Re: [Samba] MSDFS on [homes] share for two samba servers
Hello Daniel, also thanks for your answer.

Your second hint with msdfs proxy: can it also be applied to home directories / [homes] shares? Because it seems to be just a whole-share redirect (directly from the configuration file) to another server/share. I think that maybe this can be applied on a virtual server, but these statements would need to be added for every user in the organization... so it is a little more laborious, but as a result we can use the simplest URL for every user, in the form \\virtual.filesrv\user. And in the configuration there should be:

    [user_on_B]
    msdfs proxy = \\hostB\share-on-B

or

    [user_on_A]
    msdfs proxy = \\hostA\share-on-A

Is that a correct understanding of msdfs proxy?

thanks
michal

On 12. 1. 2012 12:04, Daniel Müller wrote:
> Hello,
> just use a cluster file system or ex: your host A has all the homes/shares of your users. Make it a host msdfs=yes and define a root dfs on it for all shares that should be unique on both hosts. Host B is linked by msdfs proxy=\\hostA\share-on-A. That should do.
>
> Good luck
> Daniel
>
> On Wed, 11 Jan 2012 19:28:42 +0100, Michal Bruncko michal.brun...@gmail.com wrote:
>> Hello list,
>> we have two samba servers on two localities with a bigger distance between them. On both localities there are organizational staff working. And I am trying to configure home directories for all of the staff in this way:
>>
>> - all users will have the same beginning part of the URL path where their homedir is located (i.e. \\files.example.com\loginname), for unification and central access
>> - but because of the lower-speed link between both localities, there is a need to locate homedirs:
>>   -- for locality A - on server A on that locality
>>   -- for locality B - on server B on that locality
>>
>> Fine, those are the requirements.
>>
>> So I have decided to use MSDFS in combination with [homes] in this way:
>>
>> - on server A (which will act as files.example.com) there will be homedir MSDFS links for users on locality B, pointed to their real homedirs on server B (with the classic symlink syntax user_on_locality_B -> msdfs:IP_of_server_B\user_on_locality_B)
>>
>> So if user Bob from locality B accesses his homedir, he will be transparently redirected from server A to his homedir on the closest server B.
>>
>> This is nice theory, but in practice, is this feasible with the current version of samba 3.x? What are the best practices for cases like mine? Is there any way of dispatching homedirs to two/more servers?
>>
>> thanks
>> michal

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] MSDFS on [homes] share for two samba servers
Hello Jonathan, thank you for the answer.

You are right, that is a good idea, making a standalone (virtual) redirection server for all people. But here is another question: is it possible to create these redirection shares on that virtual server with the simplest path, like \\virtual.filesrv\user? Or do I need to use something like this: \\virtual.filesrv\msdfs_share\user? You know, people are lazy and they will not use the longer path if they know the simplest one to their homedirs (we are not using this samba server as a domain controller (although it is configured for this purpose) - so there is neither folder redirection nor policy in use).

thanks
michal

On 12. 1. 2012 10:45, Jonathan Buzzard wrote:
> On Wed, 2012-01-11 at 19:28 +0100, Michal Bruncko wrote:
>> Hello list,
>> we have two samba servers on two localities with a bigger distance between them. On both localities there are organizational staff working. And I am trying to configure home directories for all of the staff in this way:
>>
>> - all users will have the same beginning part of the URL path where their homedir is located (i.e. \\files.example.com\loginname), for unification and central access
>> - but because of the lower-speed link between both localities, there is a need to locate homedirs:
>>   -- for locality A - on server A on that locality
>>   -- for locality B - on server B on that locality
>>
>> Fine, those are the requirements.
>>
>> So I have decided to use MSDFS in combination with [homes] in this way:
>>
>> - on server A (which will act as files.example.com) there will be homedir MSDFS links for users on locality B, pointed to their real homedirs on server B (with the classic symlink syntax user_on_locality_B -> msdfs:IP_of_server_B\user_on_locality_B)
>>
>> So if user Bob from locality B accesses his homedir, he will be transparently redirected from server A to his homedir on the closest server B.
>
> I don't think that will work because a share must be all MSDFS. So the [homes] share on server A cannot serve up both home directory shares to local users and do MSDFS redirection for non-local users at the same time.
>
> The best way I know of is for there to be a third server, say homes.example.com, that does MSDFS redirection for all users. It is not doing much so a lightweight virtual machine will do the job. That does work and has been for a number of years now.
>
> JAB.
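The redirect-only server that JAB describes, with the one-share-per-user msdfs proxy layout Michal asks about, as an added example that is not from the thread or from the Samba project: a Python script that takes a constructed user-to-server mapping and emits the smb.conf for the virtual server, one Dfs proxy share per user, so that \\virtual.filesrv\user refers each client on to \\hostA\user or \\hostB\user. Host names, user names and the workgroup are placeholders. `msdfs root = yes` is set on each share because the smb.conf(5) text for `msdfs proxy` says only Dfs roots can act as proxy shares. The proxy server holds no data and only hands out a referral, so file permissions are still enforced on the target server, and every user still needs a real share there.

```python
r"""Generate smb.conf for a stand-alone MSDFS redirect server.

Added example, not code from the Samba list thread or the Samba project.
Each user gets a Dfs root share that proxies to the user's real [homes]
share on the server nearest that user, so \\virtual.filesrv\user works
for everyone while the data stays local. All names below are placeholders.
"""

# Constructed mapping: which real file server holds each user's home.
USER_HOME_SERVER = {
    "alice": "hostA",   # locality A
    "bob": "hostB",     # locality B
    "carol": "hostA",
}


def proxy_target(server, user):
    r"""UNC path \\server\user of the user's real home share."""
    return f"\\\\{server}\\{user}"


def build_redirect_smb_conf(user_to_server, workgroup="EXAMPLE"):
    """Return the smb.conf text for the redirect-only server.

    'host msdfs = yes' turns on Dfs referrals globally. A proxy share has
    no path of its own: the client is told to reconnect to the proxied share.
    """
    lines = [
        "[global]",
        f"    workgroup = {workgroup}",
        "    host msdfs = yes",
        "",
    ]
    for user in sorted(user_to_server):
        lines += [
            f"[{user}]",
            "    msdfs root = yes",
            f"    msdfs proxy = {proxy_target(user_to_server[user], user)}",
            "",
        ]
    return "\n".join(lines)


def proxy_shares(smb_conf_text):
    """Parse generated text back into {share: target} to verify the output."""
    result, share = {}, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
        elif share not in (None, "global") and line.startswith("msdfs proxy"):
            result[share] = line.split("=", 1)[1].strip()
    return result


if __name__ == "__main__":
    print(build_redirect_smb_conf(USER_HOME_SERVER))
```

Feed the script the real user list (for example from `wbinfo -u` or the directory) and regenerate the file whenever a user moves between sites; the generated stanzas are the per-user lines Michal found laborious to write by hand.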
[Samba] Samba 4 ldb_wrap open of idmap.ldb
Hi everyone

Version 4.0.0alpha18-GIT-bfc7481

I'm using nslcd to map Samba 4 users to uid:gid and home directory. At startup I get this:

    ldb_wrap open of secrets.ldb
    WARNING: no socket to connect to

and /var/log/messages shows:

    Jan 15 14:20:13 hh3 nslcd[2425]: [334873] failed to bind to LDAP server ldap://hh3.site/: Can't contact LDAP server: Transport endpoint is not connected
    Jan 15 14:20:13 hh3 nslcd[2425]: [334873] no available LDAP server found, sleeping 1 seconds

Samba loads and I can wbinfo -u but it takes around 2 minutes for getent passwd to kick in. Then finally I get this:

    auth_check_password_send: Checking password for unmapped user [CACTUS]\[Administrator]@[(null)]
    auth_check_password_send: mapped user is: [CACTUS]\[Administrator]@[(null)]

And Linux clients can finally logon.

Qn. Why does it take so long for the LDAP to become available? Is there something wrong with my nslcd config? Not a problem but the 2 minute wait is annoying/worrying.

cat /etc/nslcd.conf

    # This is the configuration file for the LDAP nameservice
    # switch library's nslcd daemon. It configures the mapping
    # between NSS names (see /etc/nsswitch.conf) and LDAP
    # information in the directory.
    # See the manual page nslcd.conf(5) for more information.

    # The user and group nslcd should run as.
    #uid nslcd
    #gid nslcd
    uid nslcd-user
    gid nslcd-user

    # The uri pointing to the LDAP server to use for name lookups.
    # Multiple entries may be specified. The address that is used
    # here should be resolvable without using LDAP (obviously).
    #uri ldap://127.0.0.1/
    #uri ldaps://127.0.0.1/
    #uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator
    uri ldap://hh3.site/

    # The LDAP version to use (defaults to 3
    # if supported by client library)
    #ldap_version 3

    # The distinguished name of the search base.
    base dc=hh3,dc=site

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    binddn cn=Administrator,cn=Users,dc=hh3,dc=site

    # The credentials to bind with.
    # Optional: default is no credentials.
    # Note that if you set a bindpw you should check the permissions of this file.
    bindpw 1234@Abc

    # The distinguished name to perform password modifications by root by.
    #rootpwmoddn cn=admin,dc=example,dc=com

    # The default search scope.
    #scope sub
    #scope one
    #scope base

    # Customize certain database lookups.
    #base group ou=Groups,dc=example,dc=com
    #base passwd ou=People,dc=example,dc=com
    #base shadow ou=People,dc=example,dc=com
    #scope group onelevel
    #scope hosts sub

    # Bind/connect timelimit.
    #bind_timelimit 30

    # Search timelimit.
    #timelimit 30

    # Idle timelimit. nslcd will close connections if the
    # server has not been contacted for the number of seconds.
    #idle_timelimit 3600

    # Use StartTLS without verifying the server certificate.
    #ssl start_tls
    #tls_reqcert never

    # CA certificates for server certificate verification
    #tls_cacertdir /etc/ssl/certs
    #tls_cacertfile /etc/ssl/ca.cert

    # Seed the PRNG if /dev/urandom is not provided
    #tls_randfile /var/run/egd-pool

    # SSL cipher suite
    # See man ciphers for syntax
    #tls_ciphers TLSv1

    # Client certificate and key
    # Use these, if your server requires client authentication.
    #tls_cert
    #tls_key

    # NDS mappings
    #map group uniqueMember member

    # Mappings for Services for UNIX 3.5
    #filter passwd (objectClass=User)
    #map passwd uid msSFU30Name
    #map passwd userPassword msSFU30Password
    #map passwd homeDirectory msSFU30HomeDirectory
    #map passwd homeDirectory msSFUHomeDirectory
    #filter shadow (objectClass=User)
    #map shadow uid msSFU30Name
    #map shadow userPassword msSFU30Password
    #filter group (objectClass=Group)
    #map group uniqueMember msSFU30PosixMember

    # Mappings for Services for UNIX 2.0
    #filter passwd (objectClass=User)
    #map passwd uid msSFUName
    #map passwd userPassword msSFUPassword
    #map passwd homeDirectory msSFUHomeDirectory
    #map passwd gecos msSFUName
    #filter shadow (objectClass=User)
    #map shadow uid msSFUName
    #map shadow userPassword msSFUPassword
    #map shadow shadowLastChange pwdLastSet
    #filter group (objectClass=Group)
    #map group uniqueMember posixMember

    # Mappings for Active Directory
    #pagesize 1000
    #referrals off
    #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map passwd uid sAMAccountName
    map passwd homeDirectory unixHomeDirectory
    #map passwd gecos displayName
    #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map shadow uid sAMAccountName
    #map shadow shadowLastChange pwdLastSet
    #filter group (objectClass=group)
    #map group uniqueMember member

    # Mappings for AIX SecureWay
    #filter passwd (objectClass=aixAccount)
    #map passwd uid userName
    #map passwd userPassword passwordChar
    #map passwd
Re: [Samba] Samba 4 kerberos and kinit
On 14 January 2012 12:52, steve st...@steve-ss.com wrote:
> On 14/01/12 03:19, Michael Wood wrote:
>> On 14 January 2012 01:24, steve st...@steve-ss.com wrote:
>> [...]
>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>
>> That's fine, but is that what nslcd is using?
>
> Ah. Well spotted! The nslcd docs recommend you run it as a separate user, so I created a user and group for nslcd and specified them in nslcd.conf. nslcd is running as nslcd:nslcd. So nslcd can't get inside the keytab. Is that correct? (can't test it as am not by the DC at the moment)

Sounds likely. So you probably need to export a keytab for your nslcd principal to a new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd has permission to read it. No other user should have read access.

--
Michael Wood esiot...@gmail.com
Re: [Samba] Samba 4 ldb_wrap open of idmap.ldb
Hi

On 15 January 2012 15:49, steve st...@steve-ss.com wrote:
> Hi everyone
>
> Version 4.0.0alpha18-GIT-bfc7481
>
> I'm using nslcd to map Samba 4 users to uid:gid and home directory. At startup I get this:
>
>     ldb_wrap open of secrets.ldb
>     WARNING: no socket to connect to
>
> and /var/log/messages shows:
>
>     Jan 15 14:20:13 hh3 nslcd[2425]: [334873] failed to bind to LDAP server ldap://hh3.site/: Can't contact LDAP server: Transport endpoint is not connected
>     Jan 15 14:20:13 hh3 nslcd[2425]: [334873] no available LDAP server found, sleeping 1 seconds
[...]

I don't know why the above happens, but...:

> cat /etc/nslcd.conf
[...]
> # The user and group nslcd should run as.
> #uid nslcd
> #gid nslcd
> uid nslcd-user
> gid nslcd-user

Just a guess, but this might cause a problem. I believe you created a Samba user called nslcd-user and it looks like this is what you're trying to use here. (Also, AD does not support using the same name for a user and a group, I believe.) So before nslcd starts fully it would need to look up those values, but in order to do that it needs to talk to Samba. It seems to me that this might be problematic. Maybe you should use a local Linux user for running nslcd and just use the Samba nslcd-user account for nslcd's authentication to Samba.

> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> binddn cn=Administrator,cn=Users,dc=hh3,dc=site

I think you want CN=nslcd-user,CN=Users,DC=hh3,DC=site here.

> # The credentials to bind with.
> # Optional: default is no credentials.
> # Note that if you set a bindpw you should check the permissions of this file.
> bindpw 1234@Abc

I think if your Kerberos config is working correctly this should not be necessary.

> #sasl_mech GSSAPI
> sasl_realm HH3.SITE
> #krb5_ccname /tmp/krb5cc_0

Try using /var/run/nslcd/nslcd.tkt after exporting the nslcd-user's SPN to it and making sure nslcd can read it.

--
Michael Wood esiot...@gmail.com
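The file-permission point running through these replies (the "check the permissions of this file" comment next to `bindpw` in nslcd.conf, and a keytab or credential cache that only nslcd should be able to read), as an added check that is not from the thread or from the nss-pam-ldapd project: a Python audit that reads an nslcd.conf (the sample here is constructed, with placeholder DN, realm and password, and the /var/run/nslcd/nslcd.tkt path from the thread), works out which files carry credentials, and reports any that are missing, owned by someone other than the nslcd service user, or accessible to group or others. The config parsing and the `FILE:` cache-name prefix handling are my assumptions about the file, not the project's parser.

```python
r"""Audit the files that hold nslcd's credentials.

Added example, not code from the thread or the nss-pam-ldapd project.
Two files can carry secrets: nslcd.conf itself once 'bindpw' is set, and
whatever file 'krb5_ccname' points at when GSSAPI is used. Both must be
owned by the nslcd service user and unreadable by anyone else.
"""
import os
import stat

# Constructed sample config; DN, realm, password and paths are placeholders.
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldap://dc.example.test/
base dc=example,dc=test
binddn cn=nslcd-user,cn=Users,dc=example,dc=test
bindpw placeholder-password
sasl_mech GSSAPI
sasl_realm EXAMPLE.TEST
krb5_ccname FILE:/var/run/nslcd/nslcd.tkt
"""


def secret_files(conf_path, conf_text):
    """Return the paths that hold credentials according to the config text."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "bindpw":
            found.append(conf_path)        # the config file itself is now a secret
        elif key == "krb5_ccname":
            if value.startswith("FILE:"):  # krb5 cache names may carry a type prefix
                value = value[len("FILE:"):]
            found.append(value)
    return found


def check_private_file(path, owner_uid):
    """Return a list of problems; an empty list means the file is private to owner_uid."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):   # any group/other bit set
        problems.append(f"{path}: mode {mode:04o} is accessible to group/other")
    return problems


def audit_nslcd(conf_path, conf_text, owner_uid):
    """Check every credential-bearing file named by the config."""
    problems = []
    for path in secret_files(conf_path, conf_text):
        problems += check_private_file(path, owner_uid)
    return problems


if __name__ == "__main__":
    # On a real host pass pwd.getpwnam("nslcd").pw_uid as the expected owner;
    # here the sample config is audited against the current user.
    for problem in audit_nslcd("/etc/nslcd.conf", SAMPLE_NSLCD_CONF, os.getuid()):
        print(problem)
```

The check reports on mode bits rather than trying to open the file, so it gives the same answer whether run as root or as the service user; a clean run is an empty list.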
Re: [Samba] Windows 7 There are currently no logon servers available to service the logon request
On Sat, Jan 14, 2012 at 7:53 AM, Suraj Rathod suraj.rat...@solutionenterprises.co.in wrote:
> but I am still facing There are currently no logon servers available to service the logon request

Check out the official howto: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Make sure your clients have NetBIOS enabled and configured with the WINS server address (easily done via dhcp).
Re: [Samba] Samba 4 ldb_wrap open of idmap.ldb
On 01/15/2012 04:17 PM, Michael Wood wrote:
> Hi
>
> On 15 January 2012 15:49, steve st...@steve-ss.com wrote:
>> Hi everyone
>>
>> Version 4.0.0alpha18-GIT-bfc7481
>>
>> I'm using nslcd to map Samba 4 users to uid:gid and home directory. At startup I get this:
>>
>>     ldb_wrap open of secrets.ldb
>>     WARNING: no socket to connect to
>>
>> and /var/log/messages shows:
>>
>>     Jan 15 14:20:13 hh3 nslcd[2425]: [334873] failed to bind to LDAP server ldap://hh3.site/: Can't contact LDAP server: Transport endpoint is not connected
>>     Jan 15 14:20:13 hh3 nslcd[2425]: [334873] no available LDAP server found, sleeping 1 seconds
> [...]
>
> I don't know why the above happens, but...:
>
>> cat /etc/nslcd.conf
> [...]
>> # The user and group nslcd should run as.
>> #uid nslcd
>> #gid nslcd
>> uid nslcd-user
>> gid nslcd-user
>
> Just a guess, but this might cause a problem. I believe you created a Samba user called nslcd-user and it looks like this is what you're trying to use here. (Also, AD does not support using the same name for a user and a group, I believe.) So before nslcd starts fully it would need to look up those values, but in order to do that it needs to talk to Samba. It seems to me that this might be problematic. Maybe you should use a local Linux user for running nslcd and just use the Samba nslcd-user account for nslcd's authentication to Samba.

OK. I think you're correct there. I've deleted the Samba 4 user nslcd-user and created a host principal instead (you can't create a principal for just nslcd, but I thought that as it's running on the host then, well. . .):

    samba-tool user add host-account
    samba-tool spn add host host account
    samba-tool domain exportkeytab /etc/krb5.keytab --principal=/host/HH3.SITE

gives me the following keytab:

    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 HH3$@HH3.SITE
       1 HH3$@HH3.SITE
       1 HH3$@HH3.SITE
       1 administra...@hh3.site
       1 administra...@hh3.site
       1 administra...@hh3.site
       1 host-acco...@hh3.site
       1 host-acco...@hh3.site
       1 host-acco...@hh3.site
       1 dns-...@hh3.site
       1 dns-...@hh3.site
       1 dns-...@hh3.site
       1 krb...@hh3.site
       1 krb...@hh3.site
       1 krb...@hh3.site
       1 ste...@hh3.site
       1 ste...@hh3.site
       1 ste...@hh3.site
       1 host/hh3.s...@hh3.site
       1 host/hh3.s...@hh3.site
       1 host/hh3.s...@hh3.site

>> # The distinguished name to bind to the server with.
>> # Optional: default is to bind anonymously.
>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>
> I think you want CN=nslcd-user,CN=Users,DC=hh3,DC=site here.
>
>> # The credentials to bind with.
>> # Optional: default is no credentials.
>> # Note that if you set a bindpw you should check the permissions of this file.
>> bindpw 1234@Abc
>
> I think if your Kerberos config is working correctly this should not be necessary.

It seems as though the Samba 4 LDAP needs authentication. Without the binddn and password I get:

    ldb_wrap open of secrets.ldb
    auth_check_password_send: Checking password for unmapped user []\[]@[(null)]
    auth_check_password_send: mapped user is: []\[]@[(null)]

and getent passwd fails to show the Samba 4 users. With the binddn and passwd:

    ldb_wrap open of secrets.ldb
    auth_check_password_send: Checking password for unmapped user [CACTUS]\[Administrator]@[(null)]
    auth_check_password_send: mapped user is: [CACTUS]\[Administrator]@[(null)]
    Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

getent springs to life and all is well.

>> #sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> #krb5_ccname /tmp/krb5cc_0
>
> Try using /var/run/nslcd/nslcd.tkt after exporting the nslcd-user's SPN to it and making sure nslcd can read it.

That seems impossible to do. But I'll return here if what I've done so far doesn't work. I think this comes down to the differences between kerberos user accounts, with passwords, and kerberos machine accounts without passwords but with principals instead. Does that make sense?

All seems well. steve2 can login both here on the server, on an openSUSE client and on a win 7 client, so he must have a ticket somewhere. klist gives:

    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

so the tickets must be stored internally somewhere or maybe somewhere in Australia;) After

    kinit steve2
    Password for ste...@hh3.site:
    Warning: Your password will expire in 40 days on Fri Feb 24 18:37:06 2012

and klist

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: ste...@hh3.site

    Valid starting     Expires            Service principal
    01/15/12 16:58:00  01/16/12 02:58:00  krbtgt/hh3.s...@hh3.site
            renew until 01/16/12 16:57:54

It looks as though steve2 is good for 10 hours. What is the significance of Default principal? Surely, if I have created a host principal then I want that to be the default principal. Otherwise, everything will collapse in 10 hours unless steve2 gets another ticket! My next question is, will the host principal keep nslcd alive beyond then?

The other bit is that I created the keytab on
Re: [Samba] Samba 4 kerberos and kinit
On 01/15/2012 04:04 PM, Michael Wood wrote:
> On 14 January 2012 12:52, steve st...@steve-ss.com wrote:
>> On 14/01/12 03:19, Michael Wood wrote:
>>> On 14 January 2012 01:24, steve st...@steve-ss.com wrote:
>>> [...]
>>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>>
>>> That's fine, but is that what nslcd is using?
>>
>> Ah. Well spotted! The nslcd docs recommend you run it as a separate user, so I created a user and group for nslcd and specified them in nslcd.conf. nslcd is running as nslcd:nslcd. So nslcd can't get inside the keytab. Is that correct? (can't test it as am not by the DC at the moment)
>
> Sounds likely. So you probably need to export a keytab for your nslcd principal to a new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd has permission to read it. No other user should have read access.

The problem is that I can't have a principal for nslcd. IOW I can't do this:

    samba-tool spn add nslcd some-user

I could do this

    samba-tool spn add host someuser

but already have a host principal added to the main keytab. I keep coming back to this. I can have a principal for host and I can have a principal for nfs but I can't have a principal for nslcd. Even though /etc/nslcd.conf allows me to add a kerberos realm, is that good enough?

Anyway, I've a 10 hour experiment in progress as on the other thread. Fingers crossed!

Thanks,
Steve
Re: [Samba] Samba 4 ldb_wrap open of idmap.ldb
>> #sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> #krb5_ccname /tmp/krb5cc_0
>
> Try using /var/run/nslcd/nslcd.tkt after exporting the nslcd-user's SPN to it and making sure nslcd can read it.

On openSUSE, /var/run/nslcd is deleted on stopping nslcd so it would have to go somewhere else. (On Ubuntu, it survives a restart however). Just here for the record in case others had a problem.

Steve
[Samba] Samba 3.6 problems with idmap rid
Hi!

I am using mainly Samba 3.5 on CentOS, and I was very pleased with the idmap_rid backend for SID-to-RID mappings. But on Solaris 10, I can only use 3.6 because OpenCSW ships only 3.6. Problem is, things have changed and are not working as expected...

Here is my config on RHEL Samba 3.5:

    [global]
    workgroup = WINDOMAIN
    realm = WINDOMAIN.LOCAL
    server string = localserver (Samba ver. %v)
    security = ADS
    allow trusted domains = No
    password server = someserver.windomain.local
    log file = /var/log/samba/log.%m
    load printers = No
    local master = No
    domain master = No
    idmap backend = idmap_rid:WINDOMAIN=1-4
    idmap uid = 1-4
    idmap gid = 1-4
    winbind use default domain = Yes
    cups options = raw

And it works like a charm. On version 3.6:

    [global]
    workgroup = WINDOMAIN
    realm = WINDOMAIN.LOCAL
    server string = localserver (Samba ver. %v)
    security = ADS
    allow trusted domains = No
    username map = /etc/opt/csw/samba/smbusers
    syslog = 0
    log file = /var/opt/csw/samba/log/%m.log
    max log size = 500
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    local master = No
    domain master = No
    winbind use default domain = Yes
    idmap config * : range = 1-4
    idmap config * : backend = rid : WINDOMAIN=1-4

Now, on 3.6 I have the following problem:

    # net ads testjoin
    Join is OK
    # net rpc testjoin
    Join to 'WINDOMAIN' is OK
    # net getlocalsid
    SID for domain LOCALSERVER is: S-1-5-21-1414315435-1886595200-1013317001
    # wbinfo -u | grep jakov.sosic
    jakov.sosic
    # wbinfo -i jakov.sosic
    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user jakov.sosic

Where am I wrong? Why can't I get rid mappings for domain users?

--
Jakov Sosic
www.srce.unizg.hr
Re: [Samba] Samba 3.6 problems with idmap rid
On 01/15/2012 12:35 PM, Jakov Sosic wrote:
> Hi!
>
> I am using mainly Samba 3.5 on CentOS, and I was very pleased with the idmap_rid backend for SID-to-RID mappings. But on Solaris 10, I can only use 3.6 because OpenCSW ships only 3.6. Problem is, things have changed and are not working as expected...
>
> Here is my config on RHEL Samba 3.5:
>
>     [global]
>     workgroup = WINDOMAIN
>     realm = WINDOMAIN.LOCAL
>     server string = localserver (Samba ver. %v)
>     security = ADS
>     allow trusted domains = No
>     password server = someserver.windomain.local
>     log file = /var/log/samba/log.%m
>     load printers = No
>     local master = No
>     domain master = No
>     idmap backend = idmap_rid:WINDOMAIN=1-4
>     idmap uid = 1-4
>     idmap gid = 1-4
>     winbind use default domain = Yes
>     cups options = raw
>
> And it works like a charm. On version 3.6:
>
>     [global]
>     workgroup = WINDOMAIN
>     realm = WINDOMAIN.LOCAL
>     server string = localserver (Samba ver. %v)
>     security = ADS
>     allow trusted domains = No
>     username map = /etc/opt/csw/samba/smbusers
>     syslog = 0
>     log file = /var/opt/csw/samba/log/%m.log
>     max log size = 500
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     load printers = No
>     local master = No
>     domain master = No
>     winbind use default domain = Yes
>     idmap config * : range = 1-4
>     idmap config * : backend = rid : WINDOMAIN=1-4
>
> Now, on 3.6 I have the following problem:
>
>     # net ads testjoin
>     Join is OK
>     # net rpc testjoin
>     Join to 'WINDOMAIN' is OK
>     # net getlocalsid
>     SID for domain LOCALSERVER is: S-1-5-21-1414315435-1886595200-1013317001
>     # wbinfo -u | grep jakov.sosic
>     jakov.sosic
>     # wbinfo -i jakov.sosic
>     failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>     Could not get info for user jakov.sosic
>
> Where am I wrong? Why can't I get rid mappings for domain users?

Jakov,

That looks similar to what Robert LeBlanc posted with Samba Bug 8676 (Debian Bug 652679). Compare his findings to what you see.

https://bugzilla.samba.org/show_bug.cgi?id=8676
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679

On my test systems using RID, I see similar, but not identical symptoms to his HASH backend. For me, a reboot will restore connectivity until I need to restart Samba or winbind. Then nothing but another reboot will get winbind working again.

Dale
Re: [Samba] Samba 3.6 problems with idmap rid
On 01/15/2012 07:59 PM, Dale Schroeder wrote:
> Jakov,
>
> That looks similar to what Robert LeBlanc posted with Samba Bug 8676 (Debian Bug 652679). Compare his findings to what you see.
>
> https://bugzilla.samba.org/show_bug.cgi?id=8676
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679
>
> On my test systems using RID, I see similar, but not identical symptoms to his HASH backend. For me, a reboot will restore connectivity until I need to restart Samba or winbind. Then nothing but another reboot will get winbind working again.

On Solaris 10u10 and the latest OpenCSW Samba package (3.6.1) even a reboot doesn't help :-/

--
Jakov Sosic
www.srce.unizg.hr
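The 3.5-to-3.6 idmap change underlying this thread, as an added example that is not from the thread or from the Samba project. Samba 3.6's idmap_rid(8) and smb.conf(5) express the rid backend per domain: the single 3.5 line `idmap backend = idmap_rid:DOMAIN=low-high` plus `idmap uid`/`idmap gid` becomes `idmap config DOMAIN : backend = rid` and `idmap config DOMAIN : range = low-high`, alongside an `idmap config *` default backend (tdb in the manpage example) whose range must not overlap any domain's range. This Python converter parses a constructed 3.5-style [global] fragment, emits the 3.6 lines, and refuses overlapping ranges; the domain name and all ranges are placeholders, and the overlap checker can also be pointed at an existing 3.6 smb.conf.

```python
r"""Convert a Samba 3.5 idmap_rid setup into the Samba 3.6 'idmap config' form.

Added example, not code from the thread or the Samba project. The 3.6 form
names the domain on each line and keeps a separate default ('*') backend,
whose range must not overlap the domain's RID-mapped range.
"""
import re

# Constructed 3.5-style [global] fragment; domain name and ranges are placeholders.
OLD_STYLE = """\
[global]
    workgroup = WINDOMAIN
    security = ADS
    idmap backend = idmap_rid:WINDOMAIN=10000-49999
    idmap uid = 10000-49999
    idmap gid = 10000-49999
"""

RID_LINE = re.compile(
    r"^\s*idmap backend\s*=\s*idmap_rid:([^=\s]+)=(\d+)\s*-\s*(\d+)", re.M)
RANGE_LINE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)


def parse_old_rid(conf_text):
    """Return (domain, low, high) from the 3.5 'idmap backend = idmap_rid:...' line."""
    m = RID_LINE.search(conf_text)
    if not m:
        raise ValueError("no 'idmap backend = idmap_rid:DOMAIN=low-high' line found")
    return m.group(1), int(m.group(2)), int(m.group(3))


def ranges_overlap(a, b):
    """True when the inclusive (low, high) ranges share at least one id."""
    return a[0] <= b[1] and b[0] <= a[1]


def idmap36_lines(domain, low, high, default_range):
    """Build the 3.6 lines: '*' default on tdb, the named domain on rid."""
    if ranges_overlap((low, high), default_range):
        raise ValueError(
            f"default range {default_range[0]}-{default_range[1]} overlaps "
            f"{domain} range {low}-{high}")
    dlo, dhi = default_range
    return [
        "idmap config * : backend = tdb",
        f"idmap config * : range = {dlo}-{dhi}",
        f"idmap config {domain} : backend = rid",
        f"idmap config {domain} : range = {low}-{high}",
    ]


def convert(conf_text, default_range=(1000000, 1999999)):
    """Return the 3.6 idmap lines for a 3.5 config as one string."""
    domain, low, high = parse_old_rid(conf_text)
    return "\n".join(idmap36_lines(domain, low, high, default_range))


def overlapping_ranges(conf_text):
    """Report pairs of 'idmap config X : range' entries that overlap in a 3.6 config."""
    entries = [(m.group(1), int(m.group(2)), int(m.group(3)))
               for m in RANGE_LINE.finditer(conf_text)]
    clashes = []
    for i, (name1, lo1, hi1) in enumerate(entries):
        for name2, lo2, hi2 in entries[i + 1:]:
            if ranges_overlap((lo1, hi1), (lo2, hi2)):
                clashes.append((name1, name2))
    return clashes


if __name__ == "__main__":
    print(convert(OLD_STYLE))
```

The default range is deliberately placed far above the domain range; it only absorbs SIDs that no named domain covers (BUILTIN and the local machine SID among them), so it needs to exist but not to be large.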
Re: [Samba] Samba 4 kerberos and kinit
Sorry, forgot to copy the list.

On 15 January 2012 18:32, steve st...@steve-ss.com wrote:
> On 01/15/2012 04:04 PM, Michael Wood wrote:
>> On 14 January 2012 12:52, steve st...@steve-ss.com wrote:
>>> On 14/01/12 03:19, Michael Wood wrote:
>>>> On 14 January 2012 01:24, steve st...@steve-ss.com wrote:
>>>> [...]
>>>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>>>
>>>> That's fine, but is that what nslcd is using?
>>>
>>> Ah. Well spotted! The nslcd docs recommend you run it as a separate user, so I created a user and group for nslcd and specified them in nslcd.conf. nslcd is running as nslcd:nslcd. So nslcd can't get inside the keytab. Is that correct? (can't test it as am not by the DC at the moment)
>>
>> Sounds likely. So you probably need to export a keytab for your nslcd principal to a new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd has permission to read it. No other user should have read access.
>
> The problem is that I can't have a principal for nslcd. IOW I can't do this:
>
>     samba-tool spn add nslcd some-user

I must admit that I don't know why you can't do something like this:

    # samba-tool user create nslcd-user --random-password
    User 'nslcd-user' created successfully
    # samba-tool spn add nslcd/hh3.hh3.site nslcd-user
    # samba-tool spn list nslcd-user
    nslcd-user
    User CN=nslcd-user,CN=Users,DC=hh3,DC=site has the following servicePrincipalName:
        nslcd/hh3.hh3.site
    # samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
    # ls -l nslcd.keytab
    -rw------- 1 root root 253 2012-01-15 23:10 nslcd.keytab

If that works, try getting nslcd to use it.

> I could do this
>
>     samba-tool spn add host someuser
>
> but already have a host principal added to the main keytab. I keep coming back to this. I can have a principal for host and I can have a principal for nfs but I can't have a principal for nslcd. Even though

Why if you can do it for NFS, why not for nslcd?

> /etc/nslcd.conf allows me to add a kerberos realm, is that good enough?

Well, either it will need to have the password hard coded in the config file like you have it at the moment, I believe, or it will need a ticket to access the directory.

> Anyway, I've a 10 hour experiment in progress as on the other thread. Fingers crossed!

--
Michael Wood esiot...@gmail.com
Re: [Samba] Samba 4 kerberos and kinit
On 01/15/2012 10:23 PM, Michael Wood wrote:
> On 15 January 2012 18:32, steve st...@steve-ss.com wrote:
>> On 01/15/2012 04:04 PM, Michael Wood wrote:
>>> On 14 January 2012 12:52, steve st...@steve-ss.com wrote:
>>>> On 14/01/12 03:19, Michael Wood wrote:
>>>>> On 14 January 2012 01:24, steve st...@steve-ss.com wrote:
>>>>> [...]
>>>>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>>>>
>>>>> That's fine, but is that what nslcd is using?
>>>>
>>>> Ah. Well spotted! The nslcd docs recommend you run it as a separate user, so I created a user and group for nslcd and specified them in nslcd.conf. nslcd is running as nslcd:nslcd. So nslcd can't get inside the keytab. Is that correct? (can't test it as am not by the DC at the moment)
>>>
>>> Sounds likely. So you probably need to export a keytab for your nslcd principal to a new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd has permission to read it. No other user should have read access.
>>
>> The problem is that I can't have a principal for nslcd. IOW I can't do this:
>>
>>     samba-tool spn add nslcd some-user
>
> I must admit that I don't know why you can't do something like this:
>
>     # samba-tool user create nslcd-user --random-password
>     User 'nslcd-user' created successfully
>     # samba-tool spn add nslcd/hh3.hh3.site nslcd-user
>     # samba-tool spn list nslcd-user
>     nslcd-user
>     User CN=nslcd-user,CN=Users,DC=hh3,DC=site has the following servicePrincipalName:
>         nslcd/hh3.hh3.site
>     # samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
>     # ls -l nslcd.keytab
>     -rw------- 1 root root 253 2012-01-15 23:10 nslcd.keytab
>
> If that works, try getting nslcd to use it.

Hi Michael.

The problem is this:

    root@hh3:/home/steve# samba-tool user add nslcd-user
    New Password:
    User 'nslcd-user' created successfully
    root@hh3:/home/steve# samba-tool spn add nslcd nslcd-user
    root@hh3:/home/steve# samba-tool domain exportkeytab nslcd.keytab --principal=nslcd/HH3.SITE
    ERROR(runtime): uncaught exception - Key table entry not found
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
        net.export_keytab(keytab=keytab, principal=principal)
    root@hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
    ERROR(runtime): uncaught exception - Key table entry not found
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
        net.export_keytab(keytab=keytab, principal=principal)

And finally, just for good measure:

    root@hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/HH3.SITE nslcd.keytab
    ERROR(runtime): uncaught exception - Key table entry not found
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
        net.export_keytab(keytab=keytab, principal=principal)

i.e., unlike host and nfs, nslcd cannot be made into a principal to put in a keytab. Do you think that the host principal will take care of this even though it is in root:root /etc/krb5.keytab and nslcd is running as nslcd-user?

Anyway, just 4 hours to go to see if the world collapses when steve2's ticket expires. Meanwhile, he's been creating and editing files on both win 7 and Linux clients without once being asked for a password. As you say, fingers crossed. Do I win 10 €uros!

Cheers,
Steve
[Samba] idmap config doesn't allow range to be changed?
Hi there

I've just upgraded a working samba-3.5.8 CentOS-4.9 (yes - pretty old) server to samba-3.6.1 and can't change idmap config. We almost immediately had issues with it not working for some users - and the logs showed we'd run out of idmap mappings (strange that never happened before with the older version...)

Anyway, I edited smb.conf so that

    idmap config * : range = 1-9
    idmap config * : backend = tdb

...but when I run testparm -sv|grep idmap I still see

    idmap config * : range = 1-2

i.e. that doesn't appear to be editable! That makes no sense - any ideas what's gone wrong? I suspect the server has some old library that is triggering this - but don't know where to look...?

Thanks

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Samba] Prevent smbd from consulting winbindd
Colleagues,

I am running smbd in a setup described in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553 under "Winbind is not used; users and groups are local". Samba is running in the security=domain mode, but all Windows users are being mapped to Unix users in /etc/passwd.

Now I need to run winbindd for Squid authentication. The problem is, as soon as I start winbindd, smbd begins consulting it and all Windows users start receiving uids/gids different from those in /etc/passwd.

How do I prevent smbd from consulting winbindd and make it use the old /etc/passwd mechanism for uids?

TIA for any input.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru