[Samba] Samba 4 success story

2013-05-01 Thread Alex Ferrara
Hi guys,

I thought I should send a quick email through to report my experience upgrading 
a Samba3 + OpenLDAP site to Samba4.

I did lots of reading and had a bunch of howto documents, including the 
official one, at my disposal. 

I set up a shiny new Ubuntu 12.04 64bit virtual machine using OpenVZ and 
installed the samba4 packages out of http://ppa.launchpad.net/kernevil. I went 
through the samba-tool classic upgrade documented in the official how to 
several times in a test environment to beat our LDAP into shape, which was 
mostly usernames with the same name as a group, and a few duplicate SIDs, but 
all this was fairly painless. After the testing migration worked, the 
for-real migration worked first time. We used ldapsam:trusted = yes in the 
classic upgrade step as we did it on new hardware.

I modified our existing Bind DNS servers to look to the Samba 4 DNS server for 
the AD domain, and modified the /etc/resolv.conf to search the AD domain. We 
ended up using bind9-dlz on the Samba4 server as this gave us greater 
flexibility.

I installed the krb5-user package and copied /var/lib/samba/private/krb5.conf 
to /etc. This was the only thing I had to do to make the kerberos client work. 
A kinit root@FQDN.DOMAIN worked first time, and a klist confirmed the ticket.

I modified my existing DHCP server to serve out the new AD domain name to our 
clients, and removed the WINS stuff. Once this was done, our clients pretty 
much logged on and migrated to the new domain on their own, as per the 
Microsoft migration path. Most clients needed two reboots, and one client had a 
problem with the time skewing the kerberos ticket, but mostly it worked first 
time.

By this time, the whole migration had taken about 90 minutes and it was all 
working really well. I spent quite a bit of time testing everything and I even 
installed the Microsoft remote admin pack which worked just like we were 
running an AD server…. Oh wait, we are!

In hindsight, the use of kernevil packages was a bad decision, as those packages 
don't include the winbind client tools or CUPS support. It worked flawlessly 
other than that, and upgrading those packages should be nice and easy. I have 
been told that the Debian packages out of squeeze-backports would have been a 
better choice, but I haven't looked at them as of yet.

This is day 3 of running Samba4 and after a few changes to make other things 
talk to AD Samba instead of NT4 Samba, things are really stable.

A big thank-you goes out to all the Samba developers. 

This is one of those situations where I took extreme caution just in case 
things broke, but they never did. Site #1 migrated to Samba4, and I have quite 
a few more to go. Exciting times.

Alex Ferrara
Director
Receptive IT Solutions




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 3 dynamically enable or disable share

2013-05-01 Thread Mauricio Alvarez
Jonathan,


> > I really don't want to repartition--again! But yes, your idea is
> > interesting.
>
> As a point of note that is what LVM is for, the 20th century called and
> wants partitions back.

Point taken! But really, I had already enough issues with this server, I just
wanted to keep it as simple as possible.

> Getting back on topic [...]
> And then have Samba come up with the shares in available = no
> configuration [...]

This is exactly what I was looking for. I completely missed the available
parameter in smb.conf. My bad.

Thank you so much, and thanks to everybody else for their ideas.



[Samba] nis homedir issue on samba- 3.6.9-151.el6 (CentOS 6.4 64bit)

2013-05-01 Thread Vincenzo De Sanctis
maybe there is a bug regarding the use of nis to mount the user's home
directory at the login or my misconfiguration.
After the CentOS 6.4 (64bit) installation I checked for the latest samba
version on the official repository using yum: the latest version (that was
already installed) is samba- 3.6.9-151.el6.
From man smb.conf I have seen that nis homedir is not yet deprecated, I
used it a decade ago on samba-2.2.12 successfully.
On CentOS 6.4 I don't use ldap, but only nis and the latter works without
problem, I installed also autofs (auto.home).
autofs+nis are simple and work great, I can 'su' home users on nfs without
problem.


[global]

   workgroup = DORK   ;changed for privacy
   netbios name = lince
   server string = DMIT domain server
   interfaces = eth0

;   smb ports = 445

   hosts allow = 129.123.38., 139.123.39., 179.21.23., 127. ;changed for privacy
   hosts deny = ALL

   os level = 33
   domain master = yes
   local master = yes
   preferred master = yes
   domain logons = yes
   security = user
   guest accout = guest
   encrypt passwords = yes
   check password script = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict

   smb passwd file = /etc/samba/smbpasswd
   passdb backend = smbpasswd
   username map = /etc/samba/smbusers

   time server = Yes

   log file = /var/log/samba/pc/%m.log

   nis homedir = yes
   homedir map = auto.home

   null passwords = yes
   client lanman auth = no

   logon script = logon.bat
   logon path =
   logon drive = M:
   logon home = \\%N\%U

   wins support = no
   wins server = winsserver  ;changed for privacy

   log level = 2
   lock directory = /var/log/samba/locks/
   state directory = /var/log/samba/state/
   cache directory = /var/log/samba/cache/
   pid directory = /var/log/samba/pid/
   usershare path = /var/log/samba/usershare/
   printjob username = %M\%U
   hide dot files = No[netlogon]
   path = /etc/samba/netlogon

;   max protocol = smb2

   kernel oplocks = no
   oplocks = no
   level2 oplocks = no
   posix locking = no

   follow symlinks = yes
   wide links = yes
   unix extensions = no
   nt acl support = no

   printing = lprng
   printcap name = /usr/local/samba/lib/printcap
   load printers = yes
   print command = /usr/bin/lpr -P%p %s; rm %s
   lpq command = /usr/bin/lpq -P%p
   lprm command = /usr/bin/lprm -P%p %j
   printcap cache time = 0

### speed tuning
   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
   write raw = yes
   read raw = no

###  for japanese font :(
   dos charset = cp932
   display charset = cp932
   unix charset = cp932

;  profiles drammatically slow the logout so I disabled
;  [profiles]
;  comment = Network Profiles Share
;  path = /etc/samba/profiles
;  read only = No
;  store dos attribute = Yes
;  create mask = 0600
;  directory mask = 0700
;  browseable = no


[netlogon]
   path = /etc/samba/netlogon
   writeable = no
   public = yes

[root]
   comment = Root di %h
   path = /
   read only = yes
   public = no
   locking = no

[printers]
   printable = yes
   public = yes
   writable = no
   guest ok = yes

   #create mode = 0700

[homes]
   comment = Users Home Directories
   read only = No
   create mask = 0644
   directory mask = 0711
   browseable = No
   valid users = %S
;  %S = the name of the current service, if any. service = map name,
;  so map name A-USER can only be connected by A-USER, %S = %u
;
;  By default, \\server\username shares can be connected to by anyone
;  with access to the samba server. This parameter make sure that only
;  username can connect to \\server\username

[project]
   comment = Group project directories
   path = /usr/local/samba/lib/prj  ;this path contains several links to nfs
   read only = no
   writable = yes
   create mode = 0775
   force create mode = 0775
   directory mode = 02775
   force directory mode = 02775
   public = no
   oplocks = no
 continues but not important!



As you can see in the smb.conf  I added 'nis homedir = yes' and 'homedir
map = auto.home'
Samba- 3.6.9-151.el6 is included in CentOS 6.4 so to check if it has been
compiled with configure --with-automount I used the command 'smbd -b|grep
-i automount':

  [root@dork]#smbd -b| grep -i automount
WITH_AUTOMOUNT
WITH_AUTOMOUNT

this is a piece of my /etc/auto.home:

pippo  server1:/dati3/export/home/
pluto server2:/iscsi/home/
#paperino server1:/dati2/export/home/
mickeymouse server2:/iscsi/home/
spiderman server1:/dati2/export/home/
,,, continues but not important!

Now after samba configuration I'm able to join the 'DORK' domain from win7
and at login the latter mounts all resources declared through logon.bat
without problem except the user's home directory because 'nis homedir'
fails.

I think, M: is not mounted on win7 because the variable %N is blank
(strange!), I can say that because I also added %N to the file log name
'log file = /var/log/samba/test/%N_%p.log (but even %p is 

Re: [Samba] nis homedir issue on samba- 3.6.9-151.el6 (CentOS 6.4 64bit)

2013-05-01 Thread Vincenzo De Sanctis
Can it be a pam problem?

[root@dork]# cat /etc/pam.d/samba
#%PAM-1.0
auth       required pam_nologin.so
auth       include  password-auth
account    include  password-auth
session    include  password-auth
password   include  password-auth




[Samba] Samba4 does't run netlogon scripts and batch files

2013-05-01 Thread Varda Zklir
I've tried to move from Samba 3.6.14 to Samba 4.0.5. Process went smooth, 
Win8Pro clients joined domain successfully.

But now netlogon startup scripts do not run on clients at sign-in. Also .bat 
batch files from network shares do not execute (Win8 says I do not have 
permissions) without the execute bit set.

Is this the right behavior? How do I get the previous behavior back?

If I return 3.6.14 version everything is back to normal and works fine.

Thank You.


Re: [Samba] how to upload printer driver from 64bit windows 7/8?

2013-05-01 Thread Marc Muehlfeld

Hello Graeme

On 01.05.2013 04:27, kylew...@southa.com wrote:

> Anyone know how to upload 64bit printer driver to a samba server from
> x64 windows so that all x64 PC can do point and print?
>
> When I browse to //server with 64bit windows 7/8 , there's no
> Printers folder at the server. I cannot view the printer properties
> and upload printer driver as I usually do with 32bit windows XP.


Have you setup samba to work as a print-server 
(https://wiki.samba.org/index.php/Samba_as_a_print_server)?


If you have a [print$] share and on it the required driver directory 
structure, you should be able to upload drivers through the wizard 
(On Win7 go to \\servername, click 'open remote printers', right-click 
somewhere, 'server settings', 'drivers', ...)



Regards
Marc



Re: [Samba] Samba4 does't run netlogon scripts and batch files

2013-05-01 Thread Ricky Nance
So a couple of things come into play here, when moving to AD you need to
either create a Group Policy that will run the logon script, or set the
logon script per individual. Secondly, .bat should be able to run off the
network drive by setting the correct ACL's (I was thinking chmod 755 from
linux worked, but I may be wrong), in windows, right click on the .bat,
then hit the security tab, and add something like everyone, or
authenticated users, and select the correct acl's (play around with it as I
don't remember right off).

Ricky


On Wed, May 1, 2013 at 5:41 AM, Varda Zklir v...@yahoo.com wrote:

> I've tried to move from Samba 3.6.14 to Samba 4.0.5. Process went smooth,
> Win8Pro clients joined domain successfully.
>
> But now netlogon startup scripts do not run on clients at sign-in. Also
> .bat batch files from network shares do not execute (Win8 says I do not
> have permissions) without the execute bit set.
>
> Is this the right behavior? How do I get the previous behavior back?
>
> If I return 3.6.14 version everything is back to normal and works fine.
>
> Thank You.



[Samba] Latest winbind creating fault

2013-05-01 Thread Dimitri Yioulos
All,

Yesterday morning, I updated samba from samba3-3.6.13-45 to 
samba3-3.6.14-45 (obtained from sernet) on a couple of 
CentOS 5.9 boxes.  As soon as users started accessing these 
boxes, one of my sensors detected a winbind error, as in:

Apr 30 08:19:36 norwell winbindd[13283]:   INTERNAL ERROR: Signal 11 in pid 13283 (3.6.14)

Here's what appears in syslog:

Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.667710,  0] lib/fault.c:47(fault_report)
Apr 30 08:19:36 norwell winbindd[8938]:   ===
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.670612,  0] lib/fault.c:48(fault_report)
Apr 30 08:19:36 norwell winbindd[8938]:   INTERNAL ERROR: Signal 11 in pid 8938 (3.6.14)
Apr 30 08:19:36 norwell winbindd[8938]:   Please read the Trouble-Shooting section of the Samba3-HOWTO
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.671113,  0] lib/fault.c:50(fault_report)
Apr 30 08:19:36 norwell winbindd[8938]:
Apr 30 08:19:36 norwell winbindd[8938]:   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.671456,  0] lib/fault.c:51(fault_report)
Apr 30 08:19:36 norwell winbindd[8938]:   ===
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.671683,  0] lib/util.c:1117(smb_panic)
Apr 30 08:19:36 norwell winbindd[8938]:   PANIC (pid 8938): internal error
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.675330,  0] lib/util.c:1221(log_stack_trace)
Apr 30 08:19:36 norwell winbindd[8938]:   BACKTRACE: 17 stack frames:
Apr 30 08:19:36 norwell winbindd[8938]:    #0 winbindd(log_stack_trace+0x2d) [0x31b655]
Apr 30 08:19:36 norwell winbindd[8938]:    #1 winbindd(smb_panic+0x7c) [0x31b787]
Apr 30 08:19:36 norwell winbindd[8938]:    #2 winbindd [0x30b8ce]
Apr 30 08:19:36 norwell winbindd[8938]:    #3 [0xd39420]
Apr 30 08:19:36 norwell winbindd[8938]:    #4 winbindd [0x23a080]
Apr 30 08:19:36 norwell winbindd[8938]:    #5 winbindd(_wbint_LookupRids+0x8a) [0x258d08]
Apr 30 08:19:36 norwell winbindd[8938]:    #6 winbindd [0x263596]
Apr 30 08:19:36 norwell winbindd[8938]:    #7 winbindd(winbindd_dual_ndrcmd+0x13a) [0x257a42]
Apr 30 08:19:36 norwell winbindd[8938]:    #8 winbindd [0x256a0c]
Apr 30 08:19:36 norwell winbindd[8938]:    #9 winbindd [0x32e432]
Apr 30 08:19:36 norwell winbindd[8938]:    #10 winbindd(tevent_common_loop_immediate+0x111) [0x32ceed]
Apr 30 08:19:36 norwell winbindd[8938]:    #11 winbindd(run_events_poll+0x3e) [0x32b095]
Apr 30 08:19:36 norwell winbindd[8938]:    #12 winbindd [0x32b80f]
Apr 30 08:19:36 norwell winbindd[8938]:    #13 winbindd(_tevent_loop_once+0x9d) [0x32bd2d]
Apr 30 08:19:36 norwell winbindd[8938]:    #14 winbindd(main+0xd32) [0x22e303]
Apr 30 08:19:36 norwell winbindd[8938]:    #15 /lib/libc.so.6(__libc_start_main+0xdc) [0xdc0ebc]
Apr 30 08:19:36 norwell winbindd[8938]:    #16 winbindd [0x22b111]
Apr 30 08:19:36 norwell winbindd[8938]: [2013/04/30 08:19:36.677068,  0] lib/fault.c:372(dump_core)
Apr 30 08:19:36 norwell winbindd[8938]:   dumping core in /var/log/samba/cores/winbindd
Apr 30 08:19:36 norwell winbindd[8938]:

Unfortunately, I was unable to do any further debugging.

This morning, I rolled back installation to 
samba3-3.6.13-45, and the problem has gone away.

Bug in latest version on sernet?

Dimitri



[Samba] Samba4 does't run netlogon scripts and batch files

2013-05-01 Thread Varda Zklir
Thanks for your reply.

> So a couple of things come into play here, when moving to AD you need to

No, I've started Samba4 as PDC server role = classic primary domain 
controller and want to keep such compatibility as much as possible.

> either create a Group Policy that will run the logon script, or set the
> logon script per individual.

Please point or describe to me a way to do this.

> Secondly, .bat should be able to run off the network drive by setting the
> correct ACL's (I was thinking chmod 755 from linux worked, but I may be
> wrong), in windows, right click on the .bat, then hit the security tab,
> and add something like everyone, or authenticated users, and select the
> correct acl's

Is there a way to avoid editing access rights to 755 for executable files on 
network shares? Because my shares are configured with create mask = 644 for 
user's uploaded files and I do not want to break this functionality and want 
to keep user's files with 644 permissions on server. Is this possible with Samba4?

Thank You.



[Samba] Samba, Win7 login failure

2013-05-01 Thread snowybunting
I have an XP box that is hosting our MRP server software with the 
databases on a Centos 5 machine via samba. I was running all my apps on 
it as well. I decided to dedicate that machine to the server software 
and got a Win7 machine for my apps, databases still on the centos box. I 
changed the name of the XP machine to server, it still logs into samba 
with my credentials. The Win7 machine is named differently than the XP 
box. It will not log into samba shares with my credentials, but it will 
if I use someone else's. Smbclient -L back to the Win7 machine fails, 
but works to the XP machine and its new name. Since logging in with 
another users name works, I have to think the Win7 is communicating 
properly, I just can't get there with my own credentials. Using my 
credentials on any other windows box on the network works fine. I'm 
thinking I missed a step with the new machine, but can't put my finger 
on it. Any help is appreciated.




[Samba] Replacing Win2000 DC with Samba4 - Success!

2013-05-01 Thread Lukas Gradl


Hi!

Just wanted to share a little success story:

We were asked to replace a Win2000 DC deployed by another company 
which isn't existing any more. As our focus is software development on 
linux we wanted to deploy a Samba-server instead of Windows.


So after some trial and error and a lot of reading and asking (many  
thanks to all that tried to help!) in mailing-lists and forums we  
managed to do the migration in several steps:


Samba4 is not able to migrate from Win2000 directly - we think this  
problem is not sufficiently addressed in the docs and in the wiki. So  
our first attempts to do so did not succeed.


Next step was to set up a Win2012R2 Server (the trial version is  
enough, no need to activate) and move over from Win2k to Win2012. How  
to do that is documented in the MS-Docs. Upgrade the Win2k  
ldap-schemes, add win2012 to domain, demote win2k, done.


Then we installed Samba4 and promoted it as an additional DC to the 
domain. This worked quite well, only little problems syncing the 
dns-Server. But I'm not sure if that was a problem with Samba4 but 
with our a little special bind9-setup instead - so no reason to worry 
about this in this mailing list.


After that we discovered that Win2012 can not be easily removed from 
the domain - there seem to be some (known) problems regarding demotion 
of Win2012 from a samba-domain. So we had to manually remove the 
win2012-Server from the domain. That was (including some tests) app. 
an hour of work - so no problem.


As an additional benefit over a direct migration from win2k to samba4 
we could use the same name as the win2k-DC for the samba-server. So no 
need to change scripts using shares with the servername in it or 
desktop-shortcuts on the client machines!


The whole task (without copying the data stored on the fileserver) for  
replacing a single Win2k DC with Samba4 serving 25 Clients needed app.  
10 Hours including a lot of research in the mailing lists and taking  
several snapshots of the (virtualized) Servers involved to prevent  
dataloss.


Thanks to all involved for the perfect work!

Regards
Lukas



[Samba] Build 3.6.12 on Solaris 8

2013-05-01 Thread Shaw, Kevin
All,

I need to build samba 3.6.12 on solaris 8 using studio 12. Has anyone 
accomplished this and willing to share tips, tricks, or notes?

-Kevin


[Samba] 4.05 stable - domain join attempt failing with NO DNS zone information found in source domain, not replicating DNS, followed by LDAP error 50

2013-05-01 Thread Phil Quesinberry
I've been trying to join Samba 4.05 stable to an existing Windows 2000
domain but keep getting an LDAP error 50 - LDAP_INSUFFICIENT_ACCESS_RIGHTS
despite attempting to join with the Windows administrator account.  I did
a capture of the network traffic generated by the failure for more
information on what's going on and discovered the following:

First Samba does an LDAP ROOT bind request to the existing PDC as
administrator (NTLMSSP_AUTH, user: DOMAIN\administratorsasl) which succeeds,
so Samba's error message is somewhat misleading (to me), I was interpreting
that as an error connecting to LDAP.
But then I see a bunch of LDAP SASL GSS-API Integrity request/response
packets Wireshark is apparently unable to decode so it gives the following:
GSS-APISPNEGOBER error: Wrong tag in tagged type - expected class
APPLICATION(1) tag:0 ('end of content') but found class:UNIVERSAL(0) tag:1

Finally, the exchange ends with a timestamp and timestamp echo reply
exchange.  I'm guessing this is Kerberos related:
Samba -- PDC - LDAP (FIN, ACK) Seq=.TSV=55321631 TSER=722686
PDC -- Samba - TSV=722686 TSER=55321631
PDC -- SAMBA - TSV=722686 TSER=55321631
SAMBA -- PDC - TSV=55321632 TSER = 722686

Could this be a compatibility problem with Samba and the old Win2K server or
is there some other problem?  The NO DNS zone information found in source
domain, not replicating DNS error concerns me.  I'd really like to
understand why this isn't working.

I can provide additional info/screenshots/PCAP data if desired.  CLI output
follows, SERVER.HERSCHLAUREN is the current Win2K DC, SERVER1 is the joining
Samba server:

[root@Server1 hldata]# samba-tool domain join HERSCHLAUREN DC -U herschlauren/administrator
Finding a writeable DC for domain 'HERSCHLAUREN'
Found DC SERVER.HERSCHLAUREN
Password for [HERSCHLAUREN\administrator]:
NO DNS zone information found in source domain, not replicating DNS
workgroup is HERSCHLAUREN
realm is HERSCHLAUREN
checking sAMAccountName
Adding CN=SERVER1,OU=Domain Controllers,DC=HERSCHLAUREN
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  0522: SecErr: DSID-031A0ADA, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 1104, in join_DC
    ctx.do_join()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 1007, in do_join
    ctx.join_add_objects()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 499, in join_add_objects
    ctx.samdb.add(rec)


Phil Quesinberry
Q Systems Engineering, Inc.
Embedded Systems Hardware/Software Development and VoIP Business Telephone
Hosting
Improve your business telephone services and save money
(410) 969-8002
http://www.qsystemsengineering.com



Re: [Samba] Replacing Win2000 DC with Samba4 - Success!

2013-05-01 Thread Phil Quesinberry
> Samba4 is not able to migrate from Win2000 directly - we think this
> problem is not sufficiently addressed in the docs and in the wiki. So
> our first attempts to do so did not succeed.

I have to agree, this explains the problem we were having.  Apparently your
research Kung Fu is better than mine, I was never able to turn up anything
to show that this was the case so I was expecting it to work and had posted
a question about it on the forum which no one was able to answer, presumably
due to the lack of info mentioned above.

Many thanks for sharing your success story.  This info needs to go on the
Wiki.

Cheers,

- Phil





Re: [Samba] Build 3.6.12 on Solaris 8

2013-05-01 Thread Gaiseric Vandal
Longer term you might just want to look at moving to Solaris 10, since 
it has samba 3.6.x included already. So much simpler than 
compiling. Although ZFS support does add new complications.



That being said, I did have some luck compiling samba 3.4.x on Solaris 
10 (prior to Sun/Oracle releasing an update for its bundled 
version.) I had to use Sun studio and dmake. (Ideally you would use 
gcc but the version of make included with solaris breaks things.)



According to my notes

CC='/usr/bin/cc -xc99'
CXX=/usr/bin/CC


I don't remember why but I think that tells  Sun Studio to compile stuff 
with open source compatibility in mind.



If you use LDAP for an account backend, domain trusts or idmapping you may 
need to compile openldap first. The sun ldap may be ok for some 
dependencies but not others.



Instead of the make command, use dmake or dmake -serial. Samba 
source should include some of its own dependencies ( tdb, talloc etc)  
you may need to cd into the subdirectories and run dmake or dmake 
-serial first.  Otherwise samba build may fail because of the dependencies.





I used the following config command

./configure --prefix=/usr/local/samba-3.4.12 \
--with-privatedir=/etc/samba/private \
--with-lockdir=/var/samba/locks \
--with-configdir=/etc/samba \
--with-libtalloc=no \
--with-libtdb=yes \
--with-ads=no \
--with-ldap=yes \
--with-krb5=/usr


If you don't have trusts or ADS support required you can skip kerberos 
support.   Libtalloc might be required for idmapping.


You may have to say no for most config options, config and compile, then 
enable options one at a time and config and compile again.



On 05/01/13 10:41, Shaw, Kevin wrote:

> All,
>
> I need to build samba 3.6.12 on solaris 8 using studio 12. Has anyone
> accomplished this and willing to share tips, tricks, or notes?
>
> -Kevin




[Samba] [Solved] SAMBA 3.6.6 PDC domain not available / no challenge sent to client

2013-05-01 Thread Ralf Gorholt

Dear all,

just to close my posting: I have started with a new configuration of a 
Samba PDC from scratch in a virtual network with virtual machines and 
tweaked it until it worked as needed, then copied the smb.conf file to 
my old configuration. I don't know which of the parameters was bad but 
however - I was able to join the missing PC to the domain again and to 
log on successfully.


Kind regards,

Ralf


Re: [Samba] Samba, Win7 login failure

2013-05-01 Thread Marc Muehlfeld

Hello,

On 01.05.2013 16:33, snowybunting wrote:

It will not log into samba shares with my credentials, but it will
if I use someone else's. Smbclient -L back to the Win7 machine fails,
but works to the XP machine and its new name. Since logging in with
another users name works, I have to think the Win7 is communicating
properly, I just can't get there with my own credentials.



Just a guess:

XP supported LM and NTLM hashed password. Win7 uses only NTLM by default. 
Maybe your password was last time set a long time ago and only the LM 
hash was saved on your server. And if the other users had changed their 
password later, where it was also stored as NTLM hash, this could 
explain, why they can login and you can't.


What happens if you reset your password?


For more ideas/help, please provide some more information (samba 
version, etc.).



Regards
Marc


Re: [Samba] Samba, Win7 login failure

2013-05-01 Thread snowybunting

On 5/1/2013 11:41 AM, Marc Muehlfeld wrote:

Just a guess:

XP supported LM and NTLM hashed password. Win7 uses only NTLM by default.
Maybe your password was last time set a long time ago and only the LM
hash was saved on your server. And if the other users had changed their
password later, where it was also stored as NTLM hash, this could
explain, why they can login and you can't.

What happens if you reset your password?




Excellent guess. I did smbpasswd -a username just for laughs and 
before reading your reply, and it connected immediately. I did not know 
why until your explanation.


Thanks for the reply.
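
One way to test the guess in this thread across all accounts, as an added example that is not part of the original posts: it reads an account export in smbpasswd(5) format (assumed here to come from `pdbedit -L -w`) and reports which users have only an LM hash stored and when the password was last changed. The sample lines and hash values are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample in smbpasswd(5) format (what `pdbedit -L -w` prints).
# All hash values are made-up placeholders, not real password hashes.
SAMPLE = """\
alice:1001:0123456789ABCDEF0123456789ABCDEF:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3E8F2A10:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-516D4E00:
carol:1003:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-50E22700:
pc01$:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-51800000:
"""

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")  # a stored hash; "XXXX..." means none


def audit(text):
    """Map each user account to (status, date of last password change)."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 6:
            continue
        user, _uid, lm, nt, flags, lct = fields[:6]
        if "W" in flags:  # workstation trust account, not a user
            continue
        has_lm = HEX32.fullmatch(lm) is not None
        has_nt = HEX32.fullmatch(nt) is not None
        if has_lm and not has_nt:
            status = "lm-only"      # no NT hash for an NTLM-only client to use
        elif has_lm:
            status = "lm-and-nt"    # works, but the LM hash is still stored
        elif has_nt:
            status = "nt-only"
        else:
            status = "no-hash"
        changed = None
        if lct.startswith("LCT-"):  # hex seconds since the epoch
            stamp = int(lct[4:], 16)
            changed = datetime.fromtimestamp(stamp, timezone.utc).date().isoformat()
        report[user] = (status, changed)
    return report


if __name__ == "__main__":
    for user, (status, changed) in audit(SAMPLE).items():
        print(f"{user:8} {status:10} last change {changed}")
```

Accounts reported as lm-only are the ones a password reset would fix; lm-and-nt accounts still carry an LM hash that can be dropped at the next change.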




Re: [Samba] Samba4 does't run netlogon scripts and batch files

2013-05-01 Thread Ricky Nance
Sorry I made the wrong assumption that you were using it as an AD DC.
Conventional samba 3 stuff should all remain the same, so without testing
this I am not sure what's going on.
On May 1, 2013 8:44 AM, Varda Zklir v...@yahoo.com wrote:

 Thanks for your reply.

  So a couple of things come into play here, when moving to AD you need to

 No, I've started Samba4 as PDC server role = classic primary domain
 controller and want to keep such compatibility as much as possible.

  either create a Group Policy that will run the logon script, or set the
  logon script per individual.

 Please point or describe to me a way to do this.

  Secondly, .bat should be able to run off the network drive by setting the
  correct ACL's (I was thinking chmod 755 from linux worked, but I may be
  wrong), in windows, right click on the .bat, then hit the security tab,
  and add something like everyone, or authenticated users, and select the
  correct acl's

 Is there a way to avoid editing access rights to 755 for executable files
 on network shares? Because my shares configured with create mask = 644
 for user's uploaded files and I do not want to break this functionality and
 want keeps user's files with 644 permissions on server. Is this possible
 with Samba4?

 Thank You.



Re: [Samba] Build 3.6.12 on Solaris 8

2013-05-01 Thread Gaiseric Vandal
I had to build OpenLDAP for full ldap functionality. The solaris 
version of kerberos should be sufficient.   But you don't need LDAP so 
you can even disable ldap and krb5 in configure.


samba should have a configure script

./configure --help  will show you the options. If you don't specify 
prefix it will build in /usr/local (/usr/local/sbin, /usr/local/lib 
etc) which may not be what you want. I usually like to specify 
something like


  --prefix=/usr/local/samba-3.6.12

then symlink /usr/local/samba-3.6.12 to /usr/local/samba.

This lets me build new versions without breaking the running version.
Just make sure you have LD_LIBRARY_PATH and PATH set correctly.



Configure will see what prereqs are installed.   It will also see which 
version of cc, gcc and make are available.  configure will create a make 
script.  make or dmake will use that file to compile and link stuff in 
the correct order.



I wouldn't have thought you needed a map file, assuming the windows user 
names match the unix user names.






On 05/01/13 12:01, Shaw, Kevin wrote:

Thanks so much for the reply!

I've just updated my solaris 10 samba server to 3.6.12 (119757-27 sparc or 
119758-27 x86). The solaris 8 system is out of my control. My problem is that I 
know very little about building S/W.

I do have studio12 setup. Hopefully this will work:

CC='/auto/studio12/sparc/SUNWspro/bin/cc -xc99'
CXX= auto/studio12/sparc/SUNWspro/bin

I use user.map file to map unix to windows accounts so LDAP is not necessary.

Did you build Kerberos or any other S/W before samba?

TIA

-Kevin



[Samba] slow automounted cifs

2013-05-01 Thread steve

Samba 4.0.6 git both DC and fileserver with openSUSE 12.3 clients
Hi
I'm trying to debug why logins to Linux clients are sometimes slow. Here 
is a login with the user steve2 requesting his (automounted) home folder:

]
Kerberos: TGS-REQ authtime: 2013-05-01T20:57:27 starttime: 
2013-05-01T20:57:27 endtime: 2013-05-02T06:57:27 renew till: 
2013-05-02T20:57:25
Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.21:58661 for 
krbtgt/hh3.s...@hh3.site

Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- ste...@hh3.site
Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.21:60993 for 
krbtgt/hh3.s...@hh3.site

Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
Kerberos: ENC-TS Pre-authentication succeeded -- ste...@hh3.site using 
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2013-05-01T20:58:08 starttime: unset endtime: 
2013-05-02T06:58:08 renew till: 2013-05-02T20:58:05
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using 
arcfour-hmac-md5/arcfour-hmac-md5

Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ CATRAL$@HH3.SITE from ipv4:192.168.1.21:45034 for 
cifs/h...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2013-05-01T20:57:27 starttime: 
2013-05-01T20:58:09 endtime: 2013-05-02T06:57:27 renew till: 
2013-05-02T20:57:25
Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.21:45264 for 
cifs/h...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2013-05-01T20:58:08 starttime: 
2013-05-01T20:58:10 endtime: 2013-05-02T06:58:08 renew till: 
2013-05-02T20:58:05


In particular, I notice that there are 2 requests to the fileserver, one 
from CATRAL$ (the machine key is in the keytab already) and one from 
steve2 who just got a ticket. Does this look OK? Do both the machine and 
the user need to prove themselves?


Any pointers as to where I could start to look otherwise?

To be fair, this only tends to happen when lots of people are logging in 
(it's a school where 20 kids will all log in at the same time e.g. at 
the start of class).

Cheers,
Steve
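
A small parser for KDC log lines in the format quoted in this post, as an added example that is not part of the original message: it lists which principal requested which service ticket and how old that principal's TGT was at the time, and it notes principals whose session used a non-AES enctype although the client offered AES (the "using arcfour-hmac-md5" line in the excerpt). The log is constructed with made-up principals, realm and addresses, and each entry is assumed to be on one unwrapped line.

```python
import re
from datetime import datetime

# Constructed KDC log in the format of the excerpt above; the principals,
# realm and addresses are made up.
SAMPLE_LOG = """\
Kerberos: AS-REQ user1@EXAMPLE.SITE from ipv4:192.0.2.21:58661 for krbtgt/EXAMPLE.SITE@EXAMPLE.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user1@EXAMPLE.SITE
Kerberos: AS-REQ user1@EXAMPLE.SITE from ipv4:192.0.2.21:60993 for krbtgt/EXAMPLE.SITE@EXAMPLE.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- user1@EXAMPLE.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2013-05-01T20:58:08 starttime: unset endtime: 2013-05-02T06:58:08 renew till: 2013-05-02T20:58:05
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: TGS-REQ HOST1$@EXAMPLE.SITE from ipv4:192.0.2.21:45034 for cifs/fs1@EXAMPLE.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2013-05-01T20:57:27 starttime: 2013-05-01T20:58:09 endtime: 2013-05-02T06:57:27 renew till: 2013-05-02T20:57:25
Kerberos: TGS-REQ user1@EXAMPLE.SITE from ipv4:192.0.2.21:45264 for cifs/fs1@EXAMPLE.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2013-05-01T20:58:08 starttime: 2013-05-01T20:58:10 endtime: 2013-05-02T06:58:08 renew till: 2013-05-02T20:58:05
"""

AES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
REQ = re.compile(r"Kerberos: (AS|TGS)-REQ (\S+) from \S+ for (\S+)")
TIMES = re.compile(r"Kerberos: TGS-REQ authtime: (\S+) starttime: (\S+)")
ENC = re.compile(r"Kerberos: Client supported enctypes: (.*), using ([^/\s]+)/")
FMT = "%Y-%m-%dT%H:%M:%S"


def analyse(log):
    """Return (service-ticket requests, principals given non-AES despite offering AES)."""
    tickets, weak_choice, last = [], set(), None
    for line in log.splitlines():
        if m := REQ.match(line):
            last = m.groups()  # (kind, client, service) of the current request
        elif last is None:
            continue
        elif (m := TIMES.match(line)) and last[0] == "TGS":
            auth, start = (datetime.strptime(t, FMT) for t in m.groups())
            # seconds between issue of the TGT and start of the service ticket
            tickets.append((last[1], last[2], int((start - auth).total_seconds())))
        elif m := ENC.match(line):
            offered = {e.strip() for e in m.group(1).split(",")}
            if m.group(2) not in AES and offered & AES:
                weak_choice.add(last[1])
    return tickets, weak_choice


if __name__ == "__main__":
    tickets, weak_choice = analyse(SAMPLE_LOG)
    for client, service, age in tickets:
        print(f"{client} -> {service} (TGT age {age}s)")
    print("non-AES session despite AES offered:", sorted(weak_choice))
```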



Re: [Samba] Samba4 does't run netlogon scripts and batch files

2013-05-01 Thread Varda Zklir
Anyway thanks for your assistance.

So I'm still wondering how to properly run executable files from samba shares 
without setting x-bit on file. Maybe other people have ideas?

I've set in [global] section:
nt acl support = no
dos filemode = yes

But no luck.

Thank You.  



Re: [Samba] AD client can't connect to share after winbind cache expires [Samba 3.4.12 on Gentoo]

2013-05-01 Thread Marc Muehlfeld

Hello Matej,


On 28.04.2013 20:47, M Z wrote:

...



wbinfo -u, wbinfo -g work (list all 30K AD users,groups) also getent
passwd, group work (list all local and AD users/groups)

 ...

So quick summary - I have to issue wbinfo -u to populate winbind cache to
be able to log in with AD account. After the cache expires, the AD accounts
can't log in anymore.

smb.conf:

 ...
 winbind enum users = yes
 winbind enum groups = yes



What happens if you turn these two off? If you have 30K AD users/groups, 
as you wrote, it needs some time to pull this information from your DC. 
Maybe this causes your problem.




Regards,
Marc




Re: [Samba] Replacing Win2000 DC with Samba4 - Success!

2013-05-01 Thread Andrew Bartlett
On Wed, 2013-05-01 at 14:42 +, Lukas Gradl wrote:
 Hi!
 
 Just wanted to share a little success story:
 
 We were asked to replace a Win2000 DC deployed by another company
 which isn't existing any more. As our focus is software development on
 linux we wanted to deploy a Samba-server instead of Windows.
 
 So after some trial and error and a lot of reading and asking (many  
 thanks to all that tried to help!) in mailing-lists and forums we  
 managed to do the migration in several steps:
 
 Samba4 is not able to migrate from Win2000 directly - we think this  
 problem is not sufficiently addressed in the docs and in the wiki. So  
 our first attempts to do so did not succeed.

Did you record the details of why this didn't work?

While I've expressed some hesitation at Windows 2000 support here
previously, the one exception to that is for this kind of migration. 

This has worked in the past - indeed, the script has a special case in
it to do a password change the way Windows 2000 will accept.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Replacing Win2000 DC with Samba4 - Success!

2013-05-01 Thread Andrew Bartlett
On Wed, 2013-05-01 at 08:21 -0700, Phil Quesinberry wrote:
 Samba4 is not able to migrate from Win2000 directly - we think this 
 problem is not sufficiently addressed in the docs and in the wiki. So 
 our first attempts to do so did not succeed. 
 
 I have to agree, this explains the problem we were having.  Apparently your
 research Kung Fu is better than mine, I was never able to turn up anything
 to show that this was the case so I was expecting it to work and had posted
 a question about it on the forum which no one was able to answer, presumably
 due to the lack of info mentioned above.

As I just said to Lukas, I would like to make this work.  Can you let me
know the details of what fails, it shouldn't be too hard to fix (unlike
NTP, which we can't fix). 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

