[Samba] Samba OpenLDAP Domain issue

2013-03-16 Thread 25Dollar Tech
Hello Team,

I am using samba 3.6.3 in ubuntu as file server and also I have a
domain controller in my organization both are different servers.

I am able to register SAMBA as domain controller successfully, and I could
see SAMBA Domain with SID populated in my OpenLDAP. But my problem is when
I configure samba as file server. SAMBA is pulling the host name and
registering to OpenLDAP as domain.

Example My Domain name is test.

My file server host name is fileserver01

I could see test and fileserver01 in my openldap with SID. why this
is happening, since this is just configured as file server. and also I do
not have winbind configured in my file server. below are my configuration
details.


[global]

workgroup = test

server string = %h server (Samba, Ubuntu)

wins server = 192.168.1.2

dns proxy = no

name resolve order = lmhosts host wins bcast

disable spoolss = no
spoolss : architecture = Windows x64

log file = /var/log/samba/log.%m

max log size = 1000


syslog = 0

panic action = /usr/share/samba/panic-action %d


security = user

encrypt passwords = true


passdb backend = ldapsam:ldap://servername
ldap suffix = dc=aa,dc=bb,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=aa,dc=bb,dc=com
ldap ssl = no



map to guest = bad user

domain logons = yes

load printers = yes

printing = cups
printcap name = cups

socket options = TCP_NODELAY

domain master = no

usershare allow guests = yes

[homes]
create mask = 0700
directory mask = 0700
browseable = no
comment = Home Directories
valid users = %S
writable = yes
available = no


[printers]
comment = All Printers
public = yes
printable = yes
path = /var/spool/samba

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
writeable = yes
public = yes
path = /var/lib/samba/printers
write list = root,@Onsite-Admins

[iMigrate]
force create mode = 770
valid users = @Onsite-Admins
create mode = 770
path = /data/imigrate
write list = @Onsite-Admins
force directory mode = 770
directory mode = 770







-- 
*Thanks & Regards,
25dollarTech Team
https://sites.google.com/site/25dollartech/*
*Email: 25dollartechh...@gmail.com*
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba 4 samba-tool user encrypted password

2013-03-16 Thread Bruno Defrance
Hello 

You cannot currently do this via tools, but see
discussions on this list for examples of code that can set the magic
flags to allow this.

I'm sorry but I don't find the magic code for injected {SSHA}password when I
create user ?

I extract user password from LDAP Zimbra for synchro with SAMBA4 AD ...

My English is really poor ... I'm sorry !

Can you help me ? 

Thank you 


-- 


Ville de Gières 
Bruno Defrance 
GIS mapping technician / IT technician
Mairie de Gières 
04 76 89 36 36 


- Original message -

From: Andrew Bartlett abart...@samba.org
To: sergio.conrad sergio.con...@laposte.net
Cc: samba@lists.samba.org
Sent: Wednesday 16 January 2013 12:05:56
Subject: Re: [Samba] samba 4 samba-tool user encrypted password

On Wed, 2013-01-16 at 10:41 +0100, sergio.conrad wrote: 
 Hello, 
 
 thanks with the good job with samba 4. 
 I was wondering, is there a possibility to use an already encrypted password 
 like sambaNTPassword or {SSHA} encrypted password with samba-tool user 
 command ? 

We need the plaintext because we need to make not only arcfour-hmac-md5 
key (the unicodePwd, the NT hash), but also AES keys and (if configured) 
DES keys. 

You can set only the unicodePwd if you must, to the NT hash value, but 
not a {SSHA} value. You cannot currently do this via tools, but see
discussions on this list for examples of code that can set the magic 
flags to allow this. 

Andrew Bartlett 

-- 
Andrew Bartlett http://samba.org/~abartlet/ 
Authentication Developer, Samba Team http://samba.org 
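
Added example, not part of the thread and not Samba's code: it shows why the quoted reply says the plaintext is needed. The NT hash and the AES key material are each computed from the plaintext password, while an {SSHA} value can only be used to test a candidate password. Assumptions: the password, realm, account names and salt are constructed sample values, the AES salt is taken as upper-case realm + account name, and only the PBKDF2 stage of the RFC 3962 AES string-to-key is computed (the final key-derivation step needs AES and is left out).

```python
import base64
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF
_R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib may not offer md4 on OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a0, b0, c0, d0 = a, b, c, d
        for i in range(16):  # round 1: F(b, c, d)
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rol((a + f + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G(b, c, d)
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rol((a + g + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H(b, c, d)
            h = b ^ c ^ d
            k = _R3_ORDER[i]
            a, b, c, d = d, _rol((a + h + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + a0) & _MASK, (b + b0) & _MASK, (c + c0) & _MASK, (d + d0) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash (the arcfour-hmac-md5 key): MD4 over the UTF-16LE plaintext."""
    return md4(password.encode("utf-16-le"))


def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """The only thing {SSHA} allows: test whether a candidate plaintext matches."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def aes_pbkdf2_stage(password: str, realm: str, user: str, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key (4096 iterations).

    Salt = upper-case realm + account name (assumed). The result still has to
    go through the AES-based DK() step to become the final Kerberos key.
    """
    salt = (realm.upper() + user).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, length)


def derive_from_plaintext(password: str, realm: str, user: str) -> dict:
    """Everything here needs the plaintext; none of it can be computed from {SSHA}."""
    return {
        "nt_hash": nt_hash(password).hex(),
        "aes256_pbkdf2": aes_pbkdf2_stage(password, realm, user, 32).hex(),
        "aes128_pbkdf2": aes_pbkdf2_stage(password, realm, user, 16).hex(),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    password, realm, user = "Sample-Passw0rd", "example.com", "alice"
    stored = make_ssha(password, b"\x10\x20\x30\x40")
    print("stored {SSHA} value :", stored)
    print("candidate matches   :", check_ssha(password, stored))
    for name, value in derive_from_plaintext(password, realm, user).items():
        print(f"{name:20s}: {value}")
```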



Re: [Samba] DC Replication issue

2013-03-16 Thread Tanner, Douglas C CIV SPAWARSYSCEN-ATLANTIC, 58500
Thanks for the reply.  Unfortunately it turned out to be a firewall on the 
Samba server.  Once disabled, everything worked as expected.
 
Thanks,
 
Doug Tanner

 


From: Justin Clacherty [mailto:jus...@redfish.com.au]
Sent: Fri 2/1/2013 12:37 AM
To: Tanner, Douglas C CIV SPAWARSYSCEN-ATLANTIC, 58500; samba@lists.samba.org
Subject: RE: DC Replication issue



I've had a similar issue with replication working in the Windows to Samba 
direction but not Samba to Windows.  Mine complains about the schema not being 
correct (even though it got it from Windows when it first joined).  Haven't 
been able to get it working yet and then got side-tracked with actual work :-)

I'm wondering if Samba is adding Unix services to the schema and is trying to send
that up to the Windows box during the schema replication.  Given it's not the 
schema master it probably isn't allowed to so Windows ignores it, then ignores 
all other replication because of a schema mismatch.

Justin.


 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of Tanner, Douglas C CIV
 SPAWARSYSCEN-ATLANTIC, 58500
 Sent: Tuesday, 8 January 2013 6:53 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] DC Replication issue

 More information included.  I am still unable to replicate data from my
 Samba4 DC to my Windows 2008 R2 AD DC.  Any help would be greatly
 appreciated.

 C:\Windows\system32>repadmin /showrepl

 Repadmin: running command /showrepl against full DC localhost
 Default-First-Site-Name\DODAGM2008R2
 DSA Options: IS_GC
 Site Options: (none)
 DSA object GUID: e8f1e94c-3e5a-4422-aefb-bfe6f7260e6f
 DSA invocationID: e8f1e94c-3e5a-4422-aefb-bfe6f7260e6f


 Source: Default-First-Site-Name\RHEL6-WS
 *** 2 CONSECUTIVE FAILURES since 2013-01-07 15:39:14 Last error: 1722
 (0x6ba):
 The RPC server is unavailable.

 Naming Context:
 CN=Schema,CN=Configuration,DC=dougt,DC=local,DC=spawar,DC=navy
 Source: Default-First-Site-Name\RHEL6-WS
 *** WARNING: KCC could not add this REPLICA LINK due to error.

 Naming Context: DC=dougt,DC=local,DC=spawar,DC=navy
 Source: Default-First-Site-Name\RHEL6-WS
 *** WARNING: KCC could not add this REPLICA LINK due to error.

 Naming Context: CN=Configuration,DC=dougt,DC=local,DC=spawar,DC=navy
 Source: Default-First-Site-Name\RHEL6-WS
 *** WARNING: KCC could not add this REPLICA LINK due to error.

 Thanks,

 Doug

 -Original Message-
 From: Tanner, Douglas C CIV SPAWARSYSCEN-ATLANTIC, 58500
 Sent: Friday, January 04, 2013 2:47 PM
 To: 'samba@lists.samba.org'
 Subject: DC Replication issue

 Hello all.  I have successfully joined a Samba 4 DC running RHEL6 to an 
 existing
 Windows AD DC running on 2008 R2, with the exception that users created
 via the samba-tool are  not replicating to the Windows AD DC.  Replication is
 working from Windows to Samba.  I'm sure this is probably an issue on the
 Windows side of the house, but I cannot find any errors in the logs.  Has
 anyone else run into a similar issue?

 Thanks,

 Doug




[Samba] Share for Windows app and dbf and cdx files

2013-03-16 Thread Eduardo Sotomayor

I need to set up a samba share for a Windows App, this app is uncompressed in a 
share and includes, .exe .dll, cdx, dbf, and fpt files, and can be executed 
from a windows client by just clicking the exe file, I have read this 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/locking.html, but I 
would like to see a working example for sharing this type of files in a samba 
share, and also an example for a mdb database share that is accessed by
several users at once

thanks
  


[Samba] Samba4 with existing DNS server

2013-03-16 Thread Eduardo Sotomayor

How can I configure samba4 DNS if I have a working dns server in the same 
server where samba4 will be working or in another server?
  


[Samba] Samba: Debugging

2013-03-16 Thread David Detrich


 Samba,

 I think Dustin Thomson from Canada is running Samba with Grub  
and Yellowface which has turned my face grubby and yellow with a white  
beard. I would like some Samba Debugging so that my eyebrows and face  
are not Masked for a Samba program. Can you keep me off of the Samba  
list, and unmask my face?


David Detrich
Iron River, MI
USA

Views From The Hill
dustint.com/


[Samba] samba4 and existing DNS server

2013-03-16 Thread Eduardo Sotomayor

How can I configure samba4 to work with BIND9 DNS if I have a working dns 
server in the same server or a working DNS in another server with existing 
zones?   


[Samba] Groups not updating on 3.5.10 (centos) or 3.6.12 (enterprise samba)

2013-03-16 Thread Alessandro Giorgio Togna

Hello everybody,
we're trying to set-up Samba to share directories with Win users from 
some Linux servers.
We've set up kerberos, gotten a ticket, joined the server to the domain, 
we get correct users/groups from wbinfo and getent.
The problem lies in id: it does not update its user-group mappings 
when they change on AD, even if wbinfo and getent get the changes.
If we erase the /var/lib/samba/*.tdb cache the mappings get updated, but 
I guess this should not be the case, they should update automagically.
A thing we've noticed is that net rpc info on all our DCs always 
returns 1 as the sequence number.
We've tried this configuration with centos original rpms and with 
EnterpriseSamba rpms for centos.



krb5.conf:

   [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

   [libdefaults]
 default_realm = AAA.LOC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
   # default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
   # default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

 AAA.LOC = {
  kdc = addc01pl.aaa.loc
  kdc = addc02pl.aaa.loc
  admin_server = addc01pl.aaa.loc
  default_domain = AAA.LOC
 }

   [AAA.LOC]
 .aaa.loc = AAA.LOC
 aaa.loc = AAA.LOC

lmhosts:

   127.0.0.1 localhost
   192.168.0.250 AAA

smb.conf:

   [global]
   workgroup = AAA
   realm = AAA.LOC
   netbios name = BBB
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   security = ads
   domain master = no
   idmap uid = 1-2
   idmap gid = 1-2
   #map untrusted to domain = yes
   winbind use default domain = yes
   client ntlmv2 auth = yes
   interfaces = eth2 lo
   bind interfaces only = yes
   #log level = 3
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 60
   password server = 192.168.0.250, 192.168.0.251
   max protocol = SMB2
   load printers = no
   printing = bsd
   printcap name = /dev/null
   show add printer wizard = no
   disable spoolss = yes
   idmap cache time = 1
   idmap negative cache time = 1

Thanks for all the help we can get! (we've been reading and trying lots 
of things on forums/mailinglists, but to no avail).


--
Alessandro Giorgio Togna


Area Sistemi
Università degli Studi G.Marconi
diretto +39 06 37725445
centralino  +39 06 377251
http://www.unimarconi.it
http://www.marconichannel.tv
http://www.marconistudios.it


[Samba] configure with --with-ads failed get krb5 libs don't have all features required for Active Directory support error

2013-03-16 Thread ????
Dear all,
I get krb5 libs don't have all features required for Active Directory
support errors when configure with --with-ads source3 code.
as:
[root@RedHatEL5 source3]# pwd
/root/samba-4.0.2/source3
[root@RedHatEL5 source3]#  ./configure --with-ads
SAMBA VERSION: 4.0.2
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
LIBREPLACE_LOCATION_CHECKS: START
LIBREPLACE_LOCATION_CHECKS: END
LIBREPLACE_CC_CHECKS: START
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
...
...
...
checking for krb5_addresses type... no
checking for krb5_error_code krb5_enctype_to_string(krb5_context context, krb5_enctype enctype, char **str)... no
checking for krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, char *str, size_t len)... yes
checking for krb5_principal_get_realm... no
checking for krb5_princ_realm... yes
checking for KRB5_PDU_NONE declaration... no
checking for flags in krb5_creds... no
configure: WARNING: krb5_get_init_creds_opt_alloc found in -lkrb5
configure: WARNING: krb5_principal_compare_any_realm not found in -lkrb5
configure: WARNING: gss_wrap_iov not found in -lgssapi
configure: WARNING: need either gss_get_name_attribute or gsskrb5_extract_authz_data_from_sec_context and gss_inquire_sec_context_by_oid in -lgssapi for PAC support
configure: error: krb5 libs don't have all features required for Active Directory support
the attachment is config.log


Any help appreciated


thanks

[Samba] Re: configure with --with-ads failed get krb5 libs don't have all features required for Active Directory support error

2013-03-16 Thread ????
thanks very much for answer.

I think if I just want to build file server of samba4, it should use the
autoconf source3/ build system to build samba, is it right?

do you mean if I want to use a system MIT kerberos, it require kerberos1.8 or
above in source3?  I found it can build samba-3.6.9/source3 with MIT
kerberos1.4. is it right?

-- Original message --
From: abartlet abart...@samba.org
Sent: 2013-02-27 (Wed) 7:31
To: 309554...@qq.com
Cc: samba-technical samba-techni...@samba.org; samba samba@lists.samba.org
Subject: Re: configure with --with-ads failed get krb5 libs don't have all features required for Active Directory support error

 

On Wed, 2013-02-27 at 19:10 +0800,  wrote:
 Dear all,
 I get krb5 libs don't have all features required for Active Directory 
 support errors when configure with --with-ads source3 code.
 as:   
 [root@RedHatEL5 source3]# pwd
 /root/samba-4.0.2/source3
 [root@RedHatEL5 source3]#  ./configure --with-ads 
 SAMBA VERSION: 4.0.2
 checking build system type... i686-pc-linux-gnu
 checking host system type... i686-pc-linux-gnu
 checking target system type... i686-pc-linux-gnu
 LIBREPLACE_LOCATION_CHECKS: START
 LIBREPLACE_LOCATION_CHECKS: END
 LIBREPLACE_CC_CHECKS: START
 checking for gcc... gcc
 checking whether the C compiler works... yes
 checking for C compiler default output file name... a.out
 ...
 ...
 ...
 checking for krb5_addresses type... no
 checking for krb5_error_code krb5_enctype_to_string(krb5_context context, 
 krb5_enctype enctype, char **str)... no
 checking for krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, 
 char *str, size_t len)... yes
 checking for krb5_principal_get_realm... no
 checking for krb5_princ_realm... yes
 checking for KRB5_PDU_NONE declaration... no
 checking for flags in krb5_creds... no
 configure: WARNING: krb5_get_init_creds_opt_alloc found in -lkrb5
 configure: WARNING: krb5_principal_compare_any_realm not found in -lkrb5
 configure: WARNING: gss_wrap_iov not found in -lgssapi
 configure: WARNING: need either gss_get_name_attribute or 
 gsskrb5_extract_authz_data_from_sec_context and 
 gss_inquire_sec_context_by_oid in -lgssapi for PAC support
 configure: error: krb5 libs don't have all features required for Active 
 Directory support
 the attachment is config.log 
 
 
 Any help appreciated

Why are you using the autoconf source3/ build system?

Just build in the top level directory, and we will use our internal
Heimdal kerberos.

In any case, if you want to use a system MIT kerberos, we require 1.8 in
source3 and 1.9 in the top level build.  Earlier versions are not able
to support our requirements, which is why we bundle a known working
version of Heimdal.

Andrew Bartlett


-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] multiple dc's

2013-03-16 Thread Cristian Saavedra
Hello

In our company we have 5 remote office, I'm trying to setup a replicated domain
across this sites, using vpn, is multiple DCs supported? can I use the RODC
option or is not yet implemented?

I try to setup the replication between this servers but I'm starting to get
several WERR_BADFILE error and now I get a WERR_DS_DRA_INTERNAL_ERROR

Appreciate any help


[Samba] DNS Replication Between Samba4 DCs

2013-03-16 Thread Andrew Hamilton
I have been able to successfully install and configure a primary DC with Ubuntu 
12.04 and the samba4 package as well as configure and join a secondary DC to 
the primary.  However, I cannot get DNS entries to replicate from the primary to
the secondary (I haven't tried the other way around but I would like that 
working as well).  Both are using BIND9_DLZ.  Is DNS replication even supported 
with this setup or do I have to use the SAMBA INTERNAL setting?

-Andrew Hamilton
Project Engineer
www.facilityone.com

[Samba] Samba4 - PDC to DC file replication

2013-03-16 Thread C Waddy
Hi,

I have built two samba4 boxes, one as a PDC and the other as a DC, all working
perfectly. If I create a user through the mmc snapin then turn off the PDC,
I can still login to the domain using the DC which is great. The problem is
their file permissions.

I have assigned user and group rights using windows explorer to certain
folders, i.e granted user1 full permissions to that folder

The problem I have is trying to replicate the users data/files from PDC to
DC whilst keeping the NTFS permissions that have been set. Rsync doesn't
seem to keep the ntfs permissions

The reason for this is if the PDC goes down, user logs on using the DC and
can access their files which have retained their files and permissions.

Is there some way to achieve this?

Any help appreciated.


Re: [Samba] problem with adding printers to samba4 [solved]

2013-03-16 Thread chantal rosmuller

On 02/28/2013 03:47 PM, Andrew Martin wrote:

- Original Message -

From: Chantal Rosmuller chan...@antenna.nl
To: samba@lists.samba.org
Sent: Thursday, February 28, 2013 7:53:44 AM
Subject: Re: [Samba] problem with adding printers to samba4 [solved]

I solved it myself, the rpm I installed was not compiled with cups
support

On 02/27/2013 02:56 PM, Chantal Rosmuller wrote:

Hi,

I have a problem setting up shared printers in samba4, I used the
manual in

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Step_13:_Setup_a_Printer_share


- I added a printer using cups
- I added the printer and printer driver share as written in the
wiki
- I logged on as samba 4 administrator on a windows 7 client
- I tried to add the printer

On windows I get access denied; on the samba4 server in
/var/log/samab4/log/smbd I get:

Add printer for printer Ricoh Aficio MP 4000 PCL6 called and no
smb.conf parameter addprinter command is defined. This parameter
must exist for this call to succeed

I thought the addprinter command was not available anymore for
samba4?

The server is a CentOS release 6.3
samba version: samba4-4.0.1

smb.conf:


# Global parameters
[global]
 workgroup =DOMAIN
 realm = domain.nl
 netbios name = PUPPETDEV01
 server role = active directory domain controller
 dns forwarder = 172.19.1.12

[netlogon]
 path = /var/lib/samba4/sysvol//domain.nl/scripts
 read only = No

[sysvol]
 path = /var/lib/samba4/sysvol/
 read only = No

[printers]
 comment = All Printers
 path = /var/lib/samba4/spool
 browseable = Yes
 read only = No
 printable = Yes

[print$]
 comment = Point and Print Printer Drivers
 path = /var/lib/samba4/print
 read only = No



Chantal,

Can you elaborate a bit on how you have integrated CUPS into your
samba4 environment? I have configured a samba4 DC and set up a separate
CUPS server with samba3 to export the printer share. In samba4, where/how
do you set up the printers? Is there a way to push them out to domain
computers using Group Policy?

Thanks,

Andrew

Sure, I compiled samba 4 with cups support enabled and configured it as
a DC. Then I installed cups with yum. Added a printer in the cups 
webinterface. I added this to smb.conf:


[printers]
comment = All Printers
path = /var/lib/samba4/spool
browseable = Yes
read only = No
printable = Yes

[print$]
comment = Point and Print Printer Drivers
path = /var/lib/samba4/print
read only = No


created the spool and chmodded it to 1777
created the printer driver directory

Now I am not quite sure whether I added the following as I do not have 
access to the server right now. But I might have added to the global
section in smb.conf:


load printers = yes
printing = cups

then I joined a windows 7 pc to the domain, went to \\servername\ and 
there it was, the new printer


So it was actually exactly like the wiki said

As for your group policy question, I don't know. If I find out I'll post it.



[Samba] smbclient socket options

2013-03-16 Thread basteon
Hi,
smbclient -N -L 172.22.27.10 -O keepalive=10
Not working client anyway wait long time, how use keepalive for
nonexistent services or filtered?


[Samba] Samba4

2013-03-16 Thread david elaissi

Hi,

In /usr/local/samba/var/, I created the directory profiles to receive 
the users roaming profiles.


or /usr/local/samba/profiles has owner root and group staff.
I created a user control by user1 samba-tool user add user1
I created user1 directory under /usr/local/samba/profiles for I 
/usr/local/samba/profiles/user1


How do you have for not owner root but the owner user1
How do you have for not the group staff but the group Domain Users

Since the following does not work: chown user1: Domain Users / 
usr/local/samba/profiles/user1.


Other question :

I will also ask you questions about the internal DNS SAMBA 4, I managed 
to add type RECORD

A, NS, CNAME, but I still do not know how it adds RECORD SOA   ?

David


Re: [Samba] winbind: how to fix uid/SID mapping following migration to a new DC

2013-03-16 Thread Brian Schonecker
Did you ever get a resolution to your issue with UIDs not matching?

I have the same problem and I cannot for the life of me get my UIDs to
come from Active Directory.

If you did solve it with using the

idmap config DOMAIN : backend = ad

would you be so kind as to share?  I am only able to get

idmap config * :  backend = tdb

to work.  I have never been able to get UIDs for particular domain to
work.   Only the * seems to 'hit'


Thanks, Brian


[Samba] Server 2012 Encrypted Shares

2013-03-16 Thread Cory Spence
Hello Samba folks!

Server 2012 has an option to enable in-transit data encryption with Windows
8 clients using SMB 3.0.

 (
http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-47-85-metablogapi/2313.clip_5F00_image00111_5F00_757A262D.jpg
)

I ran across a presentation from Michael Adam where he mentioned that the
SMB 3.0 implementation in Samba 4 supports new crypto (sign/encrypt). Not
sure that means what I want it to but I remain hopeful.  :-)

(
http://www.snia.org/sites/default/files2/SDC2012/presentations/SMB2-3/MichaelAdam-Status-smb3-samba-presentation.pdf
)

In all my efforts, I can't seem to get this to work in the lab.  Does Samba
4 support SMB 3.0 encrypted shares?  This would include either where the
Samba server is serving out an encrypted share as the file server or as a
client connecting to a Server 2012 encrypted share.

Many thanks!
Cory



[Samba] Quick regtree question

2013-03-16 Thread Dean Williams
Hi all; 

Shot in the dark here, but I am attempting to use regtree and I've noticed that 
it seems to simply dump the entire registry even if a location is specified 
(i.e. HKEY_LOCAL_MACHINE\SOFTWARE) - is this how it is intended to work or am I 
simply 'doing it wrong'. 

Thanks for any light anyone might be able to provide!  


DEAN WILLIAMS / Block 64
phone: +1 (416) 436-8518
web: www.block64.com (http://www.block64.com/)
twitter: @block64corp (http://www.twitter.com/block64corp)








[Samba] RHEL/CentOS 6.4 conflict with Samba 3.6.12

2013-03-16 Thread Fred Kienker
We are currently testing the update to RHEL/CentOS 6.4 on a system
running the SerNet rpms for Samba 3.6. It appears there is a conflict
with the Kerberos update in 6.4 and the libsmbclient in the SerNet
3.6.12 rpms.

 

---> Package krb5-libs.x86_64 0:1.9-33.el6_3.3 will be updated
--> Processing Conflict: krb5-libs-1.10.3-10.el6.x86_64 conflicts libsmbclient < 3.5.10-124
--> Finished Dependency Resolution
Error: krb5-libs conflicts with libsmbclient0
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

 

RPM shows:

Package name: libsmbclient0
Update system: YUM
Package description: SerNet Samba client library
Current state: Running latest 3.6.12-44.el6
Installed version: 3.6.12-44.el6
Available version: 3.6.12-44.el6
Installation source: Sernet-samba

 

It appears an update to the SerNet rpm is necessary to resolve this
issue or am I missing something obvious?

Best regards,

Fred

Fred Kienker
fkien...@at4b.com
P: 770.518.6166

AT4B
5261 Sunset Trail
Marietta, GA 30068

Advanced Technologies for Business



[Samba] Error in DRS Showrepl

2013-03-16 Thread franck
It is !!

Thanks !!

But what about that :

From DC2 I run samba-tool drs showrepl DC1


Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:DC1[1024,seal]
NT_STATUS_UNSUCCESSFUL
ERROR(class 'samba.drs_utils.drsException'): DRS connection to DC1
failed - drsException: DRS connection to DC1 failed: (-1073741823,
'Undetermined error')
  File /samba/lib/python2.6/site-packages/samba/netcmd/drs.py, line
39, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File /samba/lib/python2.6/site-packages/samba/drs_utils.py, line
54, in drsuapi_connect
raise drsException(DRS connection to %s failed: %s % (server, e))


[Samba] Moving user account to new filesystem

2013-03-16 Thread Snyder, Gabrielle S. (LARC-D322)[HP ES]
Good day,
I have had samba (3.0.33) working for some time on my Redhat Enterprise 5.1 
workstation.  I recently had to move one of my user's home directory to a 
different filesystem.  I changed everything in Samba appropriately, but I can't 
map his home directory to Windows anymore.  I have restarted the smb service 
and reset his password.  It acts like the password is incorrect, bringing up 
the login window repeatedly after attempting the authentication.

Any ideas would be greatly appreciated!

Gabrielle Snyder



[Samba] S4 : trusting NT4 domain

2013-03-16 Thread DDT 67/SG/MGI/CI (Cellule informatique) emis par BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI

Hi!

I want to trust a 2003 domain on my S4 PDC.

The final goal is to access shares on the 2003 domain.

How do I do this?

Thanks



[Samba] Installation Samba on RHEL6.4

2013-03-16 Thread Johann Fock
Hello

First I tried to install Samba 3.5.21 on RHEL 6.4.
I'm getting the message:

Loaded plugins: kabi, product-id, refresh-packagekit, rhnplugin, security, 
subscription-manager
This system is not registered to Red Hat Subscription Management. You can use 
subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Loading support for Red Hat kernel ABI
Setting up Install Process
Resolving Dependencies
-- Running transaction check
--- Package samba.x86_64 0:3.6.9-151.el6 will be obsoleted
--- Package samba3.x86_64 0:3.5.21-44.el6 will be obsoleting
-- Processing Dependency: samba3-client for package: 
samba3-3.5.21-44.el6.x86_64
-- Running transaction check
--- Package samba-common.x86_64 0:3.6.9-151.el6 will be obsoleted
-- Processing Dependency: samba-common = 3.6.9-151.el6 for package: 
samba-winbind-3.6.9-151.el6.x86_64
--- Package samba3-client.x86_64 0:3.5.21-44.el6 will be obsoleting
-- Processing Dependency: libwbclient.so.0()(64bit) for package: 
samba3-client-3.5.21-44.el6.x86_64
-- Running transaction check
--- Package libwbclient0.x86_64 0:3.5.21-44.el6 will be installed
--- Package samba-winbind.x86_64 0:3.6.9-151.el6 will be obsoleted
--- Package samba-winbind-clients.x86_64 0:3.6.9-151.el6 will be obsoleted
-- Processing Dependency: samba-winbind-clients = 3.6.9-151.el6 for package: 
libsmbclient-3.6.9-151.el6.x86_64
--- Package samba3-winbind.x86_64 0:3.5.21-44.el6 will be obsoleting
-- Running transaction check
--- Package libsmbclient.x86_64 0:3.6.9-151.el6 will be obsoleted
--- Package libsmbclient0.x86_64 0:3.5.21-44.el6 will be obsoleting
-- Processing Conflict: krb5-libs-1.10.3-10.el6.x86_64 conflicts libsmbclient 
 3.5.10-124
-- Finished Dependency Resolution
Error: krb5-libs conflicts with libsmbclient0-3.5.21-44.el6.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest


Can somebody help me?



Johann Fock





[Samba] Strange corruption problem of Win7

2013-03-16 Thread Nishant Sharma
Hello,

I am running Samba 4.0.1 as AD DC. I have configured GPOs for
redirecting folders (Application Data, Documents etc.).

Yesterday, there was a strange problem. The network switch suddenly went
kaput and all machines lost connection to the DC. Users logged off and
when they are trying to start machine today, Windows 7 can not start.

Few of the machines had restore points for day before yesterday and they
could be restored. All others are in the need of re-installation.

Has anyone faced such kind of problem earlier? Could it be related to
redirecting the AppData(Roaming) folder?

Let me know if more information is required.

Thanks & regards,
Nishant


[Samba] samba4 as DC problems

2013-03-16 Thread MGY

Hi! Please help to resolve some issues. I'm running Samba DC Version
4.1.0pre1-GIT-229d934 on Debian 6 (and I'm not familiar with Linux at all).

Almost all primary services are working well: users can authenticate against the DC,
workstations apply policy, file services run perfectly, but I can't set up
DNS dynamic updates.

I'm running Bind 9.9.2

Code:
named -V
BIND 9.9.2 built with '--prefix=/usr' '--sysconfdir=/etc' 
'--localstatedir=/var' '--mandir=/usr/share/man' '--enable-threads' 
'--with-libtool'
using OpenSSL version: OpenSSL 0.9.8o 01 Jun 2010 using libxml2 version: 2.7.8.

My named.conf is as follows:

Code:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

key "rndc-key" {
    algorithm hmac-md5;
    secret "gxFSRw6DE1rJZziIPZP71Q==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};


include "/etc/bind/named.conf.options";
#include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";
#include "/usr/local/samba/private/dns_update_list";
logging {
};

Code:
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    #  tkey-gssapi-credential "DNS/EM.ORG";
    tkey-domain "EM.ORG";


    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        172.29.78.11;
        172.29.78.4;
    };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};

When I uncomment   #tkey-gssapi-credential DNS/EM.ORG;
Bind9 fails to start and logs the following:

Code:
Jan 31 11:12:05 EM-DC named[3396]: configuring TKEY: failure
Jan 31 11:12:05 EM-DC named[3396]: loading configuration: failure
Jan 31 11:12:05 EM-DC named[3396]: exiting (due to fatal error)


and
Code:
Jan 31 09:25:27 EM-DC named[1481]: samba_dlz: starting transaction on zone 
em.org
Jan 31 09:25:27 EM-DC named[1481]: client 192.168.7.22#64036: update 
'em.org/IN' denied
Jan 31 09:25:27 EM-DC named[1481]: samba_dlz: cancelling transaction on zone 
em.org
Jan 31 09:25:48 EM-DC named[1481]: samba_dlz: starting transaction on zone 
em.org
Jan 31 09:25:48 EM-DC named[1481]: client 192.168.7.20#61429: update 
'em.org/IN' denied
Jan 31 09:25:48 EM-DC named[1481]: samba_dlz: cancelling transaction on zone 
em.org   
Jan 31 09:25:48 EM-DC named[1481]: client 192.168.7.20#55001: request has 
invalid signature: TSIG 1136-ms-7.1-52ef.9f4ed036-6b6f-11e2-31a7-8c89a5ffcfe7: 
t$
Jan 31 09:26:53 EM-DC named[1481]: samba_dlz: starting transaction on zone 
em.org
Jan 31 09:26:53 EM-DC named[1481]: client 192.168.7.13#60999: update 
'em.org/IN' denied
Jan 31 09:26:53 EM-DC named[1481]: samba_dlz: cancelling transaction on zone 
em.org

The second question is about a message that appears randomly in the log:

Code:
Jan 31 09:29:34 EM-DC smbd[2029]: [2013/01/31 09:29:34.640810,  0] 
../source4/lib/messaging/messaging.c:633(imessaging_init)
Jan 31 09:29:34 EM-DC smbd[2029]:   Unable to setup messaging listener for 
'/usr/local/samba/private/smbd.tmp/msg/msg.2029.2':NT_STATUS_ACCESS_DENIED
Jan 31 09:29:34 EM-DC smbd[2029]: [2013/01/31 09:29:34.641125,  0] 
../source3/rpc_server/dcesrv_auth_generic.c:40(auth_generic_server_authtype_start)
Jan 31 09:29:34 EM-DC smbd[2029]:   
../source3/rpc_server/dcesrv_auth_generic.c:40: auth_generic_prepare failed: 
NT_STATUS_INVALID_SERVER_STATE
Jan 31 09:29:34 EM-DC smbd[2029]: [2013/01/31 09:29:34.641266,  0] 
../source3/rpc_server/srv_pipe.c:555(pipe_auth_generic_bind)
Jan 31 09:29:34 EM-DC smbd[2029]:   ../source3/rpc_server/srv_pipe.c:555: 
auth_generic_server_authtype_start failed: NT_STATUS_INVALID_SERVER_STATE

Please help! How can I fix this?
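
The named excerpts in the message above can be triaged mechanically. This is an added example, not part of the original post: it rejoins the mail-wrapped syslog lines, then counts denied dynamic updates, TSIG signature failures and TKEY configuration failures per client. The sample lines are copied from the post; the function names are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the post, still wrapped the way the mail client left them.
SAMPLE_LOG = """\
Jan 31 11:12:05 EM-DC named[3396]: configuring TKEY: failure
Jan 31 09:25:27 EM-DC named[1481]: samba_dlz: starting transaction on zone
em.org
Jan 31 09:25:27 EM-DC named[1481]: client 192.168.7.22#64036: update
'em.org/IN' denied
Jan 31 09:25:27 EM-DC named[1481]: samba_dlz: cancelling transaction on zone
em.org
Jan 31 09:25:48 EM-DC named[1481]: samba_dlz: starting transaction on zone
em.org
Jan 31 09:25:48 EM-DC named[1481]: client 192.168.7.20#61429: update
'em.org/IN' denied
Jan 31 09:25:48 EM-DC named[1481]: samba_dlz: cancelling transaction on zone
em.org
Jan 31 09:25:48 EM-DC named[1481]: client 192.168.7.20#55001: request has
invalid signature: TSIG 1136-ms-7.1-52ef.9f4ed036-6b6f-11e2-31a7-8c89a5ffcfe7:
t$
"""

# A new record starts with a syslog timestamp, host and "program[pid]: ".
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ \S+\[\d+\]: ")
UPDATE_DENIED = re.compile(r"client (?P<ip>[^#\s]+)#\d+: update '(?P<zone>[^']+)' denied")
BAD_TSIG = re.compile(
    r"client (?P<ip>[^#\s]+)#\d+: request has invalid signature: TSIG (?P<key>\S+?):"
)


def rejoin_wrapped(text):
    """Merge continuation lines back into the syslog record they belong to."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Summarise the failure classes seen in a named log excerpt."""
    denied = Counter()
    bad_tsig = {}
    tkey_failures = 0
    cancelled = 0
    for record in rejoin_wrapped(text):
        match = UPDATE_DENIED.search(record)
        if match:
            denied[match.group("ip")] += 1
            continue
        match = BAD_TSIG.search(record)
        if match:
            bad_tsig.setdefault(match.group("ip"), []).append(match.group("key"))
            continue
        if "configuring TKEY: failure" in record:
            tkey_failures += 1
        elif "samba_dlz: cancelling transaction" in record:
            cancelled += 1
    return {
        "denied_updates": dict(denied),
        "invalid_tsig": bad_tsig,
        "tkey_config_failures": tkey_failures,
        "cancelled_transactions": cancelled,
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, value)
```

Run against a full log, the per-client split shows which workstations never get past the unsigned attempt and which fail on the signed retry.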


[Samba] Samba4 Compile Error

2013-03-16 Thread Oner Olcerel
Hello,

I am trying to compile Samba4 on RHEL 5.3 which didn't have Python on it.  I've 
downloaded  Python-2.6.5.tar from http://ftp.samba.org/pub/tridge/python/. I 
get the following error during the compile :
..
...
[3285/3758] Compiling lib/krb5_wrap/enctype_convert.c
[3286/3758] Linking default/lib/util/libutil_setid.so
[3287/3758] Linking default/lib/talloc/libtalloc.so
[3288/3758] Linking default/lib/talloc/libpytalloc-util.so
/usr/bin/ld: /usr/local/lib/libpython2.6.a(cobject.o): relocation R_X86_64_32S 
against `PyCObject_Type' can not be used when making a shared object; recompile 
with -fPIC
/usr/local/lib/libpython2.6.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
Waf: Leaving directory `/install/samba-4.0.3/bin'
Build failed:  - task failed (err #1):
{task: cc_link pytalloc_util_5.o - libpytalloc-util.so}

I'll appreciate any suggestions. Thanks

Oner Olcerel


[Samba] Samba 4.0.3 on CentOS 6.3 as PDC.

2013-03-16 Thread Mike Stroven
Any help here?  I have included all of the output of the suggested diags that 
Thomas said I should run, but I admit that I'm not sure what I'm looking for, 
as I'm not familiar with RPC functionality on Linux.  Something is not working 
with RPC on my Samba 4.0.3 server.  (FWIW, it doesn't work with IPTables 
stopped either.)

 On Mon, Feb 25, 2013 at 2:21 PM, Mike Stroven wrote:
 
  I finally have everything working that can be verified from the server 
  command line. Running Bind9.8 with DLZ support.
  Verified Kerberos 5 running. Now attempting to join Windows XP machines to 
  the domain, and am getting an error: 
  The RPC server is unavailable. Any pointers? 
  

On Mon, Feb 25, 2013 at 6:55 PM, Thomas Simmons wrote:
 You're likely to get more support on the user's list (samba@lists.samba.org).
 
 If you're certain everything is working on the server and the client
 network config is correct (you have the DC's IP as the primary DNS server),
 then my first guess would be iptables or selinux. If you need further
 assistance, output from the following commands would be useful:
 


 # test samba

[root@grumpy ~]# /usr/local/samba/bin/smbclient //grumpy/netlogon 
-UAdministrator%'**' -c ls
Domain=[TROY] OS=[Unix] Server=[Samba 4.0.3]
  .   D0  Mon Feb 25 09:53:33 2013
  ..  D0  Fri Feb 22 17:09:24 2013

40757 blocks of size 131072. 20332 blocks available


 # test kerberos

[root@grumpy ~]# kinit administra...@visole-energy.com
Password for administra...@visole-energy.com: 
Warning: Your password will expire in 41 days on Mon Apr  8 18:14:03 2013


 # check iptables

[root@grumpy ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 /* SSH */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 /* DNS */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 /* DNS UDP */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 /* HTTP */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:88 /* Kerberos */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123 /* NTP */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:135 /* RPC UDP */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:135 /* RPC TCP */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138 /* NetBIOS Netlogon and Browsing */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139 /* NetBIOS Session */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:389 /* LDAP UDP */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 /* HTTPS */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445 /* SMB CIFS */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:445 /* SMB CIFS UDP */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:464 /* Kerberos Password Management */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:464 /* Kerberos Password Management UDP */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:636 /* LDAP SSL */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3268 /* LDAP Global Catalog */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3269 /* LDAP Global Catalog SSL */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1 /* Webmin */
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


 # check selinux

[root@grumpy ~]# sestatus
SELinux status: disabled


 # netstat output

[root@grumpy ~]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:3269                0.0.0.0:*                   LISTEN      1114/samba
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1114/samba

Re: [Samba] Synchronising password of some AD users with an external LDAP?

2013-03-16 Thread Johan Johansson
There is a way to sync passwords. It's not perfect but it works if you
can live with passwords stored as reversible encryption in samba4.

1. Allow clear text password by using samba-tool
2. Enable reversible encryption on each user (can be done with ms ad tool)
3. Make a query and use samba python lib to decode the attribute that
holds the password. I made a python script just for this that I use to
sync passwords to google apps.

The downside is that the passwords are in clear text but my network is
well secured so I'm fine with that. And the script has to run as a
daemon or in cron. But it works.

If you are interested I can share my script when I'm back at the office.

Sent from my iPhone

On 26 Feb 2013 at 17:30, Gregory Sloop gr...@sloop.net wrote:

 PLJJ I know that if I were running a Windows AD, I could most likely
 PLJJ accomplish what I want with--if nothing else--the 389 DS by using
 PLJJ DS-provided Password Sync Service (see
 PLJJ 
 https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
 PLJJ for more information).

 This is way over my head, in terms of expertise - but since the AD
 should function identically to the Windows AD setup, it may well work
 just fine, even though the back-end isn't a Windows AD box, but a
 Samba4 AD.

 PLJJ Read the guide on the page that I linked. The said Password Sync Service
 PLJJ is a Windows application. It installs a new password filtering DLL and a
 PLJJ system service to a Windows DC.

 PLJJ Samba, on the other hand, hardly runs on Windows. And even if it can be
 PLJJ run (by compiling under Cygwin, perhaps?) it would be rather pointless.


 Sorry, I missed that - I did do a very cursory scan and didn't see
 anything Windows specific. Guess that's what happens when you scan a
 little too quickly/lightly.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
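
The approach in the message above depends on two directory settings, so a defender can measure the resulting exposure by auditing for them. This is an added example, not the script the poster mentions and not Samba project code: it parses LDIF of the kind ldbsearch or ldapsearch prints and reports whether the domain stores cleartext passwords and which accounts carry the reversible-encryption flag. The LDIF sample, the corp.example names and the function names are constructed; the two bit values are the standard Active Directory flags.

```python
import base64

UF_ACCOUNTDISABLE = 0x0002
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080  # "store password using reversible encryption"
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10       # bit in the domain object's pwdProperties

# Constructed sample: one folded DN and one base64-encoded value on purpose.
SAMPLE_LDIF = """\
# constructed sample, not taken from a real directory
dn: DC=corp,DC=example
pwdProperties: 17

dn: CN=alice,CN=Users,DC=corp,DC=example
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,CN=Users,DC=corp,DC=example
sAMAccountName: bob
userAccountControl: 640

dn: CN=Sync Service,CN=Users,DC=corp,
 DC=example
sAMAccountName:: c3ZjLXN5bmM=
userAccountControl: 66176

dn: CN=old,CN=Users,DC=corp,DC=example
sAMAccountName: old
userAccountControl: 642
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry."""
    unfolded = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit(entries):
    """Report the domain cleartext setting and every account that opts in."""
    domain_cleartext = False
    accounts = []
    for entry in entries:
        if "pwdproperties" in entry:
            props = int(entry["pwdproperties"][0])
            domain_cleartext |= bool(props & DOMAIN_PASSWORD_STORE_CLEARTEXT)
        if "useraccountcontrol" in entry:
            uac = int(entry["useraccountcontrol"][0])
            if uac & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:
                name = (entry.get("samaccountname") or entry.get("dn") or ["?"])[0]
                accounts.append({"account": name, "enabled": not uac & UF_ACCOUNTDISABLE})
    return {"domain_stores_cleartext": domain_cleartext, "accounts": accounts}


if __name__ == "__main__":
    report = audit(parse_ldif(SAMPLE_LDIF))
    print("domain stores cleartext:", report["domain_stores_cleartext"])
    for item in report["accounts"]:
        print(item["account"], "enabled" if item["enabled"] else "disabled")
```

Every account listed is one whose password becomes recoverable from the directory database once it is next changed, so the list doubles as the set of credentials to rotate if the setting is later withdrawn.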


[Samba] Samba4 as domain member and file server

2013-03-16 Thread Johan Johansson
Hi guys,

I'm having trouble setting up my file server running Samba 4 (4.0.3). I had no 
problem joining the domain (also a Samba 4 (4.0.3) with AD)  but I can't get 
the ACL to work properly. I'm sure my settings are wrong and hoping for some 
help.

When I try to set a user permission I get this error:
setfacl -m u:administrator:rwx test3.txt
setfacl: test3.txt: Malformed access ACL 
`user::rw-,group::r--,group:adm:rwx,mask::rwx,other::r--,user:4294967295:rwx': 
Missing or wrong entry at entry 6

But when I try to set a group I don't get any error, but the settings do not 
stick:
root@sto-file01:/var/files# setfacl -m g:domain users:rwx test3.txt
root@sto-file01:/var/files# getfacl test3.txt
# file: test3.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--


My smb.conf:

# Global parameters
[global]
workgroup = CORP
realm = corp.lo
netbios name = STO-FILE01
security = ADS
encrypt passwords = Yes
map untrusted to domain = Yes
idmap backend = ad
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config corp:range = 1000-20
idmap config corp:schema_mode = rfc2307
idmap config corp:backend = ad
create mask = 0777
directory mask = 0777

[files]
path = /var/files
read only = No

Wbinfo:
wbinfo -i jjn
jjn:*:4294967295:4294967295:Johan Johansson:/home/CORP/jjn:/bin/false



getfacl:
getfacl test3.txt
# file: test3.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--




[Samba] vasprintf error when starting Samba

2013-03-16 Thread Jim Keener
I have installed Samba 3.0.14 on a SCO unix 5.0.7 system.  I installed this
version as it was the only compiled version I have and I have installed it
without problems on a SCO 5.0.6 system.  When I run S99smbd start, I get the
following error.

 

Smbd start binder error   symbol not found vasprintf

 

I've searched the web and found nothing that was helpful.  

 

Thanks for any help you can provide.

 

Jim 

 



[Samba] Samba DC join fails - IPv4/IPv6 issue

2013-03-16 Thread Ritter, Marcel
Hi list,

I just tried to add a second DC to an existing Samba4 domain using samba-tool
(both hosts run latest samba4 git version).
But the join failed, complaining about being unable to find a writeable DC:

root@elektron:~# /opt/samba4/bin/samba-tool  domain join linex.r00t.la DC
Finding a writeable DC for domain 'linex.r00t.la'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 
'linex.r00t.la'
  File /opt/samba4/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 
175, in _run
return self.run(*args, **kwargs)
  File /opt/samba4/lib/python2.7/site-packages/samba/netcmd/domain.py, line 
552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File /opt/samba4/lib/python2.7/site-packages/samba/join.py, line 1082, in 
join_DC
machinepass, use_ntvfs, dns_backend, promote_existing)
  File /opt/samba4/lib/python2.7/site-packages/samba/join.py, line 73, in 
__init__
ctx.server = ctx.find_dc(domain)
  File /opt/samba4/lib/python2.7/site-packages/samba/join.py, line 246, in 
find_dc
raise Exception(Failed to find a writeable DC for domain '%s' % domain)


Looking a little closer, I think the problem is IPv4/IPv6 related:
The existing DC has both IPv4 and IPv6 address (and both are available
via Samba4's internal DNS).
Unfortunately even if the client is configured without IPv6 address (see
further down below) samba-tool still tries to address the DC's LDAP
server via IPv6 - and fails miserably:

root@elektron:~# strace -f -e trace=network /opt/samba4/bin/samba-tool  domain 
join linex.r00t.la DC
...
[pid  1640] socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 5
[pid  1640] connect(5, {sa_family=AF_INET, sin_port=htons(53), 
sin_addr=inet_addr(192.168.1.6)}, 16) = 0
[pid  1640] send(5, NQ\1\0\0\1\0\0\0\0\0\0\5venus\5linex\4r00t\2la..., 37, 
MSG_NOSIGNAL) = 37
[pid  1640] recvfrom(5, 
NQ\205\200\0\1\0\1\0\0\0\0\5venus\5linex\4r00t\2la..., 1500, 0, 
{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr(192.168.1.6)}, 
[16]) = 53
Process 1635 suspended
[pid  1640] +++ killed by SIGKILL +++
Process 1635 resumed
--- SIGCHLD (Child exited) @ 0 (0) ---
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
setsockopt(5, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
connect(5, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, 
2001:::::2, sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 
-1 ENETUNREACH (Network is unreachable)
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 
'linex.r00t.la'
  File /opt/samba4/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 
175, in _run
return self.run(*args, **kwargs)
  File /opt/samba4/lib/python2.7/site-packages/samba/netcmd/domain.py, line 
552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File /opt/samba4/lib/python2.7/site-packages/samba/join.py, line 1082, in 
join_DC
machinepass, use_ntvfs, dns_backend, promote_existing)
  File /opt/samba4/lib/python2.7/site-packages/samba/join.py, line 73, in 
__init__
ctx.server = ctx.find_dc(domain)
  File /opt/samba4/lib/python2.7/site-packages/samba/join.py, line 246, in 
find_dc
raise Exception(Failed to find a writeable DC for domain '%s' % domain)

root@elektron:~# ip a s
1: lo: LOOPBACK,UP,LOWER_UP mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast state UP 
qlen 1000
link/ether 08:00:27:9e:df:48 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0


Maybe someone could fix this?

Thanx,
Marcel
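
The failure mode in the message above, a single attempt on an address family the host cannot route, is avoided by ordering candidates by locally configured family and falling back per address. This is an added example, not samba-tool code: the interface list is the one from the post's `ip a s` output, the two DC addresses are constructed placeholders because the post elides them, and `simulated_connect` stands in for the network so the example runs offline.

```python
import errno
import ipaddress
import socket

# From the "ip a s" output in the post: the joining host has IPv4 only.
LOCAL_ADDRS = ["127.0.0.1/8", "192.168.1.10/24"]
# Constructed placeholders for the DC's AAAA and A records, AAAA first as in the strace.
DC_CANDIDATES = [(socket.AF_INET6, "2001:db8::2"), (socket.AF_INET, "192.0.2.6")]
LDAP_PORT = 389


def configured_families(interface_addrs):
    """Address families for which the host has a usable (non-loopback) address."""
    families = set()
    for addr in interface_addrs:
        ip = ipaddress.ip_address(addr.split("/")[0])
        if ip.is_loopback or ip.is_link_local:
            continue
        families.add(socket.AF_INET6 if ip.version == 6 else socket.AF_INET)
    return families


def order_candidates(candidates, families):
    """Stable sort: families the host has configured first, the rest as last resort."""
    return sorted(candidates, key=lambda cand: cand[0] not in families)


def real_connect(family, address, port, timeout):
    """Open a TCP connection; used when no simulated connector is supplied."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((address, port))
    except OSError:
        sock.close()
        raise
    return sock


def connect_first(candidates, port, connect=real_connect, timeout=5.0):
    """Try every candidate in order; return (socket, address, failures so far)."""
    failures = []
    for family, address in candidates:
        try:
            return connect(family, address, port, timeout), address, failures
        except OSError as exc:
            failures.append((address, errno.errorcode.get(exc.errno, str(exc))))
    raise ConnectionError("no candidate reachable: %r" % (failures,))


def simulated_connect(family, address, port, timeout):
    """Simulation of the host in the post: IPv6 is unreachable, IPv4 works."""
    if family == socket.AF_INET6:
        raise OSError(errno.ENETUNREACH, "Network is unreachable")
    return "simulated-socket"


def demo():
    """Return (address, failures) for DNS order and for family-aware order."""
    naive = connect_first(DC_CANDIDATES, LDAP_PORT, connect=simulated_connect)
    ordered = order_candidates(DC_CANDIDATES, configured_families(LOCAL_ADDRS))
    preferred = connect_first(ordered, LDAP_PORT, connect=simulated_connect)
    return naive[1:], preferred[1:]


if __name__ == "__main__":
    naive, preferred = demo()
    print("DNS order:         ", naive)
    print("family-aware order:", preferred)
```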


[Samba] Samba 4.0.3 Configure problem

2013-03-16 Thread Jurie Botha
Hi,

I get the following when trying to run ./configure on the source:

Traceback (most recent call last):
  File ./buildtools/bin/waf, line 75, in module
import Scripting
  File /root/src/samba-4.0.3/buildtools/wafadmin/Scripting.py, line
146
except Utils.WafError, e:

Any idea what is causing this?


Re: [Samba] There are no currently logon servers available when mappingwith net use

2013-03-16 Thread Marcio Oli
Hi TMason,

 thanks for the quick answer. All my servers are on Red Hat (I'll
confirm the correct version next Monday) with static IP addresses. And the
network has DHCP and DNS on Red Hat too. DHCP sends the WINS server, which
in this case is the PDC, to all users' workstations.

I'm available to give more information about my environment so that we
can solve this issue.

Thanks,
Marcio.

2013/3/15 TMason c.koe...@live.com

 Marcio Oli  wrote in message news:CANpJy9WD=CLxbB=BQhgS==
 1mt-rkTXT0hVMi6muymZ5RKXMktg@mail.gmail.com...


 Hi people, I have a problem and I need your help very much.

 I have a login script in \\server1\netlogon\script.bat (on my PDC and BDC)
 that runs net use commands to map some shares at logon time.
 This login tries to map a share on another server (a Samba member of the domain,
 \\server2).

 So, I put the result in a log and these lines appear:
 
 System error 1311 has occurred.
 There are currently no logon servers available to service the logon
 request.
 

 This is a recurrent problem, but it does not always happen. Sometimes
 everything is wonderful and works very well, mapping all shares, but it is
 unstable.



 Windows clients have this problem regardless of the type of PDC/BDC you
 have (Windows or Samba). The problem is that Windows is generally ready to
 let people log in before all of the network services are ready and as such
 people can't log in.

 Are your servers on static IPs? Also, what kind of DNS/DHCP server do you
 have?

 This will help in troubleshooting.

 TMason







-- 
Marcio Oliveira.
Everything works together for the good of those who love God. (Rom 8,28)


[Samba] Strange nslcd error with ldap database

2013-03-16 Thread Bethel, Zach
Greetings,

I've got a S4 DC joined to a Windows 2008 R2 DC. I'm using the s4bind scripts 
to add uidNumber/gidNumber/etc entries to LDAP, and I've got nss-pam-ldap 
installed on the S4 server. I had this working back in December, but since 
installing the latest stable build, getent passwd is throwing this error,

[8b4567] passwd=myuser passwd entry CN=myuser,CN=Users,DC=...,DC=...,DC=... 
does not contain uidNumber value

Interestingly, after creating a user on the linux side, if I point nslcd at the 
Windows DC, it retrieves the ldap entry just fine. I get nothing from the S4 
server. I've done ldbsearch on the local ldap database and uidNumber is 
definitely there. I'm not sure if there's really something else going on, but 
I'm at a loss of what to do.

I don't think it's a Kerberos issue, because it authenticates fine. It's not my 
local nslcd client, because I can connect to the Windows DC (via getent passwd) 
which has the same replicated database and it displays the user data.

Has anyone experienced this?
Thanks




Re: [Samba] Strange nslcd error with ldap database

2013-03-16 Thread Bethel, Zach
I wanted to add that it appears nslcd is incapable of seeing any of the 
posixAccount attributes from the Samba LDAP server. It balks at 
unixHomeDirectory, uidNumber, and gidNumber. However, if I do:

map uidNumber codePage (or some other random AD attribute)
map gidNumber codePage

It displays the user in getent (with the wrong uid and gid, obviously).
What gives? Is there some permission issue with those entries? I can do 
ldapsearch and see them just fine. I even added administrator credentials to 
nslcd and I still get the issue. Oddly enough, if I point nslcd at the windows 
DCs, it works great.

Argh.


From: Bethel, Zach
Sent: Thursday, January 31, 2013 4:31 PM
To: samba@lists.samba.org
Subject: Strange nslcd error with ldap database

Greetings,

I've got a S4 DC joined to a Windows 2008 R2 DC. I'm using the s4bind scripts 
to add uidNumber/gidNumber/etc entries to LDAP, and I've got nss-pam-ldap 
installed on the S4 server. I had this working back in December, but since 
installing the latest stable build, getent passwd is throwing this error,

[8b4567] passwd=myuser passwd entry CN=myuser,CN=Users,DC=...,DC=...,DC=... 
does not contain uidNumber value

Interestingly, after creating a user on the linux side, if I point nslcd at the 
Windows DC, it retrieves the ldap entry just fine. I get nothing from the S4 
server. I've done ldbsearch on the local ldap database and uidNumber is 
definitely there. I'm not sure if there's really something else going on, but 
I'm at a loss of what to do.

I don't think it's a Kerberos issue, because it authenticates fine. It's not my 
local nslcd client, because I can connect to the Windows DC (via getent passwd) 
which has the same replicated database and it displays the user data.

Has anyone experienced this?
Thanks




[Samba] Samba4 4.0.3 classicupgrade - Error converting string to value for line: CurrentVersion

2013-03-16 Thread Marcos Wolff
Hello everyone,

I'm trying to migrate from samba3 to samba4 (4.0.3 installed from source in
a debian squeeze 6.0.6)

And I'm getting this error:

Setting up the registry
convert_string_talloc: Conversion not supported.
Error converting string to value for line:
CurrentVersion

I found this thread in internet about this
http://samba.2283325.n4.nabble.com/Samba4-domain-classicupgrade-quot-conversion-not-supported-quot-td4642316.html
but
couldn't solve my problem since I deleted every tdb and left only
secrets.tdb and still gives that error.

Any help appreciated

Thanks!
Marcos.

-- complete output --

root@vs002:~# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=samba --use-xattrs=yes --realm=sadom.spel.com samba/smb.conf
Reading smb.conf
WARNING: The idmap backend option is deprecated
WARNING: The idmap uid option is deprecated
WARNING: The idmap gid option is deprecated
WARNING: Ignoring invalid value 'cups' for parameter 'printing'
Provisioning
Exporting account policy
Exporting groups
Exporting users
  Fixing account c062$ which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set.  Account will be marked as ACB_WSTRUST (W), i.e. as a domain member
  Fixing account c061$ which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set.  Account will be marked as ACB_WSTRUST (W), i.e. as a domain member
Ignoring group memberships of 'c065$' S-1-5-21-2959502491-3316882024-2455323705-3438: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
  Skipping wellknown rid=500 (for username=root)
Ignoring group memberships of 'c047$' S-1-5-21-2959502491-3316882024-2455323705-3000: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Ignoring group memberships of 'c049$' S-1-5-21-2959502491-3316882024-2455323705-5008: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Ignoring group memberships of 'c005$' S-1-5-21-2959502491-3316882024-2455323705-5012: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Ignoring group memberships of 'c050$' S-1-5-21-2959502491-3316882024-2455323705-5092: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Ignoring group memberships of 'c006$' S-1-5-21-2959502491-3316882024-2455323705-5094: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Ignoring group memberships of 'c036$' S-1-5-21-2959502491-3316882024-2455323705-5096: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Next rid = 5505
Exporting posix attributes
Reading WINS database
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
convert_string_talloc: Conversion not supported.
Error converting string to value for line:
CurrentVersion
ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py, line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py, line 841, in upgrade_from_samba3
    use_ntvfs=use_ntvfs, skip_sysvolacl=True)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 2099, in provision
    setup_registry(paths.hklm, session_info, lp=lp)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1001, in setup_registry
    reg.diff_apply(provision_reg)


[Samba] smbclient using smb2 protocol linux-2-linux share

2013-03-16 Thread rmarquez
Trying to get a linux samba file server using samba 4.0.3 (compiled on the
machine) running on ubuntu 3.8rc6 kernel to share out and negotiate with a
linux client running the same kernel and smbd compiled from 4.0.3 samba
source. 
Using wireshark to view the negotiations, I only see NT LM 0.12 (SMB v. 1).

Tried forcing the file server via min protocol = SMB2 in the
/usr/local/samba/etc/smb.conf and keep getting this error:
mount error(95): Operation not supported
I try to mount that share in Windows 7 and it works, even negotiates at
SMB2.1.

How can I get a linux client to mount a linux samba share using protocol
SMB2.1?





--
View this message in context: 
http://samba.2283325.n4.nabble.com/smbclient-using-smb2-protocol-linux-2-linux-share-tp4643834.html
Sent from the Samba - General mailing list archive at Nabble.com.


[Samba] Samba3.5 + OpenLDAP config/install problem

2013-03-16 Thread Wes Modes
System Summary:

centos 6.2
samba 3.5
smbldap-tools 0.9.6
openldap 2.4.23

Hello,

I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools.  I've
previously installed a similar configuration on RHEL4 using smb 3.0 but
CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the
configurations cannot be moved straight across.

Currently, when I attempt to connect to an smb share with a valid ldap
user and group on this host, I get tree connect failed:
NT_STATUS_ACCESS_DENIED

The LDAP server is currently serving as the directory server for the
existing Samba3.0 server.  I can connect to the identical share on that
server as that user, so I know the user and group are okay.

With log level 2, I get:

[2013/02/11 17:11:00.701864,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2013/02/11 17:11:00.704794,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: wmodes
[2013/02/11 17:11:00.735092,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [wmodes] - [wmodes] - [wmodes] succeeded
[2013/02/11 17:11:00.735608,  1] passdb/pdb_ldap.c:2569(ldapsam_getgroup)
  ldapsam_getgroup: Duplicate entries for filter ((objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
[2013/02/11 17:11:00.736254,  1] passdb/pdb_ldap.c:2569(ldapsam_getgroup)
  ldapsam_getgroup: Duplicate entries for filter ((objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
[2013/02/11 17:11:00.740024,  2] lib/access.c:409(check_access)
  Allowed connection from :::128.114.163.34 (:::128.114.163.34)
[2013/02/11 17:11:00.741041,  2] lib/access.c:409(check_access)
  Allowed connection from :::128.114.163.34 (:::128.114.163.34)
[2013/02/11 17:11:00.742383,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 30001
[2013/02/11 17:11:00.743305,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 30034
[2013/02/11 17:11:00.744600,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1001
[2013/02/11 17:11:00.745181,  2] smbd/service.c:598(create_connection_server_info)
  user 'wmodes' (from session setup) not permitted to access this share (cns)
[2013/02/11 17:11:00.745225,  1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED

It seems like I was auth'd okay, my group was okay, but still it failed.

Here we are again at log level 3:

[root@edgar2 samba]# tail -n 0 -f log.smbd 
[2013/02/11 17:40:43.095215,  3] smbd/process.c:1489(process_smb)
  Transaction 1 of length 166 (0 toread)
[2013/02/11 17:40:43.095284,  3] smbd/process.c:1298(switch_message)
  switch message SMBsesssetupX (pid 14343) conn 0x0
[2013/02/11 17:40:43.095299,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/02/11 17:40:43.095325,  3] smbd/sesssetup.c:1458(reply_sesssetup_and_X)
  wct=12 flg2=0xc801
[2013/02/11 17:40:43.095342,  3] smbd/sesssetup.c:1212(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2013/02/11 17:40:43.095364,  3] smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2013/02/11 17:40:43.095405,  3] smbd/sesssetup.c:806(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 46
[2013/02/11 17:40:43.095463,  3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2013/02/11 17:40:43.096546,  3] smbd/process.c:1489(process_smb)
  Transaction 2 of length 266 (0 toread)
[2013/02/11 17:40:43.096599,  3] smbd/process.c:1298(switch_message)
  switch message SMBsesssetupX (pid 14343) conn 0x0
[2013/02/11 17:40:43.096612,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/02/11 17:40:43.096628,  3] smbd/sesssetup.c:1458(reply_sesssetup_and_X)
  wct=12 flg2=0xc801
[2013/02/11 17:40:43.096644,  3] smbd/sesssetup.c:1212(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2013/02/11 17:40:43.096677,  3] smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2013/02/11 17:40:43.096780,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[wmodes] domain=[MYGROUP] workstation=[MONITOR] len1=24 len2=24
[2013/02/11 17:40:43.096829,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/02/11 17:40:43.096852,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/02/11 17:40:43.096870,  3] 

Re: [Samba] Samba Server Under Microsoft Windows Network

2013-03-16 Thread Bruce Stern

I am having a somewhat similar problem and would appreciate anyone's help.

System: Newly installed Fedora 18

Installed Samba Client in order to use a shared printer on another Linux 
box. This worked great once the client was installed.


Want to use the F18 box as a simple file server. Tried to configure 
smb.conf and set up the shares I wanted. Could not see the F18 box at all 
from any other boxes on my network.


Added netbios name to the smb.conf and no change.

Started nmbd -D and now can see the correctly named F18 box from other 
computers, but cannot access any of the shares.


Shares can be accessed from the Browse Network feature within the F18 
box and look to be correctly set up.


How do I enable the F18 box to share the folders below just the name to 
other computers?


On a Win7 PC I get an Error code: 0x80070035, The network path was not 
found. I can, however, ping the F18 box by name with no problem.


Any assistance would be greatly appreciated!

Best,

Bruce



Re: [Samba] S4 Cannot Unlock Account

2013-03-16 Thread Ricky Nance
You should be able to use samba-tool user enable Testuser2 or possibly
samba-tool user setexpiry (add a --help for more info on how to use it).

Good luck,
Ricky


On Tue, Feb 12, 2013 at 7:17 AM, Thomas Simmons twsn...@gmail.com wrote:

 On Mon, Feb 11, 2013 at 6:56 PM, Thomas Simmons twsn...@gmail.com wrote:

  I have come across a few accounts (out of 300+) that seem to be locked
  that will not unlock. These accounts were migrated from S3. Can someone
  advise - what am I missing here?
 
  I've reset the password several times via RSAT, checking the Unlock
  Account checkbox, which has not helped. Resetting the user's password
 via
  smbpasswd gives me:
 
  pdb_try_account_unlock: Account dmscott administratively locked out with
  no bad password time. Leaving locked out.
 
  When attempting to login to WinXP, Windows states the account is locked
  out and log.samba shows:
 
Kerberos: ENC-TS Pre-authentication succeeded -- dmscott@DOMAIN using
  arcfour-hmac-md5
  [2013/02/11 18:37:40,  4] ../source4/auth/sam.c:170(authsam_account_ok)
authsam_account_ok: Checking SMB password for user dmscott@DOMAIN
  [2013/02/11 18:37:40,  2] ../source4/auth/sam.c:191(authsam_account_ok)
authsam_account_ok: Account for user dmscott@DOMAIN was locked out.
 
  Here is an ldapsearch output. I'm not seeing where/why this account is
  locked.
 
  # extended LDIF
  #
  # LDAPv3
  # base cn=Users,dc=internal,dc=domain,dc=com with scope subtree
  # filter: sAMAccountName=dmscott
  # requesting: ALL
  #
 
  # Duser M. Scott, Users, internal.domain.com
  dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
  instanceType: 4
  whenCreated: 20121229150147.0Z
  uSNCreated: 4317
  objectGUID:: sQU6/um9x0+gN2VOHTpmbw==
  badPwdCount: 0
  codePage: 0
  countryCode: 0
  badPasswordTime: 0
  lastLogoff: 0
  lastLogon: 0
  primaryGroupID: 513
  objectSid:: AQUAAAUVL/+1+4rRK5lRjK88/Q4AAA==
  logonCount: 0
  sAMAccountName: dmscott
  sAMAccountType: 805306368
  objectCategory:
  CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
   =com
  logonHours:: 
  uidNumber: 1436
  objectClass: top
  objectClass: posixAccount
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  unixHomeDirectory: /home/dmscott
  gidNumber: 513
  msSFU30NisDomain: domain
  memberOf: CN=VPN,CN=Users,DC=internal,DC=domain,DC=com
  mail: duser.m.sc...@domain.com
  userPrincipalName: dmsc...@internal.domain.com
  givenName: Duser
  initials: M
  sn: Scott
  displayName: Duser M. Scott
  cn: Duser M. Scott
  name: Duser M. Scott
  scriptPath: GCS.cmd
  lockoutTime: 0
  loginShell: /bin/bash
  msDS-SupportedEncryptionTypes: 0
  userAccountControl: 528
  accountExpires: 0
  pwdLastSet: 13005098906000
  userParameters:
  IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
 
 
  AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAEABoACAA
 
 
  BAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwA
 
 
  YQBnAHMAMQAwMGUwMDAxMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKgACAAEAQwB0A
   HgATQBpAG4ARQBuAGMAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDA=
  whenChanged: 20130211233014.0Z
  uSNChanged: 8816
  distinguishedName: CN=Duser M.
 Scott,CN=Users,DC=internal,DC=domain,DC=com
 
  # search result
  search: 2
  result: 0 Success
 
  # numResponses: 2
  # numEntries: 1
 

 It seems that the problem for this user is the userAccountControl attribute
 having a value of 528 locks the account. Changing it to 512 (what most
 users are set to) unlocks the account. Is there any way to do this without
 directly modifying the LDAP entry?
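
Added example, not part of the thread and not Samba code: the value 528 in the quoted ldapsearch output is 512 (NORMAL_ACCOUNT) plus 16 (LOCKOUT), and this Python script decodes the attribute and lists accounts that carry the LOCKOUT bit while `lockoutTime` and `badPwdCount` are both 0. The embedded LDIF is constructed from the attributes shown above (the `jdoe` and `luser` entries are invented), and treating that combination as a stale flag is an assumption drawn from this thread.

```python
"""Decode userAccountControl from ldapsearch LDIF and report stale lockouts."""

# Bit values as documented by Microsoft for the userAccountControl attribute.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
UF_LOCKOUT = 0x10

# Constructed sample modelled on the ldapsearch output quoted in the thread.
SAMPLE_LDIF = """\
# extended LDIF
# filter: (objectClass=user)

# Duser M. Scott, Users, internal.domain.com
dn: CN=Duser M. Scott,CN=Users,DC=internal,DC=domain,DC=com
badPwdCount: 0
sAMAccountName: dmscott
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC
 =com
lockoutTime: 0
userAccountControl: 528

# Jane Doe (invented entry)
dn: CN=Jane Doe,CN=Users,DC=internal,DC=domain,DC=com
badPwdCount: 0
sAMAccountName: jdoe
lockoutTime: 0
userAccountControl: 512

# Locked User (invented entry with a real lockout record)
dn: CN=Locked User,CN=Users,DC=internal,DC=domain,DC=com
badPwdCount: 5
sAMAccountName: luser
lockoutTime: 130050989060000000
userAccountControl: 528

# search result
search: 2
result: 0 Success
"""


def decode_uac(value):
    """Return the flag names set in a userAccountControl integer."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits are distinct, so sum == OR
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def parse_ldif(text):
    """Parse LDIF into dicts of lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:  # drops the trailing "search/result" block
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if sep:
            # "::" marks base64; values are kept undecoded.
            current.setdefault(name.lower(), []).append(value.lstrip(":").strip())
    return entries


def stale_lockouts(entries):
    """Accounts with LOCKOUT set but lockoutTime == 0 and badPwdCount == 0.

    Returns (name, current value, value with the LOCKOUT bit cleared)."""
    findings = []
    for e in entries:
        try:
            uac = int(e["useraccountcontrol"][0])
        except (KeyError, ValueError):
            continue
        lockout_time = int(e.get("lockouttime", ["0"])[0] or 0)
        bad_count = int(e.get("badpwdcount", ["0"])[0] or 0)
        if uac & UF_LOCKOUT and lockout_time == 0 and bad_count == 0:
            name = e.get("samaccountname", e["dn"])[0]
            findings.append((name, uac, uac & ~UF_LOCKOUT))
    return findings


if __name__ == "__main__":
    for name, old, new in stale_lockouts(parse_ldif(SAMPLE_LDIF)):
        print("%s: %d %s -> %d %s" % (name, old, decode_uac(old), new, decode_uac(new)))
```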






Re: [Samba] smbclient using smb2 protocol linux-2-linux share

2013-03-16 Thread Jeremy Allison
On Wed, Feb 06, 2013 at 01:41:56PM -0800, rmarquez wrote:
 Trying to get a linux samba file server using samba 4.0.3 (compiled on the
 machine) running on ubuntu 3.8rc6 kernel to share out and negotiate with a
 linux client running the same kernel and smbd compiled from 4.0.3 samba
 source. 
 Using wireshark to view the negotiations, I only see NT LM 0.12 (SMB v. 1).
 
 Tried forcing the file server via min protocol = SMB2 in the
 /usr/local/samba/etc/smb.conf and keep getting this error:
 mount error(95): Operation not supported
 I try to mount that share in Windows 7 and it works, even negotiates at
 SMB2.1.
 
 How can I get a linux client to mount a linux samba share using protocol
 SMB2.1?

This is not yet supported in CIFSFS although the Team is working
on it.

It's also not supported in smbclient either, again it's something
we're working on (we have all the underlying plumbing for this).

Jeremy.


Re: [Samba] Samba 4.0.3 on CentOS 6.3 as PDC.

2013-03-16 Thread Thomas Simmons
On Tue, Feb 26, 2013 at 8:23 AM, Mike Stroven 
mike.stro...@visole-energy.com wrote:

 Any help here?  I have included all of the output of the suggested diags
 that Thomas said I should run, but I admit that I'm not sure what I'm
 looking for, as I'm not familiar with RPC functionality on Linux.
  Something is not working with RPC on my Samba 4.0.3 server.  (FWIW, it
 doesn't work with IPTables stopped either.)

  On Mon, Feb 25, 2013 at 2:21 PM, Mike Stroven wrote:
 
   I finally have everything working that can be verified from the server
 command line. Running Bind9.8 with DLZ support.
   Verified Kerberos 5 running. Now attempting to join Windows XP
 machines to the domain, and am getting an error:
   The RPC server is unavailable. Any pointers?
  

 On Mon, Feb 25, 2013 at 6:55 PM, Thomas Simmons wrote:
  You're likely to get more support on the user's list (
 samba@lists.samba.org).
 
  If you're certain everything is working on the server and the client
  network config is correct (you have the DC's IP as the primary DNS
 server),
  then my first guess would be iptables or selinux. If you need further
  assistance, output from the following commands would be useful:
 


  # test samba

 [root@grumpy ~]# /usr/local/samba/bin/smbclient //grumpy/netlogon -UAdministrator%'**' -c ls
 Domain=[TROY] OS=[Unix] Server=[Samba 4.0.3]
   .    D    0  Mon Feb 25 09:53:33 2013
   ..   D    0  Fri Feb 22 17:09:24 2013

 40757 blocks of size 131072. 20332 blocks available


  # test kerberos

 [root@grumpy ~]# kinit administra...@visole-energy.com
 Password for administra...@visole-energy.com:
 Warning: Your password will expire in 41 days on Mon Apr  8 18:14:03 2013


  # check iptables

 [root@grumpy ~]# iptables -nL
 Chain INPUT (policy ACCEPT)
 target  prot  opt  source     destination
 ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
 ACCEPT  icmp  --   0.0.0.0/0  0.0.0.0/0
 ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22 /* SSH */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:53 /* DNS */
 ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:53 /* DNS UDP */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:80 /* HTTP */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:88 /* Kerberos */
 ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:123 /* NTP */
 ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:135 /* RPC UDP */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:135 /* RPC TCP */
 ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:138 /* NetBIOS Netlogon and Browsing */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:139 /* NetBIOS Session */
 ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:389 /* LDAP UDP */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:443 /* HTTPS */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:445 /* SMB CIFS */
 ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:445 /* SMB CIFS UDP */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:464 /* Kerberos Password Management */
 ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:464 /* Kerberos Password Management UDP */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:636 /* LDAP SSL */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:3268 /* LDAP Global Catalog */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:3269 /* LDAP Global Catalog SSL */
 ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:1 /* Webmin */
 REJECT  all   --   0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited

 Chain FORWARD (policy ACCEPT)
 target  prot  opt  source     destination
 REJECT  all   --   0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited

 Chain OUTPUT (policy ACCEPT)
 target  prot  opt  source     destination


  # check selinux

 root@grumpy ~]# sestatus
 SELinux status: disabled


  # netstat output

 [root@grumpy ~]# netstat -anp
 Active Internet connections (servers and established)
 Proto  Recv-Q  Send-Q  Local Address  Foreign Address  State   PID/Program name
 tcp    0       0       0.0.0.0:3269   0.0.0.0:*        LISTEN  1114/samba
 tcp    0       0       0.0.0.0:389    0.0.0.0:*        LISTEN

[Samba] LDB integration with other services

2013-03-16 Thread Andriy Melnyk
Hi!
We are implementing a system that will be used for educational purposes. It 
consists of: Samba4 as AD DC and fileshare; dhcpd; moodle; postfix; RADIUS and 
some other services.
We want to use a common user database as authentication backend for all of these 
services. So we see two possible solutions: 
1. Use LDB as authentication backend and configure all services to work with 
it. So we need to extend LDB's schema, can you give some advice about possible 
solutions? Which services are supported by LDB and is this support permanent 
or not? 
2. Use LDB as authentication backend only for Samba4 and LDAP as 
authentication backend with other services. In this case we'll need to 
organize merging users from LDAP to LDB. Are there some solutions for 
synchronization? 

Which of those is better?

Is there any web interface for working with LDB's database? (for adding users, 
editing user information)

Thank you.
--
Regards,
Andrii Melnyk
NTUU KPI, FICT, ACTS
System Administrator


Re: [Samba] multiple dc's

2013-03-16 Thread Kristofer
Christian, 

I believe Samba 4's RODC option is still not quite ready for production. We 
have 14 DC's across remote sites, a few of which are connected with VPN's. 

You will want to make sure there are no networking or firewall issues blocking 
connections between the servers. But it should work just fine. 


- Original Message -

From: Cristian Saavedra cristiansaave...@gmail.com 
To: samba@lists.samba.org 
Sent: Saturday, March 2, 2013 5:27:45 PM 
Subject: [Samba] multiple dc's 

Hello 

In our company we have 5 remote offices. I'm trying to set up a replicated domain 
across these sites, using VPN. Are multiple DCs supported? Can I use the RODC 
option or is it not yet implemented? 

I try to set up the replication between these servers but I'm starting to get 
several WERR_BADFILE errors and now I get a WERR_DS_DRA_INTERNAL_ERROR 

Appreciate any help 


[Samba] Printers Sharing

2013-03-16 Thread Fabian von Romberg

Hi,

I'm running samba4.0.3.

I added a new printer named HP via CUPS administration interface.

I can see the printer as shared and I can print also, but what calls my 
attention is that on debugging information I keep getting the following
constantly:

winreg_create_printer: Skipping, SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Print\Printers\HP already exists

Below is my smb.conf parts:

[printers]
comment = All Printers
path = /usr/local/samba/var/spool
browseable = Yes
read only = No
printable = Yes

[print$]
comment = Point and Print Printer Drivers
path = /usr/local/samba/var/print
browseable = yes
read only = yes
guest ok = yes


Is this already exists message normal?

Thanks and regards,
Fabian



[Samba] Offline authentication issue: authentication / nss hangs

2013-03-16 Thread Florian Gleixner
Hi,

I am using winbind to get user/group information and authentication from
an AD. It works well when the AD is fully reachable and when I'm not
connected.
Whenever I use a normal internet connection, name services and
authentication need some 10 minutes to work and get stuck sometimes. I
use opensuse 12.2 with samba 3.6.7. I have set:

winbind offline logon = yes
winbind refresh tickets = yes

and i use the ad idmap backend.

The AD is worldwide resolvable (DNS) but one cannot query or
authenticate worldwide.

Is there any setting to change timeout values?
Is the DNS resolvability the cause?

Another thing i noticed: The credential cache and/or the name service
cache gets invalidated sometimes. Is it possible to change settings
here? What causes a cache invalidation?

Flo




[Samba] Registering external program for a specific named pipe

2013-03-16 Thread Jean-Daniel FISCHER
Hi everyone,

I wish to implement a service on top of an smb named pipe. I go over the
samba code and I have seen how to implement the service directly into samba
code like the rpc echo server.

I wish to do it differently. Is there a way for an external software to
register into samba such that all smb messages on \PIPE\ABCDEF (as an
example) get transmitted directly to it?

If yes, is there any documentation out there that I missed?

Best regards,

Jean-Daniel FISCHER


Re: [Samba] smbclient using smb2 protocol linux-2-linux share

2013-03-16 Thread Jeff Layton
On Sat, 16 Mar 2013 09:21:53 -0700
Jeremy Allison j...@samba.org wrote:

 On Wed, Feb 06, 2013 at 01:41:56PM -0800, rmarquez wrote:
  Trying to get a linux samba file server using samba 4.0.3 (compiled on the
  machine) running on ubuntu 3.8rc6 kernel to share out and negotiate with a
  linux client running the same kernel and smbd compiled from 4.0.3 samba
  source. 
  Using wireshark to view the negotiations, I only see NT LM 0.12 (SMB v. 1).
  
  Tried forcing the file server via min protocol = SMB2 in the
  /usr/local/samba/etc/smb.conf and keep getting this error:
  mount error(95): Operation not supported
  I try to mount that share in Windows 7 and it works, even negotiates at
  SMB2.1.
  
  How can I get a linux client to mount a linux samba share using protocol
  SMB2.1?
 
 This is not yet supported in CIFSFS although the Team is working
 on it.
 
 It's also not supported in smbclient either, again it's something
 we're working on (we have all the underlying plumbing for this).
 

Mounting with cifs.ko should work in current mainline kernels (3.8 and
up?), but it's still pretty new and some things may not work exactly
right. Try mounting with -o vers=2.1.

-- 
Jeff Layton jlay...@samba.org


Re: [Samba] Samba (3.6.12) - Different Home Directories for Different Users

2013-03-16 Thread Chris Smith
On Fri, Mar 15, 2013 at 4:59 PM, TMason c.koe...@live.com wrote:
 What I would like to do now is have different /etc/skel directories for
 different groups. So, for example, if someone from the Finance department
 logs in one set of default settings are copied for that person but if
 someone from sales logs in another set of default settings are copied over
 for that user.

 How can I do this with Samba/Linux?

Maybe you can use the group variable %G in the add user script as part
of the skel name: -k /etc/skel%G and make sure you have a
corresponding skeleton directory for each group.


[Samba] I don't want to require my users to authenticate to print

2013-03-16 Thread Eric Wadsworth
Hi folks,

My ancient debian server was running some old version of samba. Any
machine in the network could connect to the LAN, find any of the
printers attached to the server, and print to their heart's content.

I've upgraded the OS on the server to Ubuntu 12.04LTS desktop 32-bit.
This distro comes with Samba 3.6. The file share is set up and working
just fine, but I'm having trouble with the printers.

What I want is to just share the printers in the LAN. I don't want any
authentication. Anyone on the LAN is inside the building, and they
have physical access to the printers anyway, so there is no point in
requiring a password to print; they could just connect their device
directly to the printer anyway, and print that way!

Is this possible? I had it working on the old version, but after many
hours of messing with it, I can't get it to work on the new one.

Any ideas are appreciated! Below find my entire smb.conf file. At the
end of it is the old smb.conf that worked on the old version.

Thanks in advance!

--- Eric Wadsworth

--

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ;, the proposed setting
#differs from the default Samba behaviour
#  - When commented with #, the proposed setting is the default
#behaviour of Samba but the option is considered important
#enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# testparm to check that you have not made any basic syntactic
# errors.
# A well-established practice is to name the original file
# smb.conf.master and create the real config file with
# testparm -s smb.conf.master smb.conf
# This minimizes the size of the really used smb.conf file
# which, according to the Samba Team, impacts performance
# However, use this with caution if your smb.conf file contains nested
# include statements. See Debian bug #483187 for a case
# where using a master file is not a good idea.
#

#=== Global Settings ===

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
### Eric changed this from WORKGROUP
   workgroup = AT

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0
### Eric added this line
   interfaces = 127.0.0.0/8 eth1

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
### Eric uncommented this line
   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


### Authentication ###

# security = user is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
#   security = user

# You may wish to use 

[SCM] Samba Shared Repository - branch master updated

2013-03-16 Thread Stefan Metzmacher
The branch, master has been updated
   via  1d15fc7 Fix bug #9724 - is_encrypted_packet() function incorrectly used inside server.
  from  fd8b258 examples/libsmbclient: Cast mode_t to unsigned int for GNU/Solaris build

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1d15fc75a33b7368049876368f4b70c188bbd55e
Author: Jeremy Allison j...@samba.org
Date:   Fri Mar 15 15:05:31 2013 -0700

Fix bug #9724 - is_encrypted_packet() function incorrectly used inside server.

The is_encrypted_packet() function should only be used on the raw received data
to determine if a packet came in encrypted. Once we're inside the SMB1
processing code in smbd/reply.c we should be looking at the
smb1request->encrypted field to determine if a packet was really encrypted or
not.

Signed-off-by: Jeremy Allison j...@samba.org
Reviewed-by: Stefan Metzmacher me...@samba.org

Autobuild-User(master): Stefan Metzmacher me...@samba.org
Autobuild-Date(master): Sat Mar 16 12:44:44 CET 2013 on sn-devel-104

---

Summary of changes:
 source3/smbd/reply.c |5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 64c4fdb..2c31f15 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3294,8 +3294,7 @@ void reply_readbraw(struct smb_request *req)
 
START_PROFILE(SMBreadbraw);
 
-   if (srv_is_signing_active(sconn) ||
-   is_encrypted_packet(sconn, req-inbuf)) {
+   if (srv_is_signing_active(sconn) || req-encrypted) {
exit_server_cleanly(reply_readbraw: SMB signing/sealing is 
active - 
raw reads/writes are disallowed.);
}
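Review bot: the refusal of raw reads in reply_readbraw() now rests on req->encrypted alone, and nothing at the check says why the raw-buffer test is wrong here. A short comment above the `if` that points to where req->encrypted is set, and states that is_encrypted_packet() is for raw received data only, would keep the old call from being reintroduced. The exit message already names both signing and sealing, so it still matches the two conditions and needs no change.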
@@ -3698,7 +3697,7 @@ static void send_file_readX(connection_struct *conn, 
struct smb_request *req,
 */
 
if (!req_is_in_chain(req) 
-   !is_encrypted_packet(req-sconn, req-inbuf) 
+   !req-encrypted 
(fsp-base_fsp == NULL) 
(fsp-wcp == NULL) 
lp_use_sendfile(SNUM(conn), req-sconn-smb1.signing_state) ) {
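Review bot: the sendfile fast path in send_file_readX() is now gated on !req->encrypted, but the comment block that closes just above this condition is not updated to say so. Add a line there stating that encrypted requests must not take the sendfile path and that the decision comes from the request's own flag rather than from re-inspecting req->inbuf. As the changeset touches only these two call sites in reply.c, the commit message should also confirm that no other is_encrypted_packet() callers remain in the SMB1 reply code.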


-- 
Samba Shared Repository