now a
 work in
 progress to add the extras we will use:

 # Global parameters
 [global]
   workgroup = MYDOMAIN
   realm = mydomain.lan
   netbios name = NEWDC
   server role = active directory domain controller
   server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
   allow dns updates = true
   dns forwarder = 192.168.1.1

Re: [Samba] AD DC eventually not browsable without restart

2013-09-06 Thread Ricky Nance
:3118: WARNING: forestFunctionality not setup
 [2013/09/06 13:53:21.498801,  0] ../source4/smb_server/smb/service.c:127(make_connection)
   make_connection: couldn't find service *.: NT_STATUS_OBJECT_NAME_NOT_FOUND
 [2013/09/06 13:53:23.152701,  0] ../source4/smb_server/smb/service.c:127(make_connection)
   make_connection: couldn't find service DESKTOP.INI: NT_STATUS_OBJECT_NAME_NOT_FOUND

 The forestFunctionality errors are from the Windows AD replication status
 tool.

 Thanks,
 Kev



 On 2013-09-06 1:46 PM, Ricky Nance wrote:

 Next time its unresponsive, try hitting it with \\ip.to.new.dc and see
 if its browsable, also get the output of netstat -anp | grep
 samba\|smbd  as well as tail -n 50 /usr/local/samba/var/log.samba and
 tail -n 50 usr/local/samba/var/log.smbd (adjust the path as needed),
 also I am interested if top has anything to say about samba or smbd (as
 for processor and memory usage).

 Ricky


 On Fri, Sep 6, 2013 at 12:12 PM, Kevin Field k...@brantaero.com wrote:

 Yep, that's exactly it.  Thanks!

 Kev


 On 2013-09-06 10:16 AM, Ricky Nance wrote:

 Have you disabled syslinux? That is what that change looks like
 to me.

 Ricky


 On Thu, Sep 5, 2013 at 3:26 PM, Kevin Field k...@brantaero.com wrote:

  I just noticed something interesting, since I have /etc under
  version control: /etc/mtab changed thusly:

  -tmpfs /dev/shm tmpfs
  rw,rootcontext=system_u:**object_r:tmpfs_t:s0 0 0


  +tmpfs /dev/shm tmpfs rw 0 0

  Does this mean anything to our troubleshooting?

  Thanks,
  Kev


  On 2013-09-04 2:02 PM, Kevin Field wrote:

  Yeah, it's still

  tmpfs 5.9G 0  5.9G   0% /dev/shm

  The really odd thing is, currently, it's telling me
 this if I try to
  access it from OLDDC, running Windows Server 2003.  But
 if I
  remote into
  another computer (GEYSER) on the network that's running
 Windows
  XP, I
  can access \\NEWDC just fine.  Back to OLDDC and it still
  doesn't work.

  Besides the OS I noticed another difference, running
 echo
  %logonserver% from GEYSER, it reports \\G5, whereas
 running that on
  OLDDC reports \\OLDDC.  I know this is normal
 behaviour, but I
  wonder if
  it has anything to do with it.  I also wonder if, if I
 leave GEYSER
  logged in long enough, I'll have the same result on it
 as I do
  on OLDDC.

  So nobody else is having this browsability problem, eh?

  Kev

  On 2013-08-24 1:41 PM, Kevin Field wrote:

  Hmm...it hasn't been long enough since a restart yet,
  because it's not
  doing it ATM, but nonetheless if it's a question of
 an extra
  45 mb I
  think we have it covered:

  tmpfs 5.9G 0  5.9G   0% /dev/shm

  But I'll check anyway next opportunity and report
 back if it's a
  positive.

  Kev

  On 2013-08-24 11:51 AM, Ricky Nance wrote:

  I wonder if your hitting the /run/lock fill up
 that
  another user
  reported on a week or two ago (they are using
 ubuntu). I
  think the
  solution was to make that tmpfs partition
 bigger (like
  50 mb instead of
  5 mb). next time it is unresponsive check and
 see what
  the output of 'df
  -h' is.

  Ricky


  On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

   I've upgraded to 4.0.9 and this behaviour
 persists.

   Should I file a bug report, do you think?  Is
  nobody else
   experiencing this?

   Thanks,

   Kev

Re: [Samba] AD DC eventually not browsable without restart

2013-09-06 Thread Ricky Nance
Next time it's unresponsive, try hitting it with \\ip.to.new.dc and see if
it's browsable, also get the output of netstat -anp | grep samba\|smbd  as
well as tail -n 50 /usr/local/samba/var/log.samba and tail -n 50
/usr/local/samba/var/log.smbd (adjust the path as needed), also I am
interested if top has anything to say about samba or smbd (as for processor
and memory usage).

Ricky


On Fri, Sep 6, 2013 at 12:12 PM, Kevin Field k...@brantaero.com wrote:

 Yep, that's exactly it.  Thanks!

 Kev


 On 2013-09-06 10:16 AM, Ricky Nance wrote:

 Have you disabled syslinux? That is what that change looks like to me.

 Ricky


 On Thu, Sep 5, 2013 at 3:26 PM, Kevin Field k...@brantaero.com wrote:

 I just noticed something interesting, since I have /etc under
 version control: /etc/mtab changed thusly:

 -tmpfs /dev/shm tmpfs
 rw,rootcontext=system_u:__**object_r:tmpfs_t:s0 0 0

 +tmpfs /dev/shm tmpfs rw 0 0

 Does this mean anything to our troubleshooting?

 Thanks,
 Kev


 On 2013-09-04 2:02 PM, Kevin Field wrote:

 Yeah, it's still

 tmpfs 5.9G 0  5.9G   0% /dev/shm

 The really odd thing is, currently, it's telling me this if I try to
 access it from OLDDC, running Windows Server 2003.  But if I remote into
 another computer (GEYSER) on the network that's running Windows XP, I
 can access \\NEWDC just fine.  Back to OLDDC and it still doesn't work.

 Besides the OS I noticed another difference, running echo
 %logonserver% from GEYSER, it reports \\G5, whereas running that on
 OLDDC reports \\OLDDC.  I know this is normal behaviour, but I wonder if
 it has anything to do with it.  I also wonder if, if I leave GEYSER
 logged in long enough, I'll have the same result on it as I do on OLDDC.

 So nobody else is having this browsability problem, eh?

 Kev

 On 2013-08-24 1:41 PM, Kevin Field wrote:

 Hmm...it hasn't been long enough since a restart yet, because it's not
 doing it ATM, but nonetheless if it's a question of an extra 45 mb I
 think we have it covered:

 tmpfs 5.9G 0  5.9G   0% /dev/shm

 But I'll check anyway next opportunity and report back if it's a
 positive.

 Kev

 On 2013-08-24 11:51 AM, Ricky Nance wrote:

 I wonder if you're hitting the /run/lock fill up that another user
 reported on a week or two ago (they are using ubuntu). I think the
 solution was to make that tmpfs partition bigger (like 50 mb instead of
 5 mb). Next time it is unresponsive check and see what the output of
 'df -h' is.

 Ricky


 On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

  I've upgraded to 4.0.9 and this behaviour persists.

  Should I file a bug report, do you think? Is nobody else
  experiencing this?

  Thanks,

  Kev

  On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

  You may want to see if it is this bug, which is fixed in 4.0.9:
  https://bugzilla.samba.org/show_bug.cgi?id=9820

  *From: *Kevin Field k...@brantaero.com
  *To: *samba@lists.samba.org
  *Sent: *Tuesday, August 20, 2013 9:38:32 AM
  *Subject: *[Samba] AD DC eventually not browsable without restart


  I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
  replicating from

Re: [Samba] manpage Samba4

2013-09-07 Thread Ricky Nance
Which distribution are you running?
On Sep 7, 2013 7:02 PM, Erik Silva eriky...@gmail.com wrote:

 Hi there,

 I installed the samba4 following the wiki : https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

 ./configure
 make
 make install

 but I have not found the manpages

 #man samba
 No manual entry for samba!

 Any solution?

 thanks!


 Erik Silva


Re: [Samba] delete kerberos databases and start over

2013-09-24 Thread Ricky Nance
Everything you mention shows that you are using samba as an AD DC, with
that being said, you should NOT be running your own KDC server, samba
provides this already. With samba stopped, double check that port 88 is not
being used: `netstat -anp | grep 88 | grep LISTEN`. If there is
something using that port, then kill it and try to restart samba and see if
things start working better then. If not, start samba, then post the last
~25 lines of /usr/local/samba/var/log.samba and log.smbd if you don't mind.

Ricky


On Tue, Sep 24, 2013 at 12:10 PM, jimc jesmey...@gmail.com wrote:

 Hi.

 Something happened with my Kerberos database*. I don't know what. I don't
 care much (right now).

 What I need to do now is to recover.

 I am running  a small home network: 3 win7 boxes, 2 xps, 2 Mint Linux and
 one Puppy.

 I tried deleting /usr/local/samba/private/* and
 /usr/local/samba/etc/smb.conf as the how-to suggests, then doing a
 samba-tool domain provision.

 All my Windoze boxes event logs say they can't establish a secure
 connection to authenticate.

 SSH works; I can get in via putty or via ssh on a Linux box.

 I have added the users using samba-tool user add jjkwkla.

 Kinit works. When I kinit jjkwkla, it asks for a password, then complains
 that it will expire.

 When I try kadmin, it says
 'Authenticating as principal jjkwkla/admin@domain.suffix with password
 kadmin: Client not found in Kerberos database while initializing kadmin
 interface'

 smbclient works.

 samba-tool testparm complains about long share names, but nothing else.

 krb5.conf is:
 [libdefaults]
 default_realm = DOMAIN.SUFFIX
 dns_lookup_realm = false
 dns_lookup_kdc = true

 [realms]
 DOMAIN.SUFFIX = {
 kdc = thisbox.domain.suffix:88
 admin_server = thisbox.domain.suffix:749
 default_domain = domain.suffix
 }

 kdc.conf is:

 [kdcdefaults]
 kdc_ports 750,88

 [realms]
 domain.suffix = {
 database_name = /usr/local/samba/private/principal
 admin_keytab = FILE:/usr/local/samba/private/.keytab
 acl_file = /etc/krb5kdc/kadm5.acl
 keys_stash_file = /etc/krb5kdc/stash
 kdc_ports = 750,88
 max_life = 9107d 5h 0m 0s
 max_renewable_life = 9300d 0h 0m 0s
 master_key_type = des3-hmac-sha1
 supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
 }

 I would appreciate any help you could give. As I said, I'm not interested
 in knowing why. This box is my print server and I need it!

 -thanks!

 -jimc

 *At least I think it's my Kerberos database...
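The port 88 check from the reply above, as an added example that is not part of the original thread: it parses `netstat -anp` output and reports only sockets bound to exactly port 88, including the UDP socket that the `grep 88 | grep LISTEN` filter does not show. The sample output, PIDs and the `exampled` process name are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which process owns the Kerberos port (88)?

# Constructed `netstat -anp` output for a host where Samba is stopped
# but a standalone KDC (krb5kdc) is still running. PIDs are made up.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address     State       PID/Program name
tcp   0      0      0.0.0.0:88       0.0.0.0:*           LISTEN      1432/krb5kdc
tcp   0      0      0.0.0.0:8834     0.0.0.0:*           LISTEN      2210/exampled
tcp   0      0      192.168.1.10:22  192.168.1.88:51234  ESTABLISHED 3001/sshd
tcp6  0      0      :::88            :::*                LISTEN      1432/krb5kdc
udp   0      0      0.0.0.0:88       0.0.0.0:*                       1432/krb5kdc
unix  2      [ ACC ]     STREAM     LISTENING     8812     900/dbus-daemon
EOF
}

# The substring filter from the thread, kept for comparison: it also
# matches port 8834 and a unix socket inode, and shows no UDP sockets.
naive_match() { grep 88 | grep LISTEN; }

# Print "proto pid program" for every socket bound to exactly port 88:
# TCP sockets in LISTEN state and unconnected UDP sockets.
port88_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }         # skip header and unix sockets
        {
            n = split($4, addr, ":")            # handles 0.0.0.0:88 and :::88
            if (addr[n] != "88") next           # exact port, not a substring
            if ($1 ~ /^tcp/ && $6 == "LISTEN") owner = $7
            else if ($1 ~ /^udp/ && NF == 6)   owner = $6   # no State column
            else next
            split(owner, p, "/")
            print $1, p[1], p[2]
        }'
}

echo "substring filter:"; sample_netstat | naive_match
echo "exact port 88:";    sample_netstat | port88_listeners
# Live use (root is needed to see PIDs): netstat -anp | port88_listeners
```

With Samba stopped, any line this prints is a process that will collide with Samba's built-in KDC when it starts.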