Re: [Samba] Internal DNS stops forwarding
On 10/08/2012 11:02 AM, fe...@epepm.cupet.cu wrote:
> Happened again with rc2 but found that at the same time this error shows
> every second:
>
> [2012/10/05 09:01:39, 0] ../source4/smbd/process_single.c:56(single_accept_connection)
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES

Somehow I missed this information, can you do a lsof and filter just the process that is handling the DNS requests (the one that you get from netstat -anp | grep 53).

It could be related to this bug: https://bugzilla.samba.org/show_bug.cgi?id=8878

In a nutshell I suspect that our server sends forward requests to the forwarder that are never answered and the connections pile up, once we reached the limit (1024 ?) the server didn't accept any new connections.

--
Matthieu Patou
Samba Team
http://samba.org

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] Internal DNS stops forwarding
Hi

On 8 October 2012 20:02, fe...@epepm.cupet.cu wrote:
> Happened again with rc2 but found that at the same time this error shows
> every second:
>
> [2012/10/05 09:01:39, 0] ../source4/smbd/process_single.c:56(single_accept_connection)
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES
>
> After restarting everything is OK, but it happened yesterday though I
> didn't notice it was at the same time the dns error and this too many
> opened files.
>
>> Next time when it happens can you do this:
>> netstat -anp | grep 53
>> to get the pid of the samba process that is listening on port 53
>> then do
>> gdb -p pid
>> bt full
>> thread apply all bt full
>> info locals
>> generate-core-file /tmp/core_for_dns
>>
>> And send to the list the info, keep the corefile in a safe place and
>> send it upon request to one of the samba developers.
>>
>> Matthieu.
>
> Here we go:
> root@ad:~# netstat -anp | grep 53|grep samba|wc -l
> 1003

I think this is the direct cause of the too many open files error. The default limit for number of open files is 1024. Of course I don't know what's causing samba to start so many instances of itself in the first place.

Matthieu Patou m...@samba.org wrote:
> Somehow I missed this information, can you do a lsof and filter just the
> process that is handling the DNS requests (the one that you get from
> netstat -anp | grep 53).

e.g. try this:

# lsof -n -P -i :53

> It could be related to this bug:
> https://bugzilla.samba.org/show_bug.cgi?id=8878
>
> In a nutshell I suspect that our server sends forward requests to the
> forwarder that are never answered and the connections pile up, once we
> reached the limit (1024 ?) the server didn't accept any new connections.

Seems likely.

--
Michael Wood esiot...@gmail.com

[Samba] samba 4 / replicate ldap
Hai,

Is it possible to replicate the ldap of samba, is this enabled.
( for example with deltasync or syncrepl )

I need to replicate the ldap somehow..

Louis

Re: [Samba] samba 4 / replicate ldap
On Tue, 2012-10-09 at 09:14 +0200, L.P.H. van Belle wrote:
> Hai,
>
> Is it possible to replicate the ldap of samba, is this enabled.
> ( for example with deltasync or syncrepl )
>
> I need to replicate the ldap somehow..

The only two replication schemes we support are dirsync and DRS replication between windows or Samba AD DCs.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

Re: [Samba] samba 4 / replicate ldap
Is there any good documentation on DRS and/or dirsync.
I'm looking for an example.

Because what I did find for now, it seems I have to stick to samba 3.

Louis

> -----Original message-----
> From: Andrew Bartlett [mailto:abart...@samba.org]
> Sent: Tuesday 9 October 2012 9:31
> To: L.P.H. van Belle
> CC: samba@lists.samba.org
> Subject: Re: [Samba] samba 4 / replicate ldap
>
> On Tue, 2012-10-09 at 09:14 +0200, L.P.H. van Belle wrote:
>> Hai,
>>
>> Is it possible to replicate the ldap of samba, is this enabled.
>> ( for example with deltasync or syncrepl )
>>
>> I need to replicate the ldap somehow..
>
> The only two replication schemes we support are dirsync and DRS
> replication between windows or Samba AD DCs.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

Re: [Samba] samba 4 / replicate ldap
On Tue, 2012-10-09 at 09:39 +0200, L.P.H. van Belle wrote:
> Is there any good documentation on DRS and/or dirsync.
> I'm looking for an example.

This page explains how to add additional Samba4 DCs to a domain:
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

> Because what I did find for now, it seems I have to stick to samba 3.

Rather than asking how to do LDAP replication, perhaps you can explain what you want to achieve?

Furthermore, the full facilities that Samba 3.x provided, including the LDAP passdb backend, remain in the Samba 4.0 release (use smbd/nmbd). However it won't be an AD Domain controller, it will still be what we now call a 'classic' domain controller (NT4-like).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

Re: [Samba] samba4 64bit-portability-issue
On Mon, 2012-10-08 at 14:49 +0100, Bruno Fernandes wrote:
> Hi,
>
> I'm trying to build samba-4.0.0rc2.tar.gz on build.opensuse.org and I'm
> getting this error message:
>
> E: samba4 64bit-portability-issue ../source3/modules/vfs_full_audit.c:1837, 1853

There are patches in master for this. Please file a bug, and someone will pick the patches into the next rc release.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

[Samba] wbinfo -g empty
Hello lists,

I have an interesting problem with my samba 3.6.8. I cannot get the group list with wbinfo -g command. The answer is always empty. wbinfo -u seems to work fine.

Has anyone met the same problem? Can't figure out where I made a mistake.

Thank you.

See config file below.

[global]
    workgroup = AVC
    netbios name = AVC-DC
    server string = Primary Domain Controler
    obey pam restrictions = Yes
    passwd program = /usr/bin/passwd %U
    passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*
    passwd chat debug = Yes
    unix password sync = Yes
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 1000
    load printers = No
    add user script = /usr/sbin/useradd -g 504 -d /dev/null -s /bin/False %U
    logon script = %U.bat
    logon path =
    logon drive = O:
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    idmap config AVC : backend = tdb
    idmap config AVC : range =1000-9
    recycle:exclude_dir = /tmp
    recycle:exclude = *.tmp
    recycle:versions = Yes
    recycle:touch = Yes
    recycle:keeptree = Yes
    recycle:repository = /trash/%m
    create mask = 0666
    directory mask = 0777
    veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
    oplocks = No
    vfs objects = recycle

Re: [Samba] Cannot make Windows join Samba domain
Hi Michael, thanks for the reply.

I'm not sure if I have correctly checked the things you asked. I've installed Samba via apt-get, and I had to compile OpenLDAP by hand (I failed miserably trying to make it work from the apt packages). The NSLCD and SSSD packages are not installed, and there is no occurrence of nslcd nor sssd under the /usr directory.

Regarding the scope filter, the only configuration I found (that I think is related to scope) is the following line from the smbldap.conf file:

scope=sub

Célio

On 08/10/2012, at 23:25, Michael Starling mlstarlin...@hotmail.com wrote:
> I'm curious as to what modules you're using for NSS lookups? SSSD, or
> NSLCD and pam_ldap?
>
> I'd make sure you aren't using scope filters as this has caused me
> similar headaches in the past.
>
> On Oct 8, 2012, at 9:04 PM, Celio Cidral Jr ccid...@gmail.com wrote:
>> Hi,
>>
>> I'm having an issue trying to make a Windows machine join a Samba
>> domain. Samba is running with LDAP backend (OpenLDAP). When I try to
>> join the domain, Windows says that the machine account does not exist.
>> The machine account, however, is successfully created in the LDAP
>> directory after the join fails. When I try to join again, Windows says
>> that the account already exists. Has anyone here already experienced
>> such problem?
>>
>> This is a fresh install of Samba + OpenLDAP. I already ran
>> smbldap-populate, all initial accounts and groups are present in the
>> database.
>>
>> Some info:
>>
>> OpenLDAP 2.4.32
>> Samba 3.6.3-2ubuntu2.3 (amb64)
>>
>> smb.conf:
>>
>> [global]
>>     workgroup = RTS
>>     server string = %h
>>     map to guest = Bad User
>>     passdb backend = ldapsam:ldap://127.0.0.1
>>     passwd program = /usr/sbin/smbldap-passwd %u
>>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>     syslog = 0
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     add user script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -a %u
>>     delete user script = /root/smbldap-tools-0.9.9/smbldap-userdel.cmd %u
>>     add group script = /root/smbldap-tools-0.9.9/smbldap-groupadd.cmd -p %g
>>     delete group script = /root/smbldap-tools-0.9.9/smbldap-groupdel.cmd %g
>>     add user to group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -m %u %g
>>     delete user from group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -x %u %g
>>     set primary group script = /root/smbldap-tools-0.9.9/smbldap-usermod.cmd -g %g %u
>>     add machine script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -i -t 0 %u
>>     domain logons = Yes
>>     preferred master = Yes
>>     domain master = Yes
>>     wins support = Yes
>>     ldap admin dn = cn=Manager,dc=rtsbrasil,dc=com,dc=br
>>     ldap delete dn = Yes
>>     ldap group suffix = ou=Groups
>>     ldap idmap suffix = ou=Idmap
>>     ldap machine suffix = ou=Computers
>>     ldap passwd sync = yes
>>     ldap suffix = dc=rtsbrasil,dc=com,dc=br
>>     ldap ssl = no
>>     ldap user suffix = ou=Users
>>     panic action = /usr/share/samba/panic-action %d
>>     idmap config * : backend = tdb
>>
>> smbldap.conf:
>>
>> SID=S-1-5-21-2940977410-1091208426-162815782
>> sambaDomain=RTS
>> masterLDAP=localhost
>> masterPort=389
>> ldapTLS=0
>> ldapSSL=0
>> verify=none
>> cafile=/etc/ssl/certs/cacert.pem
>> suffix=dc=rtsbrasil,dc=com,dc=br
>> usersdn=ou=Users,${suffix}
>> computersdn=ou=Computers,${suffix}
>> groupsdn=ou=Groups,${suffix}
>> idmapdn=ou=Idmap,${suffix}
>> sambaUnixIdPooldn=sambaDomainName=${sambaDomain},${suffix}
>> scope=sub
>> hash_encrypt=SSHA
>> crypt_salt_format=%s
>> userLoginShell=/bin/bash
>> userHome=/home/%U
>> userHomeDirectoryMode=700
>> userGecos=System User
>> defaultUserGid=513
>> defaultComputerGid=515
>> skeletonDir=/etc/skel
>> defaultMaxPasswordAge=45
>> userSmbHome=\\D0-SMBDOM\%U
>> userProfile=\\D0-SMBDOM\profiles\%U
>> userHomeDrive=H:
>> userScript=logon.bat
>> mailDomain=itfor.it
>> with_smbpasswd=0
>> smbpasswd=/usr/bin/smbpasswd
>> with_slappasswd=0
>> slappasswd=/usr/sbin/slappasswd
>>
>> samba's log:
>>
>> [2012/10/08 21:54:37.044857, 0] rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)
>>   Auth failed (NT_STATUS_NO_SUCH_USER)
>> [2012/10/08 21:54:37.115070, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
>>   _netr_ServerAuthenticate3: no challenge sent to client PROJETOS
>> [2012/10/08 21:54:37.146424, 0] rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)
>>   Auth failed (NT_STATUS_NO_SUCH_USER)
>> Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, DATA line 522.
>> Use of uninitialized value $pass in string ne at /root/smbldap-tools-0.9.9/smbldap-useradd.cmd line 349.
>> Use of uninitialized value $pass2 in string ne at /root/smbldap-tools-0.9.9/smbldap-useradd.cmd line 349.
>>
>> slapd's log:
>>
>> Oct 8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SRCH base= scope=2 deref=0 filter=(objectClass=sambaTrustedDomainPassword)
>> Oct 8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SRCH attr=sambaDomainName sambaSID
>> Oct 8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SEARCH RESULT

Re: [Samba] Cannot make Windows join Samba domain
Do you have an /etc/ldap.conf or /etc/pam_ldap.conf file?

On Oct 9, 2012, at 7:43 AM, Celio Cidral Jr ccid...@gmail.com wrote:
> Hi Michael, thanks for the reply.
>
> I'm not sure if I have correctly checked the things you asked. I've
> installed Samba via apt-get, and I had to compile OpenLDAP by hand (I
> failed miserably trying to make it work from the apt packages). The
> NSLCD and SSSD packages are not installed, and there is no occurrence of
> nslcd nor sssd under the /usr directory.
>
> Regarding the scope filter, the only configuration I found (that I think
> is related to scope) is the following line from the smbldap.conf file:
>
> scope=sub
>
> Célio

[Samba] kvno problem when accessing bdc as \\domain.com
Hi!

I have a samba4 domain with two r/w directory controllers. DNS is set up so that domain.com name addresses both servers for redundancy. But workstations can't contact second server with address \\domain.com because the kvno is different than first servers kvno and when using \\domain.com address the kvno seems to be always first servers kvno.

Can I somehow increase the second servers kvno or is there other solutions

Hannu

Re: [Samba] Internal DNS stops forwarding
> Happened again with rc2 but found that at the same time this error shows
> every second:
>
> [2012/10/05 09:01:39, 0] ../source4/smbd/process_single.c:56(single_accept_connection)
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES
>
> root@ad:~# netstat -anp | grep 53|grep samba|wc -l
> 1003
>
> I think this is the direct cause of the too many open files error.
>
> https://bugzilla.samba.org/show_bug.cgi?id=8878
>
> In a nutshell I suspect that our server sends forward requests to the
> forwarder that are never answered and the connections pile up, once we
> reached the limit (1024 ?) the server didn't accept any new connections.
>
> Seems likely.

I think it is. Because all the connections I see when the error occurs are related to the forwarder I declared in smb.conf. The number of connections keeps growing again until the error appears. So I have to restart samba.

And, yes, lsof, shows that all connections but 2 are related to the forwarder.

Cheers,
Felix.

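[Added example, not part of the thread or of Samba: a small POSIX sh check that turns the lsof listing discussed above into a per-forwarder socket count and compares the total with the open-file limit. The function names, the addresses and the sample listing are constructed for illustration; the 1003 sockets against a limit of 1024 mirror the figures reported in the thread.]

```shell
#!/bin/sh
# Added example: tally the sockets `lsof -n -P -i :53` reports for the DNS
# process and compare the total with its open-file limit.

# Constructed sample, shaped like the situation in the thread: 1003 sockets,
# all but 2 of them connected to one forwarder (198.51.100.1, hypothetical).
sample_lsof() {
    echo 'COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME'
    echo 'samba   2211 root   28u  IPv4  91001      0t0  TCP 192.0.2.10:53 (LISTEN)'
    echo 'samba   2211 root   29u  IPv4  91002      0t0  UDP 192.0.2.10:53'
    awk 'BEGIN {
        for (i = 0; i < 1001; i++)
            printf "samba   2211 root %5du  IPv4 %6d      0t0  UDP 192.0.2.10:%d->198.51.100.1:53\n",
                   30 + i, 92000 + i, 40000 + i
    }'
}

# peer_counts: stdin = lsof output; stdout = "<count> <peer>" for every remote
# peer on port 53, busiest first. Listening sockets and inbound clients
# (remote port is not 53) are skipped.
peer_counts() {
    awk 'NR > 1 {
             for (i = 1; i <= NF; i++)
                 if (index($i, "->")) {
                     split($i, ends, "->")
                     if (ends[2] ~ /:53$/) n[ends[2]]++
                 }
         }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# soft_nofile PID: soft "Max open files" limit of a running process (Linux).
soft_nofile() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits"
}

# fd_pressure LIMIT [WARN_PCT]: stdin = lsof output for one process.
# Prints one status line and returns 1 once the socket count reaches WARN_PCT
# percent of LIMIT (default 80). Port-53 sockets are only part of the
# process's descriptors, so the real usage is at least this high.
fd_pressure() {
    limit=$1 warn_pct=${2:-80}
    input=$(cat)
    total=$(printf '%s\n' "$input" | awk 'NR > 1' | wc -l | tr -d ' ')
    top=$(printf '%s\n' "$input" | peer_counts | head -n 1)
    pct=$(( total * 100 / limit ))
    if [ "$pct" -ge "$warn_pct" ]; then status=WARN; rc=1; else status=OK; rc=0; fi
    printf '%s sockets=%s limit=%s used=%s%% top_peer="%s"\n' \
        "$status" "$total" "$limit" "$pct" "$top"
    return $rc
}

# Live use (as root), with pid taken from `netstat -anp | grep 53`:
#   lsof -n -P -a -p "$pid" -i :53 | fd_pressure "$(soft_nofile "$pid")"
sample_lsof | fd_pressure 1024 || true
```

Run from cron or a monitoring agent, the non-zero return gives a warning before accept() starts failing with NT_STATUS_TOO_MANY_OPENED_FILES.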
Re: [Samba] Cannot make Windows join Samba domain
Fixed! In the add machine script I replaced the -i argument with -W. Don't know why it does not work with -i (trust machine account).

Now the machine fails to join the domain in the first attempt (same error message), but in the second attempt it joins successfully.

The problem now is that the machine cannot list the domain's users/groups without asking for the root credentials, but that's another story.

Thanks,
Célio.

Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
On 09/10/12 17:36, steve wrote:
> On 08/10/12 18:23, steve wrote:
>> On 08/10/12 17:40, m...@matws.net wrote:
>>> samba-tool ntacl sysvolreset --use-s3fs

Now no user can enter sysvol:

getfacl sysvol/
# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:300:r--
group:301:r--
group:302:r--
mask::rwx
other::---

Using wbinfo:
300 BUILTIN\Server Operators 4
301 NT AUTHORITY\SYSTEM 5
302 NT AUTHORITY\Authenticated Users 5

but Authenticated Users do not get read access. . .

Cheers,
Steve

[Samba] 4.0 and Netapp filer ?
Hello

Has anyone tested to register a Netapp filer in a windows domain managed by a samba 4.0 server ?

Thanks

Re: [Samba] Name Resolve Order : parameter of smb.conf with testparm
Ok Matthieu, thanks again about your answer.

The suggestion is to modify and correct this question on the URL:
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#NAMERESOLVEORDER

Thanks,
Marcio.

2012/10/9 Matthieu Patou m...@samba.org
> On 10/08/2012 02:38 PM, Marcio Oli wrote:
>> Hi Matthieu Patou,
>>
>> the version that I'm using is Samba 3.5.10-116.el6_2. It was installed
>> with rpm command.
>>
>> The OS is:
>> Red Hat Enterprise Linux Server release 6.2 (Santiago)
>> Linux [name of host] 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>
> I suppose that you are using the version of redhat but I think that you
> should trust the output of testparm because it use the same code base as
> daemons for parsing and deducting default values.
>
> Also testparm by default won't show the values that are by default as
> lmhosts wins host bcast is the default it's not shown, use testparm -v
> to have the full list.
>
> Matthieu.
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org

--
Marcio Oliveira.
Everything works together for the good of those who love God. (Rom 8,28)

Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
Hello steve,

Tue, Oct 09, 2012 at 05:54:48PM +0200, steve wrote:
> On 09/10/12 17:36, steve wrote:
>> On 08/10/12 18:23, steve wrote:
>>> On 08/10/12 17:40, m...@matws.net wrote:
>>>> samba-tool ntacl sysvolreset --use-s3fs
>
> Now no user can enter sysvol:
>
> getfacl sysvol/
> # file: sysvol/
> # owner: root
> # group: wheel
> # flags: s--
> user::rwx
> user:root:rwx
> group::r--
> group:wheel:r--
> group:300:r--
> group:301:r--
> group:302:r--
> mask::rwx
> other::---
>
> Using wbinfo:
> 300 BUILTIN\Server Operators 4
> 301 NT AUTHORITY\SYSTEM 5
> 302 NT AUTHORITY\Authenticated Users 5
>
> but Authenticated Users do not get read access. . .

maybe I'm wrong but in unix world you need x bit to be able to go into the directory.

Luf

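[Added example, not part of the thread: the x-bit point above, checked mechanically in POSIX sh. The function no_traverse is a name made up here; it lists the ACL entries of a directory whose effective permissions lack x, applying the mask the way POSIX ACLs do. sysvol_acl is the getfacl output posted in the thread; masked_acl is a constructed second case where the mask, not the entry, removes x.]

```shell
#!/bin/sh
# Added example: find ACL entries on a directory that cannot traverse it.

# getfacl output as posted in the thread.
sysvol_acl() {
cat <<'EOF'
# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:300:r--
group:301:r--
group:302:r--
mask::rwx
other::---
EOF
}

# Constructed case: the entries carry x, but the mask strips it.
masked_acl() {
cat <<'EOF'
# file: share/
# owner: root
# group: staff
user::rwx
group::r-x
group:302:r-x
mask::r--
other::---
EOF
}

# no_traverse: stdin = getfacl output for one directory.
# stdout = "<tag>:<qualifier> <effective perms>" for every access entry whose
# effective permissions lack x. Default (inherited) entries are ignored.
no_traverse() {
    awk -F: '
        /^#/ || NF < 3 || $1 == "default" { next }
        { sub(/[ \t]*#.*/, "", $3) }          # drop "#effective:" comments
        $1 == "mask" { mask = $3; next }
        { tag[++n] = $1; who[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                eff = perm[i]
                # The mask caps named users, the owning group and named
                # groups; the owner (user::) and other:: are not masked.
                masked = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                if (masked && mask != "") {
                    eff = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(perm[i], k, 1)
                        eff = eff ((substr(mask, k, 1) == c) ? c : "-")
                    }
                }
                if (substr(eff, 3, 1) != "x") print tag[i] ":" who[i], eff
            }
        }'
}

echo "sysvol entries that cannot enter the directory:"
sysvol_acl | no_traverse
echo "constructed masked case:"
masked_acl | no_traverse
```

On the posted ACL every group entry, including gid 302 (Authenticated Users per the wbinfo listing), comes out as r--, so only the owner and root can enter the directory.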
[Samba] How can I switch from internal dns server to bind9
I provisioned using the defaults. So now I'm using the internal DNS server. Since I've been having some issues with it (see Internal dns server stops forwarding) I would like to change to bind9, but now I don't have the files samba4 creates to use with it because I started using the internal dns server.

How can I switch from internal dns server to bind9???

Cheers,
Felix.

[Samba] using samba similar to windows shares
Hi,

I would like to share a main folder (main) with everyone but have different access rights to a subfolder of main (subfolder) with 2 groups. Is it possible that this can be done with samba?

Regards
LC

Re: [Samba] using samba similar to windows shares
You can have the share permissions granting access to everyone, and then use file system permissions to limit the access to the appropriate groups for each folder. This is the same approach you would use with a real Windows server.

On 10/09/12 16:17, 鱼 wrote:
> Hi,
>
> I would like to share a main folder (main) with everyone but have
> different access rights to a subfolder of main (subfolder) with 2
> groups. Is it possible that this can be done with samba?
>
> Regards
> LC

Re: [Samba] using samba similar to windows shares
On 09/10/12 04:17 PM, 鱼 wrote:
> Hi,
>
> I would like to share a main folder (main) with everyone but have
> different access rights to a subfolder of main (subfolder) with 2
> groups. Is it possible that this can be done with samba?
>
> Regards
> LC

You do it the same way that you do it on a Windows server. Share the main folder then use Windows Explorer to set up ACLs for the subfolder.

Re: [Samba] How can I switch from internal dns server to bind9
> On 10/9/12, fe...@epepm.cupet.cu fe...@epepm.cupet.cu wrote:
>> How can I switch from internal dns server to bind9???
>
> Add into [global] section of smb.conf server services = -dns.
>
> Configure Bind (see named.* files which comes with samba) to use dlz
> plugin or good old plain files (requires basic zone definition).
>
> --

I guess it's not that easy. First, I added by hand the file named.conf to /usr/local/samba/private. Second the dlz complains:

Failed to connect to /usr/local/samba/private/dns/sam.ldb

and there is no such directory, instead sam.ldb is directly under /usr/local/samba/private/

any ideas??

Cheers,
Felix.

Re: [Samba] How can I switch from internal dns server to bind9
On Tue, 2012-10-09 at 17:18 -0400, fe...@epepm.cupet.cu wrote:
>> On 10/9/12, fe...@epepm.cupet.cu fe...@epepm.cupet.cu wrote:
>>> How can I switch from internal dns server to bind9???
>>
>> Add into [global] section of smb.conf server services = -dns.
>>
>> Configure Bind (see named.* files which comes with samba) to use dlz
>> plugin or good old plain files (requires basic zone definition).
>>
>> --
>
> I guess it's not that easy. First, I added by hand the file named.conf
> to /usr/local/samba/private. Second the dlz complains:
>
> Failed to connect to /usr/local/samba/private/dns/sam.ldb
>
> and there is no such directory, instead sam.ldb is directly under
> /usr/local/samba/private/

Run samba_upgradedns to create the extra files and the account.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

[Samba] Samba ports
Could anybody help me with these entries in my machine's logs:

[2012/10/09 14:59:33.092831, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2012/10/09 14:59:33.093013, 0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Ponto final de transporte não está conectado (some logs in Portuguese, so the translation is so so: Error was transport endpoint is not connected)
  read_fd_with_timeout: client 0.0.0.0 read error = Conexão fechada pela outra ponta. ( ...: connection closed by other peer)

Why does this appear frequently? I had already heard that this is a problem with a connection about the Windows clients. Is this true?

In my smb.conf:
smb ports = 139 445

Thanks,

--
Marcio Oliveira.
All things work together for the good of those who love God. (Rom 8,28)
Re: [Samba] kvno problem when accessing bdc as \\domain.com
On Tue, 2012-10-09 at 14:38 +0300, Hannu Tikka wrote:
> Hi!
> I have a samba4 domain with two r/w directory controllers. DNS is set up so that domain.com name addresses both servers for redundancy. But workstations can't contact second server with address \\domain.com because the kvno is different than first server's kvno and when using \\domain.com address the kvno seems to be always first server's kvno. Can I somehow increase the second server's kvno or is there other solutions?

You have to access each server by name. Even if the kvno was identical, the kerberos key would be different. There is a special case used for sysvol shares, but all it does is redirect the user to the right server.

Andrew Bartlett

--
Andrew Bartlett    http://samba.org/~abartlet/
Authentication Developer, Samba Team    http://samba.org
Re: [Samba] Samba ports
On Tue, 2012-10-09 at 19:06 -0300, Marcio Oli wrote:
> Could anybody help me with these entries in my machine's logs:
>
> [2012/10/09 14:59:33.092831, 0] lib/util_sock.c:474(read_fd_with_timeout)
> [2012/10/09 14:59:33.093013, 0] lib/util_sock.c:1441(get_peer_addr_internal)
>   getpeername failed. Error was Ponto final de transporte não está conectado (some logs in Portuguese, so the translation is so so: Error was transport endpoint is not connected)
>   read_fd_with_timeout: client 0.0.0.0 read error = Conexão fechada pela outra ponta. ( ...: connection closed by other peer)
>
> Why does this appear frequently? I had already heard that this is a problem with a connection about the Windows clients. Is this true?
>
> In my smb.conf:
> smb ports = 139 445

We have since made this message less prominent. The Windows client will connect to both ports, and then drop one connection. It is harmless.

Andrew Bartlett

--
Andrew Bartlett    http://samba.org/~abartlet/
Authentication Developer, Samba Team    http://samba.org
[Samba] SAMBA4 POSIX ACL not working
Hello,

does any one succeed to share acl with samba4? I installed the new release of samba4 from git. and trying to apply acl on shared folders from win7 but it is just not functioning: for instance I just created the folder foldertest and trying to set permission deny on everyone and it gives the below error:

[2012/10/10 03:19:56.221168, 0] ../source3/smbd/posix_acls.c:1898(add_current_ace_to_acl)
  add_current_ace_to_acl: malformed ACL in file ACL ! Deny entry after Allow entry. Failing to set on file foldertest.

also whatever I do I only get the below errors?

[2012/10/10 02:39:22.008985, 0] ../source3/smbd/posix_acls.c:1898(add_current_ace_to_acl)
  add_current_ace_to_acl: malformed ACL in file ACL ! Deny entry after Allow entry. Failing to set on file test.
[2012/10/10 02:41:47.861209, 0] ../source3/modules/vfs_posixacl.c:351(smb_acl_to_posix)
  smb_acl_to_posix: ACL group:users:--- other::--- user::rwx group::--- group:317:rwx user:root:rwx group:users:--- mask::rwx is invalid for set (Success)
[2012/10/10 02:42:01.876497, 0] ../source3/modules/vfs_posixacl.c:351(smb_acl_to_posix)
  smb_acl_to_posix: ACL group:users:--- other::--- user::rwx group::--- group:317:rwx user:root:rwx group:users:--- mask::rwx is invalid for set (Success)
[2012/10/10 02:52:51.475171, 0] ../source3/modules/vfs_posixacl.c:351(smb_acl_to_posix)
  smb_acl_to_posix: ACL group:users:--- other::--- user::rwx group::--- group:317:r-x user:root:rwx group:users:--- mask::rwx is invalid for set (Success)
[2012/10/10 02:53:59.949092, 0] ../source3/modules/vfs_posixacl.c:351(smb_acl_to_posix)
  smb_acl_to_posix: ACL group:users:--- other::--- user::rwx group::--- group:317:r-x user:root:rwx group:users:--- group:318:r-x mask::rwx is invalid for set (No such file or directory)
Re: [Samba] SAMBA4 POSIX ACL not working
On Wed, Oct 10, 2012 at 12:24:24AM +0100, Innocent Yevide wrote:
> Hello,
>
> does any one succeed to share acl with samba4? I installed the new release of samba4 from git. and trying to apply acl on shared folders from win7 but it is just not functioning: for instance I just created the folder foldertest and trying to set permission deny on everyone and it gives the below error:
>
> [2012/10/10 03:19:56.221168, 0] ../source3/smbd/posix_acls.c:1898(add_current_ace_to_acl)
>   add_current_ace_to_acl: malformed ACL in file ACL ! Deny entry after Allow entry. Failing to set on file foldertest.
>
> also whatever I do I only get the below errors?

Log a bug at bugzilla.samba.org please and then attach a wireshark trace from the client and also a debug level 10 log from the server whilst setting an ACL that gets this message.

That will help us track down the problem.

Thanks !

Jeremy.
[Samba] ANNOUNCE: cifs-utils release 5.6 is ready for download
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Time for another cifs-utils release! Nothing terribly earth shattering here. Some distros (like Fedora) are moving krb5 credcaches out of /tmp by default. Users of these distros will definitely want to upgrade. Highlights: * Fixes for mounting with '/' in usernames with sec=krb5 * Support for DIR: type krb5 ccaches * support for nofail option in mount.cifs webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/ git:git://git.samba.org/cifs-utils.git gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary Detailed list of changes since 5.6: commit 692842e34c1f2fcc84b6b64136f5e28dd7062f46 Author: Jeff Layton jlay...@samba.org Date: Tue Aug 7 11:06:41 2012 -0400 autoconf: set version to 5.6.1 for interim builds Signed-off-by: Jeff Layton jlay...@samba.org commit 569cfcb3a467dfdf967a36ed6f7896559edab2ba Author: Jeff Layton jlay...@samba.org Date: Tue Aug 7 11:11:26 2012 -0400 mount.cifs: deprecate the DOMAIN/username%password username syntax mount.cifs has in the past allowed users to specify a username using the above syntax, which would populate the domain and password fields with the different pieces. Unfortunately, there are cases where it is legit to have a '/' in a username. krb5 SPNs generally contain a '/' and we have no clear way to distinguish between the two. I don't see any real value in keeping that syntax allowed. It's no easier than specifying pass= and domain= on the command line. Ditto for credential files. Begin the transition away from that syntax by adding a warning message that support for it will be removed in 5.9. Signed-off-by: Jeff Layton jlay...@samba.org commit 3a965467611637ca05bcd55460ff69fec6ad8be7 Author: Jeff Layton jlay...@samba.org Date: Tue Aug 7 11:52:15 2012 -0400 mount.cifs: handle username= differently depending on sec= option This patch is intended as a temporary workaround for krb5 users that need to specify usernames with '/' in them. 
I intend to remove this hack from mount.cifs once the legacy username handling code is removed. The idea here is to save off the raw username string while we're parsing options. If the mount options specify sec=krb5 or sec=krb5i then we'll not do the legacy username parsing and will instead just pass in the username string as-is. Obviously, this is a nasty hack and we don't really want to carry this in perpetuity, so this can go away once the legacy username parsing has gone away. Signed-off-by: Jeff Layton jlay...@samba.org commit 377898e63a8689b0e8c5c656ce9cfa98223cf74b Author: Jeff Layton jlay...@samba.org Date: Tue Aug 21 15:18:54 2012 -0400 cifs-utils: fix up references to getcifsacl and setcifsacl files When I moved the manpages for this to section 1, I missed some references to them. Also, get rid of the unneeded clean-local-aclprogs makefile target. Signed-off-by: Jeff Layton jlay...@samba.org commit d006986221b7f1aad50e894851dc573650b7611c Author: Nalin Dahyabhai na...@redhat.com Date: Thu Aug 23 11:14:45 2012 -0400 cifs.upcall: also consider DIR:-type ccaches If we encounter a subdirectory while scanning a directory for a user's ccache, check if it's a DIR ccache. Otherwise, continue as before, checking if it's a FILE ccache if it looks like a regular file. commit ca0894e40480a9115c6bad670149b075646ead2c Author: Nalin Dahyabhai na...@redhat.com Date: Thu Aug 23 11:14:56 2012 -0400 cifs.upcall: scan /run/user/${UID} for ccaches, too When scanning for credential caches, check the user's directory under /run/user first, then fall back to /tmp as we have previously. Because we now call find_krb5_cc() twice (once for each directory), we move its state to be outside of the function. We also add a substitution mechanism to make the process of resolving the location of the user's home directory before searching it a bit more explicable. 
commit 72bce53289d939c3539b7d3cb957b748a4b1d2ec Author: Jeff Layton jlay...@samba.org Date: Thu Aug 23 07:46:40 2012 -0400 cifs.upcall: use strncmp in scandir filter function We want to require that the filename begins with the correct string, not just that it contains it somewhere. Signed-off-by: Jeff Layton jlay...@samba.org commit a0bf123541ec6fd53948f41f17c9dba5d6a43648 Author: Jeff Layton jlay...@samba.org Date: Thu Aug 23 10:18:02 2012 -0400 mount.cifs: silence compiler warnings about ignoring return code In this case we explicitly don't care what these functions return, so declare a couple of unused variables to catch the results. Signed-off-by: Jeff Layton jlay...@samba.org commit 82f93c44343f281ce61f547ff8f9e5f79945cb20 Author: Jeff Layton
Re: [Samba] ANNOUNCE: cifs-utils release *5.7* is ready for download
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 9 Oct 2012 20:51:21 -0400 Jeff Layton jlay...@samba.org wrote: Hash: SHA1 Time for another cifs-utils release! Nothing terribly earth shattering here. Some distros (like Fedora) are moving krb5 credcaches out of /tmp by default. Users of these distros will definitely want to upgrade. Highlights: * Fixes for mounting with '/' in usernames with sec=krb5 * Support for DIR: type krb5 ccaches * support for nofail option in mount.cifs webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/ git:git://git.samba.org/cifs-utils.git gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary Detailed list of changes since 5.6: commit 692842e34c1f2fcc84b6b64136f5e28dd7062f46 Author: Jeff Layton jlay...@samba.org Date: Tue Aug 7 11:06:41 2012 -0400 autoconf: set version to 5.6.1 for interim builds Signed-off-by: Jeff Layton jlay...@samba.org commit 569cfcb3a467dfdf967a36ed6f7896559edab2ba Author: Jeff Layton jlay...@samba.org Date: Tue Aug 7 11:11:26 2012 -0400 mount.cifs: deprecate the DOMAIN/username%password username syntax mount.cifs has in the past allowed users to specify a username using the above syntax, which would populate the domain and password fields with the different pieces. Unfortunately, there are cases where it is legit to have a '/' in a username. krb5 SPNs generally contain a '/' and we have no clear way to distinguish between the two. I don't see any real value in keeping that syntax allowed. It's no easier than specifying pass= and domain= on the command line. Ditto for credential files. Begin the transition away from that syntax by adding a warning message that support for it will be removed in 5.9. 
Signed-off-by: Jeff Layton jlay...@samba.org commit 3a965467611637ca05bcd55460ff69fec6ad8be7 Author: Jeff Layton jlay...@samba.org Date: Tue Aug 7 11:52:15 2012 -0400 mount.cifs: handle username= differently depending on sec= option This patch is intended as a temporary workaround for krb5 users that need to specify usernames with '/' in them. I intend to remove this hack from mount.cifs once the legacy username handling code is removed. The idea here is to save off the raw username string while we're parsing options. If the mount options specify sec=krb5 or sec=krb5i then we'll not do the legacy username parsing and will instead just pass in the username string as-is. Obviously, this is a nasty hack and we don't really want to carry this in perpetuity, so this can go away once the legacy username parsing has gone away. Signed-off-by: Jeff Layton jlay...@samba.org commit 377898e63a8689b0e8c5c656ce9cfa98223cf74b Author: Jeff Layton jlay...@samba.org Date: Tue Aug 21 15:18:54 2012 -0400 cifs-utils: fix up references to getcifsacl and setcifsacl files When I moved the manpages for this to section 1, I missed some references to them. Also, get rid of the unneeded clean-local-aclprogs makefile target. Signed-off-by: Jeff Layton jlay...@samba.org commit d006986221b7f1aad50e894851dc573650b7611c Author: Nalin Dahyabhai na...@redhat.com Date: Thu Aug 23 11:14:45 2012 -0400 cifs.upcall: also consider DIR:-type ccaches If we encounter a subdirectory while scanning a directory for a user's ccache, check if it's a DIR ccache. Otherwise, continue as before, checking if it's a FILE ccache if it looks like a regular file. commit ca0894e40480a9115c6bad670149b075646ead2c Author: Nalin Dahyabhai na...@redhat.com Date: Thu Aug 23 11:14:56 2012 -0400 cifs.upcall: scan /run/user/${UID} for ccaches, too When scanning for credential caches, check the user's directory under /run/user first, then fall back to /tmp as we have previously. 
Because we now call find_krb5_cc() twice (once for each directory), we move its state to be outside of the function. We also add a substitution mechanism to make the process of resolving the location of the user's home directory before searching it a bit more explicable. commit 72bce53289d939c3539b7d3cb957b748a4b1d2ec Author: Jeff Layton jlay...@samba.org Date: Thu Aug 23 07:46:40 2012 -0400 cifs.upcall: use strncmp in scandir filter function We want to require that the filename begins with the correct string, not just that it contains it somewhere. Signed-off-by: Jeff Layton jlay...@samba.org commit a0bf123541ec6fd53948f41f17c9dba5d6a43648 Author: Jeff Layton jlay...@samba.org Date: Thu Aug 23 10:18:02 2012 -0400 mount.cifs: silence compiler warnings about ignoring return code In this case we explicitly don't care what these
[Samba] samba4, classicupgrade: set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
Hello, I'm testing samba4. I've setup a small samba3+ldap pdc, and then I tried a classicupgrade, but I can't pass step 4 of the howto. ubuntu@samba4:~/samba4$ /usr/local/samba/sbin/samba -V Version 4.1.0pre1-GIT-899cdc4 ubuntu@samba4:~/samba4$ sudo /usr/local/samba/bin/samba-tool domain classicupgrade --realm=example.com --dbdir=/root/samba /root/samba/smb.conf Reading smb.conf Provisioning Exporting account policy Exporting groups Exporting users Skipping wellknown rid=500 (for username=Administrator) Skipping wellknown rid=501 (for username=nobody) Demoting BDC account trust for samba3, this DC must be elevated to an AD DC using 'samba-tool domain promote' Next rid = 1009 Exporting posix attributes Reading WINS database Cannot open wins database, Ignoring: [Errno 2] No such file or directory: '/root/samba/wins.dat' Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Adding DomainDN: DC=example,DC=com Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Setting acl on sysvol skipped Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf Setting up fake yp server settings Once the above files 
are installed, your Samba4 server will be ready to use Admin password:,mlY44K(WDG(O7a_-.6M@E Server Role: active directory domain controller Hostname: samba4 NetBIOS Domain:EXAMPLE DNS Domain:example.com DOMAIN SID:S-1-5-21-831389399-4071795767-414191908 A phpLDAPadmin configuration file suitable for administering the Samba 4 LDAP server has been created in /usr/local/samba/private/phpldapadmin-config.php. Importing WINS database Importing Account policy Importing idmap database Cannot open idmap database, Ignoring: [Errno 2] No such file or directory Importing groups Group already exists sid=S-1-5-21-831389399-4071795767-414191908-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring. Group already exists sid=S-1-5-21-831389399-4071795767-414191908-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring. Group already exists sid=S-1-5-21-831389399-4071795767-414191908-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring. Group already exists sid=S-1-5-32-544, groupname=Administrators existing_groupname=Administrators, Ignoring. Group already exists sid=S-1-5-32-545, groupname=Users existing_groupname=Users, Ignoring. Group already exists sid=S-1-5-32-546, groupname=Guests existing_groupname=Guests, Ignoring. Importing users Adding users to groups set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER. 
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER') File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 170, in _run return self.run(*args, **kwargs) File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py, line 1321, in run useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs) File /usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py, line 913, in upgrade_from_samba3 result.names.domaindn, result.lp, use_ntvfs) File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1468, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs) File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1405, in set_gpos_acl str(domainsid), use_ntvfs) File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1369, in set_dir_acl setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs) File /usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py, line 108, in setntacl smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd) ubuntu@samba4:~/samba4$ sudo testparm /root/samba/smb.conf [global] workgroup = EXAMPLE passdb backend = ldapsam:ldap://localhost/ domain logons = Yes os level = 33 preferred master = Yes domain master = Yes ldap admin dn =
Re: [Samba] Internal DNS stops forwarding
On 10/09/2012 06:13 AM, fe...@epepm.cupet.cu wrote:
> Happened again with rc2 but found that at the same time this error shows every second:
> [2012/10/05 09:01:39, 0] ../source4/smbd/process_single.c:56(single_accept_connection)
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES
>
> root@ad:~# netstat -anp | grep 53|grep samba|wc -l
> 1003
>
> I think this is the direct cause of the too many open files error.
>
> https://bugzilla.samba.org/show_bug.cgi?id=8878
> In a nutshell I suspect that our server sends forward requests to the forwarder that are never answered and the connections piles up, once we reached the limit (1024 ?) the server didn't accept any new connections.
>
> Seems likely.
>
> I think it is. Because all the connections I see when the error occurs are related to the forwarder I declared in smb.conf. The number of connections keeps growing again until the error appears. So I have to restart samba. And, yes, lsof, shows that all connections but 2 are related to the forwarder.

Can you provide the list of open files still ? Also bumping the number of openfile (ulimit -n 65000 in the startup script) should be an acceptable workaround.

Matthieu

--
Matthieu Patou
Samba Team
http://samba.org
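A triage helper for the descriptor build-up discussed in this thread, added here as an example (it is not part of any poster's message and not Samba code): it parses `lsof -n -P -i :53` output, groups sockets per process and remote endpoint, and flags a process approaching the 1024 limit mentioned above. The sample lines, PIDs, addresses, function names and the 80 % warning threshold are assumptions constructed for the example.

```python
"""Group port-53 sockets per process from `lsof -n -P -i :53` output."""
from collections import Counter

FD_LIMIT = 1024     # per-process open-file limit quoted in the thread
WARN_RATIO = 0.8    # assumption: flag a process at 80 % of that limit


def constructed_sample(forwarder_sockets=1001):
    """Build constructed lsof output: 2 listeners plus sockets to one forwarder."""
    lines = [
        "COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME",
        "samba   2211 root   30u  IPv4  50001      0t0  TCP 192.0.2.10:53 (LISTEN)",
        "samba   2211 root   31u  IPv4  50002      0t0  UDP 192.0.2.10:53",
    ]
    for i in range(forwarder_sockets):
        lines.append(
            "samba   2211 root %4du  IPv4 %6d      0t0  UDP 192.0.2.10:%d->192.0.2.53:53"
            % (32 + i, 51000 + i, 20000 + i)
        )
    # An unrelated client process, to show that grouping is per PID.
    lines.append(
        "dig     4100 user1   5u  IPv4  60001      0t0  UDP 192.0.2.20:40000->192.0.2.10:53"
    )
    return "\n".join(lines)


def parse_lsof(text):
    """Yield (command, pid, proto, local, remote) for each socket line.

    remote is None for listening or unconnected sockets.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue  # header, blank or truncated line
        command, pid, node, name = fields[0], fields[1], fields[7], fields[8]
        if not pid.isdigit() or node not in ("TCP", "UDP"):
            continue
        local, sep, remote = name.partition("->")
        yield command, int(pid), node, local, (remote if sep else None)


def summarise(text, fd_limit=FD_LIMIT, warn_ratio=WARN_RATIO):
    """Return one report row per PID, sorted by PID.

    The socket count is a lower bound on the process's descriptors,
    because lsof was filtered to port 53.
    """
    per_pid = {}
    for command, pid, _proto, _local, remote in parse_lsof(text):
        entry = per_pid.setdefault(
            pid, {"command": command, "sockets": 0, "remotes": Counter()}
        )
        entry["sockets"] += 1
        if remote is not None:
            entry["remotes"][remote] += 1

    report = []
    for pid, entry in sorted(per_pid.items()):
        top = entry["remotes"].most_common(1)
        top_remote, top_count = top[0] if top else (None, 0)
        report.append({
            "pid": pid,
            "command": entry["command"],
            "sockets": entry["sockets"],
            "top_remote": top_remote,
            "top_remote_sockets": top_count,
            "near_limit": entry["sockets"] >= fd_limit * warn_ratio,
        })
    return report


if __name__ == "__main__":
    for row in summarise(constructed_sample()):
        print(row)
```

On a live host, pass the real `lsof` output to `summarise()` and set `fd_limit` to the value the process actually runs with.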
Re: [Samba] kvno problem when accessing bdc as \\domain.com
So the \\domain.com\sysvol should work?

> On Tue, 2012-10-09 at 14:38 +0300, Hannu Tikka wrote:
> > Hi!
> > I have a samba4 domain with two r/w directory controllers. DNS is set up so that domain.com name addresses both servers for redundancy. But workstations can't contact second server with address \\domain.com because the kvno is different than first server's kvno and when using \\domain.com address the kvno seems to be always first server's kvno. Can I somehow increase the second server's kvno or is there other solutions?
>
> You have to access each server by name. Even if the kvno was identical, the kerberos key would be different. There is a special case used for sysvol shares, but all it does is redirect the user to the right server.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett    http://samba.org/~abartlet/
> Authentication Developer, Samba Team    http://samba.org
[Samba] change mandatory profile owner to Administrators
Hello

install samba4beta8.

Problem: can't change mandatory profile owner to Administrators and see this error:

this security ID may not be assigned as the owner of this object administrators

now my mandatory profile not work!

How do I solve this problem?

thanks a lot
[Samba] remove IP from DNS ldb
Hello

install samba4beta8 with bind 9.9.1 and internal samba DNS DB on server with two IP, then remove one of IPs.

Users can not connect to the server or to communicate with a server takes . Because, Removed IP in response to client requests are sent !

How to remove not use IP from samba dns DB by Samba Tools ?
Re: [Samba] kvno problem when accessing bdc as \\domain.com
On 10/09/2012 09:58 PM, Hannu Tikka wrote:
> So the \\domain.com\sysvol should work?

Exact

It's because we have domain DFS implemented for sysvol and netlogon shares.

What is happening behind the scene when a Windows client tries to connect to \\domain.com\sysvol is that one of the DCs will instruct the client that it supports DFS, and client and server will enter into a DFS resolution exchange where at the end the client gets a list of servers holding the sysvol share (i.e. \\dc1.domain.com\sysvol, \\dc2.domain.com\sysvol); then the client requests a kerberos ticket for one of the DCs and the usual connection takes place.

Matthieu.

> > On Tue, 2012-10-09 at 14:38 +0300, Hannu Tikka wrote:
> > > Hi!
> > > I have a samba4 domain with two r/w directory controllers. DNS is set up so that domain.com name addresses both servers for redundancy. But workstations can't contact second server with address \\domain.com because the kvno is different than first server's kvno and when using \\domain.com address the kvno seems to be always first server's kvno. Can I somehow increase the second server's kvno or is there other solutions?
> >
> > You have to access each server by name. Even if the kvno was identical, the kerberos key would be different. There is a special case used for sysvol shares, but all it does is redirect the user to the right server.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett    http://samba.org/~abartlet/
> > Authentication Developer, Samba Team    http://samba.org

--
Matthieu Patou
Samba Team
http://samba.org
Re: [Samba] Internal DNS stops forwarding
On 2012-10-09 15:13, fe...@epepm.cupet.cu wrote:

Hi Felix,

> I think it is. Because all the connections I see when the error occurs are related to the forwarder I declared in smb.conf. The number of connections keeps growing again until the error appears. So I have to restart samba. And, yes, lsof, shows that all connections but 2 are related to the forwarder.

An interesting question of course is why your forwarder never answers the requests from the internal DNS server. Is it set up correctly? I agree we really need to fix the timeout, but even then your DNS setup would be broken if the forwarder never answers to queries.

Cheers,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 493f3a0 s3: Add two tests a CLEAR_IF_FIRST crash via 15a3dfb tdb: Make tdb robust against improper CLEAR_IF_FIRST restart via e7e86fc tdb: Make robust against shrinking tdbs from ac7d976 When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries. (cherry picked from commit 6575d1d34fee45c7a965c7c9641cc52b566a9e7f) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 493f3a0e84a4bbeb8bac68dc28988c54b1619317 Author: Volker Lendecke v...@samba.org Date: Mon Oct 8 12:25:49 2012 -0700 s3: Add two tests a CLEAR_IF_FIRST crash The last 3 patches address bug #9268 - Make tdb robust against improper CLEAR_IF_FIRST restart. commit 15a3dfbc15de1e214e9aee57d7d83de60fe747bd Author: Volker Lendecke v...@samba.org Date: Mon Oct 8 12:02:43 2012 -0700 tdb: Make tdb robust against improper CLEAR_IF_FIRST restart When winbind is restarted, there is a potential crash in tdb. Following situation: We are in a cluster with ctdb. A winbind child hangs in a request to the DC. Cluster monitoring decides the node has a problem. Cluster monitoring decides to kill ctdbd. winbind child still hangs in a RPC request. winbind parent figures that ctdb is dead and immediately commits suicide. winbind parent is restarted by cluster management, overwriting gencache.tdb with CLEAR_IF_FIRST. The CLEAR_IF_FIRST logic as implemented now will not see that a child still has the tdb open, only the parent holds the ACTIVE_LOCK due to performance reasons. During the CLEAR_IF_FIRST logic is done, there is a very small window where we ftruncate(tfd, 0) the file and re-write a proper header without a lock. When during this small window the winbind child comes back, wanting to store something into gencache.tdb, that winbind child will crash with a SIGBUS. Sounds unlikely? 
See: [2012/09/29 07:02:31.871607, 0] lib/util.c:1183(smb_panic) PANIC (pid 1814517): internal error [2012/09/29 07:02:31.877596, 0] lib/util.c:1287(log_stack_trace) BACKTRACE: 35 stack frames: #0 winbindd(log_stack_trace+0x1a) [0x7feb7d4ca18a] #1 winbindd(smb_panic+0x2b) [0x7feb7d4ca25b] #2 winbindd(+0x1a3cc4) [0x7feb7d4bacc4] #3 /lib64/libc.so.6(+0x32900) [0x7feb7a929900] #4 /lib64/libc.so.6(memcpy+0x35) [0x7feb7a97f355] #5 /usr/lib64/libtdb.so.1(+0x6e76) [0x7feb7b0b0e76] #6 /usr/lib64/libtdb.so.1(+0x3d37) [0x7feb7b0add37] #7 /usr/lib64/libtdb.so.1(+0x863d) [0x7feb7b0b263d] #8 /usr/lib64/libtdb.so.1(+0x8700) [0x7feb7b0b2700] #9 /usr/lib64/libtdb.so.1(+0x2505) [0x7feb7b0ac505] #10 /usr/lib64/libtdb.so.1(+0x25b7) [0x7feb7b0ac5b7] #11 /usr/lib64/libtdb.so.1(tdb_fetch+0x13) [0x7feb7b0ac633] #12 winbindd(gencache_set_data_blob+0x259) [0x7feb7d4d8449] #13 winbindd(gencache_set+0x53) [0x7feb7d4d85b3] #14 winbindd(gencache_del+0x5e) [0x7feb7d4d879e] #15 winbindd(saf_delete+0x93) [0x7feb7d54b693] #16 winbindd(+0xe507e) [0x7feb7d3fc07e] #17 winbindd(+0xe85e5) [0x7feb7d3ff5e5] #18 winbindd(+0xe65be) [0x7feb7d3fd5be] #19 winbindd(+0xe7562) [0x7feb7d3fe562] #20 winbindd(init_dc_connection+0x2e) [0x7feb7d3fe5be] #21 winbindd(+0xe75d9) [0x7feb7d3fe5d9] #22 winbindd(cm_connect_netlogon+0x58) [0x7feb7d3fe658] #23 winbindd(_wbint_PingDc+0x61) [0x7feb7d410991] #24 winbindd(+0x103175) [0x7feb7d41a175] #25 winbindd(winbindd_dual_ndrcmd+0xb7) [0x7feb7d4107d7] #26 winbindd(+0xf8609) [0x7feb7d40f609] #27 winbindd(+0xf9075) [0x7feb7d410075] #28 winbindd(tevent_common_loop_immediate+0xe8) [0x7feb7d4db198] #29 winbindd(run_events_poll+0x3c) [0x7feb7d4d93fc] #30 winbindd(+0x1c2b52) [0x7feb7d4d9b52] #31 winbindd(_tevent_loop_once+0x90) [0x7feb7d4d9f60] #32 winbindd(main+0x7b3) [0x7feb7d3e7aa3] #33 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7feb7a915cdd] #34 winbindd(+0xce2a9) [0x7feb7d3e52a9] This is in a winbind child, logfiles surrounding indicate the parent was restarted. 
This patch takes all chain locks around the CLEAR_IF_FIRST introduced tdb_new_database. commit e7e86fcb929e7b8e7d879349d5f7f9422126a3a2 Author: Rusty Russell ru...@rustcorp.com.au Date: Mon Oct 8 11:56:47 2012 -0700 tdb: Make robust against shrinking tdbs When probing for a size change (eg. just before tdb_expand, tdb_check, tdb_rescue) we call tdb_oob(tdb, tdb-map_size, 1, 1). Unfortunately this does nothing if the tdb has actually shrunk, which as Volker
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via aecb5a6 s3fs-printing: Fix RAW printing for normal users. from 493f3a0 s3: Add two tests a CLEAR_IF_FIRST crash http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit aecb5a61a378bdfa97cf621f408c9921c6e042ad Author: Andreas Schneider a...@samba.org Date: Mon Oct 8 12:32:49 2012 +0200 s3fs-printing: Fix RAW printing for normal users. This fixes bug #8769. Signed-off-by: Andreas Schneider a...@samba.org --- Summary of changes: source3/printing/printspoolss.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/printing/printspoolss.c b/source3/printing/printspoolss.c index 23464d5..b3ca287 100644 --- a/source3/printing/printspoolss.c +++ b/source3/printing/printspoolss.c @@ -144,7 +144,7 @@ NTSTATUS print_spool_open(files_struct *fsp, status = dcerpc_spoolss_OpenPrinter(b, pf, pf-svcname, RAW, devmode_ctr, - SEC_FLAG_MAXIMUM_ALLOWED, + PRINTER_ACCESS_USE, pf-handle, werr); if (!NT_STATUS_IS_OK(status)) { goto done; -- Samba Shared Repository
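Review bot: the access-mask argument of dcerpc_spoolss_OpenPrinter in print_spool_open changes from SEC_FLAG_MAXIMUM_ALLOWED to PRINTER_ACCESS_USE without a comment at the call site, and the commit message says only that it fixes bug #8769. Please add a short comment above the call stating that the spool open deliberately requests only PRINTER_ACCESS_USE so that RAW printing works for normal users, and put the reason the broader mask failed into the commit message, so that a later cleanup does not restore SEC_FLAG_MAXIMUM_ALLOWED. Requesting only the right the spool path needs is also the least-privilege choice, which is worth saying in that comment.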
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 1bc9a20 Correct fix for bug #9222 - smbd ignores the server signing = no setting for SMB2. from aecb5a6 s3fs-printing: Fix RAW printing for normal users. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 1bc9a208337b50e5ee566060799b3b17d8ed95e3 Author: Jeremy Allison j...@samba.org Date: Wed Oct 3 12:58:00 2012 -0700 Correct fix for bug #9222 - smbd ignores the server signing = no setting for SMB2. Signing cannot be disabled for SMB2 by design, so fix the documentation instead. Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Wed Oct 3 23:47:23 CEST 2012 on sn-devel-104 (cherry picked from commit fe38a93c71d0adc0be1d43b438ac3b54eaf4ba53) --- Summary of changes: docs-xml/smbdotconf/security/serversigning.xml | 17 +++-- 1 files changed, 11 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/security/serversigning.xml b/docs-xml/smbdotconf/security/serversigning.xml index ea21a2c..0aced5d 100644 --- a/docs-xml/smbdotconf/security/serversigning.xml +++ b/docs-xml/smbdotconf/security/serversigning.xml 
@@ -5,14 +5,19 @@ xmlns:samba=http://www.samba.org/samba/DTD/samba-doc; description -paraThis controls whether the client is allowed or required to use SMB signing. Possible values -are emphasisauto/emphasis, emphasismandatory/emphasis -and emphasisdisabled/emphasis. +paraThis controls whether the client is allowed or required to use SMB1 and SMB2 signing. Possible values +are emphasisauto/emphasis, emphasismandatory/emphasis +and emphasisdisabled/emphasis. /para -paraWhen set to auto, SMB signing is offered, but not enforced. -When set to mandatory, SMB signing is required and if set - to disabled, SMB signing is not offered either./para +paraWhen set to auto, SMB1 signing is offered, but not enforced. +When set to mandatory, SMB1 signing is required and if set +to disabled, SMB signing is not offered either./para + +paraFor the SMB2 protocol, by design, signing cannot be disabled. In the case +where SMB2 is negotiated, if this parameter is set to emphasisdisabled/emphasis, +it will be treated as emphasisauto/emphasis. Setting it to emphasismandatory/emphasis +will still require SMB2 clients to use signing./para /description value type=defaultDisabled/value -- Samba Shared Repository
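Review bot: in the reworded second paragraph, the last clause still reads "to disabled, SMB signing is not offered either" while the two clauses before it were changed to "SMB1 signing". The new third paragraph says that disabled is treated as auto once SMB2 is negotiated, so this clause should read "SMB1 signing is not offered" as well; as written the two paragraphs contradict each other for SMB2.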
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 6b4169a libreplace: Bug 8107, Fix poll replacement to become a msleep replacement via 757dc4d replace: add some includes for poll.h from 1bc9a20 Correct fix for bug #9222 - smbd ignores the server signing = no setting for SMB2. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 6b4169a75fb3180dec1f57b0eb39312ca82cd1ac Author: Joachim Schmitz schm...@hp.com Date: Mon Sep 17 05:26:31 2012 -0700 libreplace: Bug 8107, Fix poll replacement to become a msleep replacement Signed-off-by: Jeremy Allison j...@samba.org (cherry picked from commit 7542b63188f7e73588c9abb40e36a910c87bc534) commit 757dc4d753275d42b8dbf2710290b3dbfb9f3cda Author: Björn Jacke b...@sernet.de Date: Sun Sep 16 02:21:39 2012 +0200 replace: add some includes for poll.h See bug #8107 Autobuild-User(master): Björn Jacke b...@sernet.de Autobuild-Date(master): Sun Sep 16 04:05:08 CEST 2012 on sn-devel-104 (cherry picked from commit 520c9b0b0ae33e6e8fb78034cfff685f5491aab3) (cherry picked from commit ea96d79e21a549204a7f64307059ea877bfb9fd5) --- Summary of changes: lib/replace/poll.c |8 +++- 1 files changed, 7 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/replace/poll.c b/lib/replace/poll.c index e41548d..1105617 100644 --- a/lib/replace/poll.c +++ b/lib/replace/poll.c @@ -30,6 +30,12 @@ #include replace.h #include system/select.h +#ifdef HAVE_SYS_TIME_H +#include sys/time.h +#endif +#ifdef HAVE_SYS_IOCTL_H +#include sys/ioctl.h +#endif int rep_poll(struct pollfd *fds, nfds_t nfds, int timeout) @@ -40,7 +46,7 @@ int rep_poll(struct pollfd *fds, nfds_t nfds, int timeout) int rc; nfds_t i; - if (fds == NULL) { + if ((fds == NULL) (nfds != 0)) { errno = EFAULT; return -1; } -- Samba Shared Repository
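Review bot: the relaxed EFAULT check in rep_poll now lets a NULL fds through when nfds is 0, so everything after that check has to be safe with a NULL array. Please confirm that the code below it never touches fds in that case, and add a comment at the check saying the NULL/0 form is the msleep use named in the commit subject. The new HAVE_SYS_TIME_H and HAVE_SYS_IOCTL_H includes in the first hunk would also benefit from a note on which symbols they are needed for.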
[SCM] Samba Shared Repository - branch v4-0-test updated
The branch, v4-0-test has been updated via a6a95d8 libreplace: Bug 8107, Fix poll replacement to become a msleep replacement via 4dbf408 replace: add some includes for poll.h via 26e9783 pam_winbind: match more return codes when wbcGetPwnam has failed. via fbeda97 Correct fix for bug #9222 - smbd ignores the server signing = no setting for SMB2. via 6a8b5fe s3fs-printing: Fix RAW printing for normal users. via 938b037 s3: Add two tests a CLEAR_IF_FIRST crash via 4c968fc tdb: Make tdb robust against improper CLEAR_IF_FIRST restart via cb2f7c9 tdb: Make robust against shrinking tdbs from 566e450 s4-dns: fix a warning http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log - commit a6a95d8636303d56d468511bddc05ac0c069b963 Author: Joachim Schmitz schm...@hp.com Date: Mon Sep 17 05:26:31 2012 -0700 libreplace: Bug 8107, Fix poll replacement to become a msleep replacement Signed-off-by: Jeremy Allison j...@samba.org (cherry picked from commit 7542b63188f7e73588c9abb40e36a910c87bc534) Autobuild-User(v4-0-test): Karolin Seeger ksee...@samba.org Autobuild-Date(v4-0-test): Tue Oct 9 12:14:55 CEST 2012 on sn-devel-104 commit 4dbf40814d59c81af2501c5a789d2359af45c498 Author: Björn Jacke b...@sernet.de Date: Sun Sep 16 02:21:39 2012 +0200 replace: add some includes for poll.h See bug #8107 Autobuild-User(master): Björn Jacke b...@sernet.de Autobuild-Date(master): Sun Sep 16 04:05:08 CEST 2012 on sn-devel-104 (cherry picked from commit 520c9b0b0ae33e6e8fb78034cfff685f5491aab3) (cherry picked from commit ea96d79e21a549204a7f64307059ea877bfb9fd5) commit 26e97836a589cb51ff71a5214bbe97c2c1ba7c03 Author: Günther Deschner g...@samba.org Date: Wed Sep 19 10:59:50 2012 +0200 pam_winbind: match more return codes when wbcGetPwnam has failed. This is required to properly return PAM_USER_UNKNOWN in case winbind had a problem. 
Guenther Autobuild-User(master): Günther Deschner g...@samba.org Autobuild-Date(master): Wed Sep 19 15:06:10 CEST 2012 on sn-devel-104 (cherry picked from commit 98d90c02f0961d173bebb9901c7ad0819827f96e) Fix bug #9177 - pam_winbind's pm_sm_acct_mgmt needs to return PAM_USER_UNKNOWN. commit fbeda97a2ebcdd4dab5871958ee0e76778530dc8 Author: Jeremy Allison j...@samba.org Date: Wed Oct 3 12:58:00 2012 -0700 Correct fix for bug #9222 - smbd ignores the server signing = no setting for SMB2. Signing cannot be disabled for SMB2 by design, so fix the documentation instead. Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Wed Oct 3 23:47:23 CEST 2012 on sn-devel-104 (cherry picked from commit fe38a93c71d0adc0be1d43b438ac3b54eaf4ba53) commit 6a8b5fe4695f17aa52b72c05385bee2d35926720 Author: Andreas Schneider a...@samba.org Date: Mon Oct 8 12:32:49 2012 +0200 s3fs-printing: Fix RAW printing for normal users. This fixes bug #8769. Signed-off-by: Andreas Schneider a...@samba.org commit 938b037795608cd055026af7d8d8459263451551 Author: Volker Lendecke v...@samba.org Date: Tue Oct 2 15:44:41 2012 +0200 s3: Add two tests a CLEAR_IF_FIRST crash Autobuild-User(master): Volker Lendecke v...@samba.org Autobuild-Date(master): Sat Oct 6 17:16:39 CEST 2012 on sn-devel-104 Signed-off-by: Jeremy Allison j...@samba.org The last 3 patches address bug #9268 - Make tdb robust against improper CLEAR_IF_FIRST restart. commit 4c968fcc93e412f7a896737f5048daa8976bf8cb Author: Volker Lendecke v...@samba.org Date: Tue Oct 2 15:26:14 2012 +0200 tdb: Make tdb robust against improper CLEAR_IF_FIRST restart When winbind is restarted, there is a potential crash in tdb. Following situation: We are in a cluster with ctdb. A winbind child hangs in a request to the DC. Cluster monitoring decides the node has a problem. Cluster monitoring decides to kill ctdbd. winbind child still hangs in a RPC request. winbind parent figures that ctdb is dead and immediately commits suicide. 
winbind parent is restarted by cluster management, overwriting gencache.tdb with CLEAR_IF_FIRST. The CLEAR_IF_FIRST logic as implemented now will not see that a child still has the tdb open, only the parent holds the ACTIVE_LOCK due to performance reasons. During the CLEAR_IF_FIRST logic is done, there is a very small window where we ftruncate(tfd, 0) the file and re-write a proper header without a lock. When during this small window the winbind child comes back, wanting to store something into gencache.tdb, that winbind child will crash with a SIGBUS. Sounds unlikely? See: [2012/09/29 07:02:31.871607, 0] lib/util.c:1183(smb_panic) PANIC (pid 1814517): internal error [2012/09/29
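The window described in the commit message above, as an added illustration that is not Samba or tdb code: a child keeps a file mapped while the parent truncates and rewrites it, first without a lock and then with one. The names `run_restart`, `child_store`, `whole_file_lock`, `DB_SIZE` and the temporary file are constructed for this sketch, and a single whole-file fcntl lock stands in for tdb's chain locks.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define DB_SIZE 4096 /* constructed size standing in for the database file */

/* Take (F_WRLCK) or drop (F_UNLCK) a blocking whole-file fcntl lock. */
static int whole_file_lock(int fd, short type)
{
	struct flock fl = { .l_type = type, .l_whence = SEEK_SET,
			    .l_start = 0, .l_len = 0 };
	return fcntl(fd, F_SETLKW, &fl);
}

/* Child: stands in for the process that still has the old file mapped. */
static void child_store(int fd, int go_fd, int ready_fd, int use_lock)
{
	struct rlimit no_core = { 0, 0 };
	char c = 'r';

	setrlimit(RLIMIT_CORE, &no_core); /* keep the demo from leaving a core */
	char *map = mmap(NULL, DB_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (map == MAP_FAILED) _exit(2);
	map[0] = 'x';                          /* works while the file is intact */
	if (write(ready_fd, &c, 1) != 1) _exit(2);
	if (read(go_fd, &c, 1) != 1) _exit(2); /* resume after the truncate */
	if (use_lock && whole_file_lock(fd, F_WRLCK) != 0) _exit(2);
	memcpy(map, "record", 6);              /* SIGBUS if the file is 0 bytes */
	_exit(0);
}

/* Returns the signal that killed the child, 0 if it exited cleanly,
 * -1 on a setup error. */
int run_restart(int use_lock)
{
	char path[] = "/tmp/cif_demo_XXXXXX";
	int ready[2], go[2], status;
	char c = 'g';
	int fd = mkstemp(path);

	if (fd < 0) return -1;
	unlink(path);
	if (ftruncate(fd, DB_SIZE) != 0 || pipe(ready) != 0 || pipe(go) != 0)
		return -1;
	pid_t pid = fork();
	if (pid < 0) return -1;
	if (pid == 0) child_store(fd, go[0], ready[1], use_lock);

	if (read(ready[0], &c, 1) != 1) return -1;
	/* Restarting parent: with the fix it locks before wiping the file. */
	if (use_lock && whole_file_lock(fd, F_WRLCK) != 0) return -1;
	if (ftruncate(fd, 0) != 0) return -1;
	if (write(go[1], &c, 1) != 1) return -1; /* child wakes inside the window */
	if (use_lock) {
		/* Rewrite to full size, then release; the child was blocked on
		 * the lock the whole time and now stores into a valid file. */
		if (ftruncate(fd, DB_SIZE) != 0) return -1;
		whole_file_lock(fd, F_UNLCK);
	}
	if (waitpid(pid, &status, 0) != pid) return -1;
	close(fd); close(ready[0]); close(ready[1]); close(go[0]); close(go[1]);
	if (WIFSIGNALED(status)) return WTERMSIG(status);
	return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void)
{
	printf("no lock:   child signal %d (SIGBUS is %d)\n", run_restart(0), SIGBUS);
	printf("with lock: child signal %d\n", run_restart(1));
	return 0;
}
```

In the unlocked run the file is deliberately left empty so the window stays open; in the real race the window is only the time between the truncate and the header rewrite.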
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1c35c22 s3: Pass down smb_filename to smbacl4_fill_ace4 from e65a24b s4-rpc: dnsserver: Ignore DNS zones that are not used by RPC dnsserver http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1c35c22e62253835e1c82fd44fe8532f6e79dbb9 Author: Volker Lendecke v...@samba.org Date: Tue Oct 9 09:41:41 2012 +0200 s3: Pass down smb_filename to smbacl4_fill_ace4 A full fsp is a bit overkill here Autobuild-User(master): Volker Lendecke v...@samba.org Autobuild-Date(master): Tue Oct 9 13:38:49 CEST 2012 on sn-devel-104 --- Summary of changes: source3/modules/nfs4_acls.c | 12 ++-- 1 files changed, 6 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index b4fd514..05f90f7 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -574,7 +574,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special( static bool smbacl4_fill_ace4( TALLOC_CTX *mem_ctx, - const files_struct *fsp, + const struct smb_filename *filename, smbacl4_vfs_params *params, uid_t ownerUID, gid_t ownerGID, @@ -582,7 +582,6 @@ static bool smbacl4_fill_ace4( SMB_ACE4PROP_T *ace_v4 /* output */ ) { - const char *filename = fsp-fsp_name-base_name; DEBUG(10, (got ace for %s\n, sid_string_dbg(ace_nt-trustee))); memset(ace_v4, 0, sizeof(SMB_ACE4PROP_T)); @@ -594,8 +593,8 @@ static bool smbacl4_fill_ace4( ace_nt-flags); /* remove inheritance flags on files */ - if (VALID_STAT(fsp-fsp_name-st) - !S_ISDIR(fsp-fsp_name-st.st_ex_mode)) { + if (VALID_STAT(filename-st) + !S_ISDIR(filename-st.st_ex_mode)) { DEBUG(10, (Removing inheritance flags from a file\n)); ace_v4-aceFlags = ~(SMB_ACE4_FILE_INHERIT_ACE| SMB_ACE4_DIRECTORY_INHERIT_ACE| 
@@ -641,7 +640,8 @@ static bool smbacl4_fill_ace4( } } else { DEBUG(1, (nfs4_acls.c: file [%s]: could not - convert %s to uid or gid\n, filename, + convert %s to uid or gid\n, + filename-base_name, sid_string_dbg(ace_nt-trustee))); return False; } @@ -707,7 +707,7 @@ static SMB4ACL_T *smbacl4_win2nfs4( SMB_ACE4PROP_T ace_v4; booladdNewACE = True; - if (!smbacl4_fill_ace4(mem_ctx, fsp, pparams, + if (!smbacl4_fill_ace4(mem_ctx, fsp-fsp_name, pparams, ownerUID, ownerGID, dacl-aces + i, ace_v4)) { DEBUG(3, (Could not fill ace for file %s, SID %s\n, -- Samba Shared Repository
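Review bot: in smbacl4_fill_ace4 the name filename used to be a local const char * and is now the const struct smb_filename * parameter, so any use of the old string that was missed would hand a struct pointer to a %s format and at best draw a warning. Naming the parameter smb_fname instead would make every leftover use fail to compile; the DEBUG(1, ...) call in the @@ -641 hunk, which now passes filename->base_name, is the only conversion visible here, so please check the rest of the function as well.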
[SCM] CTDB repository - branch master updated - ctdb-1.13-276-gc4f5a58
The branch, master has been updated via c4f5a58471b206e2287c7958c7f29c1f1c0626ac (commit) via 06dfd13604d08910e07cbf927c338d7b9fce9a2f (commit) from 212298279557a2833ef0f81809b4a5cdac72ca02 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit c4f5a58471b206e2287c7958c7f29c1f1c0626ac Author: Volker Lendecke v...@samba.org Date: Tue Oct 9 11:39:58 2012 +0200 Correct include for ctdb_protocol.h With an old ctdb_protocol.h installed under /usr/local, ctdb will not compile because the form of include will find the header under /usr/local commit 06dfd13604d08910e07cbf927c338d7b9fce9a2f Author: Amitay Isaacs ami...@gmail.com Date: Thu Sep 20 17:10:34 2012 +1000 Revert when creating/adding a public ip, set the initial interface to be the first interface specified This reverts commit 4308935ba48ac7a29e7523315acf580019715f0f. This fixes 16_ctdb_config_add_ip.sh test when run against local daemons. When running against local daemons, if the interface is assigned as soon as an IP is added, then takeover would never assign this IP address. Signed-off-by: Amitay Isaacs ami...@gmail.com --- Summary of changes: include/ctdb_client.h |2 +- server/ctdb_takeover.c |3 --- 2 files changed, 1 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/include/ctdb_client.h b/include/ctdb_client.h index c14a395..9f0589f 100644 --- a/include/ctdb_client.h +++ b/include/ctdb_client.h @@ -19,7 +19,7 @@ #ifndef _CTDB_CLIENT_H #define _CTDB_CLIENT_H -#include ctdb_protocol.h +#include ctdb_protocol.h enum control_state {CTDB_CONTROL_WAIT, CTDB_CONTROL_DONE, CTDB_CONTROL_ERROR, CTDB_CONTROL_TIMEOUT}; diff --git a/server/ctdb_takeover.c b/server/ctdb_takeover.c index 40bf4bc..775bb06 100644 --- a/server/ctdb_takeover.c +++ b/server/ctdb_takeover.c 
@@ -956,9 +956,6 @@ static int ctdb_add_public_address(struct ctdb_context *ctdb, talloc_free(vnn); return -1; } - if (i == 0) { - vnn-iface = ctdb_find_iface(ctdb, vnn-ifaces[i]); - } } DLIST_ADD(ctdb-vnn, vnn); -- CTDB repository
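Review bot: the revert in ctdb_add_public_address leaves vnn->iface unset when an address is added, and nothing in the code says that this is deliberate. The commit message explains that assigning the interface at add time stops takeover from ever assigning the IP; a short comment in the loop saying so would keep the removed "if (i == 0)" assignment from being reintroduced a second time.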
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2f0753b samba-tool: skip chown in sysvolreset when it would fail on a GID from 1c35c22 s3: Pass down smb_filename to smbacl4_fill_ace4 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2f0753b456c4d9b4eb52f128a83c8ba19adde160 Author: Andrew Bartlett abart...@samba.org Date: Fri Oct 5 10:19:17 2012 +1000 samba-tool: skip chown in sysvolreset when it would fail on a GID This skips the chown of the files if (for example) the domain Admins group were to own the file and not be able to because the group maps only to a GID. This essentially papers over the problem, but may be enough to get us past the Samba 4.0 release. Andrew Bartlett Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Tue Oct 9 15:24:44 CEST 2012 on sn-devel-104 --- Summary of changes: source4/scripting/python/samba/ntacls.py | 37 ++- .../scripting/python/samba/provision/__init__.py | 24 +++-- 2 files changed, 48 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/ntacls.py b/source4/scripting/python/samba/ntacls.py index 2108a64..44cbbe9 100644 --- a/source4/scripting/python/samba/ntacls.py +++ b/source4/scripting/python/samba/ntacls.py @@ -21,7 +21,7 @@ import os import samba.xattr_native, samba.xattr_tdb, samba.posix_eadb -from samba.dcerpc import security, xattr +from samba.dcerpc import security, xattr, idmap from samba.ndr import ndr_pack, ndr_unpack from samba.samba3 import smbd 
@@ -82,10 +82,43 @@ def getntacl(lp, file, backend=None, eadbfile=None, direct_db_access=True): return smbd.get_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL) -def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True): +def setntacl(lp, file, sddl, domsid, backend=None, eadbfile=None, use_ntvfs=True, skip_invalid_chown=False, passdb=None): sid = security.dom_sid(domsid) sd = security.descriptor.from_sddl(sddl, sid) +if not use_ntvfs and skip_invalid_chown: +# Check if the owner can be resolved as a UID +(owner_id, owner_type) = passdb.sid_to_id(sd.owner_sid) +if ((owner_type != idmap.ID_TYPE_UID) and (owner_type != idmap.ID_TYPE_BOTH)): +# Check if this particular owner SID was domain admins, +# because we special-case this as mapping to +# 'administrator' instead. +if sd.owner_sid == security.dom_sid(%s-%d % (domsid, security.DOMAIN_RID_ADMINS)): +administrator = security.dom_sid(%s-%d % (domsid, security.DOMAIN_RID_ADMINISTRATOR)) +(admin_id, admin_type) = passdb.sid_to_id(administrator) + +# Confirm we have a UID for administrator +if ((admin_type == idmap.ID_TYPE_UID) or (admin_type == idmap.ID_TYPE_BOTH)): + +# Set it, changing the owner to 'administrator' rather than domain admins +sd2 = security.descriptor.from_sddl(sddl, sid) +sd2.owner_sid = administrator + +smbd.set_nt_acl(file, security.SECINFO_OWNER |security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd2) + +# and then set an NTVFS ACL (which does not set the posix ACL) to pretend the owner really was set +use_ntvfs = True +else: +raise XattrBackendError(Unable to find UID for domain administrator %s, got id %d of type %d % (administrator, admin_id, admin_type)) +else: +# For all other owning users, reset the owner to root +# and then set the ACL without changing the owner +# +# This won't work in test environments, as it tries a real (rather than xattr-based fake) chown + +os.chown(file, 0, 0) 
+smbd.set_nt_acl(file, security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd) + if use_ntvfs: (backend_obj, dbname) = checkset_backend(lp, backend, eadbfile) ntacl = xattr.NTACL() diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index d5d57d2..9966192 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -1365,18 +1365,18 @@ SYSVOL_ACL = O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI POLICIES_ACL = O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA) -def
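Review bot: the new skip_invalid_chown branch in setntacl calls passdb.sid_to_id(sd.owner_sid) while passdb defaults to None, so a caller that sets skip_invalid_chown=True without passing a passdb gets an AttributeError rather than a usable error. Either check for passdb is None at the top of the branch and raise XattrBackendError, or document in a docstring that the two arguments go together. The fallback os.chown(file, 0, 0) also hands the file to root without saying why root is the right owner, beyond the remark about test environments; a sentence on that would help.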
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 66018ea packaging: Add config for systemd-tmpfiles. from 2f0753b samba-tool: skip chown in sysvolreset when it would fail on a GID http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 66018ea4fbe290cad6aef54454c1f0703f0dff40 Author: Andreas Schneider a...@cryptomilk.org Date: Tue Oct 9 14:25:29 2012 +0200 packaging: Add config for systemd-tmpfiles. Autobuild-User(master): Andreas Schneider a...@cryptomilk.org Autobuild-Date(master): Tue Oct 9 17:10:53 CEST 2012 on sn-devel-104 --- Summary of changes: packaging/systemd/README | 14 ++ packaging/systemd/samba.conf.tmp |1 + 2 files changed, 15 insertions(+), 0 deletions(-) create mode 100644 packaging/systemd/README create mode 100644 packaging/systemd/samba.conf.tmp Changeset truncated at 500 lines: diff --git a/packaging/systemd/README b/packaging/systemd/README new file mode 100644 index 000..c185b2c --- /dev/null +++ b/packaging/systemd/README @@ -0,0 +1,14 @@ +With systemd the /run or /var/run are tmpfs filesystems. This means +the direcories required by samba need to be created during startup. +This can be done with a config file for tmpfiles, see samba.conf.tmp. +You need to copy this file to the directoy systemd-tmpfiles is looking +for its config files e.g.: + +install -d -m 0755 /etc/tmpfiles.d/ +install -m644 samba.conf.tmp /etc/tmpfiles.d/samba.conf + +If you're a packager don't forget to run the systemd-tmpfiles binary +in the script after samba has been installed. This makes sure the +directory exists and you can start samba directly after the installation. + +/usr/bin/systemd-tmpfiles --create /etc/tmpfiles.d/samba.conf diff --git a/packaging/systemd/samba.conf.tmp b/packaging/systemd/samba.conf.tmp new file mode 100644 index 000..8a29577 --- /dev/null +++ b/packaging/systemd/samba.conf.tmp @@ -0,0 +1 @@ +d /var/run/samba 755 root root -- Samba Shared Repository
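Review bot: the added README has two typos, "direcories" and "directoy", and its two install lines spell the mode differently ("-m 0755" and "-m644"); please fix the spelling and use one form. The README text also mentions both /run and /var/run while samba.conf.tmp creates only /var/run/samba, so it is worth stating which path is expected on systems where they differ.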
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f88ab17 docs: Add '-V' to the list of options. via f9a4a9b samba-tool: Some more unifications... from 66018ea packaging: Add config for systemd-tmpfiles. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f88ab17993e22a9c368017d54da437c057e371ca Author: Karolin Seeger ksee...@samba.org Date: Tue Oct 9 11:56:19 2012 +0200 docs: Add '-V' to the list of options. Karolin Autobuild-User(master): Karolin Seeger ksee...@samba.org Autobuild-Date(master): Tue Oct 9 18:53:12 CEST 2012 on sn-devel-104 commit f9a4a9bfe11c1551b490a0bd12fb6904b4a6542b Author: Karolin Seeger ksee...@samba.org Date: Tue Oct 9 11:53:21 2012 +0200 samba-tool: Some more unifications... in the usage message. Karolin --- Summary of changes: docs-xml/manpages/samba-tool.8.xml |2 +- .../scripting/python/samba/netcmd/delegation.py|2 +- source4/scripting/python/samba/netcmd/domain.py|2 +- source4/scripting/python/samba/netcmd/drs.py |2 +- source4/scripting/python/samba/netcmd/dsacl.py |2 +- source4/scripting/python/samba/netcmd/fsmo.py |2 +- source4/scripting/python/samba/netcmd/gpo.py |2 +- source4/scripting/python/samba/netcmd/group.py |2 +- source4/scripting/python/samba/netcmd/ldapcmp.py |2 +- source4/scripting/python/samba/netcmd/ntacl.py |2 +- source4/scripting/python/samba/netcmd/rodc.py |2 +- source4/scripting/python/samba/netcmd/sites.py |2 +- source4/scripting/python/samba/netcmd/spn.py |2 +- source4/scripting/python/samba/netcmd/time.py |2 +- source4/scripting/python/samba/netcmd/user.py |2 +- source4/scripting/python/samba/netcmd/vampire.py |2 +- 16 files changed, 16 insertions(+), 16 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index c312ff0..a8f2afe 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -124,7 +124,7 @@ /varlistentry varlistentry - term--version/term + term-V|--version/term listitempara Display version number /para/listitem diff --git a/source4/scripting/python/samba/netcmd/delegation.py b/source4/scripting/python/samba/netcmd/delegation.py index 14182b2..47dffb0 100644 --- a/source4/scripting/python/samba/netcmd/delegation.py +++ b/source4/scripting/python/samba/netcmd/delegation.py @@ -253,7 +253,7 @@ class cmd_delegation_del_service(Command): class cmd_delegation(SuperCommand): -Delegation management +Delegation management. subcommands = {} subcommands[show] = cmd_delegation_show() diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py index 67732b1..6e3f35a 100644 --- a/source4/scripting/python/samba/netcmd/domain.py +++ b/source4/scripting/python/samba/netcmd/domain.py @@ -1331,7 +1331,7 @@ class cmd_domain_samba3upgrade(cmd_domain_classicupgrade): class cmd_domain(SuperCommand): -Domain management +Domain management. subcommands = {} subcommands[demote] = cmd_domain_demote() diff --git a/source4/scripting/python/samba/netcmd/drs.py b/source4/scripting/python/samba/netcmd/drs.py index fc71b69..074b7af 100644 --- a/source4/scripting/python/samba/netcmd/drs.py +++ b/source4/scripting/python/samba/netcmd/drs.py @@ -501,7 +501,7 @@ class cmd_drs_options(Command): class cmd_drs(SuperCommand): -Directory Replication Services (DRS) management +Directory Replication Services (DRS) management. subcommands = {} subcommands[bind] = cmd_drs_bind() diff --git a/source4/scripting/python/samba/netcmd/dsacl.py b/source4/scripting/python/samba/netcmd/dsacl.py index 36b0938..28aa843 100644 --- a/source4/scripting/python/samba/netcmd/dsacl.py +++ b/source4/scripting/python/samba/netcmd/dsacl.py @@ -176,7 +176,7 @@ class cmd_dsacl_set(Command): class cmd_dsacl(SuperCommand): -DS ACLs manipulation +DS ACLs manipulation. subcommands = {} subcommands[set] = cmd_dsacl_set() 
diff --git a/source4/scripting/python/samba/netcmd/fsmo.py b/source4/scripting/python/samba/netcmd/fsmo.py index 71d9879..15d1d49 100644 --- a/source4/scripting/python/samba/netcmd/fsmo.py +++ b/source4/scripting/python/samba/netcmd/fsmo.py @@ -269,7 +269,7 @@ all=all of the above), class cmd_fsmo(SuperCommand): -Flexible Single Master Operations (FSMO) roles management +Flexible Single Master Operations (FSMO) roles management. subcommands = {} subcommands[seize] = cmd_fsmo_seize() diff --git a/source4/scripting/python/samba/netcmd/gpo.py
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 615951e Make sure the returned sd is on the right context, and if not it's always freed. via 5afabdc9 Move setting of psd-dacl-revision and protect against null SD's. from f88ab17 docs: Add '-V' to the list of options. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 615951e4e77353547d91fb217b1861877540bde7 Author: Jeremy Allison j...@samba.org Date: Tue Oct 9 12:46:57 2012 -0700 Make sure the returned sd is on the right context, and if not it's always freed. Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Tue Oct 9 23:35:50 CEST 2012 on sn-devel-104 commit 5afabdc976d5ba1fd21dcdede85657b618fb6b76 Author: Jeremy Allison j...@samba.org Date: Tue Oct 9 12:45:30 2012 -0700 Move setting of psd-dacl-revision and protect against null SD's. --- Summary of changes: source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 10 +++--- 1 files changed, 7 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c index 2d34b9b..982b0b4 100644 --- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c @@ -2197,6 +2197,10 @@ WERROR _srvsvc_NetGetFileSecurity(struct pipes_struct *p, goto error_exit; } + if (psd psd-dacl) { + psd-dacl-revision = NT4_ACL_REVISION; + } + sd_size = ndr_size_security_descriptor(psd, 0); sd_buf = talloc_zero(p-mem_ctx, struct sec_desc_buf); @@ -2206,12 +2210,10 @@ WERROR _srvsvc_NetGetFileSecurity(struct pipes_struct *p, } sd_buf-sd_size = sd_size; - sd_buf-sd = psd; + sd_buf-sd = talloc_move(p-mem_ctx, psd); *r-out.sd_buf = sd_buf; - psd-dacl-revision = NT4_ACL_REVISION; - close_file(NULL, fsp, NORMAL_CLOSE); vfs_ChDir(conn, oldcwd); SMB_VFS_DISCONNECT(conn); @@ -2235,6 +2237,8 @@ error_exit: } done: + + TALLOC_FREE(psd); TALLOC_FREE(smb_fname); return werr; -- Samba Shared Repository
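Review bot: the TALLOC_FREE(psd) added under done: runs on the success path too, so it is only correct because talloc_move() clears psd after handing the descriptor to sd_buf->sd. A one-line comment at the talloc_move call would stop a later change back to a plain assignment, or to talloc_steal, from freeing the descriptor that was just returned in r->out.sd_buf. Separately, the new guard in the @@ -2197 hunk covers psd->dacl, but psd is still passed to ndr_size_security_descriptor(psd, 0) and stored in sd_buf unconditionally; if a NULL descriptor can reach this point, say what the caller is meant to get back.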