Re: [Samba] Exchange setup failure
On Thu, 2012-07-12 at 17:01 -0700, Harsh Shah wrote:

I am trying to install Exchange 2010 with Samba. I am able to install the Management tools but setup of the Mailbox role fails. Is this known to work with Samba 4.0 beta 3?

The release notes mention that Samba beta 3 is able to handle installation of exchange but some issues prevent run-time operation.

This is very much a work in progress, and if you are able to assist us in progressing this support (it will need code patches almost certainly) this would be very welcome.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] waf workaround?
On Thu, 2012-07-12 at 20:50 -0700, Linda W wrote:

Is it possible to build samba without waf? It has slowed down my local samba builds by a factor of 5-10x -- it seems to lack any parallelism, and on a 12 core machine, that really sucks.

Waf builds are quite parallel, just call make -j. Using this is a standard part of our regular builds on our 24 way autobuild server.

When going through its tests, it's noticeably slower than the configure shell tests that do the same... But then the build/make parts all go by like molasses... What is wrong with standard make tools that proprietary - going back a generation or two, stuff had to be used?

Waf is free software: https://code.google.com/p/waf/

What did it solve that wasn't solvable in a standard make?

It solved and solves many problems. https://wiki.samba.org/index.php/Waf has some details. In short, we tried a perl and Makefile based system for Samba4, and the issues that created led us to seek a new build system. See also BUILD_SYSTEMS.txt https://gitweb.samba.org/?p=samba.git;a=blob;f=BUILD_SYSTEMS.txt;h=2aff56d81aa27c92c76bbba65632c3eef481e7b8;hb=HEAD

Maybe waf can be configured to create a standard makefile to handle the more complex configuration parts, and then let make do what it does best?

There is much more to our build system than just Makefile-like construction.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] compiling samba 3.4.8 on CentOS_6.2
On 13/07/12 02:36, Heather Choi wrote:

How is Samba 3.6 against ADS broken? I have Samba 3.6.6 on SL6.2 with ADS and it's running great...

In general it is in my belief not broken, and even the generic Samba packages that come with RHEL 6.2 and its rebuilds work for me against our 2008R2 AD.

What I would say is that this bit of Samba configuration is poorly documented and seems to keep changing between releases, so a working config on 3.5 is bust on 3.6 etc.

Trying to compile 3.4.8 on anything is a really retrograde step anyway given that you will be making your box open to a remote root compromise...

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Can't get idmap connected to AD unix attribs
On 13/07/12 07:10, Nick Triantos wrote:

It turns out that setting idmap config * : ad was the cause of my failures. For some reason, that backend is not compiled into the Ubuntu packages (or at least, when I ran with debug = 3 for winbind, I saw that the backend 'ad' was failing to load).

It does seem, from my very non-scientific study of the list over the past few days, that a large number of questions seem to be focused on connecting samba with AD. Hopefully this can be made more rock-solid in the future.

regards,
-Nick

On Jul 11, 2012, at 10:50 AM, Rowland Penny wrote:

On 11/07/12 17:38, Nick Triantos wrote:

Hi Rowland,

Yes, I've added their unix attributes. It looks like there is a long-open bug in winbind/samba 3.6.x that may be causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676). I'm now stuck behind that so I'm trying to downgrade to 3.5.x.

regards,
-Nick

On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:

On 11/07/12 01:57, Nick Triantos wrote:

Thanks Robert. I've tried switching over to the AD back-end (which does sound like what I want), but I still receive only the errors:

    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I restarted both winbind and smbd after changing the config. Is there some cache I have to flush, or some other config that needs to be changed beyond the settings in smb.conf?

thanks again!
-Nick

My updated smb.conf:

    workgroup = CORP
    security = ADS
    #password server = 192.168.77.251
    realm = CORP.MYCOMPANY.COM
    allow trusted domains = yes
    winbind use default domain = yes
    winbind nested groups = YES
    idmap config CORP : backend = ad
    idmap config CORP : default = yes
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 800 - 9

On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:

Nick,

I think what you may be looking for is the ad backend: https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Since you are using tdb in your config, it is using a local database and allocates UID/GIDs on the fly...first come, first served. So a user may not get the same UID from one machine to the next.

Robert

On 07/10/2012 12:20 AM, Nick Triantos wrote:

Hi,

I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and Winbind to map userids and groups to the unix attributes in an AD 2008 server. I can see that when I perform an ldapsearch, I'm able to read the attributes, and for one of my accounts, the id should be 1001. However, when I run 'wbinfo -iusername', I get back something like 920. At one point, I was setting the idmap range to start at 900, but I've since removed that from my config, and restarted winbindd and smbd. I've also tried to 'net cache flush'.

I also see wbinfo -isomeuser usually returns:

    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user someuser

The relevant parts of my smb.conf are below. I've tried patching this together from various tuts and help pages. Any guidance would be very helpful.

thanks!
-Nick

    [global]
    workgroup = CORP
    security = ADS
    password server = 192.168.77.251
    realm = CORP.MYCOMPANY.COM
    allow trusted domains = yes
    winbind use default domain = yes
    winbind nested groups = YES
    idmap config CORP : backend = tdb
    idmap config CORP : default = yes
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 1000 -
    idmap config * : backend = tdb
    encrypt passwords = true
    obey pam restrictions = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    restrict anonymous = 2
    unix password sync = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36

Hi, just a thought, have you added the RFC2307 uid/gid values to your users on the AD server? if you haven't, there will be nothing to find and it may throw the error that you are getting.

Rowland

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

I am playing about with this on a Xubuntu 12.04 client against a
Re: [Samba] Can't get idmap connected to AD unix attribs
Hi Rowland,

Yes, I've added their unix attributes. It looks like there is a long-open bug in winbind/samba 3.6.x that may be causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676). I'm now stuck behind that so I'm trying to downgrade to 3.5.x.

regards,
-Nick

On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:

On 11/07/12 01:57, Nick Triantos wrote:

Thanks Robert. I've tried switching over to the AD back-end (which does sound like what I want), but I still receive only the errors:

    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I restarted both winbind and smbd after changing the config. Is there some cache I have to flush, or some other config that needs to be changed beyond the settings in smb.conf?

thanks again!
-Nick

My updated smb.conf:

    workgroup = CORP
    security = ADS
    #password server = 192.168.77.251
    realm = CORP.MYCOMPANY.COM
    allow trusted domains = yes
    winbind use default domain = yes
    winbind nested groups = YES
    idmap config CORP : backend = ad
    idmap config CORP : default = yes
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 800 - 9

On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:

Nick,

I think what you may be looking for is the ad backend: https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Since you are using tdb in your config, it is using a local database and allocates UID/GIDs on the fly...first come, first served. So a user may not get the same UID from one machine to the next.

Robert

On 07/10/2012 12:20 AM, Nick Triantos wrote:

Hi,

I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and Winbind to map userids and groups to the unix attributes in an AD 2008 server. I can see that when I perform an ldapsearch, I'm able to read the attributes, and for one of my accounts, the id should be 1001. However, when I run 'wbinfo -iusername', I get back something like 920. At one point, I was setting the idmap range to start at 900, but I've since removed that from my config, and restarted winbindd and smbd. I've also tried to 'net cache flush'.

I also see wbinfo -isomeuser usually returns:

    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user someuser

The relevant parts of my smb.conf are below. I've tried patching this together from various tuts and help pages. Any guidance would be very helpful.

thanks!
-Nick

    [global]
    workgroup = CORP
    security = ADS
    password server = 192.168.77.251
    realm = CORP.MYCOMPANY.COM
    allow trusted domains = yes
    winbind use default domain = yes
    winbind nested groups = YES
    idmap config CORP : backend = tdb
    idmap config CORP : default = yes
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 1000 -
    idmap config * : backend = tdb
    encrypt passwords = true
    obey pam restrictions = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    restrict anonymous = 2
    unix password sync = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36

Hi, just a thought, have you added the RFC2307 uid/gid values to your users on the AD server? if you haven't, there will be nothing to find and it may throw the error that you are getting.

Rowland
Re: [Samba] compiling samba 3.4.8 on CentOS_6.2
Too late to save grief, I've been grieving on this for weeks now.

I'm rolling back to 3.4.8 because I heard from several sources that idmap against AD has broken at some point since then. I'd obviously prefer to install 3.4.8 from an RPM or (even better) a yum repository somewhere but can't seem to find any for this distro and/or version.

I haven't heard from anywhere that the idmap -- ad problem is fixed in 3.6. Is it? If so, I'd be happy to try that instead.

I confess I'm unfamiliar with how to use RPM's to install the source and then compile from there. Install the RPM and then from some newly created source folder I ./configure / make / make install / etc? From the github link below, how do I get an actual rpm file to install? Can anyone point me toward a howto?

Or I could get the plain source tarball from samba.org for some later version (that's where I'm getting 3.4.8). But it seems likely I'll have the same trouble with the daemon not starting.

Or can anyone answer my actual question? For example, how to get logging working so I can get some clues on why the binary fails to start?

Hope to hear from you.

Randy

-Original Message-
From: Nico Kadel-Garcia [mailto:nka...@gmail.com]
Sent: Tuesday, July 10, 2012 6:07 PM
To: Randy Rue
Cc: samba@lists.samba.org
Subject: Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

On Tue, Jul 10, 2012 at 7:32 PM, Randy Rue randy...@gmail.com wrote:

Hello All.

Been trying without avail to make idmap work with my AD so I can get real UID/GID for SSH logins on a CentOS_6 box. Have heard from several sources that idmap has seen some serious changes since 3.5 and decided to roll back from the stock 3.5 that comes with CentOS_6 to 3.4.8. I'd like to see if it has the same problems.

Save yourself some grief. Either go to www.samba.org for a more recent version, or look at: https://github.com/nkadel/samba-3.6.4-srpm for some useful and very buildable tools for a more recent release.

Installed a clean build of CentOS_6.2.

Stopped the samba service, removed the package using yum and excluded samba* from yum updates in /etc/yum.conf.

Downloaded and extracted the 3.4.8 tarball.

cd into samba-3.../source3 and ran:

    the autoconfig.sh script
    ./configure
    make
    make install

copied the smb.init script from the packaging/RHEL/setup folder to /etc/init.d and made it executable

    chkconfig --add smb
    chkconfig smb on

service smb start fails. Tries to start both smbd and nmbd and both fail.

First I get errors about libraries. copied the libtalloc.so.1 file from /usr/local/samba/lib to /usr/lib64 fixed that one

Then I get errors about not finding the binaries linked /usr/local/samba/sbin/smbd and nmbd to /sbin and fixed that one

This feels like a hack. I also tried adding /usr/local/samba/sbin to the path. Also a hack but made no difference.

Now if I try service smb start (or restart) I get failures from the init script. Or I can try smbd directly and I get no response (it appears to start) but ps shows that it didn't start.

I've turned debug level and log level up to 3 in smb.conf (tried both arguments) but I get nothing in /var/log/syslog and nothing in any file in /var/log/samba when I try to start it.

Forgive the anecdotal tone of the above, I'm working mostly from memory and have probably garbled a path or file name. Then again, I've been through these steps six or more times now.

Am I missing something obvious?

Hope to hear from you,

Randy
Re: [Samba] Samba help?
On Thursday 12 July 2012 1:31:06 am Gémes Géza wrote:

Hi Miklos,

Hello Geza,

I stand chastised and apologize. I didn't mean to hijack someone's thread. I also didn't plan to ask for help in Hungarian, and this is just a coincidence. However, if you can help me I'll take whatever I can get, so thank you.

My question/problem is that I have no windows background at all and am trying to configure Samba with Active Directory. I also have no access to any windows machines to test my configuration so I don't know if it works. I believe I'm almost there but how do I know if it's really working?

SWAT works fine, but Winbindd won't start.

    infadmnq:/lssrc -g samba
    Subsystem  Group  PID       Status
    smbd       samba  14221530  active
    nmbd       samba  13893726  active
    winbindd   samba            inoperative

I ran testparm and it comes back clean.

    infadmnq:/testparm
    Load smb config files from /usr/lib/smb.conf
    Processing section [samba_infaQ]
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
    workgroup = HUMC
    security = DOMAIN
    auth methods = winbind
    password server = dchumc01, dchumc02
    client NTLMv2 auth = Yes
    syslog = 3
    log file = /var/log/samba
    ldap ssl = no
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = Yes
    winbind enum groups = Yes

    [samba_infaQ]
    comment = Share for DBA SAs
    path = /samba_infaQ

I run:

    smbclient -L '\\fileserver1\DECN_Shared\' -U INFAservice

and I get two pages of output starting like this:

    Sharename     Type  Comment
    ---------     ----  -------
    CHRT_Shared   Disk  CHRT Departmental Shared Files
    HEDU_Shared   Disk  HEDU Departmental Shared Files
    MREC_Shared   Disk  MREC Departmental Shared Files
    PHBL_Shared   Disk  PHBL Departmental Shared Files
    PHRM_Shared   Disk  PHRM Departmental Shared Files
    SLAB_Shared   Disk  SLAB Departmental Shared Files
    SPAS_Shared   Disk  SPAS Departmental Shared Files
    SPTY_Shared   Disk  SPTY Departmental Shared Files
    WomenChild    Disk

Thanks for all the help!!

Miklos

First question: What do wbinfo -p, wbinfo -u and wbinfo -g return?

You wrote, that you have to authenticate your users against an AD. Have you joined it (e.g. net ads join -U username_of_an_AD_user_with_the_priviledge_of_joining (for example an administrator))?

Regards

Geza

I've found that I need to do a few things to make Samba work with AD (and, it does for me. I must have 15 servers (Linux and *BSD) connected to our network via Win2008R2-based AD).

First, I believe you have to get kerberos set up properly on your Linux box.

Next, configure nsswitch.conf to use winbind.

Then, you must join the box to the domain, just as Geza mentioned.

After that, start samba.

Finally, you can run the commands that Geza suggested (wbinfo -p, wbinfo -u and wbinfo -g. I'd also suggest getent passwd).

These steps are all very well documented, and, are easy to find, but if you have a problem with anything, let us know.

Dimitri
Re: [Samba] Can't get idmap connected to AD unix attribs
It turns out that setting idmap config * : ad was the cause of my failures. For some reason, that backend is not compiled into the Ubuntu packages (or at least, when I ran with debug = 3 for winbind, I saw that the backend 'ad' was failing to load).

It does seem, from my very non-scientific study of the list over the past few days, that a large number of questions seem to be focused on connecting samba with AD. Hopefully this can be made more rock-solid in the future.

regards,
-Nick

On Jul 11, 2012, at 10:50 AM, Rowland Penny wrote:

On 11/07/12 17:38, Nick Triantos wrote:

Hi Rowland,

Yes, I've added their unix attributes. It looks like there is a long-open bug in winbind/samba 3.6.x that may be causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676). I'm now stuck behind that so I'm trying to downgrade to 3.5.x.

regards,
-Nick

On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:

On 11/07/12 01:57, Nick Triantos wrote:

Thanks Robert. I've tried switching over to the AD back-end (which does sound like what I want), but I still receive only the errors:

    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I restarted both winbind and smbd after changing the config. Is there some cache I have to flush, or some other config that needs to be changed beyond the settings in smb.conf?

thanks again!
-Nick

My updated smb.conf:

    workgroup = CORP
    security = ADS
    #password server = 192.168.77.251
    realm = CORP.MYCOMPANY.COM
    allow trusted domains = yes
    winbind use default domain = yes
    winbind nested groups = YES
    idmap config CORP : backend = ad
    idmap config CORP : default = yes
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 800 - 9

On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:

Nick,

I think what you may be looking for is the ad backend: https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Since you are using tdb in your config, it is using a local database and allocates UID/GIDs on the fly...first come, first served. So a user may not get the same UID from one machine to the next.

Robert

On 07/10/2012 12:20 AM, Nick Triantos wrote:

Hi,

I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and Winbind to map userids and groups to the unix attributes in an AD 2008 server. I can see that when I perform an ldapsearch, I'm able to read the attributes, and for one of my accounts, the id should be 1001. However, when I run 'wbinfo -iusername', I get back something like 920. At one point, I was setting the idmap range to start at 900, but I've since removed that from my config, and restarted winbindd and smbd. I've also tried to 'net cache flush'.

I also see wbinfo -isomeuser usually returns:

    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user someuser

The relevant parts of my smb.conf are below. I've tried patching this together from various tuts and help pages. Any guidance would be very helpful.

thanks!
-Nick

    [global]
    workgroup = CORP
    security = ADS
    password server = 192.168.77.251
    realm = CORP.MYCOMPANY.COM
    allow trusted domains = yes
    winbind use default domain = yes
    winbind nested groups = YES
    idmap config CORP : backend = tdb
    idmap config CORP : default = yes
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 1000 -
    idmap config * : backend = tdb
    encrypt passwords = true
    obey pam restrictions = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    restrict anonymous = 2
    unix password sync = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36

Hi, just a thought, have you added the RFC2307 uid/gid values to your users on the AD server? if you haven't, there will be nothing to find and it may throw the error that you are getting.

Rowland
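The idmap settings argued over in this thread can be checked mechanically before winbind is restarted. What follows is an added example, not code from any poster or from the Samba project: a small Python audit of the `idmap config` lines of an smb.conf, run on constructed sample configurations (the domain name CORP is reused from the thread; every range value is invented for illustration). The `*`/ad check encodes what the thread reports rather than a documented rule.

```python
import re

# Matches "idmap config <DOMAIN> : <option> = <value>" as written in smb.conf.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
# Options that only the ad backend reads (schema_mode is an idmap_ad option).
AD_ONLY = {"schema_mode"}

# Constructed sample: same shape as the configs posted in the thread.
BAD_CONF = """
[global]
   workgroup = CORP
   security = ADS
   idmap config * : backend = ad
   idmap config * : range = 3000 - 3999
   idmap config CORP : backend = tdb
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 1000 -
"""

# Constructed sample: allocating backend for '*', ad backend for the AD domain.
GOOD_CONF = """
[global]
   workgroup = CORP
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000 - 3999
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 10000 - 19999
"""


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out setting
        m = IDMAP_LINE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(value):
    """Return (low, high) for 'low - high' with low < high, else None."""
    m = RANGE.match(value or "")
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def audit(conf_text):
    """Return a list of (domain, finding) tuples; empty means no finding."""
    findings, ranges = [], {}
    for dom, opts in sorted(parse_idmap(conf_text).items()):
        backend = opts.get("backend")
        if backend is None:
            findings.append((dom, "no backend set"))
        if dom == "*" and backend == "ad":
            # Reported in the thread as the cause of the winbind failures.
            findings.append((dom, "default domain '*' uses backend ad"))
        rng = parse_range(opts.get("range"))
        if rng is None:
            findings.append(
                (dom, "range missing or malformed: %r" % opts.get("range")))
        else:
            ranges[dom] = rng
        if backend is not None and backend != "ad":
            for key in sorted(AD_ONLY & set(opts)):
                findings.append(
                    (dom, "%s has no effect with backend %s" % (key, backend)))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Two ID ranges overlap when each starts before the other ends.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append((a, "range overlaps with %s" % b))
    return findings


def uid_in_range(conf_text, domain, uid):
    """True if uid falls inside the domain's range. The ad backend treats the
    range as a filter, so an AD uidNumber outside it is ignored."""
    opts = parse_idmap(conf_text).get(domain.upper(), {})
    rng = parse_range(opts.get("range"))
    return rng is not None and rng[0] <= uid <= rng[1]


if __name__ == "__main__":
    for dom, finding in audit(BAD_CONF):
        print("%-5s %s" % (dom, finding))
    print("uid 1001 mapped by GOOD_CONF:", uid_in_range(GOOD_CONF, "CORP", 1001))
```

With the constructed GOOD_CONF, a uidNumber of 1001 (the value mentioned in the thread) falls outside the configured range, which is one way a correctly populated AD attribute can still fail to map.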
Re: [Samba] Linux SSO with samba4?
Hi Steve,

I have looked through your Ubuntu SSO howto and there seems to be a bit of confusion when it comes to the nslcd service. According to Ubuntu's official SSO howto at https://help.ubuntu.com/community/SingleSignOn , one configures nslcd for kerberos on the client side, but according to your howto, nslcd is configured on the kerberos server side. Also, you mentioned how to configure nslcd on the client side on this mailing list.

Does this mean that nslcd must be configured for kerberos on both the client and the server side?

br,
Quinn

On Thu, Jul 12, 2012 at 5:33 PM, steve st...@steve-ss.com wrote:

On 12/07/12 17:07, Quinn Plattel wrote:

yes, i found your windows/linux setup via google earlier, but the setup was based on OpenSuse which made it a little difficult in some areas when it comes to Ubuntu - particularly the nfs server setup section. But thanks for the info! :-)

There's an Ubuntu howto on the same site which includes the NFS. http://linuxcostablanca.blogspot.com.es/2012/01/samba-4-ubuntu.html

Cheers,
Steve

--
Best regards/Med venlig hilsen,
Quinn Plattel
[Samba] Dynamic DNS Update problem -- Ubuntu 12.04
Hello,

I've been struggling with this issue for a few days now. My configuration is pretty much a stock Ubuntu 12.04 server, with samba4 and bind9 installed from packages.

    Samba - 4.0.0alpha18
    bind - 9.8.1-P1

I've recompiled the bind package to add dlz support (added flag --with-dlopen), but I'm getting an error whenever a domain client connects and attempts to update its DNS record:

    Jul 12 20:21:05 test named[3252]: samba_dlz: starting transaction on zone demo.local
    Jul 12 20:21:05 test named[3252]: samba_dlz: allowing update of signer=demomachine\$\@DEMO.LOCAL name=demomachine.demo.local tcpaddr= type= key=456-ms-7.204-3a3a3d1.f31c37e4-cbf2-11e1-a98f-000c2941b972/160/0
    Jul 12 20:21:05 test named[3252]: samba_dlz: allowing update of signer=demomachine\$\@DEMO.LOCAL name=demomachine.demo.local tcpaddr= type=A key=456-ms-7.204-3a3a3d1.f31c37e4-cbf2-11e1-a98f-000c2941b972/160/0
    Jul 12 20:21:05 test named[3252]: samba_dlz: allowing update of signer=demomachine\$\@DEMO.LOCAL name=demomachine.demo.local tcpaddr= type=A key=456-ms-7.204-3a3a3d1.f31c37e4-cbf2-11e1-a98f-000c2941b972/160/0
    Jul 12 20:21:05 test named[3252]: client 172.16.1.1#59645: updating zone 'demo.local/NONE': deleting rrset at 'demomachine.demo.local'
    Jul 12 20:21:05 test named[3252]: client 172.16.1.1#59645: updating zone 'demo.local/NONE': deleting rrset at 'demomachine.demo.local' A
    Jul 12 20:21:05 test named[3252]: samba_dlz: failed to modify DC=demomachine,DC=demo.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=saluna,DC=net - objectclass: modify message must have elements/attributes!
    Jul 12 20:21:05 test named[3252]: samba_dlz: cancelling transaction on zone demo.local

Does anyone have an idea of what is wrong?

Thanks
Re: [Samba] Linux SSO with samba4?
Hi Bernd,

I looked through your solaris sso setup and I noticed that you use autofs for auto-mounting /home. Will this not give problems with mobile platforms when they don't have access to their home directories?

There is some interesting info on SSO and cached credentials here: https://help.ubuntu.com/community/SingleSignOn

br,
Quinn

On Thu, Jul 12, 2012 at 1:46 PM, Bernd Markgraf bernd.markg...@med.ovgu.de wrote:

Hi,

I am running such a setup for over 2 years now. Samba4 acting as AD for the Windows Clients and LDAP/Kerberos for Linux and Solaris clients. All users are stored centrally and no local users on the clients. I'd have to dig for more information on the setup though, as it's been a while since I implemented it.

http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html?showComment=190497132#c1731870195842128401 has my notes on setting up the Solaris clients. Linux was mostly similar enough with further information on several other sites.

HTH,
Bernd
Re: [Samba] Linux SSO with samba4?
On Fri, 2012-07-13 at 14:40 +0200, Quinn Plattel wrote:

Hi Bernd,

I looked through your solaris sso setup and I noticed that you use autofs for auto-mounting /home. Will this not give problems with mobile platforms when they don't have access to their home directories?

It sure would, but since there are no mobile devices running a Unix flavour around here, I'm ok with that. For the Windows notebooks - they keep a cached copy of the profile (unfortunately). All data are to be kept on site, at least that's the plan ;-)

Bernd
[Samba] Understanding kerberos principals in samba4
Hi,

When I have a service on a client that tries to use kerberos and I get errors such as these in the log.samba file:

    Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb

Does this mean that the kerberos authentication system is looking for the principal host/ubuntu-test.mydomain.net @ MYDOMAIN.NET in samba4's domain or in the server's /etc/krb5.keytab file?

I have tried adding this principal to the /etc/krb5.keytab file using ktutil, but this error still pops up. I noticed that you can export a principal into a keytab file using samba-tool domain exportkeytab but how do you add the principal to the domain? Will adding the missing principal using samba-tool spn solve problems like these?

According to https://help.ubuntu.com/community/SingleSignOn , you add a host to the kerberos realm by doing these two commands on the kerberos server:

    kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
    kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM

I am guessing that

    kadmin: ktadd -k ~/client.keytab host/client.example.com@ EXAMPLE.COM

is the equivalent of

    samba-tool domain exportkeytab ~/client.keytab --principal=host/client.example.com

but what is the equivalent of

    kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM

under samba4 ???

br,
Quinn
[Samba] Fwd: Linux SSO with samba4?
For the list

-- Forwarded message --
From: Bernd Markgraf bernd.markg...@med.ovgu.de
Date: Fri, Jul 13, 2012 at 2:44 PM
Subject: Re: [Samba] Linux SSO with samba4?
To: Quinn Plattel qie...@gmail.com
Cc: samba samba@lists.samba.org

On Fri, 2012-07-13 at 14:40 +0200, Quinn Plattel wrote:

Hi Bernd,

I looked through your solaris sso setup and I noticed that you use autofs for auto-mounting /home. Will this not give problems with mobile platforms when they don't have access to their home directories?

It sure would, but since there are no mobile devices running a Unix flavour around here, I'm ok with that. For the Windows notebooks - they keep a cached copy of the profile (unfortunately). All data are to be kept on site, at least that's the plan ;-)

Bernd

--
Best regards/Med venlig hilsen,
Quinn Plattel
[Samba] ldbsearch/kerberos issue
Samba 4.0.0beta3, CentOS 6.2

I can successfully perform an ldbsearch on the Samba ldb by specifying the -U parameter:

    # ldbsearch -H ldap://hostname -U username

and while I can kinit successfully, I cannot use the resulting ticket to connect:

    # ldbsearch -H ldap://hostname --kerberos=yes --krb5-ccache=/tmp/krb5cc_0
    Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
    Failed to connect to 'ldap://name' with backend 'ldap': (null)
    Failed to connect to ldap://name - (null)

Would appreciate a clue.

Steve
Re: [Samba] Linux SSO with samba4?
On 13/07/12 14:20, Quinn Plattel wrote:
> Does this mean that nslcd must be configured for kerberos on both the client and the server side?
Yes. nss-ldapd/nslcd must be running at both client and server ends. To save time, we made a usb memory stick with a script to copy the keytab, nslcd.conf and nsswitch.conf for new Linux clients.
Cheers, Steve
Re: [Samba] ldbsearch/kerberos issue
On 13/07/12 17:35, Steve Thompson wrote:
> Samba 4.0.0beta3, CentOS 6.2
> I can successfully perform an ldbsearch on the Samba ldb by specifying the -U parameter:
> # ldbsearch -H ldap://hostname -U username
> and while I can kinit successfully, I cannot use the resulting ticket to connect:
> # ldbsearch -H ldap://hostname --kerberos=yes --krb5-ccache=/tmp/krb5cc_0
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://name' with backend 'ldap': (null)
> Failed to connect to ldap://name - (null)
> Would appreciate a clue.
> Steve
Hi Steve
/tmp/krb5cc_0 is root's cache. Are you issuing the command as root?
Cheers, Steve
Re: [Samba] ldbsearch/kerberos issue
On Fri, 13 Jul 2012, steve wrote:
> /tmp/krb5cc_0 is root's cache. Are you issuing the command as root?
Yes, for the purposes of this particular test. However, the result is the same if I run as any other user, using the appropriate ticket cache.
Steve
[Samba] Migrated Server Hardware - Now Experiencing Some Client Drops
I have recently upgraded the hardware that the Samba server was running on. This also included an OS and Samba version upgrade.
Old Server: OpenSuSe 11.1, Samba 3.2.7
New Server: OpenSuSe 12.1, Samba 3.6.3
I moved over everything located in the /etc/samba directory from the old hardware to the new hardware. I set the new server to use the same IP Address, services, hostname. The only difference between the two servers (besides hardware) is the OS and the Samba revision.
It's been about two weeks now and since the switch, I have had between none and upwards of three clients losing connection to the server for a short period of time. The clients do not show anything beyond themselves and maybe one other workstation on the network for upwards of 5 minutes.
I have seen the following error in the log.nmbd file:
[2012/07/13 10:55:06, 0] nmbd/nmbd_browsesync.c:486(get_domain_master_name_node_status_fail)
get_domain_master_name_node_status_fail: Doing a node status request to the domain master browser at IP 192.168.254.57 failed.
Which has not repeated for several hours. In searching through my DHCP lease log, ip address 192.168.254.57 is no longer leased and it is not holding the hostname of the PC that had that address.
My smb.conf file has the OS Level set to 65, which should be high enough to be the master browser for the network. I also have the DHCP server providing the server's address as the WINS Server and the smb.conf file has WINS Support active and I am running the Winbind server.
Is there a log level that may show me more information as to what might be duking it out with the new Samba Server? (The old server is no longer connected to the network, it is available only as a last resort back-up at this time.)
--
Regards, Robert Adkins
[Samba] Change Password in Clients Windows
Hi,
I need users with Windows to change their password. I use samba version 3.5 only for authentication. Is it possible? Great.
Note: I use these lines in my samba.
unix password sync = yes
pam password change = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Re*ype*new*password* %n\n \
 *passwd:*all*authentication*tokens*updated*successfully*
--
Best regards,
Cristiano Furtado dos Santos
CAD Analyst
Salvador - Bahia
http://www.ekaaty.org
Ekaaty Linux Educacional, a new future for education in Brazil.
Re: [Samba] Linux SSO with samba4?
On Thu, 2012-07-12 at 13:22 +0200, Quinn Plattel wrote:
> Hi,
> I think it is great that samba4 has a single sign on solution for Windows platforms and it seems to work well too, but I am wondering is it possible to do the same for a Linux environment? I have been studying how to implement single sign on using the Ubuntu way through this document: https://help.ubuntu.com/community/SingleSignOn and I am wondering if I can do the same with samba4 where the samba4 just replaces openldap and the kerberos server components.
> On a windows client, you can login as a user though active directory even though that user is not defined locally on the client. Can you do the same in a Linux environment? I have done some testing and the results so far look as if it is not quite there yet. For example, if I ssh to a machine using kerberos credentials, I cannot ssh to it without having a local account defined on that machine. Does a kerberos/ldap solution solve that kind of problem?
We recommend and support joining Samba as a domain member to Samba4 for these situations. This will handle doing a login with kerberos, including a local kerberos ticket etc, providing the account via nss and everything else. The server can be Samba4 or Microsoft's AD. You may be interested in idmap_ad as an IDMAP module on the clients.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Understanding kerberos principals in samba4
On Fri, 2012-07-13 at 15:12 +0200, Quinn Plattel wrote:
> Hi,
> When I have a service on a client that tries to use kerberos and I get errors such as these in the log.samba file:
> Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
> Does this mean that the kerberos authentication system is looking for the principal host/ubuntu-test.mydomain.net @ MYDOMAIN.NET in samba4's domain
That would be in the domain. hdb is a reference to our sam.ldb in this case.
> or in the server's /etc/krb5.keytab file? I have tried adding this principal to the /etc/krb5.keytab file using ktutil, but this error still pops up.
> I noticed that you can export a principal into a keytab file using samba-tool domain exportkeytab but how do you add the principal to the domain? Will adding the missing principal using samba-tool spn solve problems like these?
Yes.
> According to https://help.ubuntu.com/community/SingleSignOn , you add a host to the kerberos realm by doing these two commands on the kerberos server:
> kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
> kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM
> I am guessing that
> kadmin: ktadd -k ~/client.keytab host/client.example.com@ EXAMPLE.COM
> is the equivalent of
> samba-tool domain exportkeytab ~/client.keytab --principal=host/client.example.com
> but what is the equivalent of
> kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
> under samba4 ???
If the client doesn't wish to have any Samba integration it would be adding a user, adding an spn, setting a random password and then using the exportkeytab command you mentioned.
However, joining the machine using Samba would be more likely what you want, i.e. run 'net ads join' on the client, and look into the keytab options in the smb.conf for how to have Samba maintain a system keytab for your other services.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
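The steps named in the reply above (add a user, add an SPN, set a random password, export the keytab), tied back to the log error that started the thread, as an added example that is not part of the original messages. It assumes the samba-tool subcommand names of current Samba releases (`user create --random-password`, `spn add`, `domain exportkeytab`), which may differ on the 4.0 beta discussed here; the log lines, account names and keytab paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The log lines are constructed in the
# shape quoted in the message; account and keytab names are hypothetical.

sample_log() {
cat <<'EOF'
Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: UNKNOWN -- nfs/files.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: UNKNOWN -- krbtgt/OTHER.EXAMPLE@MYDOMAIN.NET: no such entry found in hdb
Kerberos: UNKNOWN -- olduser@MYDOMAIN.NET: no such entry found in hdb
Kerberos: UNKNOWN -- host/pc1.other.example@OTHER.EXAMPLE: no such entry found in hdb
EOF
}

# Print each distinct service principal (service/host form) that the KDC could
# not find for realm $1. User principals, krbtgt/ entries and other realms are
# skipped: adding an SPN does not fix those.
missing_principals() {
    realm_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s|^.*Kerberos: UNKNOWN -- \([^ @]*/[^ @]*\)@${realm_re}: no such entry found in hdb.*\$|\1|p" |
        grep -v '^krbtgt/' | LC_ALL=C sort -u
}

# Print (not run) the steps from the reply: add a user with a random password,
# add the SPN to it, export the keytab.
# $1 = SPN without realm, $2 = account name, $3 = keytab path.
plan_for() {
    spn=$1 account=$2 keytab=$3
    case $spn in
        *@*|*' '*|/*|*/) echo "bad SPN: $spn" >&2; return 1 ;;
        */*) ;;
        *) echo "bad SPN: $spn" >&2; return 1 ;;
    esac
    # AD limits a user's sAMAccountName to 20 characters.
    if [ "${#account}" -gt 20 ]; then
        echo "account name longer than 20 characters: $account" >&2
        return 1
    fi
    printf 'samba-tool user create %s --random-password\n' "$account"
    printf 'samba-tool spn add %s %s\n' "$spn" "$account"
    printf 'samba-tool domain exportkeytab %s --principal=%s\n' "$keytab" "$spn"
}

# Demo: one plan per missing principal found in the constructed log.
sample_log | missing_principals MYDOMAIN.NET | while read -r p; do
    host=${p#*/}; host=${host%%.*}
    plan_for "$p" "svc-${p%%/*}-$host" "/root/${p%%/*}-$host.keytab"
done
```

The exported keytab holds the account's long-term keys, so it should be readable only by the service that uses it.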
[Samba] force group + acls
Hi everyone,
So I'm trying to copy files from a windows share to a samba share. I'm using robocopy to mirror files and permissions, but I've recently hit a little problem with the interaction of permissions, and I'm not sure how to fix it.
What's happening is that after a file is copied, its permissions are updated. What I end up with is Domain Users (the default group) is assigned to the file with no permissions, and the builtin Users group is assigned, via ACLs, with full permissions. Of course, the problem is that the builtin Users group actually contains the Domain Users group, so I end up with a case of Domain Users being unable to access the file.
Now, in an ideal world, unix filesystems would implement ACLs in a way that isn't a kludgey bolt-on feature, but since it is, I'd like samba to help me work around it and set the unix group to something which will then be ignored when reporting file permissions back to Windows. I thought that I found this feature in the force group command, but I was wrong.
Force group sounds exactly like what I want. I want samba to assign a default group, e.g. root, to all of my files, and then add and modify additional groups via the ACL system. This would prevent the wackiness I'm seeing, and get ACLs working properly. However, what ends up happening in this case is that the file is created as me, with the default group set to root (yay!), then the permissions are fixed, and the owner is set to root and the group is set to Domain Users. This seems a bit strange to me because Domain Users is not mentioned in the Windows ACLs at all, so it makes me wonder:
a) Why is the group being set to Domain Users at all?
b) Why isn't the group still forced to root as I asked?
One option I've considered is messing with the various mode bits. I could, for example, ensure that the default group always had full permissions (or at least read-only permissions), but that changes the problem because now I am granting permissions where there were none before.
I'm using samba version 3.6.3, on Ubuntu 12.04. Here is my config:
==
[global]
log level = 3
server string = samba
netbios name = samba
interfaces = 10.0.0.36
security = ads
realm = DOMAIN.COM
workgroup = DOMAIN
# I want to see the domain name as part of the user name:
winbind use default domain = no
winbind separator = +
# From here we configure the idmaps
idmap config * : backend = tdb
idmap config * : range = 5000-6000
idmap config DOMAIN: default = yes
idmap config DOMAIN: backend = rid
idmap config DOMAIN: range = 10-20
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
# how many nested groups to traverse:
winbind expand groups = 10
client use spnego = yes
encrypt passwords = true
restrict anonymous = 2
# Windows doesn't have this restriction, so neither do we:
hide dot files = no
# Use extended ACL attributes to store windows permissions:
vfs objects = acl_xattr
ea support = yes
map acl inherit = yes
store dos attributes = yes
map hidden = no
map system = no
map archive = no
map readonly = no
# Just to be safe:
invalid users = root
# Recommended for ADS security mode:
#name resolve order = wins bcast
template homedir = /srv/Homes/%D/%U
template shell = /bin/false
unix extensions = no
# Allocate file blocks at creation time (no sparse files), helps
# with quotas.
strict allocate = yes
allocation roundup size = 1024
[Share]
path = /srv/Share
writable = yes
admin users = DOMAIN+mike
#force group = root
#force directory security mode = 0070
==
Please let me know if I can provide more information.
Thanks,
Mike (:
--
m...@piratehaven.org---The_glass_is_too_big
Re: [Samba] compiling samba 3.4.8 on CentOS_6.2
You really shouldn't bother trying to compile Samba by hand. If you want Samba 3.4, get this: http://ftp.sernet.de/pub/samba/3.4/rhel/6/x86_64/
On 07/13/2012 03:51 AM, Jonathan Buzzard wrote:
On 13/07/12 02:36, Heather Choi wrote:
How is Samba 3.6 against ADS broken? I have Samba 3.6.6 on SL6.2 with ADS and it's running great...
In general it is in my belief not broken, and even the generic Samba packages that come with RHEL 6.2 and its rebuilds work for me against our 2008R2 AD. What I would say is that this bit of Samba configuration is poorly documented and seems to keep changing between releases, so a working config on 3.5 is bust on 3.6 etc. Trying to compile 3.4.8 on anything is a really retrograde step anyway given that you will be making your box open to a remote root compromise...
JAB.
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 10b818b s3-auth_samba4: Explain that check_samba4_security is actually unused via 1013fab lib/util: Allocate enough space to reference blob-data[len] from 15fedb3 s3-auth Remove unused global_machine_account_needs_changing http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 10b818bb222aaec4de2c31594e5ca48102f7af6a Author: Andrew Bartlett abart...@samba.org Date: Fri Jul 13 15:51:49 2012 +1000 s3-auth_samba4: Explain that check_samba4_security is actually unused Because of the evolution in the way the auth handling has been done, we do not need this code any more. Raw NTLM Session setup X is done via the auth4 context which returns a full session info. Andrew Bartlett Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Fri Jul 13 10:04:05 CEST 2012 on sn-devel-104 commit 1013fab5f82f283335a5d8cbb1bfde8a80d7979c Author: Andrew Bartlett abart...@samba.org Date: Fri Jul 13 15:42:08 2012 +1000 lib/util: Allocate enough space to reference blob-data[len] Found by Thomas Hood jdth...@gmail.com using valgrind. Thanks! Andrew Bartlett --- Summary of changes: lib/util/asn1.c|6 +++--- source3/auth/auth_samba4.c | 10 ++ 2 files changed, 13 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/asn1.c b/lib/util/asn1.c index c23bf65..70637a3 100644 --- a/lib/util/asn1.c +++ b/lib/util/asn1.c @@ -844,7 +844,7 @@ bool asn1_read_OctetString(struct asn1_data *data, TALLOC_CTX *mem_ctx, DATA_BLO return false; } *blob = data_blob_talloc(mem_ctx, NULL, len+1); - if (!blob-data) { + if (!blob-data || blob-length len) { data-has_error = true; return false; } 
@@ -927,8 +927,8 @@ bool asn1_read_BitString(struct asn1_data *data, TALLOC_CTX *mem_ctx, DATA_BLOB } if (!asn1_read_uint8(data, padding)) return false; - *blob = data_blob_talloc(mem_ctx, NULL, len); - if (!blob-data) { + *blob = data_blob_talloc(mem_ctx, NULL, len+1); + if (!blob-data || blob-length len) { data-has_error = true; return false; } diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c index ff73ffb..6093de4 100644 --- a/source3/auth/auth_samba4.c +++ b/source3/auth/auth_samba4.c @@ -31,6 +31,16 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH +/* + * This hook is currently unused, as all NTLM logins go via the hooks + * provided by make_auth4_context_s4() below. + * + * This is only left in case we find a way that it might become useful + * in future. Importantly, this routine returns the information + * needed for a NETLOGON SamLogon, not what is needed to establish a + * session. + */ + static NTSTATUS check_samba4_security(const struct auth_context *auth_context, void *my_private_data, TALLOC_CTX *mem_ctx, -- Samba Shared Repository
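Review bot: in the asn1_read_OctetString hunk, `len+1` is computed inside the data_blob_talloc() call before anything bounds `len`, so the only protection against that addition wrapping is the new comparison of the blob length against `len` after the allocation has already happened. Rejecting an oversized `len` before allocating would make the intent explicit, and a one-line comment saying the extra byte exists so that data[len] is addressable would keep the next reader from "simplifying" the check away.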
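Review bot: the asn1_read_BitString hunk repeats the same allocate `len+1` then compare-length sequence as asn1_read_OctetString, and neither site carries a comment explaining the extra byte; the reason is recorded only in the commit subject. Consider a small shared helper for the allocation and check, or at least the same short comment in both places, so the two readers cannot drift apart the way they had before this change (one used `len+1`, the other `len`).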
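Review bot: in the auth_samba4.c hunk, the new comment declares check_samba4_security "currently unused" but the function body is kept as is, so nothing enforces or tests that claim. Unused authentication paths tend to rot unnoticed; if the hook really cannot be reached, consider removing it, or have it log at a visible debug level when entered so that a future caller that does reach it is noticed rather than silently exercising untested code.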
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 27e20d5 s3: Make us survive smb2.lock.rw-shared with aio enabled from 10b818b s3-auth_samba4: Explain that check_samba4_security is actually unused http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 27e20d5d60ea8aa526bcb7c2dfc18dd2de0bb97b Author: Volker Lendecke v...@samba.org Date: Fri Jul 13 08:38:07 2012 +0200 s3: Make us survive smb2.lock.rw-shared with aio enabled schedule_aio_smb2_write can return NT_STATUS_FILE_LOCK_CONFLICT. This is a valid error code that smb2.lock.rw-shared expects and checks for. The code before this patch maps this to NT_STATUS_FILE_CLOSED, masking the real, correct error message. Signed-off-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Fri Jul 13 21:53:51 CEST 2012 on sn-devel-104 --- Summary of changes: source3/smbd/smb2_write.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_write.c b/source3/smbd/smb2_write.c index 8ddd8cc..6a78939 100644 --- a/source3/smbd/smb2_write.c +++ b/source3/smbd/smb2_write.c @@ -318,7 +318,7 @@ static struct tevent_req *smbd_smb2_write_send(TALLOC_CTX *mem_ctx, if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) { /* Real error in setting up aio. Fail. */ - tevent_req_nterror(req, NT_STATUS_FILE_CLOSED); + tevent_req_nterror(req, status); return tevent_req_post(req, ev); } -- Samba Shared Repository
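Review bot: in the smbd_smb2_write_send hunk, `tevent_req_nterror(req, status)` now forwards whatever schedule_aio_smb2_write returned, and the only filter visible here is that it is not NT_STATUS_RETRY. tevent_req_nterror() does not fail the request when handed a success status, so please confirm the success case is dealt with before this branch is reached, and extend the "Real error in setting up aio" comment to say that NT_STATUS_FILE_LOCK_CONFLICT is an expected value that must reach the client unchanged.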
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 726ecf6 Fix bug #9016 - Connection to outbound trusted domain goes offline. from 27e20d5 s3: Make us survive smb2.lock.rw-shared with aio enabled http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 726ecf6a915ff534af4076e9d0cdebf8b5435d61 Author: Jeremy Allison j...@samba.org Date: Fri Jul 13 16:25:23 2012 -0700 Fix bug #9016 - Connection to outbound trusted domain goes offline. By the time we've gotten to init_dc_connection_network() we shouldn't be second guessing the caller by calling winbindd_can_contact_domain(). If for some reason we do need to restrict the contact list here we can add a condition to only contact the primary domain or domains listed in the tdc cache, but I don't think that's neccessary. Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Sat Jul 14 03:17:57 CEST 2012 on sn-devel-104 --- Summary of changes: source3/winbindd/winbindd_cm.c |6 -- 1 files changed, 0 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index f52e723..f1e4204 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1740,12 +1740,6 @@ static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain) return NT_STATUS_OK; } - if (!winbindd_can_contact_domain(domain)) { - invalidate_cm_connection(domain-conn); - domain-initialized = True; - return NT_STATUS_OK; - } - if (connection_ok(domain)) { if (!domain-initialized) { set_dc_type_and_flags(domain); -- Samba Shared Repository
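Review bot: the block removed from init_dc_connection_network() was the only place in this hunk where a domain that cannot be contacted had its connection invalidated and `initialized` set before returning NT_STATUS_OK, and after the removal nothing in the function records that callers are now trusted to have made that decision. Please add a comment at the top of the function stating the precondition described in the commit message, and confirm that every caller either checks winbindd_can_contact_domain() itself or is meant to fall through to connection_ok() for such domains.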