Re: [Samba] Samba 4 ADDC. Dynamic DNS updates from Windows clients.
On 13 May 2013 03:08, Zane Zakraisek doublez...@gmail.com wrote:

I then attempted to change the IP Address on the Win 8 client and re-ran ipconfig /registerdns. This time it did not update the DNS A record. #FacePalm.

This looks like bug 9559. Here's the link to the Bugzilla report.
https://bugzilla.samba.org/show_bug.cgi?id=9559
I'm not sure when it'll be addressed, but there's a few people (including me) that have the same issue. There's a few options available to get around this, but that's if you don't mind using BIND.

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Don't mind installing BIND at all. Thanks for clearing that up. If anyone reading has write access to the wiki it might be worth mentioning that dynamic DNS updates are broken in the internal DNS server at the moment though :-)

Does installing BIND as per the samba wiki work OK then, or is there anything else I need to be doing?

Thanks again,
Chris
Re: [Samba] Samba 4 ADDC. Dynamic DNS updates from Windows clients.
On 13/05/13 09:20, Chris Rowson wrote:

Don't mind installing BIND at all. Thanks for clearing that up. If anyone reading has write access to the wiki it might be worth mentioning that dynamic DNS updates are broken in the internal DNS server at the moment though :-)

Does installing BIND as per the samba wiki work OK then, or is there anything else I need to be doing?

Hi

Ah, this probably explains my nsupdate problem creating tsig errors against the internal server:
https://lists.samba.org/archive/samba/2013-May/173262.html
and why our Linux clients don't get A records when they join the domain:
https://lists.samba.org/archive/samba/2013-May/173214.html

I can confirm that switching to BIND solves both issues. It's easy to do so maybe try that and wait until the internal dns gets fixed?

HTH
Cheers,
Steve
Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
Check /usr/local/samba/var/log.samba for errors.

On my install, when I only had a comparable list of processes, it was due to bind running and already taking up port 53 in combination with internal dns being used (check for 'dns' on the 'server services' line in smb.conf), so there were errors in the logfile about not being able to set up some services, which seemed to have as a consequence that some instances died.

2013/5/12 Mārtiņš Gailītis martins.gaili...@outlook.com

Sorry, html formatting was enabled:

Right now I have an Ubuntu 12.04.2 LTS 64bit KVM machine running samba 4.0.0 (used as AD domain controller) that was built from source right after 4.0.0 stable was released. It's working pretty stable (a couple of times had to restart samba because the service just stopped working unexpectedly). Right now I see that there is a 4.0.5 version, that has to be more stable than 4.0.0. Tried to compile and install it, but with no luck :(

I read upgrading-samba4.txt before trying to upgrade.

    ./configure --enable-debug --enable-selftest
    make -j 4
    make install
    /usr/local/samba/bin/samba-tool dbcheck --fix (fixed huge amount of errors)

Started samba!

With compiling and installing everything goes pretty smooth, but after starting samba - there are only three instances in the process list and nothing's working (before there were I guess more than 10 samba -D instances):

    root 1275 1262 0 11:12 ? 00:00:00 /usr/local/samba/sbin/samba -D
    root 1269 1263 0 11:12 ? 00:00:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
    root 1279 1269 0 11:12 ? 00:00:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground

Is there some special instruction of how to upgrade samba4 from source?! As I said, read upgrading-samba4.txt before trying to upgrade.

Thanks in advance!
Martins

-- 
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven
[Samba] samba4 + kerberos + pam
Hi,

I have a problem with samba4 and PAM Kerberos Authentication. I can login to my machine using the domain user/password and manually create the Kerberos ticket (kinit). Now I want to automatically create a kerberos ticket on login.

As stated in the wiki (https://wiki.samba.org/index.php/PAM_Kerberos_Authentication) I need to create the config file in /etc/security/pam_winbind.conf with the corresponding settings.

    krb5_auth = yes
    krb5_ccache_type = FILE

I'm nearly sure that this file is used since I can set the debug option in there and it is used. When I login with a domain user /var/log/auth.log states success of kerberos and I have a shell, but no ticket is created.

I'm using a self compiled version of samba (4.0.5). Is this a bug in samba4 or am I missing something?

Thanks!
David
Re: [Samba] SSL certificate in SAMBA4 LDAP?
seems like interesting info for the wiki

Michael

2013/5/10 Tim Vangehugten timvangehug...@gmail.com

Today I have looked again at the SSL certs from samba and I got them to work with intermediate certificates.

If you want to do this you need to have the following:

    IntermediateCA.crt
    Yourdomain.crt
    Yourdomain.key
    and last your Global Root CA.pem (My intermediate CA is Alphassl so this was GlobalSign_root_CA.pem)

Now copy your IntermediateCA.crt to /usr/local/samba/private/tls/ca.pem and Yourdomain.key to /usr/local/samba/private/tls/key.pem

The part where it went wrong the first time was the cert.pem, but to make it work you have to do the following: create the file /usr/local/samba/private/tls/cert.pem and put at the beginning of the file the certificate from Yourdomain.crt followed by the certificate in the file IntermediateCA.crt and behind this you have to put your rootCA.pem and then save the file.

Your cert.pem will look like the following:

    -----BEGIN CERTIFICATE-----
    Certificate of Yourdomain.crt
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Certificate of IntermediateCA.crt
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Certificate of RootCA.crt in my case this was GlobalSign_root_CA.pem
    -----END CERTIFICATE-----

Restart samba and you now have your ldap running with a verified intermediate certificate.

Best Regards
Tim Vangehugten

2013/4/27 Michael Wood esiot...@gmail.com

On 27 April 2013 10:02, Tim Vangehugten timvangehug...@gmail.com wrote:

I already put them into /usr/local/samba/private/tls and samba had read them. I just get the error that my CA is untrusted though I got my certificate signed by an intermediate CA. So probably it's somewhere my fault and not related to samba :)

OK, not sure how it works with intermediate CAs. Maybe you need to have both root and intermediate CA certs in ca.pem, but I haven't tried it.

2013/4/26 Michael Wood esiot...@gmail.com

On 25 April 2013 15:38, Tim Vangehugten timvangehug...@gmail.com wrote:

Hello,

Is it possible to load my signed certificate into samba4 ldap so the samba4 ldap would use it if a client connects to it? And if so, could someone provide me with the details on how to do this or point me in the right direction?

Yes. Make sure you have the GnuTLS development libraries installed before compiling Samba. Then put your CA cert, cert and key in /usr/local/samba/private/tls. They should be named ca.pem, cert.pem and key.pem. I think you'll also need a DH params file.

-- 
Michael Wood esiot...@gmail.com

-- 
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven
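The cert.pem ordering described in this thread (server certificate first, then the intermediate, then the root) can be checked before restarting Samba. The following is an added example, not part of any poster's message and not Samba code: it compares each certificate's issuer name with the subject name of the next one in the file. It checks name chaining only, not signatures or validity dates; the function names are hypothetical and the sample certificates are constructed DER skeletons with empty keys and signatures.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) as raw DER Name bytes of one X.509 certificate."""
    _, p, _ = _tlv(der, 0)                  # enter Certificate
    _, p, _ = _tlv(der, p)                  # enter tbsCertificate
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] version
        p = end
        _, _, end = _tlv(der, p)
    p = end                                 # past serialNumber
    _, _, p = _tlv(der, p)                  # past signature algorithm
    _, _, issuer_end = _tlv(der, p)
    issuer = der[p:issuer_end]
    _, _, p = _tlv(der, issuer_end)         # past validity
    _, _, subject_end = _tlv(der, p)
    return der[p:subject_end], issuer

def load_pem(pem_text):
    """Decode every CERTIFICATE block of a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]

def check_chain(pem_text):
    """Return a list of ordering problems; an empty list means leaf -> ... -> root."""
    certs = load_pem(pem_text)
    if not certs:
        return ["no certificates found"]
    try:
        parsed = [names(der) for der in certs]
    except (IndexError, ValueError):
        return ["a certificate block is not parseable DER"]
    problems = []
    for i in range(len(parsed) - 1):
        if parsed[i][1] != parsed[i + 1][0]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if len(parsed) > 1 and parsed[0][0] == parsed[0][1]:
        problems.append("first certificate is self-signed; the server certificate must come first")
    return problems

# --- constructed sample input: structural skeletons, not usable certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def _name(cn):
    """Name with a single commonName attribute (OID 2.5.4.3)."""
    atv = _der(0x30, bytes([0x06, 0x03, 0x55, 0x04, 0x03]) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def toy_cert_pem(subject_cn, issuer_cn):
    empty = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty
               + _name(issuer_cn) + empty + _name(subject_cn) + empty)
    cert = _der(0x30, tbs + empty + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")

LEAF = toy_cert_pem("dc1.example.test", "Constructed Intermediate CA")
INTERMEDIATE = toy_cert_pem("Constructed Intermediate CA", "Constructed Root CA")
ROOT = toy_cert_pem("Constructed Root CA", "Constructed Root CA")

if __name__ == "__main__":
    print("thread's order :", check_chain(LEAF + INTERMEDIATE + ROOT))
    print("swapped order  :", check_chain(INTERMEDIATE + LEAF + ROOT))
```
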
[Samba] ZFS on Linux + ACLs
Hello,

Does anyone test ZFS on Linux and ACLs? I can't set up POSIX ACLs and any extended even using acl_xattr or acl_tdb.

Is there any way to use ACLs with ZFS on Linux (Samba 3 or 4)?

Best regards
/Adrian Berlin
Re: [Samba] Sudden authentication failures, hex dumps in log.samba
On 10.5.2013 16:32, Pekka L.J. Jalkanen wrote:

On 10.5.2013 14:04, Pekka L.J. Jalkanen wrote:

Question: how much more verbosity for log.samba would be needed to further investigate this problem? I'd rather not log everything with -d10 for extended periods of time, because I really can't know how long it will take for the problem to reappear. I've now increased logging from the default level to -d3.

-d3 logging pays off:

    [2013/05/10 14:31:06, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Client no longer in database: someu...@mydomain.site
    [2013/05/10 14:31:06, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: Failed building TGS-REP to ipv4:10.10.59.151:4736
    [2013/05/10 14:31:06, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: TGS-REQ someu...@mydomain.site from ipv4:10.10.59.151:4737 for cifs/w2k3r2dc.mydomain.s...@mydomain.site [renewable, forwardable]
    [2013/05/10 14:31:06, 1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
      ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)

Client is Windows XP. I've yet to see this problem on newer clients... this and the other one that previously failed are the last two XP clients here that still remain in heavy production use.

Somewhat similar error occurred with a Windows 7 machine. But note that for some reason only the short domain name was used in reference to the realm:

    [2013/05/13 08:04:53, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: AS-REQ otheruser@MYDOMAIN from ipv4:10.10.59.148:58027 for krbtgt/MYDOMAIN@MYDOMAIN
    [2013/05/13 08:04:53, 1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
      ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
    [2013/05/13 08:04:53, 0] ../lib/util/util.c:457(dump_data)
      [] 00 00 00 00 62 00 00 00 00 00 00 00 20 00 20 00 b... . .
      [0010] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00. . . . . . . .
      [0020] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00. . . . . . . .
      [0030] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00. . . . . . . .
      [0040] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00. . . . . . . .
      [0050] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00. . . . . . . .
      [0060] 20 00 20 00 20 00 20 00 20 00 20 00 50 00 00 . . . . . .P..
    [2013/05/13 08:04:53, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
      Kerberos: UNKNOWN -- otheruser@MYDOMAIN: no such entry found in hdb

What is also common with this client and the other that previously failed is that they both have once been migrated from a different domain (that no longer exists) using MS ADMT. This also applies to the users' accounts that were used. Don't know if that really matters, but just for the record.

Also the Windows 7 client was once migrated this way.

Both the second case and the third case were also different from the first one in the way that the users had no problems logging on. However, even though they said to me that they had had no authentication problems, I still think that they just haven't noticed, as I found the following from the event log of the second client:

-
    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40960
    Date: 10.5.2013
    Time: 13:52:42
    User: N/A
    Computer: XPWKSTN2
    Description: The Security System detected an attempted downgrade attack for server LDAP/samba4dc.mydomain.site. The failure code from authentication protocol Kerberos was Insufficient system resources exist to complete the API. (0xc09a).

    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40961
    Date: 10.5.2013
    Time: 13:52:42
    User: N/A
    Computer: XPWKSTN2
    Description: The Security System could not establish a secured connection with the server LDAP/samba4dc.mydomain.site. No authentication protocol was available.

    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40960
    Date: 10.5.2013
    Time: 14:31:05
    User: N/A
    Computer: XPWKSTN2
    Description: The Security System detected an attempted downgrade attack for server cifs/w2k3r2dc.mydomain.site. The failure code from authentication protocol Kerberos was Insufficient system resources exist to complete the API. (0xc09a).

    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40961
    Date: 10.5.2013
    Time: 14:31:06
    User: N/A
    Computer: XPWKSTN2
    Description: The Security System could not establish a secured connection with the server cifs/w2k3r2dc.mydomain.site. No authentication protocol was available.
-

All this is really odd, though, as these machines have been part of the domain
[Samba] samba 3 - smb2 cpu usage
Hi all,

At the moment we are running Debian squeeze with stock samba 3.5.6. and are testing some new samba installations from ubuntu 12.04, centos 6.4 and debian wheezy. All running in a VM on a XenServer.

The samba servers are members of a 2008R2 domain; using smb1 protocol all are running fine and we get a constant 90MB/s (big file transfer) on our 1GB network.

We would like to enable smb2 protocol for performance reasons, but when we do enable SMB2 (max protocol = SMB2) file transfer speed drops to 50-60MB/s (one big file) instead of the 80-90MB/s we used to get before. We noticed when this happens the cpu is at its max instead of 60-70% when using smb1. iostat doesn't show any serious load and our raid 10 setup isn't experiencing any difficulties. Using the packages (3.6.13) from EnterpriseSamba we get similar results.

Is it known that enabling smb2 requires a faster cpu and our cpu is simply not powerful enough, or is there another problem which we should look into? (Or should we just stick to smb1, because smb2 isn't worth the trouble?)

Some hardware specs:

    IBM 3650 M3 - Xeon 2.13Ghz 4 cores (2 cores per VM)
    4GB RAM (per VM)
    Smartraid 5015 + bbu (4 sas disks / raid10)
    1 GB network.
    HP Z400 workstation + Windows 7

mount options:

    /dev/mapper/vg-logical_volume on /data type ext4 (rw,nodiratime,relatime,acl,data=ordered,barrier=0,grpquota,errors=remount-ro)

smb.conf:

    [global]
    workgroup = OURDOMAIN
    realm = OURDOMAIN.EU
    server string = %h server
    security = ADS
    log file = /var/log/samba/log.%m
    max log size = 1000
    max protocol = SMB2
    client signing = required
    server signing = required
    load printers = No
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    idmap config OURDOMAIN:range = 2 - 4
    idmap config OURDOMAIN:backend = rid
    idmap config * : range = 2000-2999
    idmap config * : backend = tdb
    hide unreadable = Yes

    [data1]
    path = /data/data1
    read only = No
    inherit permissions = Yes
    inherit acls = Yes

Thanks,
Danny
Re: [Samba] ZFS on Linux + ACLs
Yep, I read it before. Maybe is any other way?

- Original Message -
From: Edward Ashley
To: Adrian Berlin
Cc: samba@lists.samba.org
Subject: Re: [Samba] ZFS on Linux + ACLs
Date: Mon, 13 May 2013 12:31:54 +0100

https://github.com/zfsonlinux/zfs/issues/170

On 13 May 2013 12:12, Adrian Berlin g...@rock.com wrote:

Hello,

Does anyone test ZFS on Linux and ACLs? I can't setup POSIX ACLs and any extended even using acl_xattr or acl_tdb.

Is any way to use ACLs with ZFS on Linux (Samba 3 or 4)?

Best regards
/Adrian Berlin

-- 
Edward Ashley
Developer
e. n...@redmonkeysoftware.com
u. www.redmonkeysoftware.com
t. 0845 867 3849
f. 0845 867 4127
Red Monkey Software | Superior Software Solutions
Red Monkey Software Ltd, 24 The Layne, Elmer Sands, Bognor Regis, West Sussex. PO22 6JL
Registered in England and Wales no 5923420
Registered Office: 20 Springfield Road, Crawley, West Sussex, RH11 8AD
Re: [Samba] ZFS on Linux + ACLs
https://github.com/zfsonlinux/zfs/issues/170

On 13 May 2013 12:12, Adrian Berlin g...@rock.com wrote:

Hello,

Does anyone test ZFS on Linux and ACLs? I can't setup POSIX ACLs and any extended even using acl_xattr or acl_tdb.

Is any way to use ACLs with ZFS on Linux (Samba 3 or 4)?

Best regards
/Adrian Berlin

-- 
Edward Ashley
Developer
e. n...@redmonkeysoftware.com
u. www.redmonkeysoftware.com
t. 0845 867 3849
f. 0845 867 4127
Red Monkey Software | Superior Software Solutions
Red Monkey Software Ltd, 24 The Layne, Elmer Sands, Bognor Regis, West Sussex. PO22 6JL
Registered in England and Wales no 5923420
Registered Office: 20 Springfield Road, Crawley, West Sussex, RH11 8AD
[Samba] Samba fsmo/demote/unjoin trouble after crash
Hi all,

I've got an initial setup on DC1 (4.0.1)... all working good and flawless.

Added additional geographically distributed controllers (DC2, DC3, DC4, DC5) with 4.0.5 - no problem. All PCs can connect to their own site/DC.

Transferred all FSMOs to DC2 - transferred successfully (with seize error bug).

DC1 crashed badly during maintenance, SAMBA was updated to 4.0.5, data restored from backup.

Now, the problem is:

1) DC1 sees itself as owner of all FSMOs, although DC[2,3,4,5] see DC2 as owner of FSMOs
3) DC1 is missing some users (created between backup and crash), wbinfo for these users returns E_DOMAIN_NOT_FOUND
4) Got decrypt integrity check failed errors, fixed with chtdcpass, which not results to Failed to find HOST$#DOMAIN(kvno) (client reboot seems to fix this)
4) any attempt to replicate missing information from DC2/DC3 to DC1 (samba-tool drs replicate) results in errors after it (cannot find own NTDS)
5) impossible to demote / unjoin server and provision from scratch - some DRS errors

Question is: how can I change the FSMO owner (ldbedit ?) on DC1 to be DC2 and then:

a) replicate missing users (and computer trust accounts) to DC1
b) force removing DC1 from domain for good (reinstall from scratch)

Recreating the domain as a whole from scratch is sadly *not* an option :(
Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
Hi!

Thanks for a tip! I'm using bind9 for dns functionality and defined it during the provisioning process.

Here is my smb.conf and part of log file from working 4.0.0 installation.

    [global]
    workgroup = domain
    realm = domain.local
    netbios name = AD
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
    acl:search = false
    dns forwarder = 192.168.1.1
    dns forwarder = 8.8.8.8
    printcap name = /dev/null
    load printers = no
    eventlog list = Application System Security SyslogLinux

/usr/local/samba/var/log.samba writes:

    [2013/05/13 01:00:06, 0] ../source4/smbd/server.c:475(binary_smbd_main)
      samba: using 'standard' process model
    [2013/05/13 01:00:06, 0] ../source4/smbd/service_stream.c:342(stream_setup_socket)
      Failed to listen on 0.0.0.0:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
    [2013/05/13 01:00:06, 0] ../source4/dns_server/dns_server.c:616(dns_add_socket)
      Failed to bind to 0.0.0.0:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
    [2013/05/13 01:00:06, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
      task_server_terminate: [dns failed to setup interfaces]

Is samba internal DNS trying to start as well?!

regards,
Martins

Date: Mon, 13 May 2013 11:21:56 +0200
Subject: Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
From: i...@sint-pietersschool.be
To: martins.gaili...@outlook.com
CC: samba@lists.samba.org

Check /usr/local/samba/var/log.samba for errors.
Re: [Samba] win 7 client can't map drive: getpeername failed
Hi,

all XP clients work fine. As do most win 7 clients. Just a handful of win7 clients have this issue.

We only have one Microsoft server: 2008 R2, it does not have the WINS server feature installed.

The qnap box is called saturn and is a member of the domain.

telnet saturn 139 results in blank screen, blinking cursor so port open I guess.

NAS uses our Microsoft server for its DNS and registers itself in DNS.

Also on the NAS I have:

    Enable WINS server NOT checked
    Local master browser checked
    Allow only NTLMv2 authentication NOT checked

DNS has a reverse lookup zone with a PTR record for client.

This is my first foray into samba so I'm not familiar with the config file structure but here is the global section:

    [global]
    log level = 3
    passdb backend = smbpasswd
    workgroup = OUR_DOMAIN
    security = ADS
    server string =
    encrypt passwords = Yes
    username level = 0
    map to guest = Bad User
    null passwords = yes
    max log size = 50
    socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=262144 SO_RCVBUF=131072
    os level = 20
    preferred master = no
    dns proxy = No
    smb passwd file=/etc/config/smbpasswd
    username map = /etc/config/smbusers
    guest account = guest
    directory mask = 0777
    create mask = 0777
    oplocks = yes
    locking = yes
    disable spoolss = yes
    load printers = no
    display charset = UTF8
    force directory security mode =
    veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
    delete veto files = yes
    map archive = no
    map system = no
    map hidden = no
    map read only = no
    deadtime = 10
    use sendfile = yes
    unix extensions = no
    store dos attributes = yes
    client ntlmv2 auth = yes
    dos filetime resolution = no
    inherit acls = yes
    wide links = yes
    force unknown acl user = yes
    template homedir = /share/homes/DOMAIN=%D/%U
    domain logons = no
    min receivefile size = 4096
    case sensitive = auto
    domain master = auto
    local master = yes
    enhance acl v1 = yes
    remove everyone = yes
    kernel oplocks = no
    mangled names = no
    realm = OUR_DOMAIN.local
    password server = SERVER.OUR_DOMAIN.local
    pam password change = yes
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 3600
    idmap uid = 41-50
    idmap gid = 41-50
    idmap config OUR_DOMAIN : backend = rid
    idmap config OUR_DOMAIN : range = 1001-2000
    wins support = no
    name resolve order = host bcast

On 10 May 2013 16:19, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

Are XP clients having the same problem? Trying with an XP client would help indicate if there was something specific to XP. (I skipped vista.)

Can you check in smb.conf

- is the server a member server, AD member server, standalone server, or domain controller.
- Are ports explicitly defined
- how is name resolution configured?
- is NTLMv2 required (I couldn't get NTLMv2 support working.)

Domain membership shouldn't matter at this point since you aren't even getting to the authentication phase.

Can you telnet port 139 to make sure it is open?

Do you have a WINS server defined? If so make sure client and NAS are using the same WINS server. Is your NAS configured to use a DNS server? Do you have a reverse lookup zone defined in DNS? The NAS may be trying to do a reverse lookup on the IP of the client. There doesn't need to be a PTR entry for the client but you at least want the zone. If DNS tries to lookup an IP and gets an immediate host not found that is OK. If it times out because it can't even locate a DNS server then that could cause problems for other services dependent on DNS.

On 05/10/13 10:58, Ed Strong wrote:

Hi,

Thanks for the info, I'm replying to you in gmail to samba@lists.samba.org, hope that is correct?

Yes I can edit the config file on the NAS.

Looking at the network packets all communication to NAS seems to be on port microsoft-ds (445). I can't see any traffic on ports 137/138/139.

If I use the IP I get exactly the same error :(

On 10 May 2013 15:01, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

I think the Error was Transport endpoint is not connected warnings are sometimes misleading.

Do you have any control over the samba config (smb.conf) on the NAS? On regular samba installs, changing the default port settings can cause more problems. Windows 7 will try to connect on port 445 (SMB or CIFS over tcp/ip), and will then reconnect to ports 137/138/139 (SMB over netbios over tcp/ip) since samba 3.x doesn't handle the newer SMB-over-tcp/ip. Disabling 445 on the server seems to cause more problems than it solves.

Are you able to connect via IP? e.g. net use \\qnap_ip\share ?

I had problems in the past when I disabled port 445 on samba servers. Remote users (no netbios broadcasts permitted) could connect via IP but not via name. For
Re: [Samba] samba 3 - smb2 cpu usage
On Mon, May 13, 2013 at 12:52:56PM +0200, Danny wrote:

Hi all,

At the moment we are running Debian squeeze with stock samba 3.5.6. and are testing some new samba installations from ubuntu 12.04, centos 6.4 and debian wheezy. All running in a VM on a XenServer.

The samba servers are members of a 2008R2 domain; using smb1 protocol all are running fine and we get a constant 90MB/s (big file transfer) on our 1GB network.

We would like to enable smb2 protocol for performance reasons, but when we do enable SMB2 (max protocol = SMB2) file transfer speed drops to 50-60MB/s (one big file) instead of the 80-90MB/s we used to get before. We noticed when this happens the cpu is at its max instead of 60-70% when using smb1. iostat doesn't show any serious load and our raid 10 setup isn't experiencing any difficulties. Using the packages (3.6.13) from EnterpriseSamba we get similar results.

Is it known that enabling smb2 requires a faster cpu and our cpu is simply not powerful enough, or is there another problem which we should look into? (Or should we just stick to smb1, because smb2 isn't worth the trouble?)

You should definitely use SMB2. The higher CPU is surprising. You should be able to max out a 1GB network with SMB2 easily. Does Debian support the perf utility to find out what the process does?

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
On 13.05.2013 11:21, Michael De Groote wrote:

(check for 'dns' on the 'server services' line in smb.conf,) so there were errors in the logfile about not being able to setup some services, which seemed to have as consequence that some instances died

On 13.05.2013 14:24, Mārtiņš Gailītis wrote:

Here is my smb.conf and part of log file from working 4.0.0 installation.

    [global]
    ...
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Is samba internal DNS trying to start as well?!

Let's see... Yes. ;)

Try to start without DNS. You just have to remove the last two entries from your server services. It should look like this:

    [global]
    ...
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
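The port 53 clash diagnosed in this thread can be detected from the two artefacts the posters exchanged. The following is an added example, not part of any poster's message and not Samba code: it reads the [global] `server services` value from smb.conf text and scans log.samba text for the bind failure quoted above. The function names are hypothetical, the sample inputs are constructed from the thread's excerpts, and the baseline service list used for `-name`/`+name` modifiers is assumed to be the list quoted in the thread.

```python
import re

# Constructed sample inputs, modelled on the smb.conf and log.samba excerpts in this thread.
SAMPLE_CONF = """\
[global]
    workgroup = domain
    realm = domain.local
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
    dns forwarder = 192.168.1.1
"""
SAMPLE_LOG = """\
[2013/05/13 01:00:06,  0] ../source4/smbd/service_stream.c:342(stream_setup_socket)
  Failed to listen on 0.0.0.0:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/05/13 01:00:06,  0] ../source4/dns_server/dns_server.c:616(dns_add_socket)
  Failed to bind to 0.0.0.0:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
[2013/05/13 01:00:06,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [dns failed to setup interfaces]
"""

# Assumption: when smb.conf gives no explicit list, the services are the ones
# quoted in the thread; "+name" / "-name" entries modify this baseline.
BASELINE = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc", "drepl",
            "winbind", "ntp_signd", "kcc", "dnsupdate", "dns"]

BIND_FAILURE = re.compile(
    r"Failed to (?:listen on|bind to) (\S+):(\d+)\b.*NT_STATUS_ADDRESS_ALREADY_ASSOCIATED")

def global_params(conf_text):
    """Return the [global] parameters; names are lower-cased with whitespace removed,
    because smb.conf ignores case and whitespace in parameter names."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def server_services(conf_text):
    """Return the effective 'server services' list for this smb.conf text."""
    value = global_params(conf_text).get("serverservices")
    if value is None:
        return list(BASELINE)
    items = [item for item in re.split(r"[,\s]+", value) if item]
    if items and all(item[0] in "+-" for item in items):
        services = list(BASELINE)
        for item in items:
            name = item[1:]
            if item[0] == "-":
                services = [s for s in services if s != name]
            elif name not in services:
                services.append(name)
        return services
    return items

def bind_failures(log_text):
    """Return the sorted (address, port) pairs that samba reported as already in use."""
    return sorted({(m.group(1), int(m.group(2))) for m in BIND_FAILURE.finditer(log_text)})

def diagnose(conf_text, log_text):
    """Combine both views: is the internal DNS enabled, and did it lose the race for port 53?"""
    dns_enabled = "dns" in server_services(conf_text)
    failures = bind_failures(log_text)
    clash = dns_enabled and any(port == 53 for _, port in failures)
    return {"internal_dns": dns_enabled, "bind_failures": failures, "port53_clash": clash}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_LOG))
```
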
Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
Thnx, wuala :) There is no error restarting samba 4.0.0 after removing last entry dns of line server services. Do I have to remove dnsupdate from config as well if I'm using bind for DNS purposes?! Will try to upgrade and see if everything starts as smooth as it does now!

Date: Mon, 13 May 2013 14:57:48 +0200
From: benischind...@gmx.de
To: samba@lists.samba.org
Subject: Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source

On 13.05.2013 11:21, Michael De Groote wrote:

(check for 'dns' on the 'server services' line in smb.conf,) so there were errors in the logfile about not being able to setup some services, which seemed to have as consequence that some instances died

On 13.05.2013 14:24, Mārtiņš Gailītis wrote:

Here is my smb.conf and part of log file from working 4.0.0 installation.

[global]
...
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Is samba internal DNS trying to start as well?! Let's see... Yes. ;) Try to start without DNS. You just have to remove the last two entries from your server services. It should look like this:

[global]
...
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
[Samba] Winbind failover timeout?
I've got no answers, but I realised that I had picked up a rather poor title, so here's a better one, combined with a more concise summary of my earlier babbling...

Are there any smb.conf settings that control (Samba 3) Winbind's DC failover timeout when security = ADS?

I do realise that there is a setting called ldap connection timeout, but I assume it is only related to situations where domain logons have been turned on and ldapsam is being utilised as a password backend. Is this correct?

In case such settings do not exist, can anyone please explain to me the way that Winbind actually handles these failover situations internally? How transparent should the failover process be in practice? Any experiences?

Thanks,
Pekka L.J. Jalkanen

On 10.5.2013 21:14, Pekka L.J. Jalkanen wrote:

Hello all,

I've a box running Samba 3.5.6 (Debian Squeeze) that retrieves its user accounts from AD, using Winbind. The box is receiving incoming mail. Idmap backend is AD, with rfc2307 schema mode.

Currently it's only accessing one AD DC, and the MTA on the Samba box is stopped whenever the DC is temporarily offline to prevent rejection of any incoming mail with user unknown status. However, I'd like to add another DC to the mix, but I'm concerned that mail could get rejected if the active DC suddenly goes offline and winbind doesn't switch to another DC promptly enough.

Consider the following scenario:

1. There is an AD account foo. The account hasn't been used for some time, and it's thus not in winbind's cache. It's possibly not even in Winbind's idmap cache.
2. There are two AD DCs, A and B.
3. Samba member server C runs Winbind and is currently using the DC A.
4. Hardware fails and the DC A suddenly drops offline.
5. Just a few seconds later an e-mail is arriving for foo. The MTA tries to check for the user.
6. As Winbind is not yet aware of the unavailability of the DC A, it tries to contact it.

A. Now, in the ideal world this would continue as follows:

7. Winbind can't contact the DC A anymore, so it promptly contacts the DC B.
8. The DC B confirms the existence of foo.
9. The MTA delivers mail for foo.

B. However, I'm afraid that in the real world, the following could result:

7. Winbind frantically tries to contact the DC A, but times out and can't confirm the existence of foo. It tells the MTA that there's no account.
8. The MTA replies to the sender with a 550 5.1.1 f...@my.site... User unknown error.
9. After the timeout Winbind finally manages to switch to the DC B, but the sender has already got the delivery failure message and now thinks that the address f...@my.site is no longer valid.

I tried to look at the documentation, but didn't find any recommendations regarding winbind cache settings in situations where availability is critical. Is it recommended to just disable all Winbind caching entirely? Or do just the opposite and try to cache as much as ever possible? What are the practical effects of winbind cache time and idmap cache time smb.conf options in this situation? Also, are the caches for all accounts replenished every time the cache of any account expires, or on a per-account basis? And do the idmap cache times even work in a predictable way with this old Samba, where bug 8658 is still unfixed? Or should I just try to upgrade as soon as possible?

I built a test box similar to the actual box receiving mail (Winbind cache time was the default (300 seconds) and idmap cache time was set to 86,400 seconds (one day)) and flooded it with messages while at the same time switching connections to the DCs back and forth. And sure enough, I did get some delivery errors due to Winbind unavailability, if the account receiving the mail hadn't been queried after the last winbind restart and before the DC went offline. So the likelihood of the scenario 'B' feels all too great. Any recommendations for avoiding it?

Pekka L.J. Jalkanen
Re: [Samba] samba-tool of delegation of permissions
On 13.05.2013 14:53, daniel gonzalez wrote:

For doing it with ADUC, see here: http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions

Hello Marc, with ADUC don't work computers xp, only 7.

It is working fine here for XP and Win7 in production and my test environment. The HowTo is from me. So I know, it's working :-)

Have you read the 'Known issues/limitations' on that page (http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Known_issues.2Flimitations)? You still need 'acl:search=false' in your smb.conf, even if you run the latest version.

If it still doesn't work, then please give some more information (error messages, steps you did, well-known-ACLs reset, etc.). Maybe we can find out then, what is different in your environment to mine.

Regards,
Marc
[Samba] DNS Problems with Samba4.0.5
Hi all,

Here's my problem: after installing and setting up samba 4 on a Ubuntu server 13.04, everything is ok: samba is working, I can connect; kerberos is ok also.

BUT !!! I have a problem with dns forwarding.

Here's my settings:

in samba domain provision, i select 10.10.70.10 (i.e. my samba server) as dns forwarder (we have a firewall, but it's not set as DNS forwarder)

I change the resolv.conf file to the following:

search XX.X ; domain XX.X ; nameserver 10.10.70.10 ; nameserver 8.8.8.8

What am I doing wrong...? I think it's just a small issue, but can't find it.

Thanks,
Thierry
Re: [Samba] DNS Problems with Samba4.0.5
Hello Thierry,

On 13.05.2013 16:22, Thierry Gonon wrote:

I have a problem with dns forwarding.

Here's my settings:

in samba domain provision, i select 10.10.70.10 (i.e. my samba server) as dns forwarder (we have a firewall, but it's not set as DNS forwarder)

I change the resolv.conf file to the following:

search XX.X ; domain XX.X ; nameserver 10.10.70.10 ; nameserver 8.8.8.8

What am I doing wrong...? I think it's just a small issue, but can't find it.

Do I understand your problem right: You set your samba host as forwarder? Then this is the issue.

Set 'dns forwarder = 8.8.8.8' in your smb.conf (+ restart) and put 'nameserver 10.10.70.10' in your /etc/resolv.conf.

'dns forwarder' lists the DNS servers where requests are sent to that the samba server can't answer from its own zones.

Regards,
Marc
Re: [Samba] win 7 client can't map drive: getpeername failed
That suggests either a configuration difference with some of the win 7 machines or a difference with some of the AD accounts for the machines.

On the NAS, does the getent passwd command display user and machine accounts? Is it maybe showing only some machine accounts and not others? It might be possible that samba has been unable to account an idmap entry for newer machines. Although I would think this would affect authentication issues, not connection issues. I have found idmapping to be one of the less reliable functions in samba.

Are all the Win 7 machines configured with identical network settings (apart from the IP address itself of course)? This should be the case if you use DHCP.

Are there any security settings on the problem Win 7 machines that are different? If you use gpedit.msc - computer - security settings, you may want to review things like NTLMv2 settings.

Are all the machine accounts in the same AD container?

If this is all AD, then you should not need to use WINS. Although it may also help resolve confusion about which machine is the local master browser. Which shouldn't really matter either. I use samba 3.x as a non-AD PDC so the WINS and browser stuff is more important.

If the Microsoft server is the AD PDC it may expect to be the local master browser. I think there can only be one local master browser per subnet. And if you look thru the nmbd logs (?) on the NAS as well as the logs on the Win 2008 server, you may see results of a browser election.

The testparm -v will show you all the config settings, including those set by default even if not explicitly set in smb.conf

On 05/13/13 08:44, Ed Strong wrote:

Hi, all XP clients work fine. As do most win 7 clients. Just a handful of win7 clients have this issue.

We only have one Microsoft server: 2008 R2, it does not have the WINS server feature installed.

The qnap box is called saturn and is a member of the domain

telnet saturn 139 results in blank screen, blinking cursor so port open I guess.

NAS uses our Microsoft server for its DNS and registers itself in DNS

Also on the NAS I have:

Enable WINS server NOT checked
Local master browser checked
Allow only NTLMv2 authentication NOT checked

DNS has a reverse lookup zone with a PTR record for client

This is my foray into samba so I'm not familiar with the config file structure but here is the global section:

[global]
log level = 3
passdb backend = smbpasswd
workgroup = OUR_DOMAIN
security = ADS
server string =
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 50
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=262144 SO_RCVBUF=131072
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = yes
load printers = no
display charset = UTF8
force directory security mode =
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
inherit acls = yes
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
domain logons = no
min receivefile size = 4096
case sensitive = auto
domain master = auto
local master = yes
enhance acl v1 = yes
remove everyone = yes
kernel oplocks = no
mangled names = no
realm = OUR_DOMAIN.local
password server = SERVER.OUR_DOMAIN.local
pam password change = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 3600
idmap uid = 41-50
idmap gid = 41-50
idmap config OUR_DOMAIN : backend = rid
idmap config OUR_DOMAIN : range = 1001-2000
wins support = no
name resolve order = host bcast

On 10 May 2013 16:19, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

Are XP clients having the same problem? Trying with an XP client would help indicate if there was something specific to XP. (I skipped vista.)

Can you check in smb.conf
- is the server a member server, AD member server, standalone server, or domain controller.
- Are ports explicitly defined
- how is name resolution configured?
- is NTLMv2 required (I couldn't get NTLMv2 support working.)

Domain membership shouldn't matter at this point since you aren't even getting to the authentication phase.

Can you telnet port 139 to make sure it is open? Do you have a WINS server
Re: [Samba] samba 3 - smb2 cpu usage
On 13-5-2013 14:57, Volker Lendecke wrote:

On Mon, May 13, 2013 at 12:52:56PM +0200, Danny wrote:

Hi all,

At the moment we are running Debian squeeze with stock samba 3.5.6 and are testing some new samba installations from ubuntu 12.04, centos 6.4 and debian wheezy. All running in a VM on a XenServer. The samba servers are members of a 2008R2 domain; using smb1 protocol all are running fine and we get a constant 90MB/s (big file transfer) on our 1GB network.

We would like to enable smb2 protocol for performance reasons, but when we do enable SMB2 (max protocol = SMB2) file transfer speed drops to 50-60MB/s (one big file) instead of the 80-90MB/s we used to get before. We noticed when this happens the cpu is at its max instead of 60-70% when using smb1. iostat doesn't show any serious load and our raid 10 setup isn't experiencing any difficulties. Using the packages (3.6.13) from EnterpriseSamba we get similar results.

Is it known that enabling smb2 requires a faster cpu and our cpu is simply not powerful enough, or is there another problem which we should look into? (Or should we just stick to smb1, because smb2 isn't worth the trouble?)

You should definitely use SMB2. The higher CPU is surprising. You should be able to max out a 1GB network with SMB2 easily. Does Debian support the perf utility to find out what the process does?

Volker

Thanks for replying.

'perf top' smb2 enabled shows:

Events: 33K cycles
53.07%  [kernel]        [k] hypercall_page
36.33%  smbd            [.] SHA256_Update
 1.99%  [kernel]        [k] copy_user_generic_string
 1.23%  libc-2.13.so    [.] 0x793e1
 1.10%  [xen_netfront]  [k] xennet_poll
/cut

'perf top' smb2 disabled shows:

Events: 16K cycles
72.59%  [kernel]        [k] hypercall_page
12.04%  smbd            [.] 0x40a5ee
 1.86%  [kernel]        [k] copy_user_generic_string
 1.37%  [xen_netfront]  [k] xennet_poll
 0.56%  libc-2.13.so    [.] 0x89283
 0.35%  [kernel]        [k] xen_restore_fl_direct
 0.35%  [kernel]        [k] pvclock_clocksource_read

Looking at the above, disabling client and server signing gives me (in a quick test) back my performance. But now I'm prone to man in middle attacks? and if we run into other interoperabilities. (e.g. Windows clients/servers)?

Danny
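The trade-off raised in the message above, as an added example (not code from the thread or from Samba): in the SMB 2.0.2/2.1 dialects a signed message carries the first 16 bytes of an HMAC-SHA256 computed over the entire packet with the session key, which is why SHA256_Update scales with every byte transferred, and the same check is what lets a receiver reject a packet altered in transit. The session key, IDs, payload and function names are constructed for illustration, and the body is opaque filler rather than a full WRITE request.

```python
"""SMB2 signing for the SMB 2.0.2 / 2.1 dialects (MS-SMB2 3.1.4.1), illustration only."""
import hashlib
import hmac
import struct
import time

SMB2_MAGIC = b"\xfeSMB"
HDR_LEN = 64
FLAGS_OFF = 16              # Flags: 4 bytes, little-endian
SIG_OFF, SIG_LEN = 48, 16   # Signature: last 16 bytes of the header
SMB2_FLAGS_SIGNED = 0x00000008
SMB2_WRITE = 0x0009


def build_packet(command, message_id, session_id, tree_id, body):
    """Pack an unsigned 64-byte synchronous SMB2 header and append the body."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, HDR_LEN,   # ProtocolId, StructureSize
        1,                     # CreditCharge
        0,                     # Status / ChannelSequence
        command,
        1,                     # CreditRequest
        0,                     # Flags (SIGNED bit set later by sign())
        0,                     # NextCommand
        message_id,
        0,                     # Reserved
        tree_id,
        session_id,
        bytes(SIG_LEN),        # Signature, zero until signed
    )
    return header + body


def _mac(packet, session_key):
    """HMAC-SHA256 over the whole message with the Signature field zeroed."""
    buf = bytearray(packet)
    buf[SIG_OFF:SIG_OFF + SIG_LEN] = bytes(SIG_LEN)
    return hmac.new(session_key, bytes(buf), hashlib.sha256).digest()[:SIG_LEN]


def sign(packet, session_key):
    """Set SMB2_FLAGS_SIGNED, then store the truncated MAC in the header."""
    if len(packet) < HDR_LEN or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    buf = bytearray(packet)
    (flags,) = struct.unpack_from("<I", buf, FLAGS_OFF)
    struct.pack_into("<I", buf, FLAGS_OFF, flags | SMB2_FLAGS_SIGNED)
    buf[SIG_OFF:SIG_OFF + SIG_LEN] = _mac(buf, session_key)
    return bytes(buf)


def verify(packet, session_key, require_signing=True):
    """Receiver-side check; unsigned packets pass only if signing is optional."""
    if len(packet) < HDR_LEN or packet[:4] != SMB2_MAGIC:
        return False
    (flags,) = struct.unpack_from("<I", packet, FLAGS_OFF)
    if not flags & SMB2_FLAGS_SIGNED:
        return not require_signing
    received = bytes(packet[SIG_OFF:SIG_OFF + SIG_LEN])
    return hmac.compare_digest(received, _mac(packet, session_key))


def signing_rate_mb_s(payload_len=65536, rounds=200):
    """Rough single-core signing throughput; every payload byte is hashed."""
    key = bytes(range(16))
    pkt = build_packet(SMB2_WRITE, 1, 1, 1, bytes(payload_len))
    start = time.perf_counter()
    for _ in range(rounds):
        sign(pkt, key)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return payload_len * rounds / elapsed / 1e6


def demo():
    """Compare an in-transit modification with signing required vs. disabled."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    plain = build_packet(SMB2_WRITE, 7, 0x1122334455667788, 1, b"A" * 4096)
    signed = sign(plain, key)
    altered_signed = bytearray(signed)
    altered_signed[HDR_LEN + 10] ^= 0x01      # one payload bit flipped
    altered_plain = bytearray(plain)
    altered_plain[HDR_LEN + 10] ^= 0x01
    return {
        "signed_ok": verify(signed, key),
        "altered_signed_ok": verify(bytes(altered_signed), key),
        "altered_unsigned_ok_when_optional":
            verify(bytes(altered_plain), key, require_signing=False),
        "altered_unsigned_ok_when_required": verify(bytes(altered_plain), key),
    }


if __name__ == "__main__":
    print(demo())
    print("signing rate: %.0f MB/s" % signing_rate_mb_s())
```

With signing required, the altered packet is rejected; with signing disabled, the receiver has no way to tell the altered payload from the original.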
[Samba] Setting password expiration policy
Can I use samba-tool to globally set passwords to never expire like this:

/usr/local/samba/bin/samba-tool domain passwordsettings set --max-pwd-age=0

Or do I have to set max age to some positive value and set expiration in ADUC when creating each user as Password never expires?
[Samba] Logon script via GPO
Hello Folks,

I'm trying to get a logon script to execute via a GPO with Samba 4.0.5.

I used the Group Policy Editor that came with the Administration tools and linked a simple 'logon.bat' batch file to automatically mount a network share for a given 'OU=students'.

When I log in with a user that's in this container, it does not seem to execute the login script. Anyone have an idea why this isn't working?

Here's the Policy on the Samba4 server:

[root@foo Logon]# pwd
/usr/local/samba/var/locks/sysvol/foobar.com/Policies/{A9793D9B-1FCF-4F7E-BB12-33F9383F8B92}/User/Scripts/Logon
[root@foo Logon]# ls
logon.bat

I've done this before on a regular non-samba AD domain... What's missing to get this to work?

Thank You!

--
Luc Lalonde, analyste
Département de génie informatique: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca

If you are not paying for it, you're not the customer; you're the product being sold. (Andrew Lewis)
Re: [Samba] Logon script via GPO
On 13 May 2013 17:38, Luc Lalonde luc.lalo...@polymtl.ca wrote:

Hello Folks,

I'm trying to get a logon script to execute via a GPO with Samba 4.0.5.

I used the Group Policy Editor that came with the Administration tools and linked a simple 'logon.bat' batch file to automatically mount a network share for a given 'OU=students'.

When I log in with a user that's in this container, it does not seem to execute the login script. Anyone have an idea why this isn't working?

Here's the Policy on the Samba4 server:

[root@foo Logon]# pwd
/usr/local/samba/var/locks/sysvol/foobar.com/Policies/{A9793D9B-1FCF-4F7E-BB12-33F9383F8B92}/User/Scripts/Logon
[root@foo Logon]# ls
logon.bat

I've done this before on a regular non-samba AD domain... What's missing to get this to work?

Thank You!

--
Luc Lalonde, analyste
Département de génie informatique: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca

If you are not paying for it, you're not the customer; you're the product being sold. (Andrew Lewis)

Any logs on the client machine? Just wonder if it's seeing the policy. Also, have you tried gpresult on the client?

Cheers,
Chris
[Samba] nis homedir doesn't work
nis works well:

#ypcat -k auto.home
user1 server1:/path/

autofs works well:

#cd /home/user1 (no problem)

compiled with configure --with-automount:

#smbd -b| grep -i automount
* WITH_AUTOMOUNT WITH_AUTOMOUNT *

Why doesn't samba read ypcat auto.home?

See below for additional detail... it's a rebus! Let the best man win! :)

Maybe there is a bug regarding the use of nis to mount the user's home directory at the login, or my misconfiguration.

After the CentOS 6.4 (64bit) installation I checked for the latest samba version on the official repository using yum: the latest version (that was already installed) is samba-3.6.9-151.el6.

From man smb.conf I have seen that nis homedir is not yet deprecated; I used it a decade ago on samba-2.2.12 successfully.

On CentOS 6.4 I don't use ldap, but only nis, and the latter works without problem. I also installed autofs (auto.home). autofs+nis are simple and work great; I can 'su' home users on nfs without problem.

[global]
workgroup = DORK ;changed for privacy
netbios name = lince
server string = DMIT domain server
interfaces = eth0
; smb ports = 445
hosts allow = 129.123.38., 139.123.39., 179.21.23., 127. ;changed for privacy
hosts deny = ALL
os level = 33
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
security = user
guest accout = guest
encrypt passwords = yes
check password script = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
smb passwd file = /etc/samba/smbpasswd
passdb backend = smbpasswd
username map = /etc/samba/smbusers
time server = Yes
log file = /var/log/samba/pc/%m.log
* nis homedir = yes homedir map = auto.home*
null passwords = yes
client lanman auth = no
logon script = logon.bat
logon path = * logon drive = M: logon home = \\%N\%U*
wins support = no
wins server = winsserver ;changed for privacy
log level = 2
lock directory = /var/log/samba/locks/
state directory = /var/log/samba/state/
cache directory = /var/log/samba/cache/
pid directory = /var/log/samba/pid/
usershare path = /var/log/samba/usershare/
printjob username = %M\%U
hide dot files = No[netlogon] path = /etc/samba/netlogon
; max protocol = smb2
kernel oplocks = no
oplocks = no
level2 oplocks = no
posix locking = no
follow symlinks = yes
wide links = yes
unix extensions = no
nt acl support = no
printing = lprng
printcap name = /usr/local/samba/lib/printcap
load printers = yes
print command = /usr/bin/lpr -P%p %s; rm %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
printcap cache time = 0
### speed tuning
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
write raw = yes
read raw = no
### for japanese font :(
dos charset = cp932
display charset = cp932
unix charset = cp932
; profiles dramatically slow the logout so I disabled
; [profiles]
; comment = Network Profiles Share
; path = /etc/samba/profiles
; read only = No
; store dos attribute = Yes
; create mask = 0600
; directory mask = 0700
; browseable = no

[netlogon]
path = /etc/samba/netlogon
writeable = no
public = yes

[root]
comment = Root di %h
path = /
read only = yes
public = no
locking = no

[printers]
printable = yes
public = yes
writable = no
guest ok = yes
#create mode = 0700

[homes]
comment = Users Home Directories
read only = No
create mask = 0644
directory mask = 0711
browseable = No
valid users = %S
; %S = the name of the current service, if any. service = map name,
; so map name A-USER can only be connected by A-USER, %S = %u
;
; By default, \\server\username shares can be connected to by anyone
; with access to the samba server. This parameter make sure that only
; username can connect to \\server\username

[project]
comment = Group project directories
path = /usr/local/samba/lib/prj ;this path contains several links to nfs
read only = no
writable = yes
create mode = 0775
force create mode = 0775
directory mode = 02775
force directory mode = 02775
public = no
oplocks = no

continues but not important!

As you can see, in the smb.conf I bold 'nis homedir = yes' and 'homedir map = auto.home'.

Samba-3.6.9-151.el6 is included in CentOS 6.4, so to check if it has been compiled with configure --with-automount I used the command 'smbd -b|grep -i automount':

[root@dork]#smbd -b| grep -i automount
* WITH_AUTOMOUNT WITH_AUTOMOUNT *

This is a piece of my /etc/auto.home:

pippo server1:/dati3/export/home/
pluto server2:/iscsi/home/
#paperino server1:/dati2/export/home/
mickeymouse server2:/iscsi/home/
spiderman server1:/dati2/export/home/
,,, continues but not important!

Now after samba configuration I'm able to join the
Re: [Samba] Logon script via GPO
Hello Chris,

Thanks for the hint... I looked in the client's event logs. There was a permission problem accessing the 'Netlogon' share on the Samba4 server.

Problem solved, Thank You!

- Original Message -
From: Chris Rowson christopherrow...@gmail.com
Cc: samba@lists.samba.org
Sent: Monday, May 13, 2013 12:57:55 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Logon script via GPO

On 13 May 2013 17:38, Luc Lalonde luc.lalo...@polymtl.ca wrote:

Hello Folks,

I'm trying to get a logon script to execute via a GPO with Samba 4.0.5.

I used the Group Policy Editor that came with the Administration tools and linked a simple 'logon.bat' batch file to automatically mount a network share for a given 'OU=students'.

When I log in with a user that's in this container, it does not seem to execute the login script. Anyone have an idea why this isn't working?

Here's the Policy on the Samba4 server:

[root@foo Logon]# pwd
/usr/local/samba/var/locks/sysvol/foobar.com/Policies/{A9793D9B-1FCF-4F7E-BB12-33F9383F8B92}/User/Scripts/Logon
[root@foo Logon]# ls
logon.bat

I've done this before on a regular non-samba AD domain... What's missing to get this to work?

Thank You!

--
Luc Lalonde, analyste
Département de génie informatique: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca

If you are not paying for it, you're not the customer; you're the product being sold. (Andrew Lewis)

Any logs on the client machine? Just wonder if it's seeing the policy. Also, have you tried gpresult on the client?

Cheers,
Chris

--
Luc Lalonde, analyste
Département de génie informatique: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca

If you are not paying for it, you're not the customer; you're the product being sold. (Andrew Lewis)
Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
hmmm, I don't know what the dnsupdate service does... and I don't really find it in the manual of smb.conf

2013/5/13 Mārtiņš Gailītis martins.gaili...@outlook.com

Thnx, wuala :) There is no error restarting samba 4.0.0 after removing last entry dns of line server services. Do I have to remove dnsupdate from config as well if I'm using bind for DNS purposes?! Will try to upgrade and see if everything starts as smooth as it does now!

Date: Mon, 13 May 2013 14:57:48 +0200
From: benischind...@gmx.de
To: samba@lists.samba.org
Subject: Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source

On 13.05.2013 11:21, Michael De Groote wrote:

(check for 'dns' on the 'server services' line in smb.conf,) so there were errors in the logfile about not being able to setup some services, which seemed to have as consequence that some instances died

On 13.05.2013 14:24, Mārtiņš Gailītis wrote:

Here is my smb.conf and part of log file from working 4.0.0 installation.

[global]
...
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Is samba internal DNS trying to start as well?! Let's see... Yes. ;) Try to start without DNS. You just have to remove the last two entries from your server services. It should look like this:

[global]
...
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc

--
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven
Re: [Samba] Logon script via GPO
*You're welcome.*

Sometimes it is difficult to see the wood for the trees :-)

Chris

On Mon, May 13, 2013 at 7:12 PM, Luc Lalonde luc.lalo...@polymtl.ca wrote:

Hello Chris,

Thanks for the hint... I looked in the client's event logs. There was a permission problem accessing the 'Netlogon' share on the Samba4 server.

Problem solved, Thank You!

- Original Message -
From: Chris Rowson christopherrow...@gmail.com
Cc: samba@lists.samba.org
Sent: Monday, May 13, 2013 12:57:55 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Logon script via GPO

On 13 May 2013 17:38, Luc Lalonde luc.lalo...@polymtl.ca wrote:

Hello Folks,

I'm trying to get a logon script to execute via a GPO with Samba 4.0.5.

I used the Group Policy Editor that came with the Administration tools and linked a simple 'logon.bat' batch file to automatically mount a network share for a given 'OU=students'.

When I log in with a user that's in this container, it does not seem to execute the login script. Anyone have an idea why this isn't working?

Here's the Policy on the Samba4 server:

[root@foo Logon]# pwd
/usr/local/samba/var/locks/sysvol/foobar.com/Policies/{A9793D9B-1FCF-4F7E-BB12-33F9383F8B92}/User/Scripts/Logon
[root@foo Logon]# ls
logon.bat

I've done this before on a regular non-samba AD domain... What's missing to get this to work?

Thank You!

--
Luc Lalonde, analyste
Département de génie informatique: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca

If you are not paying for it, you're not the customer; you're the product being sold. (Andrew Lewis)

Any logs on the client machine? Just wonder if it's seeing the policy. Also, have you tried gpresult on the client?

Cheers,
Chris

--
Luc Lalonde, analyste
Département de génie informatique: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca

If you are not paying for it, you're not the customer; you're the product being sold. (Andrew Lewis)
[Samba] Samba4 CUPS: NT_STATUS_ACCESS_DENIED opening remote file
I'm setting up cups printing with Samba 4.0.5.

I downloaded both the windows drivers and the postscript drivers and put them into /usr/share/cups/drivers/.

I configured cups through the web interface. Created a printer and printed a test page.

I edited smb.conf and put in the necessary entries for cups printing:

[global]
...
load printers = yes
printing = cups
printcap name = cups
...

[printers]
comment = All Printers
path = /srv/share/spool
browseable = Yes
read only = No
printable = Yes

[print$]
comment = Point and Print Printer Drivers
path = /srv/share/print
browseable = Yes
read only = No
write list = root

Checked the permissions on files and target directories:

# ls -l /usr/share/cups/drivers/
total 2348
-rw-r--r-- 1 root root     803 May 13 12:02 cups6.inf
-rw-r--r-- 1 root root      72 May 13 12:02 cups6.ini
-rw-r--r-- 1 root root   12568 May 13 12:02 cupsps6.dll
-rw-r--r-- 1 root root   13672 May 13 12:02 cupsui6.dll
-rwxr-xr-x 1 root root  728576 May 13 15:01 ps5ui.dll
-rwxr-xr-x 1 root root  543232 May 13 15:01 pscript5.dll
-rwxr-xr-x 1 root root   26038 May 13 15:01 pscript.hlp
-rwxr-xr-x 1 root root 1060548 May 13 15:01 pscript.ntf
#
# ls -l /srv/share/print
/srv/share/print:
total 32
drwxr-xr-x 2 root root 4096 May 12 23:13 COLOR
drwxr-xr-x 2 root root 4096 May 12 23:13 IA64
drwxr-xr-x 2 root root 4096 May 12 23:13 W32ALPHA
drwxr-xr-x 2 root root 4096 May 12 23:13 W32MIPS
drwxr-xr-x 2 root root 4096 May 12 23:13 W32PPC
drwxr-xr-x 2 root root 4096 May 12 23:13 W32X86
drwxr-xr-x 2 root root 4096 May 12 23:13 WIN40
drwxr-xr-x 2 root root 4096 May 12 23:13 x64

Then ran cupsaddsmb to install the drivers into Samba:

# PATH=/usr/local/samba/bin:$PATH cupsaddsmb -v -H localhost -U root -a
Password for root required to access localhost via SAMBA:
Running command: smbclient //localhost/print$ -N -A /tmp/cupsjExFEC -c 'mkdir W32X86;put /tmp/cupshtyLSS W32X86/Cups-PDF.ppd;put /usr/share/cups/drivers/ps5ui.dll W32X86/ps5ui.dll;put /usr/share/cups/drivers/pscript.hlp W32X86/pscript.hlp;put /usr/share/cups/drivers/pscript.ntf W32X86/pscript.ntf;put /usr/share/cups/drivers/pscript5.dll W32X86/pscript5.dll'
Domain=[XXX] OS=[Unix] Server=[Samba 4.0.5]
NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
NT_STATUS_ACCESS_DENIED opening remote file \W32X86/Cups-PDF.ppd
NT_STATUS_ACCESS_DENIED opening remote file \W32X86/ps5ui.dll
NT_STATUS_ACCESS_DENIED opening remote file \W32X86/pscript.hlp
NT_STATUS_ACCESS_DENIED opening remote file \W32X86/pscript.ntf
NT_STATUS_ACCESS_DENIED opening remote file \W32X86/pscript5.dll

And I end up getting access errors.

All the permissions look right. I can manually create files in the directories as root. I made sure that root user was in smbpasswd.

What am I missing here?
Re: [Samba] Samba4 CUPS: NT_STATUS_ACCESS_DENIED opening remote file
On 13/05/13 21:36, Gerry Reno wrote:
> And I end up getting access errors. All the permissions look right. I can manually create files in the directories as root. I made sure that root user was in smbpasswd.
>
> What am I missing here?

Hi

I don't think printing works with 4.0.5:
https://bugzilla.samba.org/show_bug.cgi?id=9745

We also get access denied errors when installing the drivers. Shall we add this thread to the bugzilla?

Cheers,
Steve
Re: [Samba] Samba4 CUPS: NT_STATUS_ACCESS_DENIED opening remote file
On 05/13/2013 03:59 PM, steve wrote:
> On 13/05/13 21:36, Gerry Reno wrote:
>> And I end up getting access errors. All the permissions look right. I can manually create files in the directories as root. I made sure that root user was in smbpasswd.
>>
>> What am I missing here?
>
> Hi
>
> I don't think printing works with 4.0.5:
> https://bugzilla.samba.org/show_bug.cgi?id=9745
>
> We also get access denied errors when installing the drivers. Shall we add this thread to the bugzilla?
>
> Cheers,
> Steve

Done.
Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
Hooray - it works! Thnx ;)

Date: Mon, 13 May 2013 20:50:36 +0200
From: i...@sint-pietersschool.be
To: samba@lists.samba.org
Subject: Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source

hmmm, i don't know what the dnsupdate service does... and i don't really find it in the manual of smb.conf

2013/5/13 Mārtiņš Gailītis martins.gaili...@outlook.com

Thnx, wuala :) There is no error restarting samba 4.0.0 after removing last entry dns of line server services. Do i have to remove dnsupdate from config as well if i'm using bind for DNS purposes?! Will try to upgrade and see if everything starts as smooth as it does now!

Date: Mon, 13 May 2013 14:57:48 +0200
From: benischind...@gmx.de
To: samba@lists.samba.org
Subject: Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source

On 13.05.2013 11:21, Michael De Groote wrote:

(check for 'dns' on the 'server services' line in smb.conf,) so there were errors in the logfile about not being able to setup some services, which seemed to have as consequence that some instances died

On 13.05.2013 14:24, Mārtiņš Gailītis wrote:

Here is my smb.conf and part of log file from working 4.0.0 installation.

    [global]
    ...
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Is samba internal DNS is trying start as well?! Let's see...

Yes. ;) Try to start without DNS. You just have to remove the last two entries from your server services. It should look like this:

    [global]
    ...
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc

--
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven
Re: [Samba] Sudden authentication failures, hex dumps in log.samba
On Mon, 2013-05-13 at 14:24 +0300, Pekka L.J. Jalkanen wrote:
> Any ideas how to resolve this problem?
>
> No comments, it seems. I can see that even if this is a bug in Samba it would be really hard to reproduce. But it's really frustrating too, because if the authentication isn't reliable I sort of have to keep the Windows DC around.
>
> So if somebody would have an enlightened suggestion what to do, I'd be grateful. The only idea I'm having myself would be to recreate the machine accounts of the computers in question, but that'd be just a shot in the dark, and if the problem lies within the user accounts instead, that wouldn't help.

G'Day,

I'm sorry I haven't been able to get back to you. The issue is the same for all of these accounts. We simply have a password encoded in a format that we do not correctly parse. The 00 20 stuff is literally some unicode space (ie the spacebar, yes!) padding that is in this structure.

I need to get both an encrypted copy of the data and some time to work over it, so we can correct this issue in our IDL.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
On Mon, 2013-05-13 at 16:03 +0300, Mārtiņš Gailītis wrote:
> Thnx, wuala :) There is no error restarting samba 4.0.0 after removing last entry dns of line server services. Do i have to remove dnsupdate from config as well if i'm using bind for DNS purposes?! Will try to upgrade and see if everything starts as smooth as it does now!

No, just set 'server servers = -dns' if you don't want to run the DNS server.

Also you may wish to run:

    samba-tool dbcheck --reset-well-known-acls --fix

This will fix up some incorrect defaults we had with 4.0.0. It will however wipe any changes you have made to some ACLs (not all, just ones we have special defaults for).

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
With 'server services = -dns' still error:

    Failed to start service '-dns' - NT_STATUS_INVALID_SYSTEM_SERVICE

Removed again from config and everything goes smooth.

It is recommended or absolutely necessary to reset acls?!

Subject: Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
From: abart...@samba.org
To: martins.gaili...@outlook.com
CC: benischind...@gmx.de; samba@lists.samba.org
Date: Tue, 14 May 2013 17:07:14 +1200

On Mon, 2013-05-13 at 16:03 +0300, Mārtiņš Gailītis wrote:
> Thnx, wuala :) There is no error restarting samba 4.0.0 after removing last entry dns of line server services. Do i have to remove dnsupdate from config as well if i'm using bind for DNS purposes?! Will try to upgrade and see if everything starts as smooth as it does now!

No, just set 'server servers = -dns' if you don't want to run the DNS server.

Also you may wish to run:

    samba-tool dbcheck --reset-well-known-acls --fix

This will fix up some incorrect defaults we had with 4.0.0. It will however wipe any changes you have made to some ACLs (not all, just ones we have special defaults for).

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba 4.0.0 upgrade to 4.0.5 from source
On Tue, 2013-05-14 at 08:31 +0300, Mārtiņš Gailītis wrote:
> With 'server services = -dns' still error:
>
>     Failed to start service '-dns' - NT_STATUS_INVALID_SYSTEM_SERVICE
>
> Removed again from config and everything goes smooth.

That's very odd. The idea with these + and - things is a way to modify the default list, without having the full list be specified in everybody's configuration files, so that when we add a new service, it doesn't just get ignored, because it isn't in the list!

> It is recommended or absolutely necessary to reset acls?!

Recommended. We got the default ACLs quite wrong previously.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
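The + and - behaviour Andrew Bartlett describes above, worked through as an added example (Python written for this page, not Samba code and not from the thread). It assumes the default list is the one in the 4.0.0 smb.conf quoted earlier, that a value made only of +/- entries edits that list while a plain list replaces it, and that `newsvc` is a hypothetical service added by a later release.

```python
# Added example (not Samba code). Assumed semantics: a 'server services' value
# made only of +name / -name entries edits the default list; a plain list
# replaces it. Mixing both forms is rejected here.

# Default list as it appears in the 4.0.0 smb.conf quoted in this thread.
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbind", "ntp_signd", "kcc", "dnsupdate", "dns"]
# Hypothetical later release that adds a service called "newsvc".
FUTURE_DEFAULTS = DEFAULT_SERVICES + ["newsvc"]

# Constructed smb.conf fragments for the two styles discussed in the thread.
EXPLICIT_CONF = """
[global]
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
"""
MODIFIER_CONF = """
[global]
    # run everything in the default list except the internal DNS server
    server services = -dns
"""


def server_services_from_conf(text):
    """Return the raw 'server services' value from [global], or ''."""
    section, value = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if " ".join(key.split()).lower() == "server services":
                value = val.strip()
    return value


def effective_services(value, defaults):
    """Resolve one 'server services' value against a default list."""
    entries = value.replace(",", " ").split()
    if not entries:
        return list(defaults)
    modifiers = [e for e in entries if e[0] in "+-"]
    if not modifiers:
        return entries  # explicit list: the defaults are ignored entirely
    if len(modifiers) != len(entries):
        raise ValueError("cannot mix +/- modifiers with plain service names")
    result = list(defaults)
    for entry in entries:
        name = entry[1:]
        if entry[0] == "-":
            result = [s for s in result if s != name]
        elif name not in result:
            result.append(name)
    return result


def not_running(conf_text, defaults):
    """Default services that this configuration leaves switched off."""
    running = effective_services(server_services_from_conf(conf_text), defaults)
    return [s for s in defaults if s not in running]


if __name__ == "__main__":
    for label, conf in (("explicit list", EXPLICIT_CONF), ("-dns modifier", MODIFIER_CONF)):
        for release, defaults in (("4.0.0 list", DEFAULT_SERVICES), ("future list", FUTURE_DEFAULTS)):
            print(f"{label:14} vs {release}: not running -> {not_running(conf, defaults)}")
```

On the 4.0.0 install in this thread '-dns' was rejected with NT_STATUS_INVALID_SYSTEM_SERVICE, so the model shows the intended behaviour rather than what that build did.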
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated
       via  9094b53 Remove the compound_related_in_progress state from the smb2 global state.
       via  f4900ce The core of the fix to allow opens to go async inside a compound request.
       via  5185365 Ensure we don't try and cancel anything that is in a compound-related request.
       via  171087a Only do the 1 second delay for sharing violations for SMB1, not SMB2.
      from  1303a68 WHATSNEW: Start release notes for Samba 3.6.16.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test

- Log -
commit 9094b538c85a550b40827799f56427a926d315cd
Author: Jeremy Allison j...@samba.org
Date: Wed May 8 15:10:32 2013 -0700

    Remove the compound_related_in_progress state from the smb2 global state.

    And also remove the restriction that we can't read a new request whilst we're in this state.

    Signed-off-by: Jeremy Allison j...@samba.org

    The last 4 patches address bug #9722 - Samba does not properly handle Oplock breaks in compound requests.

commit f4900ce9e0c52beb2dcf34eaf4bcd5f398d7900c
Author: Jeremy Allison j...@samba.org
Date: Wed May 8 15:08:50 2013 -0700

    The core of the fix to allow opens to go async inside a compound request.

    This is only allowed for opens that cause an oplock break, otherwise it is not allowed. See [MS-SMB2].pdf note 194 on Section 3.3.5.2.7.

    Signed-off-by: Jeremy Allison j...@samba.org

commit 5185365c6b215905663aca5161924a357268f64d
Author: Jeremy Allison j...@samba.org
Date: Wed May 8 11:51:38 2013 -0700

    Ensure we don't try and cancel anything that is in a compound-related request.

    Too hard to deal with splitting off the replies.

    Signed-off-by: Jeremy Allison j...@samba.org

commit 171087a499531bf529fe800de73e0e10ecdcc6f7
Author: Jeremy Allison j...@samba.org
Date: Wed May 8 11:50:32 2013 -0700

    Only do the 1 second delay for sharing violations for SMB1, not SMB2.

    Match Windows behavior.
Signed-off-by: Jeremy Allison j...@samba.org --- Summary of changes: source3/smbd/globals.h |1 - source3/smbd/open.c|3 +- source3/smbd/smb2_server.c | 145 +++ 3 files changed, 66 insertions(+), 83 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index 730bb7e..ce5b18d 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -647,7 +647,6 @@ struct smbd_server_connection { uint32_t max_trans; uint32_t max_read; uint32_t max_write; - bool compound_related_in_progress; } smb2; }; diff --git a/source3/smbd/open.c b/source3/smbd/open.c index d10b697..447de80 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -2002,10 +2002,11 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn, /* * If we're returning a share violation, ensure we -* cope with the braindead 1 second delay. +* cope with the braindead 1 second delay (SMB1 only). */ if (!(oplock_request INTERNAL_OPEN_ONLY) + !conn-sconn-using_smb2 lp_defer_sharing_violations()) { struct timeval timeout; struct deferred_open_record state; diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index cc884c3..9615907 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -927,7 +927,6 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req, uint32_t flags = 0; uint64_t message_id = 0; uint64_t async_id = 0; - struct iovec *outvec = NULL; if (!tevent_req_is_in_progress(subreq)) { return NT_STATUS_OK; 
@@ -944,16 +943,27 @@ NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req, if (req-in.vector_count i + 3) { /* * We're trying to go async in a compound -* request chain. This is not allowed. -* Cancel the outstanding request. +* request chain. +* This is only allowed for opens that +* cause an oplock break, otherwise it +* is not allowed. See [MS-SMB2].pdf +* note 194 on Section 3.3.5.2.7. */ - bool ok = tevent_req_cancel(req-subreq); - if (ok) { - return NT_STATUS_OK; - } - TALLOC_FREE(req-subreq); - return smbd_smb2_request_error(req, - NT_STATUS_INTERNAL_ERROR);
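Review bot: In the source3/smbd/open.c hunk (open_file_ntcreate), the updated comment says only "(SMB1 only)" and the reason given in the commit message, matching Windows behavior, is not recorded next to the new using_smb2 test. Suggest extending the comment to say that SMB2 opens skip the deferral and get the sharing violation returned without the 1 second wait, so a later reader does not take the skipped delay for an oversight.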
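Review bot: In the second source3/smbd/smb2_server.c hunk (smbd_smb2_request_pending_queue), the removed branch returned NT_STATUS_INTERNAL_ERROR when tevent_req_cancel() failed, and the code that replaces it is cut off by the 500-line truncation, so the handling of a non-open request that tries to go async inside a compound chain cannot be checked from this mail. The new comment says that case is still not allowed; please confirm that the full patch keeps an explicit error return for it, and say in the comment which status the client receives.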
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  fde1757 build: Add missing dep from vfs_nfs4acl_xattr to NDR_NFS4ACL
      from  09d3f57 lib: Fix CID 241650 Sizeof not portable

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit fde1757f800ee661aa3e5133fed7c910dcb4163e
Author: Andrew Bartlett abart...@samba.org
Date: Tue May 14 09:23:33 2013 +1200

    build: Add missing dep from vfs_nfs4acl_xattr to NDR_NFS4ACL

    Reviewed-by: Andreas Schneider a...@samba.org

    Autobuild-User(master): Andreas Schneider a...@cryptomilk.org
    Autobuild-Date(master): Tue May 14 01:23:17 CEST 2013 on sn-devel-104

---

Summary of changes:
source3/modules/wscript_build |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build index 65e96b2..937dbde 100644 --- a/source3/modules/wscript_build +++ b/source3/modules/wscript_build @@ -251,7 +251,7 @@ bld.SAMBA3_MODULE('vfs_zfsacl', bld.SAMBA3_MODULE('vfs_nfs4acl_xattr', subsystem='vfs', source=VFS_NFS4ACL_XATTR_SRC, -deps='NFS4_ACLS sunacl', +deps='NFS4_ACLS sunacl NDR_NFS4ACL', init_function='', internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_nfs4acl_xattr'), enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_nfs4acl_xattr')) -- Samba Shared Repository
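Review bot: The commit message for the source3/modules/wscript_build hunk consists of the subject line and tags only, and does not say how the missing NDR_NFS4ACL dependency of vfs_nfs4acl_xattr showed up. Suggest adding one sentence naming the failure and the build configuration that hit it, so the change can be matched to a report later.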
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  3fda852 selftests-drs: make our generated class subclass of classschema
       via  33b5479 Export PROMOTED_DC related variable
       via  2bdf2c5 dsdb: make the name of non related class more obvious
      from  fde1757 build: Add missing dep from vfs_nfs4acl_xattr to NDR_NFS4ACL

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 3fda85276b9a3b3df6c5f1341dd586606deacfb1
Author: Matthieu Patou m...@matws.net
Date: Mon May 6 00:58:28 2013 -0700

    selftests-drs: make our generated class subclass of classschema

    Without this change objectclass=[top, classSchema, Foobar] will not be sorted correctly and will generate an error saying that class Foobar is unrelated to classSchema (which is not true). It's mimicking what other classes of the default schema are doing (ie. contact)

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abart...@samba.org

    Autobuild-User(master): Andrew Bartlett abart...@samba.org
    Autobuild-Date(master): Tue May 14 07:07:19 CEST 2013 on sn-devel-104

commit 33b54799a61eb6873eaeea2e7853f1314d8e6eee
Author: Matthieu Patou m...@matws.net
Date: Mon May 13 09:16:24 2013 -0700

    Export PROMOTED_DC related variable

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 2bdf2c56cc1f7635441cf3b13d94941157b047f8
Author: Matthieu Patou m...@matws.net
Date: Mon May 6 01:09:05 2013 -0700

    dsdb: make the name of non related class more obvious

    Signed-off-by: Matthieu Patou m...@matws.net
    Reviewed-by: Andrew Bartlett abart...@samba.org

---

Summary of changes:
selftest/selftest.pl |5 +
selftest/selftest.py |6 ++
source4/dsdb/samdb/ldb_modules/objectclass.c |5 +++--
source4/torture/drs/python/repl_schema.py|3 ++-
4 files changed, 16 insertions(+), 3 deletions(-)

Changeset truncated at 500 lines:

diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 639c8a2..cc947a1 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl
@@ -692,6 +692,11 @@ my @exported_envvars = ( VAMPIRE_DC_NETBIOSNAME, VAMPIRE_DC_NETBIOSALIAS, + PROMOTED_DC_SERVER, + PROMOTED_DC_SERVER_IP, + PROMOTED_DC_NETBIOSNAME, + PROMOTED_DC_NETBIOSALIAS, + # server stuff SERVER, SERVER_IP, diff --git a/selftest/selftest.py b/selftest/selftest.py index af2e552..2da1ef8 100755 --- a/selftest/selftest.py +++ b/selftest/selftest.py @@ -388,6 +388,12 @@ exported_envvars = [ VAMPIRE_DC_NETBIOSNAME, VAMPIRE_DC_NETBIOSALIAS, +# domain controller stuff for Vampired DC +PROMOTED_DC_SERVER, +PROMOTED_DC_SERVER_IP, +PROMOTED_DC_NETBIOSNAME, +PROMOTED_DC_NETBIOSALIAS, + # server stuff SERVER, SERVER_IP, diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index de154ec..f6f7338 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -127,8 +127,9 @@ static int check_unrelated_objectclasses(struct ldb_module *module, } ldb_asprintf_errstring(ldb, - objectclass: the objectclass '%s' seems to be unrelated to the entry!, - tmp_class-lDAPDisplayName); + objectclass: the objectclass '%s' seems to be unrelated to %s!, + tmp_class-lDAPDisplayName, + struct_objectclass-lDAPDisplayName); return LDB_ERR_OBJECT_CLASS_VIOLATION; } diff --git a/source4/torture/drs/python/repl_schema.py b/source4/torture/drs/python/repl_schema.py index cbed640..aefeadb 100644 --- a/source4/torture/drs/python/repl_schema.py +++ b/source4/torture/drs/python/repl_schema.py 
@@ -174,7 +174,8 @@ class DrsReplSchemaTestCase(drs_base.DrsBaseTestCase): # add a base classSchema class so we can use our new # attribute in class definition in a sibling class (c_ldn, c_dn) = self._schema_new_class(self.ldb_dc1, cls-A, - {systemMayContain: a_ldn}) + {systemMayContain: a_ldn, +subClassOf: classSchema}) # add new classSchema object with value for a_ldb attribute (c_ldn, c_dn) = self._schema_new_class(self.ldb_dc1, cls-B, {objectClass: [top, classSchema, c_ldn], -- Samba Shared Repository
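Review bot: In the selftest/selftest.py hunk, the added comment reads "domain controller stuff for Vampired DC" although the four variables it introduces are the PROMOTED_DC_* ones, so the comment looks copied from the VAMPIRE_DC block above it. Suggest "domain controller stuff for promoted DC", and adding the matching comment line to the selftest/selftest.pl hunk, which adds the same four variables without one.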
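Review bot: In the source4/dsdb/samdb/ldb_modules/objectclass.c hunk (check_unrelated_objectclasses), the new error string quotes the first class name as '%s' but prints the second one bare, so the message mixes two styles. Suggest quoting both names, and noting in the commit message that the wording of this error changes, since anything that matches on "unrelated to the entry" will stop matching.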