Re: [Samba] Samba4 member of an another « Samba4 » domain
On 04/08/2013 06:01 PM, François Lafont wrote:
> Thank you Matthieu for your answer.
>
> On 08/04/2013 01:37, Matthieu Patou wrote:
>>> 1) First attempt to join the domain in the member server
>>>
>>> root@member~# samba-tool domain join chezmoi.priv member -U administrator --realm=chezmoi.priv
>>> Password for [CHEZMOI\administrator]:
>>> Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
>>> root@member~# ldconfig
>>> root@member~# smbd nmbd
>>>
>>> And now impossible to run winbindd.
>>>
>>> ---
>>> root@member~# winbindd -i -d 10
>>> [...]
>>> pack_tdc_domains: Packing 2 trusted domains
>>> pack_tdc_domains: Packing domain BUILTIN ()
>>> pack_tdc_domains: Packing domain WHEEZY-2 ()
>>> idmap config WHEEZY-2 : range = not defined
>>> Added domain WHEEZY-2 S-1-5-21-210096926-4033722923-1792459932
>>> Could not fetch our SID - did we join?
>>> unable to initialize domain list
>>> ---
>>
>> Hum, interesting, would be worth to check that from a clean setup you have this issue again and again.
>
> I have 2 virtualbox snapshots of Debian Wheezy with a Samba 4.0.4 installation in /usr/local/samba/. And I have the problem each time. Let me explain to you what I have done exactly.
>
> In the DC server *and* in the MEMBER server (both in static IP), I have done this:
>
> ---
> apt-get update
> apt-get dist-upgrade
> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev
> vi /etc/fstab # I add the acl and user_xattr options for / partition
> mount -o remount /
> cd /usr/local/src/
> wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz
> tar -zxvf ldb-1.1.15.tar.gz
> wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz
> tar -zxvf samba-4.0.4.tar.gz
> cd /usr/local/src/ldb-1.1.15/
> ./configure
> make
> make install
> cd /usr/local/src/samba-4.0.4
> ./configure
> make
> make install
> echo 'export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH' >> ~/.bashrc
> halt
> ---
>
> Snip! Snapshot of the DC server and snapshot of the MEMBER server. :-)
>
> Then, in the DC server, I have done:
>
> ---
> samba-tool domain provision # I keep the default answers each time, seems to work fine
> # 192.168.0.21 = IP of DC server which is the DNS server (internal DNS)
> echo nameserver 192.168.0.21 > /etc/resolv.conf
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind for passwd and group
> ldconfig
> samba
> ---
>
> Just for information, here is the smb.conf on the DC server after these commands:
>
> ---
> # Global parameters
> [global]
>     workgroup = CHEZMOI
>     realm = CHEZMOI.PRIV
>     netbios name = WHEEZY-SERVER
>     server role = active directory domain controller
>     dns forwarder = 212.27.40.241
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
> ---
>
> In the MEMBER server, I have done:
>
> ---
> echo nameserver 192.168.0.21 > /etc/resolv.conf
> samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind for passwd and group
> ldconfig
> vi /usr/local/samba/etc/smb.conf # see below
> smbd
> nmbd
> winbindd -i -d 10
> ---
>
> And boom! I have the same error which I have described in my previous message. The winbindd command is stopped.
>
> Just for information, here is the smb.conf in the MEMBER server:
>
> ---
> [global]
>     workgroup = CHEZMOI
>     security = ADS
>     realm = CHEZMOI.PRIV
>     encrypt passwords = yes
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-8
>     idmap config CHEZMOI:backend = ad
>     idmap config CHEZMOI:schema_mode = rfc2307
>     idmap config CHEZMOI:range = 500-4
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users = yes
>     winbind enum groups = yes
> ---
>
> Have I forgotten one step?

Are you sure that the two hosts have a different name as you are creating everything from the same base? Also could you do a net join -d 10 and attach the secrets.tdb after the first join?

>>> 2) Second attempt to join the domain in the member server. It's better but It
[Samba] (D)DNS Updates with GNU/Linux clients in a samba 4 AD environment (BIND_DLZ)
Hi !

I bounce on the Mr Sloop's post ([Samba] DDNS / DHCPd Internal DNS or BIND_DLZ) to ask what's the easiest way to allow Linux clients to update their DNS record themselves in the Samba4 AD server (with BIND_DLZ DNS server).

It works well with Windows clients, but with Linux clients joined to the domain, with a valid Kerberos ticket, the client receives an error ERROR_DNS_INVALID_MESSAGE and the famous "DNS update failed!" message.

Is there a hack ?

Thanks in advance.

--
Olivier

On 08/04/2013 20:00, samba-requ...@lists.samba.org wrote:
> Summary:
> If your clients are Windows clients, just leave things as is... they will handle updating DNS records in EITHER the internal DNS or BIND_DLZ server without any special hacks or scripts to handle it.
>
> If you have a large mix of clients and need the non-windows clients to update DNS via DHCPD, then using the script found in the following link might be useful.
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] (D)DNS Updates with GNU/Linux clients in a samba 4 AD environment (BIND_DLZ)
On 09.04.2013 10:09, Olivier BILHAUT wrote:
> Hi !
>
> I bounce on the Mr Sloop's post ([Samba] DDNS / DHCPd Internal DNS or BIND_DLZ) to ask what's the easiest way to allow Linux clients to update their DNS record themselves in the Samba4 AD server (with BIND_DLZ DNS server).
>
> It works well with Windows clients, but with Linux clients joined to the domain, with a valid Kerberos ticket, the client receives an error ERROR_DNS_INVALID_MESSAGE and the famous "DNS update failed!" message.
>
> Is there a hack ?
>
> Thanks in advance.
>
> --
> Olivier
>
> On 08/04/2013 20:00, samba-requ...@lists.samba.org wrote:
>> Summary:
>> If your clients are Windows clients, just leave things as is... they will handle updating DNS records in EITHER the internal DNS or BIND_DLZ server without any special hacks or scripts to handle it.
>>
>> If you have a large mix of clients and need the non-windows clients to update DNS via DHCPD, then using the script found in the following link might be useful.
>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

Hi Oliver,

I am using the modified by Charles Tryon which you find here:
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

To prevent those DNS update failures I have split my IP range into several smaller pieces and made sure that Windows machines, which do their own DNS updates, get IPs from a different IP range than other machines (Linux, Android, IP-Phones ...).

I also changed the script a little to prevent ddns updates by the DHCP daemon for the Windows PCs. In our case this is not a problem as our Windows PCs have distinct names and I could easily create classes in dhcpd.conf using those names.

best regards
Andreas
[Samba] [Announce] Samba 4.0.5 Available for Download
=====
"Well it takes a certain kind of girl to wear a backless dress with a Beretta 70 strapped to her thigh."
James Bond, Skyfall
=====

Release Announcements
---------------------

This is the latest stable release of Samba 4.0.

Major enhancements in Samba 4.0.5 include:

o Fix large reads/writes from some Linux clients (bug #9706).
o Add 'samba-tool dbcheck --reset-well-known-acls' (bugs #9740 and #9267).

Changes since 4.0.4:

o Michael Adam <ob...@samba.org>
  * BUG 9617: libnss-winbindd does not provide pass struct for groups mapped with ID_TYPE_BOTH and vice versa.
  * BUG 9653: idmap_autorid: Fix freeing of non-talloced memory.
  * BUG 9711: s4:winbindd: Do not drop the workgroup name in the getgrnam, getgrent and getgrgid calls.

o Jeremy Allison <j...@samba.org>
  * BUG 9130: Certain xattrs cause Windows error 0x800700FF.
  * BUG 9519: Samba returns unexpected error on SMB posix open.
  * BUG 9642: Fix the build of vfs_afsacl.
  * BUG 9695: Backport tevent changes to bring library to version 0.9.18.
  * BUG 9706: Fix large reads/writes from some Linux clients.
  * BUG 9724: is_encrypted_packet() function incorrectly used inside server.
  * BUG 9733: Fix 'smbcontrol close-share'.
  * BUG 9748: Remove unneeded fstat system call from hot read path.
  * BUG 9760: Fix incorrect parsing of SMB2 command codes.

o Christian Ambach <a...@samba.org>
  * BUG 9643: Fix the build with --fake-kaserver.
  * BUG 9644: Fix compile of source3/lib/afs.c.
  * BUG 9669: Fix crash in 'net rpc join' against a Samba 3.0.33 PDC.

o Timur Bakeyev <ti...@freebsd.org>
  * BUG 9666: Fix filtering of link-local addresses.

o Andrew Bartlett <abart...@samba.org>
  * BUG 9663: 'make test' hangs.
  * BUG 9697: DsReplicaGetInfo fails due to sendto() EMSGSIZE error on UNIX domain socket.
  * BUG 9703: Fix build on solaris8: Do not force a specific perl on pod2man.
  * BUG 9717: Set LD_LIBRARY_PATH in install_with_python.sh.
  * BUG 9718: s4-idmap: Remove requirement that posixAccount or posixGroup be set for rfc2307.
  * BUG 9719: Allow forcing an override of an old @MODULES record.
  * BUG 9720: Do not print the admin password during 'samba-tool classicupgrade'.
  * BUG 9721: Make samba_upgradedns more robust (do not guess addresses when just changing roles).
  * BUG 9725: upgradeprovision and 'samba-tool dbcheck' patches for 4.0.NEXT.
  * BUG 9728: DO NOT install samba_upgradeprovision in 4.0.x.
  * BUG 9739: PIDL: Build fixes for hosts without CPP (Solaris 11).
  * BUG 9740: Add 'samba-tool dbcheck --reset-well-known-acls'.
  * BUG 9267: Can't delegate adding computers to domain.

o Alexander Bokovoy <a...@samba.org>
  * BUG 9636: PIDL: Fix parsing linemarkers in preprocessor output.
  * BUG 9639: Rename internal subsystem pdb_ldap to pdb_ldapsam.

o Ira Cooper <i...@samba.org>
  * BUG 9646: Make SMB2_GETINFO multi-volume aware.

o David Disseldorp <dd...@samba.org>
  * BUG 9633: Recursive mget should continue on EPERM.

o Landon Fuller <land...@bikemonkey.org>
  * BUG 9656: Work around FreeBSD's getaddrinfo() underscore issue.
  * BUG 9696: Remove incomplete samba_dnsupdate IPv6 link-local address check.
  * BUG 9697: Handle EMSGSIZE on UNIX domain sockets.

o Björn Jacke <b...@sernet.de>
  * BUG 7825: Fix GNU ld version detection with old gcc releases.

o Daniel Kobras <d.kob...@science-computing.de>
  * BUG 9039: Never try to map global SAM name.

o Guenter Kukkukk <ku...@samba.org>
  * BUG 9701: Fix vfs_catia and update documentation.

o Volker Lendecke <v...@samba.org>
  * BUG 9695: Backport tevent changes to bring library to version 0.9.18.
  * BUG 9727: Fix NULL pointer dereference.
  * BUG 9736: Change to smbd/dir.c code gives significant performance increases on large directory listings.

o Stefan Metzmacher <me...@samba.org>
  * BUG 9557: Fix build on AIX.
  * BUG 9625: Reauth-capable client fails to access shares on Windows member.
  * BUG 9695: Backport tevent changes to bring library to version 0.9.18.
  * BUG 9706: Parameter is incorrect on Android.

o Andreas Schneider <a...@samba.org>
  * BUG 9664: Fix correct linking of libreplace with cmdline-credentials.
  * BUG 9683: Fix several resource (fd) leaks.
  * BUG 9685: Fix a memory leak in spoolss rpc server.
  * BUG 9686: Fix a possible buffer overrun in pdb_smbpasswd.
  * BUG 9687: Fix several possible null pointer dereferences.
  * BUG 9723: Add a tool to migrate latin1 printing tdbs to registry.
  * BUG 9735: Fix Winbind separator in upn to username conversion.
  * BUG 9758: Don't leak the epm_Map policy
Re: [Samba] [PATCH] Force python for Samba on platforms with a too old installed python (eg RHEL 5.9)
pushed

On 2013-04-08 at 18:59 +1000, Andrew Bartlett wrote:
> Phil,
>
> I've tried following your mails, and your trials, but got totally lost. So what I've done is write up a patch, which should address the one issue I've been able to distil out of this, which is that when Samba is built against something other than the default python, samba-tool segfaults.
>
> This happens because if we build and link against one library, but you run samba-tool with a different python, internal things go boom.
>
> This patch works for me on my Centos 5 box.
>
> As to all your trials building different versions of python, I can't really offer a solution - I've not seen those myself, and you really seem to have quite a mix of things going wrong here.
>
> I would suggest that if you do want to build a new AD DC, you should do so on a modern OS, where python just works. While I will certainly work (as this patch will help a lot with) to have install_with_python work for the AD DC, the intended purpose was simply to get enough of python going to run our build system for simpler file server installations, to allow a transition from the second (autoconf) build system. (And in that it has been quite successful).
>
> Please test these patches, hopefully they will resolve your issue.
>
> Finally, if you get odd build errors (such as the symlink error you got), then 'git clean -x -f -d' will blow away everything not nailed down in the git checkout. This tends to fix that kind of issue (such as happened when I moved our python code around in master and in v4-0-test for 4.0.5).
>
> Metze (or someone else on the team),
>
> Please review or push to master.
>
> Thanks,
>
> Andrew Bartlett
Re: [Samba] LDAP (Schemas,Users) to Samba4 migration
Thank you for support.

OK. If one has 10 users, it goes by hand, but we have ca. 110 users. Maybe there is an automatic solution for it?
[Samba] SaMBa and Active Directory Functional Level
Hi all,

We have an Active Directory domain with two Windows Server 2008 R2 domain controllers, but our domain functional level is still Windows Server 2003.

We would like to raise the functional level to Windows Server 2008 R2, but due to the age of some of our SaMBa installations, I would like to know which is the earliest version of SaMBa which supported Active Directory at the Windows Server 2008 R2 functional level.

Raising the functional level is irreversible, and one of the SaMBa installations is on a SUN (now Oracle) server running a version of SaMBa (3.6.8) which is unlikely to be upgraded anytime soon; so if it turns out to be incompatible, we will be in deep trouble.

Thank you for your help.

Yours,
David del Campo
[Samba] NTP doesnt work for Win2000 clients + Samba 4.0.4 (see tcpdump)
Hi all,

I am using Samba 4.0.4 as AD DC on my test environment and realized that all my W2k clients (default installation, no special setups made on the clients) cannot receive the correct time of my samba 4.0.4 AD domain controller. Windows XP and 7 work fine though. The problem occurs at three W2k test clients I tried with.

The default behavior of Windows clients is to use the update type Nt5DS which means, that the client tries to get the time of its domain controller. Unfortunately this fails for my W2k clients in conjunction with Samba 4.0.4 and also an error in event log appears, that says that the time couldn't be retrieved of my samba4 server mysmb4srv.ad.mycompany.com.

As soon as I execute on win2000 clients cmd prompt net time /setsntp:mysmb4srv.ad.mycompany.com it works. This command causes the registry entries under HKLM\System\Current Control Set\Services\W32Time\Parameters to change the default behavior from type=Nt5DS to type=NTP and adds a line NTP server=mysmb4srv.ad.mycompany.com. With this setting the time sync works fine as soon as I restart the Windows Time Service. I have logged the received ntp packets at samba4's side:

Issue: Win2000 clients cannot update time through NTP of my samba 4.0.4 server which is installed and configured like shown on the Samba4 HowTo (+NTP HowTo). Seems that the Nt5DS discovery mode on win2000 clients doesn't interact fine with samba4 ???

Here are the tcpdump -vv udp port 123 logs

Win2000 Client, set to default behavior (type=Nt5DS) 1st run:

    08:46:21.067456 IP (tos 0x0, ttl 128, id 4794, offset 0, flags [none], proto UDP (17), length 76)
        smb4testw2k.dhcp.mycompany.com.1856 > r4dv3ld002.mycompany.com.ntp: [udp sum ok] NTPv2, length 48
        Client, Leap indicator: (0), Stratum 0 (unspecified), poll 11s, precision 0
        Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec)
          Reference Timestamp: 0.0
          Originator Timestamp: 0.0
          Receive Timestamp: 0.0
          Transmit Timestamp: 3574467978.43589 (2013/04/09 05:46:18)
            Originator - Receive Timestamp: 0.0
            Originator - Transmit Timestamp: 3574467978.43589 (2013/04/09 05:46:18)
    08:46:21.067659 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76)
        r4dv3ld002.mycompany.com.ntp > smb4testw2k.dhcp.mycompany.com.1856: [bad udp cksum 9981!] NTPv2, length 48
        Server, Leap indicator: (0), Stratum 11 (secondary reference), poll 11s, precision -18
        Root Delay: 0.00, Root dispersion: 0.011169, Reference-ID: 127.127.1.0
          Reference Timestamp: 3574478764.256589680 (2013/04/09 08:46:04)
          Originator Timestamp: 3574467978.43589 (2013/04/09 05:46:18)
          Receive Timestamp: 3574478781.067456305 (2013/04/09 08:46:21)
          Transmit Timestamp: 3574478781.067631855 (2013/04/09 08:46:21)
            Originator - Receive Timestamp: +10802.631456315
            Originator - Transmit Timestamp: +10802.631631851

Win2000 Client, set to default behavior (type=Nt5DS) 2nd run (to have one more log):

    08:56:24.490199 IP (tos 0x0, ttl 128, id 4847, offset 0, flags [none], proto UDP (17), length 76)
        smb4testw2k.dhcp.mycompany.com.msnp > r4dv3ld002.mycompany.com.ntp: [udp sum ok] NTPv2, length 48
        Client, Leap indicator: (0), Stratum 0 (unspecified), poll 11s, precision 0
        Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec)
          Reference Timestamp: 0.0
          Originator Timestamp: 0.0
          Receive Timestamp: 0.0
          Transmit Timestamp: 3574468581.23295 (2013/04/09 05:56:21)
            Originator - Receive Timestamp: 0.0
            Originator - Transmit Timestamp: 3574468581.23295 (2013/04/09 05:56:21)
    08:56:24.490414 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76)
        r4dv3ld002.mycompany.com.ntp > smb4testw2k.dhcp.mycompany.com.msnp: [bad udp cksum bd60!] NTPv2, length 48
        Server, Leap indicator: (0), Stratum 11 (secondary reference), poll 11s, precision -18
        Root Delay: 0.00, Root dispersion: 0.011581, Reference-ID: 127.127.1.0
          Reference Timestamp: 3574479340.256625980 (2013/04/09 08:55:40)
          Originator Timestamp: 3574468581.23295 (2013/04/09 05:56:21)
          Receive Timestamp: 3574479384.490199267 (2013/04/09 08:56:24)
          Transmit Timestamp: 3574479384.490376532 (2013/04/09 08:56:24)
            Originator - Receive Timestamp: +10803.257199257
            Originator - Transmit Timestamp: +10803.257376521

Win2000 Client, executed on cmd prompt net time /setsntp:mysmb4srv.ad.mycompany.com which puts the NTP client of the w2k machine into type=NTP instead of Nt5DS:

---
    08:48:32.330828 IP (tos 0x0, ttl 128, id 4811, offset 0, flags [none], proto UDP (17), length 96)
        smb4testw2k.dhcp.mycompany.com.1861 > r4dv3ld002.mycompany.com.ntp: [udp sum ok] NTPv2, length 68
        Client, Leap indicator:
Re: [Samba] NTP doesnt work for Win2000 clients + Samba 4.0.4 (see tcpdump)
iM> I am using Samba 4.0.4 as AD DC on my test environment and
iM> realized that all my W2k clients (default installation, no special
iM> setups made on the clients) cannot receive the correct time of my
iM> samba 4.0.4 AD domain controller. Windows XP and 7 work fine
iM> though. The problem occurs at three W2k test clients I tried with.

iM> The default behavior of Windows clients is to use the update type
iM> Nt5DS which means, that the client tries to get the time of its
iM> domain controller. Unfortunately this fails for my W2k clients in
iM> conjunction with Samba 4.0.4 and also an error in event log
iM> appears, that says that the time couldn't be retrieved of my samba4
iM> server mysmb4srv.ad.mycompany.com.

iM> As soon as I execute on win2000 clients cmd prompt net time
iM> /setsntp:mysmb4srv.ad.mycompany.com it works. This command causes
iM> the registry entries under HKLM\System\Current Control
iM> Set\Services\W32Time\Parameters to change the default behavior
iM> from type=Nt5DS to type=NTP and adds a line NTP
iM> server=mysmb4srv.ad.mycompany.com. With this setting the time
iM> sync works fine as soon as I restart the Windows Time Service. I
iM> have logged the received ntp packets at samba4's side:

iM> Issue: Win2000 clients cannot update time through NTP of my samba 4.0.4 server which is installed
iM> and configured like shown on the Samba4 HowTo (+NTP HowTo). Seems that the Nt5DS discovery mode
iM> on win2000 clients doesn't interact fine with samba4 ??? Here are
iM> the tcpdump -vv udp port 123 logs

I'm sure someone will give you more data, but W2000 was completely out of maintenance mode, what, two+ years ago?

Making changes to the registry so it will use NTP for time updates is fairly easy - which will make it compatible with the AD server.

It would seem, to me at least, a bad use of resources to trouble-shoot/fix a Win2000 problem when there are workarounds and when Win2000 is not supported any more, and has multiple unpatched vulnerabilities.

Just my opinion of course.

-Greg
[Samba] missing libgnutls.so.26
On Mon, 2013-04-08 at 20:25 -0700, Phil Quesinberry wrote:
> Hi Andrew,
>
> Many, many thanks and sorry about that... I was somewhat lost while writing the post myself, I was trying to distill all of the different things I had tried down into useful information but I somehow missed the mark.
>
> After I had posted the message, I manually did a configure of Samba's private copy of Python and then did a make uninstall to let it do some housecleaning. After doing that, I was then able to compile Samba successfully without passing any flags but I'm still getting a libgnutls error when attempting to execute pdbedit and the same error as before with samba-tool.
>
> I pulled down and applied your patch against master but it didn't seem to have any effect. I did another build with the install_with_python script but am still getting the same errors:
>
> [root@Server1 samba4]# pdbedit
> pdbedit: error while loading shared libraries: libgnutls.so.26: cannot open shared object file: No such file or directory
>
> [root@Server1 samba4]# samba-tool
> Traceback (most recent call last):
>   File "/usr/local/samba/bin/samba-tool", line 33, in <module>
>     from samba.netcmd.main import cmd_sambatool
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/__init__.py", line 50, in <module>
>     from samba._ldb import Ldb as _Ldb
> ImportError: libgnutls.so.26: cannot open shared object file: No such file or directory

Between building Samba and running it you have removed libgnutls.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Ok this works:

    #!/usr/bin/env python
    # Python 2 script (uses the Samba 4.0 python2.6 bindings)

    import sys

    # Make the Samba-installed Python modules importable
    sys.path.insert(0, "/usr/local/samba/lib64/python2.6/site-packages")
    sys.path.insert(1, "/usr/local/samba/lib/python2.6/site-packages")

    from samba import Ldb, registry
    from samba.param import LoadParm
    from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
    from samba.samba3 import passdb
    from samba.samba3 import param as s3param
    from samba.dcerpc import lsa, samr, security
    from samba.dcerpc.security import dom_sid
    from samba.credentials import Credentials
    from samba import dsdb
    from samba.ndr import ndr_pack
    from samba import unix2nttime

    # Convert Hex to Byte string
    def HexToByte( hexStr ):
        bytes = []
        hexStr = ''.join( hexStr.split( ) )
        for i in range(0, len(hexStr), 2):
            bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
        return ''.join( bytes )

    # Connect to samba4 backend
    new_lp_ctx = s3param.get_context()
    new_lp_ctx.load("/usr/local/samba/etc/smb.conf")
    new_lp_ctx.set("private dir", "/usr/local/samba/private")
    s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))

    # Change testuser password
    new_userdata = s4_passdb.getsampwnam("testuser")
    new_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
    new_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
    s4_passdb.update_sam_account(new_userdata)

I was missing some module paths and the extra info for connecting to the LDB database...

Now I just have to generalize this procedure so that I can update the passwords every night like I do with Samba3-LDAP.

Andrew, thanks for the pointers. I'm posting this in case it can help someone else.

- Original Message -
From: Luc Lalonde luc.lalo...@polymtl.ca
To: Andrew Bartlett abart...@samba.org
Cc: samba@lists.samba.org
Sent: Wednesday, March 27, 2013 7:38:05 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

Hello Andrew,

How would I convert the below base16 strings into raw bytes acceptable to this routine?

We presently inject the NTLM passwords directly into our LDAP database for Samba3.

Also, I can't seem to figure out the argument values for 'passdb.PDB'. I tried 'ldb', 'samba_dsdb'.

Thanks for your help!

On 2013-03-27, at 6:18 PM, Andrew Bartlett abart...@samba.org wrote:
> On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
>> Hello Andrew,
>>
>> I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best. Here we go anyway...
>>
>> I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database.
>>
>> In the script I see these lines:
>>
>> ###
>> # Connect to samba4 backend
>> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
>>
>> I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?
>>
>> Once that's done, from what I understand, I should be able to change the passwords directly:
>>
>> ###
>> # Change foo-user password
>> admin_userdata = s4_passdb.getsampwnam("foo-user")
>> admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
>> admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
>> s4_passdb.update_sam_account(admin_userdata)
>> ###
>
> Sort of. Those values are not base16 strings, but raw bytes, but otherwise that looks pretty much right at a first glance.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

--
Luc Lalonde, analyste
-
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
-
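
The conversion discussed in this thread (32-digit base16 strings to the 16 raw bytes the account fields hold), with the validation a nightly feed needs, as an added example that is not code from the thread or from Samba. It is stand-alone Python 3: the `user:LMHEX:NTHEX` line format, the sample feed, and the names `hex_to_hash` and `parse_feed` are assumptions made for illustration, and the Samba `passdb` calls from the post are not made here.

```python
import binascii

HASH_LEN = 16  # NT and LM hashes are 16 raw bytes, i.e. 32 hex digits
# LM hash of an empty 7-character half; a blank LM hash is this value twice.
LM_BLANK_HALF = binascii.unhexlify("AAD3B435B51404EE")
LM_BLANK = LM_BLANK_HALF * 2


class HashFormatError(ValueError):
    """Raised for a field that is not exactly 16 bytes of base16."""


def hex_to_hash(hex_str, field):
    """Convert a base16 string to the 16 raw bytes stored in the account."""
    cleaned = "".join(hex_str.split())
    try:
        raw = binascii.unhexlify(cleaned)
    except ValueError:  # binascii.Error is a ValueError subclass
        # Name the field only: hashes are password equivalents and must
        # not end up in logs or error messages.
        raise HashFormatError("%s: not valid base16" % field) from None
    if len(raw) != HASH_LEN:
        raise HashFormatError(
            "%s: expected %d bytes, got %d" % (field, HASH_LEN, len(raw)))
    return raw


def parse_feed(lines):
    """Parse 'user:LMHEX:NTHEX' lines (hypothetical feed format).

    Returns (accepted, rejected): accepted entries carry raw-byte hashes
    plus audit flags, rejected entries are (line number, reason) pairs.
    """
    accepted, rejected = [], []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[0]:
            rejected.append((lineno, "expected user:LMHEX:NTHEX"))
            continue
        user, lm_hex, nt_hex = parts
        try:
            lm = hex_to_hash(lm_hex, "lanman_passwd")
            nt = hex_to_hash(nt_hex, "nt_passwd")
        except HashFormatError as exc:
            rejected.append((lineno, str(exc)))
            continue
        accepted.append({
            "user": user,
            "nt_passwd": nt,
            "lanman_passwd": lm,
            # No LM hash stored for this account.
            "lm_blank": lm == LM_BLANK,
            # LM hashes each 7-character half separately, so a blank second
            # half means the password is 7 characters or fewer.
            "lm_short_password": lm != LM_BLANK and lm[8:] == LM_BLANK_HALF,
        })
    return accepted, rejected


# Constructed sample feed. The testuser values are the ones quoted in the
# post; every other line is made up for the example.
SAMPLE_FEED = [
    "# user:LMHEX:NTHEX",
    "testuser:552902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353FC7",
    "nolm:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF",
    "truncated:552902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353F",
    "nothex:552902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353FZZ",
    "nofields:878D8014606CDA29677A44EFA1353FC7",
]

if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    for entry in ok:
        # Print flags only, never the hash bytes.
        print(entry["user"], "lm_blank=%s" % entry["lm_blank"],
              "lm_short_password=%s" % entry["lm_short_password"])
    for lineno, reason in bad:
        print("line %d rejected: %s" % (lineno, reason))
```

Entries that pass validation are the ones whose `nt_passwd` and `lanman_passwd` bytes would be handed to the account update; rejected lines are skipped rather than written as malformed hashes.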
Re: [Samba] Wrong local DNS responses from samba4
Hello,

On 09.04.2013 02:09, Nick Semenkovich wrote:
> As an example:
> router/dhcp/upstream DNS is at 192.168.0.1
> samba4 is at 192.168.0.2
> aio1.corp.example.com is at 192.168.0.171 (and has been for 48+ hours)
>
> [ask upstream router/DHCP for the IP]
> $ dig +short @192.168.0.1 aio1.corp.example.com
> 192.168.0.171
> ^^ correct ^^
>
> [ask samba4 for the IP]
> $ dig +short @192.168.0.2 aio1.corp.example.com
> 192.168.0.168
> ^^ wrong ^^

- If you look into the zone via the Windows DNS snap-in - do you see the correct IP for this record there?

- If you comment out the 'dns forwarder' line in smb.conf (+ restart samba), what does
  $ dig +short @192.168.0.2 aio1.corp.example.com
  tell you now?

- Does the following output show you the correct IP for this record?
  $ samba-tool dns query 192.168.0.2 corp.example.com aio1 ALL

Regards,
Marc
[Samba] Anonymous Samba share across subnets (without WINS?)
I'm trying to replace an old Windows 2000 server that is currently set up with a number of open anonymous shares used by a legacy application that must remain in production for a few more years.

I spent a few hours trying to create anonymous shares on a 2008 R2 box but gave up. My next idea was to use Samba to create an anonymous share, and following this quick-n-dirty HowTo: http://www.debuntu.org/samba-how-to-share-files-for-your-lan-without-userpassword/, I set up a Lucid Lynx box with samba (3.4.7~dfsg-1ubuntu3.10) to do just that.

Works great... as long as you're on the same subnet as the Samba server.

So our subnets are roughly set up thusly:

* 172.21.11.0/24 - Linux servers
* 172.21.110.0/24 - Test PCs (Win7 x64)
* 172.18.224.0/20 - Production PCs (Win7 x64)
* 204.133.165.0/24 (treated as an internal network, don't ask) - Old server subnet

And the specific machines I'll be discussing are:

* 172.21.11.24 - Samba server (wrc-deploy)
* 172.21.110.68 - My test PC (Win7 x64)
* 204.133.165.24 - Old Windows 2000 server

So from another Linux server, on the same subnet (broadcast domain), I can do the following without a problem:

    jheese@wrc-aptcache1:~$ smbclient -NL wrc-deploy
    Domain=[WELDCORCC] OS=[Unix] Server=[Samba 3.4.7]

        Sharename       Type      Comment
        ---------       ----      -------
        APS             Disk      APS share
        CARSBIN         Disk      CARSBIN share
        CARSPROJ        Disk      CARSPROJ share
        CivilDocs       Disk      CivilDocs share
        DA_CrystalEase  Disk      DA_CrystalEase share
        RMSDist         Disk      RMSDist share
        RMSDistTRN      Disk      RMSDistTRN share
        RMSTools        Disk      RMSTools share
        TibCAD          Disk      TibCAD share
        IPC$            IPC       IPC Service (wrc-deploy)
    Domain=[WELDCORCC] OS=[Unix] Server=[Samba 3.4.7]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            WRC-DEPLOY
    jheese@wrc-aptcache1:~$ smbclient -N //wrc-deploy/RMSDist
    Domain=[WELDCORCC] OS=[Unix] Server=[Samba 3.4.7]
    Server not using user level security and no password supplied.
    smb: \> ls
      .                                   D        0  Mon Mar 25 15:44:53 2013
      ..                                  D        0  Mon Mar 25 15:24:20 2013
      test                                A        0  Mon Mar 25 15:45:01 2013

            60617 blocks of size 262144. 49484 blocks available
    smb: \> q
    jheese@wrc-aptcache1:~$

Great! However, from my Windows test PC on the 172.21.110.0/24 subnet, if I try to browse to \\wrc-deploy or \\wrc-deploy\RMSDist, say, I get "The account is not authorized to log in from this station."

However, and I think this is key, I can browse to \\172.21.11.24 and \\172.21.11.24\RMSDist without a problem... DNS is absolutely working properly, and I can ping, telnet, etc. to the name wrc-deploy from my test PC without a problem.

Also, I know that it's not the old NTLM/LM security options because I can hit the old Windows 2000 server's shares from my test PC without a problem, and it's on the old server subnet, 204.133.165.0/24. To my knowledge, no WINS server has ever been configured on this network, nor do we have any broadcast forwarding configured on our routers to make the old server's shares browse properly.

I've Googled the crap out of this, including the specific error message, seeing about using Samba 4.x to do this instead of Samba 3.x, whether WINS is necessary (I'd really like to not have to go this route if possible), and everything else, but I can't find anyone else in this same situation.

So, can anyone please suggest ways to make this work. I don't care how it's done, but the requirements are:

* Anonymous CIFS shares
* Works by name across subnets
* Without a WINS server on each subnet (we have way too many subnets, some in weird places)
* (Preferably) Without WINS altogether

Let me know if you need any specific information as far as config files, versions, or diagrams. Thanks in advance!

Jon Heese
Systems Administrator
Weld County Computer Services
ACS Government Systems, Inc., A Xerox Company
tel: 970-304-6570 x2552
jhe...@co.weld.co.us
[Samba] classic upgrade sort of succeeds but really fails - Advice?
Hi, I am stuck in a bad place and I'm not sure where to go next. I'd sure appreciate some advice or direct help in troubleshooting this problem. If I can provide additional information I'd be happy to send it along privately. Some logs are very large - like the debuglevel 10 classicupgrade output is about 160MB. But there is Dropbox, right? I've included what I could think of below but I'm sure I checked things that I forgot to include. It's a much longer message than I expected so your indulgence and attention is especially appreciated. I have a samba 3 server that has been upgraded several times over many years and has accumulated a lot of cruft. The goal is to do a successful classic upgrade to samba 4 v4.0.4. The samba 3 server was copied and upgraded from a RHEL5 to a centos6 server on a private network for this exercise. I virtualized 2 existing windows XP workstations to use for testing. I setup their DNS to point to the test samba4 server. In prep for using classic-upgrade I went through and removed accounts that reported bad information (bad gid, no unix account). Cut down the number of users considerably. A predecessor decided to make all unix accounts samba logins including lp, news, uucp, etc. these were all removed, though root was left, of course. And I removed /var/lib/samba/wins.dat. The classic upgrade complained about some missing groups and I was generally able to add groups for the domain gid's it complained about. The samba-tools domain classicupgrade appeared to go through but when I made sure that bind, smb, nmb and windbind were all shut down and started /usr/local/samba/sbin/samba. The domain was visible to clients in windows explorer, already joined workstations could login but not load their roaming profiles. The domain controller was not visible and could not be directly addressed by using \\themissingservername. 
In investigating it looks like sysvol is setup in smb.conf, and ADMIN$ and IPC$ are setup in private/share.ldb I checked and it appears all the users got successfully imported. It is parsing the samba3 smb.conf, but does not create shares in the samba4 smb.conf The samba-tool command I used for classicupgrade is: /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/var/lib/samba --dns-backend=SAMBA_INTERNAL --use-xattrs=yes --realm=mydomain.local /etc/samba/smb.conf Let's call the server myserverl. The generated smb.conf does not have any of the shares many from the samba3 server setup. Here it is sanitized: ** [global] workgroup = MYDOMAIN realm = mydomain.local netbios name = MYSERVER server role = active directory domain controller idmap_ldb:use rfc2307 = yes dns forwarder = 208.67.222.222 [netlogon] path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No ** I start the domain with /usr/local/samba/sbin/samba -I -M single -d2 When I try to login I get the following output repeating: idmapping sid_to_xid failed for id[1]=S-1-5-21-1509466807-1292110410-277592076-515: NT_STATUS_NONE_MAPPED idmapping sid_to_xid failed for id[3]=S-1-1-0: NT_STATUS_NONE_MAPPED idmapping sid_to_xid failed for id[4]=S-1-5-2: NT_STATUS_NONE_MAPPED idmapping sid_to_xid failed for id[5]=S-1-5-11: NT_STATUS_NONE_MAPPED idmapping sid_to_xid failed for id[3]=S-1-5-21-1509466807-1292110410-277592076-572: NT_STATUS_NONE_MAPPED idmapping sid_to_xid failed for id[4]=S-1-1-0: NT_STATUS_NONE_MAPPED idmapping sid_to_xid failed for id[5]=S-1-5-2: NT_STATUS_NONE_MAPPED idmapping sid_to_xid failed for id[6]=S-1-5-11: NT_STATUS_NONE_MAPPED I have been generally successful at mapping domain sids (S-1-5-21-domain sid-rid in the old samba3 config then re-running the classicupgrade after removing the samb4 smb.conf. 
When I try to map the Everyone and other two SID's in the list classicupgrade fails pretty miserably at the end. I use the samba3 net grouplist function for the above. When logged into an xp workstation already joined to the samba3 domain I can see my and other workstations in the domain but not the server. I get the following errors in the workstation application system log: ** Event Type: Error Event Source: AutoEnrollment Event Category: None Event ID: 15 Date: 4/9/2013 Time: 9:19:59 AM User: N/A Computer: ACCT1 Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed. ** Followed by ** Event Type: Error Event Source: Userenv Event Category: None Event ID: 1053 Date: 4/9/2013 Time: 9:22:22 AM User: NT AUTHORITY\SYSTEM Computer: ACCT1 Description: Windows cannot determine the user or
Re: [Samba] Anonymous Samba share across subnets (without WINS?)
On Tue, Apr 9, 2013 at 1:00 PM, Jon Heese jhe...@co.weld.co.us wrote:
> My next idea was to use Samba to create an anonymous share, and following this quick-n-dirty HowTo: http://www.debuntu.org/samba-how-to-share-files-for-your-lan-without-userpassword/, I set up a Lucid Lynx box with samba (3.4.7~dfsg-1ubuntu3.10) to do just that.

See my blog post here: http://blog.realcomputerguy.com/2010/12/samba-and-guest-shares-with-security.html
Re: [Samba] Anonymous Samba share across subnets (without WINS?)
Awesome! That totally worked! Thanks so much for your help!

Jon Heese
Systems Administrator
Weld County Computer Services
ACS Government Systems, Inc., A Xerox Company
tel: 970-304-6570 x2552
jhe...@co.weld.co.us

-Original Message-
From: Chris Smith [mailto:smb...@chrissmith.org]
Sent: Tuesday, April 09, 2013 12:04 PM
To: Jon Heese
Cc: samba@lists.samba.org
Subject: Re: [Samba] Anonymous Samba share across subnets (without WINS?)
Re: [Samba] LDAP (Schemas,Users) to Samba4 migration
On 2013-04-09 14:56, alxgrb wrote:
> Thank you for support. OK. If one has 10 users, it goes by hand, but we have ca. 110 users. Maybe there is an automatic solution for it?

The problem is: If you have users with only posixAccount (or similar) objectClasses (without samba 3.x aka classic attributes) you could add them by an ldapsearch ldbadd based script, but you won't be able to transfer the passwords, as OpenLDAP (with posixAccount and similar objectClasses) uses a differently encrypted userPassword attribute than Samba as an AD controller (kerberos keys) can use. As the passwords are one way encrypted without having an NTPassword attribute (which corresponds to an arcfour-hmac-md5 enctype) you will lose the password during migration.

Regards
Geza Gemes
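An added example, not part of the original message or of Samba itself: a triage of an `ldapsearch` LDIF export that lists which accounts carry an NT hash and which will need a new password after migration, as the reply above explains. The attribute name `sambaNTPassword` is the Samba 3 LDAP schema's; the sample entries, the placeholder hash values and the "32 hex digits" validity check are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify posixAccount entries in an LDIF export by whether
# their password can survive a migration to a Samba AD DC.
#   keep  = entry has a well-formed NT hash (sambaNTPassword, 32 hex digits)
#   reset = only userPassword, or a malformed hash: a new password is needed

# Constructed sample export; DNs and hash values are placeholders.
sample_ldif() {
cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
userPassword: {SSHA}PLACEHOLDER
sambaNTPassword: 0123456789ABCDEF
 0123456789ABCDEF

dn: uid=bob,ou=People,
 dc=example,dc=org
objectClass: posixAccount
uid: bob
userPassword: {SSHA}PLACEHOLDER

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
userPassword:: e1NTSEF9UExBQ0VIT0xERVI=
sambaNTPassword: 0123ABCD

dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People
EOF
}

# Reads LDIF on stdin, prints "<uid> keep|reset" for each posixAccount entry.
triage_ldif() {
awk '
function emit() {
    if (posix && uid != "") {
        ok = (length(nt) == 32 && nt ~ /^[0-9A-Fa-f]+$/)
        print uid, (ok ? "keep" : "reset")
    }
    uid = ""; nt = ""; posix = 0
}
function handle(line,    p, name, val) {
    if (line == "") { emit(); return }        # blank line ends an entry
    p = index(line, ":")
    if (p == 0) return
    name = tolower(substr(line, 1, p - 1))    # attribute names are case-insensitive
    val = substr(line, p + 1)
    sub(/^:?[ ]*/, "", val)                   # drop base64 marker and leading spaces
    if (name == "uid") uid = val
    else if (name == "sambantpassword") nt = val
    else if (name == "objectclass" && tolower(val) == "posixaccount") posix = 1
}
{
    # LDIF folds long lines: a leading space continues the previous line.
    if (substr($0, 1, 1) == " ") { pending = pending substr($0, 2); next }
    if (have) handle(pending)
    pending = $0; have = 1
}
END { if (have) handle(pending); emit() }
'
}

# Number of accounts that will need a password reset.
count_resets() {
    triage_ldif | awk '$2 == "reset" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample.
sample_ldif | triage_ldif
```

Because the parser unfolds continuation lines first, alice's hash, which is split across two lines in the export, is still recognised; a plain `grep` for the attribute would see only half of it.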
Re: [Samba] missing libgnutls.so.26
Could it be that he has some kind of mess with LD_LIBRARY_PATH? Maybe at compile time, Samba was able to find everything it needed but then, at run time, it can't find the needed libraries even though they're installed somewhere. I'm saying that because I'm pretty sure this happened to me O:-)

2013/4/9 Andrew Bartlett abart...@samba.org

> On Mon, 2013-04-08 at 20:25 -0700, Phil Quesinberry wrote:
>> Hi Andrew,
>>
>> Many, many thanks and sorry about that... I was somewhat lost while writing the post myself, I was trying to distill all of the different things I had tried down into useful information but I somehow missed the mark.
>>
>> After I had posted the message, I manually did a configure of Samba's private copy of Python and then did a make uninstall to let it do some housecleaning. After doing that, I was then able to compile Samba successfully without passing any flags but I'm still getting a libgnutls error when attempting to execute pdbedit and the same error as before with samba-tool.
>>
>> I pulled down and applied your patch against master but it didn't seem to have any effect. I did another build with the install_with_python script but am still getting the same errors:
>>
>> [root@Server1 samba4]# pdbedit
>> pdbedit: error while loading shared libraries: libgnutls.so.26: cannot open shared object file: No such file or directory
>> [root@Server1 samba4]# samba-tool
>> Traceback (most recent call last):
>>   File "/usr/local/samba/bin/samba-tool", line 33, in <module>
>>     from samba.netcmd.main import cmd_sambatool
>>   File "/usr/local/samba/lib/python2.6/site-packages/samba/__init__.py", line 50, in <module>
>>     from samba._ldb import Ldb as _Ldb
>> ImportError: libgnutls.so.26: cannot open shared object file: No such file or directory
>
> Between building Samba and running it you have removed libgnutls.
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

--
Linkedin profile (http://es.linkedin.com/in/lafdez)
G+ profile (https://plus.google.com/u/0/115320207805121303027/about)
Twitter (@lafdez @_lafdez_)
Identi.ca (@lafdez)
Re: [Samba] missing libgnutls.so.26
No I didn't do that... honest. I did a yum remove of python26 which also removes python26-devel and python26-libs and went around the system cleaning up leftover copies of the python 2.6 executable. After that I re-installed the above packages and pdbedit worked once again. Then I did a make uninstall of samba, make clean, git clean -d -f -x, removed the prefix directory (/usr/local/samba), re-patched and rebuilt it again with the install_with_python script. Once I did that, pdbedit gave me the gnutls error again. So I did a bit of looking around and one very interesting thing I noticed is that /usr/local/samba/lib no longer has the libgnutls files (prefix is /usr/local/samba). It has a bunch of other library files but significantly fewer than in the original lib directory. I have an old backup of that directory from a previous install so I was able to determine that they had been there once before. I'm not sure why the installer is no longer putting the files there. I didn't expect this to work but just as a test I tried copying those files over from my old backup of samba/lib and I then got a bunch of version not found errors like this when trying to run pdbedit: ... 
pdbedit: /usr/local/samba/lib/private/libsamdb-common.so: version `SAMBA_4.0.5_GIT_9EC44D4' not found (required by /usr/local/samba/lib/libsamba-credentials.so.0) pdbedit: /usr/local/samba/lib/private/libcliauth.so: version `SAMBA_4.0.5_GIT_9EC44D4' not found (required by /usr/local/samba/lib/libsamba-credentials.so.0) pdbedit: /usr/local/samba/lib/private/libldbsamba.so: version `SAMBA_4.0.5_GIT_9EC44D4' not found (required by /usr/local/samba/lib/libsamba-credentials.so.0) pdbedit: /usr/local/samba/lib/private/libauthkrb5.so: version `SAMBA_4.0.5_GIT_9EC44D4' not found (required by /usr/local/samba/lib/libsamba-credentials.so.0) pdbedit: /usr/local/samba/lib/private/libsamba-security.so: version `SAMBA_4.0.5_GIT_9EC44D4' not found (required by /usr/local/samba/lib/libndr-krb5pac.so.0) - Phil -- View this message in context: http://samba.2283325.n4.nabble.com/Re-Python-UCS2-vs-UCS4-issue-on-latest-git-ImportError-undefined-symbol-PyUnicodeUCS2-Decode-NOT-SOL-tp4646314p4646494.html Sent from the Samba - General mailing list archive at Nabble.com. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Passwording a simple anonymous share
I have an embedded box (Yocto Project based linux distro) to which I'm adding Samba 3.6 (from OpenEmbedded). All I need it for is to provide one browsable file share that allows read/write access to anyone on the network. But I want it to be password protected. My best guess as to what goes into smb.conf is:

[global]
workgroup=WORKGROUP
netbios name=MACHINE
security=share

[sharename]
path=/sharedfiles
force user=root
read only=no

I use root because it's currently the only user I've got on my embedded system. However, there is no password on the root account, because the only way to use the root account is to open the box and connect a keyboard and monitor to the motherboard inside, so security isn't an issue.

The docs mention the smbpasswd command, but it's not clear what this actually does. Does it tell samba what password to demand from an external client who wishes to access a particular share? Or does it tell samba what password to use when accessing the underlying file system, so that an external client doesn't need to know the password?

The question boils down to this: is there a way to add a password that a samba client has to provide, without passwording the underlying Linux user, or do I have to add another passworded user to the Linux user database in order to have a passworded share?

--
Ciao,
Paul D. DeRocco
Paul mailto:pdero...@ix.netcom.com
Re: [Samba] Samba4 member of an another « Samba4 » domain
Le 09/04/2013 09:34, Matthieu Patou a écrit : Le 08/04/2013 01:37, Matthieu Patou a écrit : Then, in the DC server, I have done: --- samba-tool domain provision # I keep the default answers each time, seems to work fine # 192.168.0.21 = IP of DC server which are DNS server (internal DNS) echo nameserver 192.168.0.21 /etc/resolv.conf ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 vi /etc/nsswitch.conf # add winbind for passwd and group ldconfig samba --- [...] --- echo nameserver 192.168.0.21 /etc/resolv.conf samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 vi /etc/nsswitch.conf # add winbind for passwd and group ldconfig vi /usr/local/samba/etc/smb.conf # see below smbd nmbd winbindd -i -d 10 --- And Boum ! I have the same error which I have described in my previous message. The winbindd command is stopped. [...] Are you sure that the two host have a different name as you are creating everything from the same base ? Yes I'm absolutely sure because the names of the 2 servers have been set *during* the installation with a netinstall CD : - hostname == wheezy-server for the DC server - hostname == wheezy-2 for the MEMBER server Also could you do a net join -d 10 and attach the secrets.tdb after the first join ? Yes, no problem. But, you suggest I use this command: net ads join -d 10 -U administrator I would like to understand. For join a member server in a domain (with a Samba4 DC), which command should I use: 1. net ads join -U administrator or 2. samba-tool domain join chezmoi.priv member -U administrator ? So, if I understand well, you ask me to try the first command (net ads join) with -d 10 option. 
Here: http://sisco.laf.free.fr/codes/samba4.zip you'll find the output of the join command in debug mode and the secrets.*db files (before and after the join, in the member server and in the dc server): - with the net ads join -U administrator -d 10 command - and with the samba-tool domain join chezmoi.priv MEMBER -U administrator command if so for the new user did you set the needed attributes ? I have just run: samba-tool user add test12 --random-password That's all. Which are the needed attributes? When you specify rfc2307 winbindd expect to use uidNumber and gidNumber in order to convert the SID to uid/gid, hence the error message. But is the rfc2307 option in smb.conf really mandatory? 1. For example, when I install a simple Samba4 DC like this: --- samba-tool domain provision # I keep the default answers each time echo nameserver 192.168.0.21 /etc/resolv.conf # The DNS is the DC himself ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 vi /etc/nsswitch.conf # add winbind for passwd and group ldconfig samba --- It seems to work fine. getent password, wbinfo -u, wbinfo -i user1, wbinfo -n=user1 are OK, yet there is no rfc2307 string in the default smb.conf file. 2. Another example. I have installed a member server like this (member of a Samba4 DC, I have no Windows server): --- vi /usr/local/samba/etc/smb.conf # see below for the smb.conf file vi /usr/local/samba/etc/smb.conf # The DC is the DNS server ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 vi /etc/nsswitch.conf # add winbind ldconfig net ads join -U administrator smbd nmbd winbindd --- with this smb.conf file: --- # No refer to rfc2307. 
[global] workgroup = CHEZMOI security = ADS realm = CHEZMOI.PRIV encrypt passwords = yes idmap config *:backend = tdb idmap config *:range = 70001-8 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes --- and the member server seems to work fine. If I create a user toto on the DC: samba-tool user add toto --random-password In the member, I have: root@member:~# wbinfo -i toto toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false root@member:~# wbinfo -n=toto S-1-5-21-1430849794-1775759099-2616264933-1112 SID_USER (1) The only problem that I see, it's with: root@member:~# wbinfo -u
[Samba] Internal DNS not running
After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS. Nothing is listening on port 53, so I assume the internal DNS is not working. I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server. Where should I start looking for a solution to this?
Re: [Samba] Internal DNS not running
What samba version are you using (samba -V)? Also what is the output of

samba-tool testparm -v --suppress-prompt | grep "server services"

Ricky
Re: [Samba] Internal DNS not running
On Tue, 9 Apr 2013, Ricky Nance wrote:
> What samba version are you using (samba -V)?

# samba -V
Version 4.0.4

> Also what is the output of samba-tool testparm -v --suppress-prompt | grep "server services"

# samba-tool testparm -v --suppress-prompt | grep "server services"
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Simon
Re: [Samba] Internal DNS not running
That looks normal... Can you pastebin your log.samba... first mv or rm /usr/local/samba/var/log.samba, then restart samba, then pastebin log.samba. Also (with samba running) can you give us the output of

ps ax | grep samba

and the output of

netstat -anp | grep LISTEN | grep samba

Thanks,
Ricky
Re: [Samba] Internal DNS not running
Glad to hear :)

Ricky

On Tue, Apr 9, 2013 at 8:15 PM, Simon Matthews si...@matthews-family.org.uk wrote:
> Thanks, Ricky, with your help, I fixed the problem. I had started krb5kdc, not realizing that the krb server was also built into samba. Once I stopped this and re-started SAMBA, the internal dns server started working.
>
> Simon
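An added example, not from the thread: the `netstat -anp | grep LISTEN | grep samba` filter suggested above shows only sockets that samba itself owns, so it cannot show another daemon holding one of the ports. The check below reads unfiltered `netstat -anp` output and reports both cases seen in this thread, a port held by another process and a port with no listener. The port list (53 for DNS, 88 for Kerberos), the expected process name `samba` and the sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example: given `netstat -anp` output (run as root so the PID/Program
# column is filled in), report service ports that are held by a process other
# than the expected owner, or that have no listener at all.

# Constructed sample resembling the state described in the thread:
# krb5kdc holds port 88 and nothing listens on port 53.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      1203/krb5kdc
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1410/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1412/smbd
tcp        0      0 192.0.2.19:445          192.0.2.40:49200        ESTABLISHED 1412/smbd
tcp6       0      0 :::88                   :::*                    LISTEN      1203/krb5kdc
udp        0      0 0.0.0.0:88              0.0.0.0:*                           1203/krb5kdc
EOF
}

# usage: check_dc_listeners [comma-separated ports] [owner] < netstat-output
# Prints "<port> conflict <program>" or "<port> missing"; no output means OK.
check_dc_listeners() {
awk -v ports="${1:-53,88}" -v owner="${2:-samba}" '
BEGIN { n = split(ports, want, ","); for (i = 1; i <= n; i++) seen[want[i]] = 0 }
$1 ~ /^(tcp|udp)/ {
    if ($1 ~ /^tcp/ && $6 != "LISTEN") next   # UDP rows have no State column
    k = split($4, a, ":"); port = a[k]        # last piece also works for ":::88"
    if (!(port in seen)) next                 # not a port we were asked about
    seen[port] = 1
    prog = $NF; sub(/^[0-9]+\//, "", prog)    # "1203/krb5kdc" -> "krb5kdc"
    key = port "/" prog
    if (prog != owner && !(key in bad)) { bad[key] = 1; print port, "conflict", prog }
}
END { for (i = 1; i <= n; i++) if (!seen[want[i]]) print want[i], "missing" }
'
}

# Demo on the constructed sample.
sample_netstat | check_dc_listeners
```

On a live system the input would be `netstat -anp | check_dc_listeners`, run as root; without root the program column shows `-` and every watched port is reported as a conflict.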
Re: [Samba] NTP doesnt work for Win2000 clients + Samba 4.0.4 (see tcpdump)
On Tue, 2013-04-09 at 19:01 +0400, ?icro MEGAS wrote:
> Hi all,
>
> I am using Samba 4.0.4 as AD DC on my test environment and realized that all my W2k clients (default installation, no special setups made on the clients) cannot receive the correct time of my samba 4.0.4 AD domain controller. Windows XP and 7 work fine though. The problem occurs at three W2k test clients I tried with. The default behavior of Windows clients is to use the update type Nt5DS which means, that the client tries to get the time of its domain controller. Unfortunately this fails for my W2k clients in conjunction with Samba 4.0.4 and also an error in event log appears, that says that the time couldn't be retrieved of my samba4 server mysmb4srv.ad.mycompany.com.
>
> As soon as I execute on win2000 clients cmd prompt net time /setsntp:mysmb4srv.ad.mycompany.com it works. This command causes the registry entries under HKLM\System\Current Control Set\Services\W32Time\Parameters to change the default behavior from type=Nt5DS to type=NTP and adds a line NTP server=mysmb4srv.ad.mycompany.com. With this setting the time sync works fine as soon as I restart the Windows Time Service. I have logged the received ntp packets at samba4's side:
>
> Issue: Win2000 clients cannot update time through NTP of my samba 4.0.4 server which is installed and configured like shown on the Samba4 HowTo (+NTP HowTo). Seems that the Nt5DS discovery mode on win2000 clients doesn't interact fine with samba4 ??? Here are the tcpdump -vv udp port 123 logs

To even have a chance of offering an opinion on this, you need to get us the pcap file, not the text output (this applies at any time anybody is asking for a packet capture - the text output is next to useless).

> Any help appreciated.
> Lucas (lo...@irc.freenode.net)

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] NTP doesnt work for Win2000 clients + Samba 4.0.4 (see tcpdump)
On Tue, 2013-04-09 at 08:14 -0700, Gregory Sloop wrote:
> I'm sure someone will give you more data, but W2000 was completely out of maintenance mode, what, two+ years ago? Making changes to the registry so it will use NTP for time updates is fairly easy - which will make it compatible with the AD server.
>
> It would seem, to me at least, a bad use of resources to trouble-shoot/fix a Win2000 problem when there are work-arounds and when Win2000 is not supported any more, and has multiple unpatched vulnerabilities.
>
> Just my opinion of course.

I tend to agree. The exception is that we do work to allow migration from Windows 2000 servers (most folks go via temp 2003 installs, but it has been known to work directly).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Wrong local DNS responses from samba4
I just updated samba4 to git master from a few hours ago (69b3d1944501f), and the problem persists.

> - If you look into the zone via the windows DNS snap-in - do you see the correct IP for this record there?

No, it shows the incorrect record.

> - If you comment out the 'dns forwarder' line in smb.conf (+ restart samba), what does
> $ dig +short @192.168.0.2 aio1.corp.example.com
> tell you now?

The same, incorrect record.

> - Does the following output show you the correct IP for this record?
> $ samba-tool dns query 192.168.0.2 corp.example.com aio1 ALL

Sadly, it's also the incorrect record. With the original configuration (dns forwarder is in smb.conf), it shows:

$ /usr/local/samba/bin/samba-tool dns query 192.168.0.2 corp.example.com aio1 ALL -U Administrator
Password for [CORP\Administrator]:
Name=, Records=1, Children=0
A: 192.168.0.168 (flags=f0, serial=110, ttl=1200)

Any thoughts? The machine (aio1) is definitely at .171 (not .168) and has been for days, per the DHCP server logs. Same situation for the ~10 other Windows 8 clients connected to the AD DC.

- Nick
[Samba] samba_dnsupdate?
Now for the next question. I think (hope?) that I am quite close now. In order to add a machine to the domain, I think that I need to add a record to samba's DNS table. But samba_dnsupdate isn't working: # samba_dnsupdate -d 5 INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf params.c:pm_process() - Processing configuration file /usr/local/samba/etc/smb.conf Processing section [global] Processing section [netlogon] Processing section [sysvol] pm_process() returned Yes added interface eth0 ip=fe80::5054:ff:fefd:9729%eth0 bcast=fe80:::::%eth0 netmask=::::: added interface eth0 ip=192.168.99.19 bcast=192.168.99.255 netmask=255.255.255.0 schema_fsmo_init: we are master[yes] updates allowed[no] As you can see updates are not allowed. But my smb.conf looks like this: [global] workgroup = MYAD realm = MYAD.my.domain netbios name = SAMBA4 server role = active directory domain controller idmap_ldb:use rfc2307 = yes # log file = /var/log/samba/samba.log.%m log level = 3 allow dns updates = True dns forwarder = 192.168.99.2 Simon On Tue, 9 Apr 2013, Ricky Nance wrote: Glad to hear :) Ricky On Tue, Apr 9, 2013 at 8:15 PM, Simon Matthews si...@matthews-family.org.uk wrote: On Tue, 9 Apr 2013, Ricky Nance wrote: That looks normal... Can you pastebin your log.samba... first mv or rm /usr/local/samba/var/log.samba, then restart samba, then pastebin log.samba. Also (with samba running) can you give us the output of ps ax | grep samba and the output of netstat -anp | grep LISTEN | grep samba Thanks, Ricky, with your help, I fixed the problem. I had started krb5kdc, not realizing that the krb server was also built into samba. Once I stopped this and re-started SAMBA, the internal dns server started working. 
Simon

On Tue, Apr 9, 2013 at 7:22 PM, simon+sa...@matthews.eu wrote:

On Tue, 9 Apr 2013, Ricky Nance wrote:

What samba version are you using (samba -V)

# samba -V
Version 4.0.4

? Also what is the output of samba-tool testparm -v --suppress-prompt | grep server services

# samba-tool testparm -v --suppress-prompt | grep server services
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Simon

On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu wrote:

After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS. Nothing is listening on port 53, so I assume the internal DNS is not working.

I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server.

Where should I start looking for a solution to this?
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 2013-04-10 01:32, François Lafont wrote:

On 09/04/2013 09:34, Matthieu Patou wrote:

On 08/04/2013 01:37, Matthieu Patou wrote:

Then, in the DC server, I have done:

---
samba-tool domain provision # I keep the default answers each time, seems to work fine
# 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
echo nameserver 192.168.0.21 > /etc/resolv.conf
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
---

[...]

---
echo nameserver 192.168.0.21 > /etc/resolv.conf
samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
vi /usr/local/samba/etc/smb.conf # see below
smbd
nmbd
winbindd -i -d 10
---

And Boum ! I have the same error which I have described in my previous message. The winbindd command is stopped.

[...]

Are you sure that the two hosts have different names, as you are creating everything from the same base ?

Yes I'm absolutely sure because the names of the 2 servers have been set *during* the installation with a netinstall CD :
- hostname == wheezy-server for the DC server
- hostname == wheezy-2 for the MEMBER server

Also could you do a net join -d 10 and attach the secrets.tdb after the first join ?

Yes, no problem. But, you suggest I use this command:

net ads join -d 10 -U administrator

I would like to understand. To join a member server to a domain (with a Samba4 DC), which command should I use:

1. net ads join -U administrator
or
2. samba-tool domain join chezmoi.priv member -U administrator ?

So, if I understand well, you ask me to try the first command (net ads join) with the -d 10 option.
Here: http://sisco.laf.free.fr/codes/samba4.zip you'll find the output of the join command in debug mode and the secrets.*db files (before and after the join, in the member server and in the dc server):
- with the net ads join -U administrator -d 10 command
- and with the samba-tool domain join chezmoi.priv MEMBER -U administrator command

if so for the new user did you set the needed attributes ?

I have just run:

samba-tool user add test12 --random-password

That's all. Which are the needed attributes?

When you specify rfc2307 winbindd expects to use uidNumber and gidNumber in order to convert the SID to uid/gid, hence the error message.

But is the rfc2307 option in smb.conf really mandatory?

1. For example, when I install a simple Samba4 DC like this:

---
samba-tool domain provision # I keep the default answers each time
echo nameserver 192.168.0.21 > /etc/resolv.conf # The DNS is the DC itself
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
---

It seems to work fine. getent password, wbinfo -u, wbinfo -i user1, wbinfo -n=user1 are OK, yet there is no rfc2307 string in the default smb.conf file.

2. Another example. I have installed a member server like this (member of a Samba4 DC, I have no Windows server):

---
vi /usr/local/samba/etc/smb.conf # see below for the smb.conf file
vi /usr/local/samba/etc/smb.conf # The DC is the DNS server
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind
ldconfig
net ads join -U administrator
smbd
nmbd
winbindd
---

with this smb.conf file:

---
# No reference to rfc2307.
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-8
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
---

and the member server seems to work fine. If I create a user toto on the DC:

samba-tool user add toto --random-password

In the member, I have:

root@member:~# wbinfo -i toto
toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false
root@member:~# wbinfo -n=toto
S-1-5-21-1430849794-1775759099-2616264933-1112 SID_USER (1)

The only problem that I see,
[Samba] was: samba_dnsupdate? now Could not find child xxxxx -- ignoring
OK, solved that problem. nsupdate worked, even if samba_dnsupdate did not.

New problem: Lots of entries like this in the log:

[2013/04/09 22:25:39.559029, 2] ../source3/smbd/server.c:436(remove_child_pid)
Could not find child 15172 -- ignoring
[2013/04/09 22:26:39.613172, 2] ../source3/smbd/server.c:436(remove_child_pid)
Could not find child 15175 -- ignoring

I see a bug that describes this problem, but it is marked as fixed since June 2011.
https://bugzilla.samba.org/show_activity.cgi?id=8269

Simon

On Tue, 9 Apr 2013, simon+sa...@matthews.eu wrote:

Now for the next question. I think (hope?) that I am quite close now.

In order to add a machine to the domain, I think that I need to add a record to samba's DNS table. But samba_dnsupdate isn't working:

# samba_dnsupdate -d 5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file /usr/local/samba/etc/smb.conf
Processing section [global]
Processing section [netlogon]
Processing section [sysvol]
pm_process() returned Yes
added interface eth0 ip=fe80::5054:ff:fefd:9729%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.99.19 bcast=192.168.99.255 netmask=255.255.255.0
schema_fsmo_init: we are master[yes] updates allowed[no]

As you can see updates are not allowed.
[Announce] Samba 4.0.5 Available for Download
Well it takes a certain kind of girl to wear a backless dress with a Beretta 70 strapped to her thigh.
James Bond, Skyfall

Release Announcements

This is the latest stable release of Samba 4.0.

Major enhancements in Samba 4.0.5 include:

o Fix large reads/writes from some Linux clients (bug #9706).
o Add 'samba-tool dbcheck --reset-well-known-acls' (bugs #9740 and #9267).

Changes since 4.0.4:

o Michael Adam ob...@samba.org
  * BUG 9617: libnss-winbindd does not provide pass struct for groups mapped with ID_TYPE_BOTH and vice versa.
  * BUG 9653: idmap_autorid: Fix freeing of non-talloced memory.
  * BUG 9711: s4:winbindd: Do not drop the workgroup name in the getgrnam, getgrent and getgrgid calls.

o Jeremy Allison j...@samba.org
  * BUG 9130: Certain xattrs cause Windows error 0x800700FF.
  * BUG 9519: Samba returns unexpected error on SMB posix open.
  * BUG 9642: Fix the build of vfs_afsacl.
  * BUG 9695: Backport tevent changes to bring library to version 0.9.18.
  * BUG 9706: Fix large reads/writes from some Linux clients.
  * BUG 9724: is_encrypted_packet() function incorrectly used inside server.
  * BUG 9733: Fix 'smbcontrol close-share'.
  * BUG 9748: Remove unneeded fstat system call from hot read path.
  * BUG 9760: Fix incorrect parsing of SMB2 command codes.

o Christian Ambach a...@samba.org
  * BUG 9643: Fix the build with --fake-kaserver.
  * BUG 9644: Fix compile of source3/lib/afs.c.
  * BUG 9669: Fix crash in 'net rpc join' against a Samba 3.0.33 PDC.

o Timur Bakeyev ti...@freebsd.org
  * BUG 9666: Fix filtering of link-local addresses.

o Andrew Bartlett abart...@samba.org
  * BUG 9663: 'make test' hangs.
  * BUG 9697: DsReplicaGetInfo fails due to sendto() EMSGSIZE error on UNIX domain socket.
  * BUG 9703: Fix build on solaris8: Do not force a specific perl on pod2man.
  * BUG 9717: Set LD_LIBRARY_PATH in install_with_python.sh.
  * BUG 9718: s4-idmap: Remove requirement that posixAccount or posixGroup be set for rfc2307.
  * BUG 9719: Allow forcing an override of an old @MODULES record.
  * BUG 9720: Do not print the admin password during 'samba-tool classicupgrade'.
  * BUG 9721: Make samba_upgradedns more robust (do not guess addresses when just changing roles).
  * BUG 9725: upgradeprovision and 'samba-tool dbcheck' patches for 4.0.NEXT.
  * BUG 9728: DO NOT install samba_upgradeprovision in 4.0.x.
  * BUG 9739: PIDL: Build fixes for hosts without CPP (Solaris 11).
  * BUG 9740: Add 'samba-tool dbcheck --reset-well-known-acls'.
  * BUG 9267: Can't delegate adding computers to domain.

o Alexander Bokovoy a...@samba.org
  * BUG 9636: PIDL: Fix parsing linemarkers in preprocessor output.
  * BUG 9639: Rename internal subsystem pdb_ldap to pdb_ldapsam.

o Ira Cooper i...@samba.org
  * BUG 9646: Make SMB2_GETINFO multi-volume aware.

o David Disseldorp dd...@samba.org
  * BUG 9633: Recursive mget should continue on EPERM.

o Landon Fuller land...@bikemonkey.org
  * BUG 9656: Work around FreeBSD's getaddrinfo() underscore issue.
  * BUG 9696: Remove incomplete samba_dnsupdate IPv6 link-local address check.
  * BUG 9697: Handle EMSGSIZE on UNIX domain sockets.

o Björn Jacke b...@sernet.de
  * BUG 7825: Fix GNU ld version detection with old gcc releases.

o Daniel Kobras d.kob...@science-computing.de
  * BUG 9039: Never try to map global SAM name.

o Guenter Kukkukk ku...@samba.org
  * BUG 9701: Fix vfs_catia and update documentation.

o Volker Lendecke v...@samba.org
  * BUG 9695: Backport tevent changes to bring library to version 0.9.18.
  * BUG 9727: Fix NULL pointer dereference.
  * BUG 9736: Change to smbd/dir.c code gives significant performance increases on large directory listings.

o Stefan Metzmacher me...@samba.org
  * BUG 9557: Fix build on AIX.
  * BUG 9625: Reauth-capable client fails to access shares on Windows member.
  * BUG 9695: Backport tevent changes to bring library to version 0.9.18.
  * BUG 9706: Parameter is incorrect on Android.

o Andreas Schneider a...@samba.org
  * BUG 9664: Fix correct linking of libreplace with cmdline-credentials.
  * BUG 9683: Fix several resource (fd) leaks.
  * BUG 9685: Fix a memory leak in spoolss rpc server.
  * BUG 9686: Fix a possible buffer overrun in pdb_smbpasswd.
  * BUG 9687: Fix several possible null pointer dereferences.
  * BUG 9723: Add a tool to migrate latin1 printing tdbs to registry.
  * BUG 9735: Fix Winbind separator in upn to username conversion.
  * BUG 9758: Don't leak the epm_Map policy
[SCM] CTDB repository - branch master updated - ctdb-2.1-48-g35264e4
The branch, master has been updated via 35264e42ade4676468cf7713fa339c784e932953 (commit) from 1c7adbccc69ac276d2b957ad16c3802fdb8868ca (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit 35264e42ade4676468cf7713fa339c784e932953 Author: Amitay Isaacs ami...@gmail.com Date: Wed Mar 27 12:32:43 2013 +1100 tools/ltdbtool: Fix handling of -e option Also, include description of -e option in usage. Signed-off-by: Amitay Isaacs ami...@gmail.com --- Summary of changes: tools/ltdbtool.c |9 ++--- 1 files changed, 6 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/tools/ltdbtool.c b/tools/ltdbtool.c index b7ad5a5..add9c32 100644 --- a/tools/ltdbtool.c +++ b/tools/ltdbtool.c @@ -77,7 +77,9 @@ static int help(const char* cmd) -O numthe number of bytes to interpret as ctdb record header\n for the output database (beware!)\n \n - -p print header (for the dump command), defaults ot off\n + -e Include empty records, defaults to off\n +\n + -p print header (for the dump command), defaults to off\n \n -h print this help\n \n @@ -91,8 +93,8 @@ static int help(const char* cmd) static int usage(const char* cmd) { fprintf(stderr, - Usage: %s dump [-p] [-s{0|32|64}] idb\n - %s convert [-s{0|32|64}] [-o{0|32|64}] idb odb\n + Usage: %s dump [-e] [-p] [-s{0|32|64}] idb\n + %s convert [-e] [-s{0|32|64}] [-o{0|32|64}] idb odb\n %s {help|-h}\n , cmd, cmd, cmd); return -1; @@ -229,6 +231,7 @@ int main(int argc, char* argv[]) break; case 'e': keep_empty = true; + break; case 'h': return help(argv[0]); default: -- CTDB repository
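Review bot: The commit message should name the actual defect, which is the missing break in main(): before the last hunk, case 'e' set keep_empty = true and then fell through into case 'h', so every run with -e returned help(argv[0]) instead of doing the dump or convert. "Fix handling of -e option" does not tell someone bisecting later that -e was unusable. In help(), the new -e entry starts with a capital ("Include empty records") while the neighbouring -p and -h entries are lower case; match them.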
[SCM] Samba Shared Repository - branch v4-0-test updated
The branch, v4-0-test has been updated via 5d5f301 VERSION: Bump version number up to 4.0.6 via ed09ee7 VERSION: Disable git snapshots for the 4.0.5 release. via 9c6bd38 WHATSNEW: Add major enhancements. from ff9d832 WHATSNEW: Add changes since 4.0.4. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log - commit 5d5f30189c6d447994d8f15b3abddd469692643f Author: Karolin Seeger ksee...@samba.org Date: Tue Apr 9 10:12:56 2013 +0200 VERSION: Bump version number up to 4.0.6 and re-enable git snapshots. Signed-off-by: Karolin Seeger ksee...@samba.org commit ed09ee74fcd4929c3ca11ce821b70e1d3ee0d5d8 Author: Karolin Seeger ksee...@samba.org Date: Tue Apr 9 10:11:23 2013 +0200 VERSION: Disable git snapshots for the 4.0.5 release. Signed-off-by: Karolin Seeger ksee...@samba.org commit 9c6bd3808d74991e4e11b2a006a3f4a3e4575905 Author: Karolin Seeger ksee...@samba.org Date: Tue Apr 9 10:08:57 2013 +0200 WHATSNEW: Add major enhancements. And update some of the changes since 4.0.4. Karolin --- Summary of changes: VERSION |2 +- WHATSNEW.txt |6 -- 2 files changed, 5 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index a999766..f7a1c23 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=0 -SAMBA_VERSION_RELEASE=5 +SAMBA_VERSION_RELEASE=6 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 9f55336..2f8d863 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -8,7 +8,8 @@ This is is the latest stable release of Samba 4.0. Major enhancements in Samba 4.0.5 include: -o +o Fix large reads/writes from some Linux clients (bug #9706). +o Add 'samba-tool dbcheck --reset-well-known-acls' (bugs #9740 and #9267). Changes since 4.0.4: 
@@ -27,7 +28,7 @@ o Jeremy Allison j...@samba.org * BUG 9519: Samba returns unexpected error on SMB posix open. * BUG 9642: Fix the build of vfs_afsacl. * BUG 9695: Backport tevent changes to bring library to version 0.9.18. -* BUG 9706: Parameter is incorrect on Android. +* BUG 9706: Fix large reads/writes from some Linux clients. * BUG 9724: is_encrypted_packet() function incorrectly used inside server. * BUG 9733: Fix 'smbcontrol close-share'. * BUG 9748: Remove unneeded fstat system call from hot read path. @@ -62,6 +63,7 @@ o Andrew Bartlett abart...@samba.org * BUG 9728: DO NOT install samba_upgradeprovision in 4.0.x. * BUG 9739: PIDL: Build fixes for hosts without CPP (Solaris 11). * BUG 9740: Add 'samba-tool dbcheck --reset-well-known-acls'. +* BUG 9267: Can't delegate adding computers to domain. o Alexander Bokovoy a...@samba.org -- Samba Shared Repository
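Review bot: The WHATSNEW.txt hunk at -8,7 edits the paragraph under "This is is the latest stable release of Samba 4.0." but leaves the doubled "is" in that context line; fix it in the same commit, since this text is what goes out in the release announcement. In the -62,6 hunk, BUG 9267 is appended after BUG 9740 under Andrew Bartlett, which breaks the ascending order of the entries above it (9728, 9739, 9740); either move it to the head of his list or fold it into the 9740 line, as the major-enhancements bullet already pairs the two bugs. The -27,7 hunk retitles BUG 9706 only where it appears in this hunk, so check any other 9706 entry in the file for the old "Parameter is incorrect on Android." wording.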
[SCM] Samba Shared Repository - annotated tag samba-4.0.5 created
The annotated tag, samba-4.0.5 has been created at b804b5f101f901b789d7fac693d5cf2285a49e9e (tag) tagging ed09ee74fcd4929c3ca11ce821b70e1d3ee0d5d8 (commit) replaces samba-4.0.4 tagged by Karolin Seeger on Tue Apr 9 10:17:31 2013 +0200 - Log - samba: tag release samba-4.0.5 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQBRY86bbzORW2Vot+oRAoEsAJ9UJfZby9bRGGY95wJCanUBGqVlBwCePmS4 VxT5osVH9kmxRfJb6jLt1wU= =aKMd -END PGP SIGNATURE- Alexander Bokovoy (3): PIDL: fix parsing linemarkers in preprocessor output source3/wscript: support 'pdb_ldap' module in configure autoconf: rename pdb_ldap module to pdb_ldapsam Andreas Schneider (32): Rename pdb_ldap to pdb_ldapsam waf: Fix correct linking of libreplace with cmdline-credentials. s3-lsasd: Don't leak file descriptors. Reviewed-by: Alexander Bokovoy a...@samba.org s3-param: Don't leak file descriptor. Reviewed-by: Alexander Bokovoy a...@samba.org s3-vfs: Don't leak file descriptor. Reviewed-by: Alexander Bokovoy a...@samba.org s3-smbd: Don't leak subcntarr array. Reviewed-by: Alexander Bokovoy a...@samba.org winbind: Don't leak memory on return. Reviewed-by: Alexander Bokovoy a...@samba.org winbind: Don't leak centry memory. Reviewed-by: Alexander Bokovoy a...@samba.org s3-libsmb: Don't leak memory on error. Reviewed-by: Alexander Bokovoy a...@samba.org s3-vfs: Don't leak file descriptor on error. Reviewed-by: Alexander Bokovoy a...@samba.org lib-util: Don't leak file descriptor on error. Reviewed-by: Alexander Bokovoy a...@samba.org s3-rpc_server: Make sure that fd is really closed on error. Reviewed-by: Alexander Bokovoy a...@samba.org s3-spoolss: Don't leak memory. Reviewed-by: Alexander Bokovoy a...@samba.org pdb: Fix array overrun by one. Reviewed-by: Alexander Bokovoy a...@samba.org libsmb: Fix possible null pointer dereference. Reviewed-by: Alexander Bokovoy a...@samba.org nmbd: Fix request data data processing. s3-tldap: Make sure we don't deref a null pointer. 
Reviewed-by: Alexander Bokovoy a...@samba.org librpc: Add NULL check for ndr functions for epm bindings. s4-libcli: Check return code of smbcli_request_setup(). Reviewed-by: Alexander Bokovoy a...@samba.org pyauth: Check return value of lpcfg_from_py_object(). Reviewed-by: Alexander Bokovoy a...@samba.org s4-libcli: Check return value of smbcli_request_setup(). Reviewed-by: Alexander Bokovoy a...@samba.org s4-socket: Make sure unix socket addresses are null terminated. pidl: Add skip option to elements. ndr: Add ndr_ntprinting_string_flags() function. idl: Add flags for strings in ntprinting idl. ndr: Pass down string_flags in ndr_pull_ntprinting_printer(). s3-net: Add encoding=CP to 'net printing migrate'. s3-net: Add encoding=CP to 'net printing dump'. torture: Add ntprinting latin1 test. BUG 9735: Fix winbind seperator in upn to username conversion. epm: Increase debug level for already registered endpoints. BUG 9758: Don't leak the epm_Map policy handle. Andrew Bartlett (57): s4-lib/socket: Return the original EMSGSIZE when sendto() and setsockopt() both fail tsocket_bsd: Attempt to increase the SO_SNDBUF if we get EMSGSIZE in sendto() selftest: skip base.dir2 tests as they just spin on modern ext4 selftest: also skip raw.search as it also spins build: Do not force a specific perl from ${PERL} when running pod2man build: Set LD_LIBRARY_PATH in install_with_python.sh s4-idmap: Remove requirement that posixAccount or posixGroup be set for rfc2307 selftest: Add test for rfc2307 mapping handling s4-dbcheck: Allow forcing an override of an old @MODULES record samba-tool classicupgrade: Do not print the admin password during upgrade scripting/samba_upgradedns: Only look for IPv4/IPv6 addresses if we actually them scripting: No longer install samba_upgradeprovision build: Remove the forced use of only the first part of the compiler string build: Do not pass CPP= to pidl, skip the env variable entirely samba_upgradeprovision: Remove options to fix FS ACLs scripting: 
Make tdb_copy use the python subprocess module scripting: Make tdb_copy a common util function in samba.tdb_util samba_upgradeprovision: Do not update privileges.ldb any more (unchanged since 2009) samba_upgradeprovision: Use tdb_util.tdb_copy not shutil.copy2 dsdb-descriptor: Spell out security descriptor flags as constants dsdb-descriptor: Avoid segfault copying an SD without an owner or group build: Rename samba_python waf node to avoid duplicate name build: Change bin/default/python - bin/python symlink to bin/default/python_modules samba-tool
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via d80eec7 Announce Samba 4.0.5. from 0994f3f FAQ: Some updates. http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit d80eec71ff7b92174babd7f6b3366f0609aa50f1 Author: Karolin Seeger ksee...@samba.org Date: Tue Apr 9 10:48:44 2013 +0200 Announce Samba 4.0.5. Signed-off-by: Karolin Seeger ksee...@samba.org --- Summary of changes: generated_news/latest_10_bodies.html| 25 ++-- generated_news/latest_10_headlines.html |4 +- generated_news/latest_2_bodies.html | 27 ++--- history/header_history.html |1 + history/samba-4.0.5.html| 185 +++ latest_stable_release.html |6 +- 6 files changed, 216 insertions(+), 32 deletions(-) create mode 100755 history/samba-4.0.5.html Changeset truncated at 500 lines: diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html index 7489b5d..6ae083f 100644 --- a/generated_news/latest_10_bodies.html +++ b/generated_news/latest_10_bodies.html @@ -1,3 +1,16 @@ + h5a name=4.0.509 April 2013/a/h5 + p class=headlineSamba 4.0.5 Available for Download/p + pThis is the latest stable release of the Samba 4.0 series./p + +pThe uncompressed tarballs and patch files have been signed +using GnuPG (ID 6568B7EA). The source code can be +a href=http://samba.org/samba/ftp/stable/samba-4.0.5.tar.gz;downloaded +now/a. A a href=http://samba.org/samba/ftp/patches/patch-4.0.4-4.0.5.diffs.gz; +patch against Samba 4.0.4/a is also available. See +a href=http://samba.org/samba/history/samba-4.0.5.html; the release notes + for more info/a./p + + h5a name=CVE-2013-045402 April 2013/a/h5 p class=headlineSamba 3.6.0 - 3.6.5 (inclusive) bug fix Available for Download/p 
@@ -127,15 +140,3 @@ now/a. A a href=http://samba.org/samba/ftp/patches/patch-4.0.0-4.0.1.diffs. patch against Samba 4.0.0/a is also available. See a href=http://samba.org/samba/history/samba-4.0.1.html; the release notes for more info/a./p - - h5a name=3.5.2017 December 2012/a/h5 - p class=headlineSamba 3.5.20 Available for Download/p - pThis is the latest stable release of the Samba 3.5 series./p - -pThe uncompressed tarballs and patch files have been signed -using GnuPG (ID 6568B7EA). The source code can be -a href=http://samba.org/samba/ftp/stable/samba-3.5.20.tar.gz;downloaded -now/a. A a href=http://samba.org/samba/ftp/patches/patch-3.5.19-3.5.20.diffs.gz; -patch against Samba 3.5.19/a is also available. See -a href=http://samba.org/samba/history/samba-3.5.20.html; -the release notes for more info/a./p diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html index 4416ab1..dc25e84 100644 --- a/generated_news/latest_10_headlines.html +++ b/generated_news/latest_10_headlines.html @@ -1,4 +1,6 @@ ul + li 09 April 2013 a href=#4.0.5Samba 4.0.5 Available for Download/a/li + li 02 April 2013 a href=#CVE-2013-0454Samba 3.6.0 - 3.6.5 (inclusive) bug fix Available for Download/a/li li 19 March 2013 a href=#4.0.4Samba 4.0.4 Available for Download/a/li @@ -16,6 +18,4 @@ li 15 January 2013 a href=#4.0.1Samba 4.0.1 Available for Download/a/li li 17 December 2012 a href=#3.5.20Samba 3.5.20 Available for Download/a/li - - li 11 December 2012 a href=#4.0.0Samba 4.0.0 Available for Download/a/li /ul diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html index 56fe096..fbf18ae 100644 --- a/generated_news/latest_2_bodies.html +++ b/generated_news/latest_2_bodies.html 
@@ -1,3 +1,15 @@ + h5a name=4.0.509 April 2013/a/h5 + p class=headlineSamba 4.0.5 Available for Download/p + pThis is the latest stable release of the Samba 4.0 series./p + +pThe uncompressed tarballs and patch files have been signed +using GnuPG (ID 6568B7EA). The source code can be +a href=http://samba.org/samba/ftp/stable/samba-4.0.5.tar.gz;downloaded +now/a. A a href=http://samba.org/samba/ftp/patches/patch-4.0.4-4.0.5.diffs.gz; +patch against Samba 4.0.4/a is also available. See +a href=http://samba.org/samba/history/samba-4.0.5.html; the release notes + for more info/a./p + h5a name=CVE-2013-045402 April 2013/a/h5 p class=headlineSamba 3.6.0 - 3.6.5 (inclusive) bug fix Available for Download/p @@ -7,18 +19,3 @@ CVE-2013-0454/a (A writable configured share might get read only)/p pThis a href=http://ftp.samba.org/pub/samba/patches/security/samba-3.6-CVE-2013-0454.patch; patch is required by Samba 3.6.5/a. The patch file has been signed using GnuPG (ID 6568B7EA). - - h5a name=4.0.419 March 2013/a/h5 - p class=headlineSamba 4.0.4 Available for Download/p - -pThis is a bsecurity release/b in order to
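Review bot: The news entry added to latest_10_bodies.html and latest_2_bodies.html identifies the signing key only by its short ID (6568B7EA) and links samba-4.0.5.tar.gz and patch-4.0.4-4.0.5.diffs.gz over plain http://. An eight-hex-digit key ID is not a safe way to identify a key, because a different key with the same short ID can be generated, so a reader who fetches the key by that ID cannot be sure the signature check means anything. Consider printing the full fingerprint in the entry and linking the downloads over https://. Separately, the same block is pasted into both files with different trailing whitespace (two added blank lines after the entry in latest_10_bodies.html, one in latest_2_bodies.html); since these are under generated_news/, regenerate them from one source rather than editing each by hand.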
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 045c446 BUG 9766: Cache name_to_sid/sid_to_name correctly. via b7c0330 BUG 9139: Fix the username map optimization. from 243278a doc: Document performance impact of hide unxx parameters http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 045c446b5a3ffc7e56d46ac4aa4acae9d27d9f49 Author: Andreas Schneider a...@samba.org Date: Thu Apr 4 12:18:25 2013 +0200 BUG 9766: Cache name_to_sid/sid_to_name correctly. If there is no domain_name specified we still need to set to for caching else we will not find the entry later if we lookup the entry with the domain_name. Reviewed-by: Guenther Deschner g...@samba.org Reviewed-by: Volker Lendecke v...@samba.org Signed-off-by: Andreas Schneider a...@samba.org Autobuild-User(master): Günther Deschner g...@samba.org Autobuild-Date(master): Tue Apr 9 16:32:44 CEST 2013 on sn-devel-104 commit b7c0330b7429ce1b9cda8b1c2446b3a21cbd29db Author: Andreas Schneider a...@samba.org Date: Fri Apr 5 14:07:37 2013 +0200 BUG 9139: Fix the username map optimization. If we successfully map a user. We call set_last_from_to(user_in, unixname); in the while loop reading the map file. After a successfull map we don't stop and continue the loop to check all other mappings in the username mapfile. But when we hit the end of the file and leave the loop we call: set_last_from_to(user_in, user_in); This overwrites the successful mapping, and the next time we call map_username() we skip the username and no mapping is done. Signed-off-by: Andreas Schneider a...@samba.org Reviewed-by: Günther Deschner g...@samba.org --- Summary of changes: source3/auth/user_util.c | 12 source3/winbindd/winbindd_cache.c | 21 + 2 files changed, 29 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c index 4842192..082c885 100644 --- a/source3/auth/user_util.c +++ b/source3/auth/user_util.c 
@@ -427,12 +427,16 @@ bool map_username(TALLOC_CTX *ctx, const char *user_in, char **p_user_out) x_fclose(f); /* -* Setup the last_from and last_to as an optimization so +* If we didn't successfully map a user in the loop above, +* setup the last_from and last_to as an optimization so * that we don't scan the file again for the same user. */ - - set_last_from_to(user_in, user_in); - store_map_in_gencache(ctx, user_in, user_in); + if (!mapped_user) { + DEBUG(8, (The user '%s' has no mapping. + Skip it next time.\n, user_in)); + set_last_from_to(user_in, user_in); + store_map_in_gencache(ctx, user_in, user_in); + } return mapped_user; } diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index d7499df..86f15c2 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -943,6 +943,15 @@ static void wcache_save_name_to_sid(struct winbindd_domain *domain, centry = centry_start(domain, status); if (!centry) return; + + if (domain_name[0] == '\0') { + struct winbindd_domain *mydomain = + find_domain_from_sid_noinit(sid); + if (mydomain != NULL) { + domain_name = mydomain-name; + } + } + centry_put_uint32(centry, type); centry_put_sid(centry, sid); fstrcpy(uname, name); @@ -963,6 +972,14 @@ static void wcache_save_sid_to_name(struct winbindd_domain *domain, NTSTATUS sta if (!centry) return; + if (domain_name[0] == '\0') { + struct winbindd_domain *mydomain = + find_domain_from_sid_noinit(sid); + if (mydomain != NULL) { + domain_name = mydomain-name; + } + } + if (NT_STATUS_IS_OK(status)) { centry_put_uint32(centry, type); centry_put_string(centry, domain_name); @@ -1793,6 +1810,10 @@ NTSTATUS wcache_name_to_sid(struct winbindd_domain *domain, return NT_STATUS_NO_MEMORY; } + if (domain_name[0] == '\0') { + domain_name = domain-name; + } + centry = wcache_fetch(cache, domain, NS/%s/%s, domain_name, uname); TALLOC_FREE(uname); if (centry == NULL) { -- Samba Shared Repository
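Review bot: In winbindd_cache.c the save path and the lookup path choose the fallback domain name differently. wcache_save_name_to_sid() fills an empty domain_name from find_domain_from_sid_noinit(sid) and leaves it empty when that returns NULL, while wcache_name_to_sid() fills it from domain->name before building the NS/%s/%s key. If the domain found from the SID is not the one passed in as domain, or no domain is found at all, the entry is saved under one name and looked up under another, which is the cache miss the commit message describes. Use one fallback rule in all three places, for example falling back to domain->name when mydomain is NULL. All three new tests also read domain_name[0] with no NULL check on domain_name; add one or document that callers never pass NULL. In user_util.c the change is fine as far as the hunk shows, but the comment should say why the negative result is cached only when !mapped_user, since that is the whole fix.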
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f61ee72 pylibsmb: Avoid a segfault if no credentials are passed to libsmb.Conn() from 045c446 BUG 9766: Cache name_to_sid/sid_to_name correctly. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f61ee7238b8430572fb266521dad3ee000d1f252 Author: Volker Lendecke v...@samba.org Date: Tue Apr 9 14:29:11 2013 +0200 pylibsmb: Avoid a segfault if no credentials are passed to libsmb.Conn() Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Richard Sharpe realrichardsha...@gmail.com Autobuild-User(master): Richard Sharpe sha...@samba.org Autobuild-Date(master): Tue Apr 9 18:30:06 CEST 2013 on sn-devel-104 --- Summary of changes: source3/libsmb/pylibsmb.c | 10 +- 1 files changed, 5 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c index 4fd5921..2b253f9 100644 --- a/source3/libsmb/pylibsmb.c +++ b/source3/libsmb/pylibsmb.c @@ -406,7 +406,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args, { NTSTATUS status; char *host, *share; - PyObject *creds; + PyObject *creds = NULL; struct cli_credentials *cli_creds; bool ret; @@ -434,10 +434,10 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args, return -1; } - cli_creds = cli_credentials_from_py_object(creds); - if (cli_creds == NULL) { - PyErr_SetString(PyExc_TypeError, Expected credentials); - return -1; + if (creds == NULL) { + cli_creds = cli_credentials_init_anon(NULL); + } else { + cli_creds = PyCredentials_AsCliCredentials(creds); } status = cli_full_connection( -- Samba Shared Repository
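Review bot: The rewritten credentials block in py_cli_state_init() drops the only NULL check on cli_creds before the cli_full_connection() call that follows. The old code raised TypeError ("Expected credentials") when the conversion returned NULL; the new else branch takes whatever PyCredentials_AsCliCredentials(creds) returns, and cli_credentials_init_anon(NULL) in the if branch can also fail on allocation. Keep a cli_creds == NULL test after the if/else and return -1 with a Python exception set, so that a caller passing the wrong object type gets an error instead of a crash in the connection code. The anonymous credentials are also allocated on the NULL talloc context with no free visible in the hunk; parent them to a context that is released with the connection object.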
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 28da1af winbindd: Avoid a fd leak when we can not fork from f61ee72 pylibsmb: Avoid a segfault if no credentials are passed to libsmb.Conn() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 28da1af476853e6b49765bd04a496163e8ebd448 Author: Volker Lendecke v...@samba.org Date: Tue Apr 9 16:37:29 2013 +0200 winbindd: Avoid a fd leak when we can not fork Signed-off-by: Volker Lendecke v...@samba.org Signed-off-by: Jim McDonough j...@samba.org Autobuild-User(master): Jim McDonough j...@samba.org Autobuild-Date(master): Tue Apr 9 20:27:27 CEST 2013 on sn-devel-104 --- Summary of changes: source3/winbindd/winbindd_dual.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index e1e45d4..34896d5 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -1398,6 +1398,8 @@ static bool fork_domain_child(struct winbindd_child *child) if (child-pid == -1) { DEBUG(0, (Could not fork: %s\n, strerror(errno))); + close(fdpair[0]); + close(fdpair[1]); return False; } -- Samba Shared Repository
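Review bot: in fork_domain_child(), the two added close() calls run after the DEBUG line, so the log message is correct, but they can overwrite errno before `return False`. If any caller inspects errno to learn why the fork failed, save it before the close() calls and restore it afterwards. A short comment that both ends of fdpair belong to this function until the fork succeeds would also help whoever adds the next early return here.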
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a308db6 s3-netlogon: enumerate UPN suffixes from PASSDB when available via 5952755 PASSDB: add support to set and enumerate UPN suffixes associated with our forest via b752417 s3-waf: filter out ldapsam internal init functions via 6058bc9 wafsamba: fix samba_abi for default catch-all case from 28da1af winbindd: Avoid a fd leak when we can not fork http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a308db6587c866826a280a60b841f0a3926c1078 Author: Alexander Bokovoy a...@samba.org Date: Wed Apr 3 16:52:45 2013 +0300 s3-netlogon: enumerate UPN suffixes from PASSDB when available Optionally append list of UPN suffixes if PDB module returns non-empty one. Refactor fill_forest_trust_array() in source3 to allow reuse of the code between _netr_DsRGetForestTrustInformation() and _netr_GetForestTrustInformation() Implement a special case of _netr_DsRGetForestTrustInformation in smbd when trusted_domain_name is NULL (covered by test_DsrEnumerateDomainTrusts() in rpc.netlogon torture tests, see comment in source4/torture/rpc/netlogon.c). Reviewed-by: Andreas Schneider a...@samba.org Autobuild-User(master): Andreas Schneider a...@cryptomilk.org Autobuild-Date(master): Tue Apr 9 22:19:34 CEST 2013 on sn-devel-104 commit 5952755755fb0ea7f942bb564ca1cfdca5730113 Author: Alexander Bokovoy a...@samba.org Date: Wed Apr 3 16:37:00 2013 +0300 PASSDB: add support to set and enumerate UPN suffixes associated with our forest Samba PDC may manage a forest containing DNS domains in addition to the primary one. Information about them is advertised via netr_DsRGetForestTrustInformation when trusted_domain_name is NULL, according to MS-NRPC and MS-LSAD, and via netr_GetForestTrustInformation. This changeset only expands PASSDB API; how suffixes are maintained is left to specific PDB modules. Set function is added so that suffixes could be managed through 'net' and other Samba utilities, if possible. 
One possible implementation is available for ipasam module in FreeIPA: http://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cc56723151c9ebf58d891e85617319d861af14a4 Reviewed-by: Andreas Schneider a...@samba.org commit b752417f2d6c478524f0fbf0fda1a5d0401b6f9e Author: Alexander Bokovoy a...@samba.org Date: Wed Apr 3 16:01:34 2013 +0300 s3-waf: filter out ldapsam internal init functions pdb_ldapsam_init* functions (init and init_common) are used in pdb_ipa.c and pdb_nds.c which are always linked together with pdb_ldap.c where pdb_ldapsam_init* functions reside. Tested with both ldapsam integrated (into libpdb) and as a separate module. Reviewed-by: Andreas Schneider a...@samba.org commit 6058bc9bb6ac315fbe7cb18e1d07a846f7849e22 Author: Alexander Bokovoy a...@samba.org Date: Wed Apr 3 15:52:06 2013 +0300 wafsamba: fix samba_abi for default catch-all case Only filter out the symbol when positive match was not found and there is negative match. ABI signature file generator worked incorrectly for cases when mixture of positive and negative matches were provided. This resulted in generating empty signature file for libpdb since there was no catch-all positive match anymore. Commit 9ba44cc610426fb558b49aa9680b5bdf55c29082 removed explicit '*' positive match and corresponding vscript generator adds '*' by default if global match list is empty, so this commit introduces feature parity into signature generator. Reviewed-by: Andreas Schneider a...@samba.org --- Summary of changes: buildtools/wafsamba/samba_abi.py|4 +- source3/include/passdb.h| 18 - source3/passdb/ABI/pdb-0.sigs |2 + source3/passdb/pdb_interface.c | 36 + source3/rpc_server/netlogon/srv_netlog_nt.c | 106 --- source3/wscript_build |1 + 6 files changed, 153 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py index 488dab8..76acd00 100644 --- a/buildtools/wafsamba/samba_abi.py +++ b/buildtools/wafsamba/samba_abi.py 
@@ -50,13 +50,15 @@ def parse_sigs(sigs, abi_match): sa = s.split(':') if abi_match: matched = False +negative = False for p in abi_match: if p[0] == '!' and fnmatch.fnmatch(sa[0], p[1:]): +negative = True break elif fnmatch.fnmatch(sa[0], p): matched = True break -if
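Review bot: in parse_sigs(), the loop breaks on the first pattern that matches either way, so `matched` and `negative` can never both be set for one symbol and the result depends on the order of the entries in abi_match. That first-match-wins rule deserves a comment next to the loop, because the commit message describes the filter as "positive match was not found and there is negative match", which reads as if both kinds were evaluated independently. The condition that consumes `negative` is cut off in this message after `-if`, so it cannot be checked here.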
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 69b3d19 vfs_fake_perms: Fix bug 9775, segfault for artificial conn_structs via ce2fb2d vfs_fake_perms: Slightly streamline code via 60c2953 vfs_fake_perms: Slightly streamline code from a308db6 s3-netlogon: enumerate UPN suffixes from PASSDB when available http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 69b3d1944501f65427fbd12e4ddd3b66e67deedd Author: Volker Lendecke v...@samba.org Date: Tue Apr 9 21:18:34 2013 +0200 vfs_fake_perms: Fix bug 9775, segfault for artificial conn_structs Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Wed Apr 10 00:12:06 CEST 2013 on sn-devel-104 commit ce2fb2d019b6f8304b81e2d4d68bdac31edcf025 Author: Volker Lendecke v...@samba.org Date: Tue Apr 9 21:07:23 2013 +0200 vfs_fake_perms: Slightly streamline code Don't initialize a variable directly set Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Jeremy Allison j...@samba.org commit 60c2953a9d5fa12494a8a767c30913398affe453 Author: Volker Lendecke v...@samba.org Date: Tue Apr 9 21:07:23 2013 +0200 vfs_fake_perms: Slightly streamline code Do an early error return Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Jeremy Allison j...@samba.org --- Summary of changes: source3/modules/vfs_fake_perms.c | 66 +++-- 1 files changed, 48 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_fake_perms.c b/source3/modules/vfs_fake_perms.c index 4cda7ea..8eb6e3c 100644 --- a/source3/modules/vfs_fake_perms.c +++ b/source3/modules/vfs_fake_perms.c 
@@ -32,17 +32,32 @@ static int fake_perms_stat(vfs_handle_struct *handle, struct smb_filename *smb_fname) { - int ret = -1; + int ret; ret = SMB_VFS_NEXT_STAT(handle, smb_fname); - if (ret == 0) { - if (S_ISDIR(smb_fname-st.st_ex_mode)) { - smb_fname-st.st_ex_mode = S_IFDIR | S_IRWXU; - } else { - smb_fname-st.st_ex_mode = S_IRWXU; - } - smb_fname-st.st_ex_uid = handle-conn-session_info-unix_token-uid; - smb_fname-st.st_ex_gid = handle-conn-session_info-unix_token-gid; + if (ret != 0) { + return ret; + } + + if (S_ISDIR(smb_fname-st.st_ex_mode)) { + smb_fname-st.st_ex_mode = S_IFDIR | S_IRWXU; + } else { + smb_fname-st.st_ex_mode = S_IRWXU; + } + + if (handle-conn-session_info != NULL) { + struct security_unix_token *utok; + + utok = handle-conn-session_info-unix_token; + smb_fname-st.st_ex_uid = utok-uid; + smb_fname-st.st_ex_gid = utok-gid; + } else { + /* +* We have an artificial connection for dfs for example. It +* sucks, but the current uid/gid is the best we have. +*/ + smb_fname-st.st_ex_uid = geteuid(); + smb_fname-st.st_ex_gid = getegid(); } return ret; 
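Review bot: in fake_perms_stat(), the new guard tests only session_info for NULL, and unix_token is then dereferenced unchecked. If an artificial conn_struct can carry a session_info without a unix_token, the segfault from bug 9775 just moves one level down. Consider taking the geteuid()/getegid() branch whenever either pointer is NULL. The fallback comment would also be more useful if it named the code path that builds such connections rather than "dfs for example".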
@@ -50,18 +65,33 @@ static int fake_perms_stat(vfs_handle_struct *handle, static int fake_perms_fstat(vfs_handle_struct *handle, files_struct *fsp, SMB_STRUCT_STAT *sbuf) { - int ret = -1; + int ret; ret = SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf); - if (ret == 0) { - if (S_ISDIR(sbuf-st_ex_mode)) { - sbuf-st_ex_mode = S_IFDIR | S_IRWXU; - } else { - sbuf-st_ex_mode = S_IRWXU; - } - sbuf-st_ex_uid = handle-conn-session_info-unix_token-uid; - sbuf-st_ex_gid = handle-conn-session_info-unix_token-gid; + if (ret != 0) { + return ret; } + + if (S_ISDIR(sbuf-st_ex_mode)) { + sbuf-st_ex_mode = S_IFDIR | S_IRWXU; + } else { + sbuf-st_ex_mode = S_IRWXU; + } + if (handle-conn-session_info != NULL) { + struct security_unix_token *utok; + + utok = handle-conn-session_info-unix_token; + sbuf-st_ex_uid = utok-uid; + sbuf-st_ex_gid = utok-gid; + } else { + /* +* We have an artificial connection for dfs for example. It +* sucks, but the current uid/gid is the best we have. +*/ + sbuf-st_ex_uid = geteuid(); + sbuf-st_ex_gid = getegid(); + } + return ret; } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8aae8b5 s3:smbd: do not access data behind req-buf+req-buflen in srvstr_pull_req_talloc() via a70e9db s3:smbd: convert srvstr_pull_req_talloc() into a function via 98f9e5e s3:smbd: do not access data behind req-buf+req-buflen in srvstr_get_path_req_wcard() via e7e37b3 python-samba-tool domain classicupgrade: Make failure to connect directly to the LDAP backend fatal via 45a596f build: Remove extra space in shebang via 58e3c53 build: Replace #!/usr/bin/env python with passed in PYTHON= from 69b3d19 vfs_fake_perms: Fix bug 9775, segfault for artificial conn_structs http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8aae8b5bad167ac732b7f8949dfb40aebb2f26a9 Author: Ralph Wuerthner ralph.wuerth...@de.ibm.com Date: Thu Apr 4 13:29:01 2013 +0200 s3:smbd: do not access data behind req-buf+req-buflen in srvstr_pull_req_talloc() Reviewed-by: Volker Lendecke v...@samba.org Reviewed-by: Michael Adam ob...@samba.org Autobuild-User(master): Michael Adam ob...@samba.org Autobuild-Date(master): Wed Apr 10 02:03:13 CEST 2013 on sn-devel-104 commit a70e9db0f325e9be85983c172f0cc68992b0f593 Author: Ralph Wuerthner ralph.wuerth...@de.ibm.com Date: Thu Apr 4 13:24:36 2013 +0200 s3:smbd: convert srvstr_pull_req_talloc() into a function Reviewed-by: Volker Lendecke v...@samba.org Reviewed-by: Michael Adam ob...@samba.org commit 98f9e5edd35d6fb54dea74f799b017967b0a13fd Author: Ralph Wuerthner ralph.wuerth...@de.ibm.com Date: Thu Apr 4 12:59:36 2013 +0200 s3:smbd: do not access data behind req-buf+req-buflen in srvstr_get_path_req_wcard() Reviewed-by: Volker Lendecke v...@samba.org Reviewed-by: Michael Adam ob...@samba.org commit e7e37b3b90100f762a45f2f3c047e14e3619c216 Author: Andrew Bartlett abart...@samba.org Date: Fri Apr 5 15:23:20 2013 +1100 python-samba-tool domain classicupgrade: Make failure to connect directly to the LDAP backend fatal This is better than failing just a little further down the stack with a useless error 
about use-before-set. Andrew Bartlett Reviewed-by: Michael Adam ob...@samba.org commit 45a596fbe9ed2b198956d58784999df780f6dd65 Author: Andrew Bartlett abart...@samba.org Date: Mon Apr 8 08:33:55 2013 +1000 build: Remove extra space in shebang Reviewed-by: Michael Adam ob...@samba.org commit 58e3c5323e343dcab1c528c6b6a44925b76cb297 Author: Andrew Bartlett abart...@samba.org Date: Mon Apr 8 15:57:45 2013 +1000 build: Replace #!/usr/bin/env python with passed in PYTHON= This means that if we were forced to use a specific python for the build, we will put that binary into the top of samba-tool, so it continues to work after the install. Andrew Bartlett Reviewed-by: Michael Adam ob...@samba.org --- Summary of changes: buildtools/wafsamba/samba_python.py | 10 ++ buildtools/wafsamba/wafsamba.py | 15 ++- python/samba/upgrade.py |2 +- source3/include/srvstr.h|9 - source3/smbd/proto.h|2 ++ source3/smbd/reply.c| 31 --- source3/wscript |2 +- wscript |7 ++- 8 files changed, 58 insertions(+), 20 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_python.py b/buildtools/wafsamba/samba_python.py index b2172f7..847b431 100644 --- a/buildtools/wafsamba/samba_python.py +++ b/buildtools/wafsamba/samba_python.py @@ -5,6 +5,16 @@ from samba_utils import * from samba_autoconf import * from Configure import conf + +@conf +def SAMBA_CHECK_PYTHON(conf, mandatory=True): +# enable tool to build python extensions +conf.find_program('python', var='PYTHON', mandatory=mandatory) +conf.check_tool('python') +path_python = conf.find_program('python') +conf.env.PYTHON_SPECIFIED = (conf.env.PYTHON != path_python) +conf.check_python_version((2,4,2)) + @conf def SAMBA_CHECK_PYTHON_HEADERS(conf, mandatory=True): if conf.env[python_headers_checked] == []: diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index f7156ec..3559cc1 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py 
@@ -696,14 +696,25 @@ def copy_and_fix_python_path(task): replacement=sys.path.insert(0, %s) sys.path.insert(1, %s) % (task.env[PYTHONARCHDIR], task.env[PYTHONDIR]) +shebang = None + +if task.env[PYTHON][0] == /: +replacement_shebang = #!%s % task.env[PYTHON] +else: +replacement_shebang = #!/usr/bin/env %s % task.env[PYTHON] +
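Review bot: in the samba_python.py hunk, SAMBA_CHECK_PYTHON() passes `mandatory` only to the first conf.find_program() call. With mandatory=False and no interpreter found, conf.check_tool('python'), the second find_program('python') and conf.check_python_version((2,4,2)) still run. Either return early when the first lookup fails or drop the parameter. PYTHON_SPECIFIED also needs a one-line comment: it is derived by comparing conf.env.PYTHON with a second lookup of 'python', and the intent (the caller passed PYTHON= explicitly) is not obvious from the code.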
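Review bot: in copy_and_fix_python_path(), the test on the first character of task.env PYTHON raises IndexError if that value is empty; a startswith('/') check expresses the same intent without that failure mode. `shebang = None` is assigned, but only replacement_shebang is used in the lines shown here. The hunk is cut off, so if `shebang` is not consumed further down it should be dropped. A comment stating that a relative PYTHON value is resolved through /usr/bin/env at run time, while an absolute one is written verbatim, would document the two branches.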