Re: [Samba] Error Message while joining a Domain as a DC
Yes, I get the password prompt after typing kinit administrator. I have two krb5.conf. One in /etc and one in /usr/local/samba/private

P.S. This samba is manually compiled and installed in /usr/local/samba/

On 29.05.2013 23:28, Jim Potter wrote:

This looks like a kerberos error - can you kinit administrator and get a password prompt on the new DC? If not, check resolv.conf on new DC points at existing DC and check the realm details in krb5.conf

Jim

On 29/05/2013 20:18, Ulrich Schneider wrote:

I joined an existing domain according to: https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

My var/log.samba shows the following error message ... and unfortunately ... I have no idea what that means.

[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:58:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:58:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:58:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:58:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
[2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: File /usr/local/samba/sbin/samba_dnsupdate, line 506, in module
[2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp)
[2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: File /usr/local/samba/sbin/samba_dnsupdate, line 119, in get_credentials
[2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: creds.get_named_ccache(lp, ccachename)
[2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for SERVERT$@GYM-FEU.LOCAL failed (Cannot contact any KDC for requested realm)
[2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate:
[Samba] Sysvol replication and group policies
As I read in the article listed at the end of this email, there is no sysvol replication while joining a domain as a dc. This means to me (if I'm right) that there are no group policies available on the samba dc. Is this right?

On the other hand, if I create a new domain on a samba dc and if I set up a samba as a new dc ... group policies are available. Is this correct?

https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#A_Note_on_SysVol_replication

A Note on SysVol replication

Currently the replication of the SysVol share isn't implemented. If you make any changes on that share, you have to keep the shares on all your DCs in sync manually (e. g. with an rsync cronjob).

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Replication fails
I'm using samba 4.0.3 (host samba01) and samba 4.0.5 (samba02) as DCs. samba01 already existed and I used samba-tool domain join to join samba02 to domain samba.x.y.z. This worked quite well, but now replication fails:

/usr/local/samba/bin/samba-tool drs showrepl
INBOUND NEIGHBORS
...
DC=DomainDnsZones,DC=samba,DC=x,DC=y,DC=z
Default-First-Site-Name\SAMBA01 via RPC
DSA object GUID: 2eeb19c5-6844-4363-8b73-afa2b9a75001
Last attempt @ Mon May 20 03:00:41 2013 CEST failed, result 2 (WERR_BADFILE)
623 consecutive failure(s).
Last success @ Fri May 17 23:45:19 2013 CEST
...
KCC CONNECTION OBJECTS
Connection --
Connection name: 76dc04cb-85e3-4d81-9b53-465166fd2f78
Enabled: TRUE
Server DNS name : samba01.samba.x.y.z
Server DN name : CN=NTDS Settings,CN=SAMBA01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=x,DC=y,DC=z
TransportType: RPC
options: 0x0001
Warning: No NC replicated for Connection!

Trying samba-tool drs replicate breaks at:

/usr/local/samba/bin/samba-tool drs replicate samba02 samba01 'DC=samba,DC=x,DC=y,DC=z' -d 5
...
drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
out: struct drsuapi_DsReplicaSync
result : WERR_BADFILE
ERROR(class 'samba.drs_utils.drsException'): DsReplicaSync failed - drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py, line 334, in run
drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
File /usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py, line 83, in sendDsReplicaSync
raise drsException(DsReplicaSync failed %s % estr)
...

I supposed that there must be something wrong with the DsReplicaSync()-method, but I can't find anything about it in the python-files or in http://www.samba.org/~jelmer/samba4-python/nameIndex.html.

Any suggestions what could be wrong or where can I find some information on the DsReplicaSync()-method used in /usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py, line 81? Please let me know if I should send any other information.

Best regards, Tobias
[Samba] Samba4 Secondary DC Replication Concerns
Hi Folks

If I have 2 x Samba4 AD DCs, a primary and secondary, am I correct in assuming that if I add a Windows Client to the DOMAIN it should eventually replicate to the secondary DC?

Paully
[Samba] getfacl - winbind
Hi,

A nice problem came up. If I want to set directory permissions with getfacl or ls -la that directory or wbinfo --uid-info winbind is dying and I got this error message in samba.log:

== samba/samba.log ==
[2013/05/30 15:03:31, 0] ../lib/util/fault.c:72(fault_report)
===
[2013/05/30 15:03:31, 0] ../lib/util/fault.c:73(fault_report)
INTERNAL ERROR: Signal 11 in pid 3658 (4.0.5)
Please read the Trouble-Shooting section of the Samba HOWTO
[2013/05/30 15:03:31, 0] ../lib/util/fault.c:75(fault_report)
===
[2013/05/30 15:03:31, 0] ../lib/util/fault.c:144(smb_panic_default)
PANIC: internal error

The weird thing is getfacl working smooth on the directories in the domain root eg: TEST.DOMAIN/group01, but winbind?? dies when I want to list any subdirectory eg: TEST.DOMAIN/group01/user01

Regards, Robert
[Samba] Need help with file corruption issue
Hi all,

I've run into an issue and am wondering if folks can give some advice on how to resolve it. Basically Samba appears to be getting confused, providing some other file's contents. Initially I saw this on a Windows host that has mounted a share from CentOs, but I've been able to repro it on the CentOs host using a self-mount.

Here's my test script:

#!/usr/bin/perl
use File::Temp qw( tempfile );
use strict;
$| = 1;    # unbuffered output
my $local_grid_share = '/grid/samba_stress_test';
my $mounted_grid_share = '/root/grid/samba_stress_test';
while (1) {
    # Write a fresh temp file directly into the exported directory
    my $content1 = rand() x 5 . "\n";
    my ($fh, $filepath) = tempfile( DIR => $local_grid_share );
    print $fh $content1;
    close $fh;
    system("chown xen $filepath");
    my ($filename) = $filepath =~ /.*\/(.*)/;
    print "\n$filename... ";
    # Read the same file back through the CIFS mount and compare
    if (-f "$mounted_grid_share/$filename") {
        open IN, "$mounted_grid_share/$filename";
        local $/ = undef;
        my $content2 = <IN>;
        close IN;
        if ($content1 eq $content2) {
            print "Same!\n$filepath : $content1$mounted_grid_share/$filename: $content2";
        } else {
            print "Different!\n$filepath : $content1$mounted_grid_share/$filename: $content2";
            exit;
        }
    } else {
        print "File is missing!\n";
        exit;
    }
    unlink $filepath;
}

Here's the mount command and an illustration of the problem:

# ifconfig | grep inet.addr | grep -v 127.0.0.1
inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0
# mount -t cifs -ousername=the_user,password=the_password //10.0.0.11/grid /root/grid
# mkdir /grid/samba_stress_test; chown xen /grid/samba_stress_test
# perl samba_stress_test.pl
snip a lot of successful comparisons
udCVYFNkc5... Same!
/grid/samba_stress_test/udCVYFNkc5 : 0.07392498237819470.07392498237819470.07392498237819470.07392498237819470.0739249823781947
/root/grid/samba_stress_test/udCVYFNkc5: 0.07392498237819470.07392498237819470.07392498237819470.07392498237819470.0739249823781947
uETPmRzm99... Different!
/grid/samba_stress_test/uETPmRzm99 : 0.9774832438332160.9774832438332160.9774832438332160.9774832438332160.977483243833216
/root/grid/samba_stress_test/uETPmRzm99: 0.07392498237819470.07392498237819470.07392498237819470.07392498237819470.073924982378#

So the new file supposedly has the content of the previous *deleted* file. Note that sometimes the content is truncated. (See above -- the # for the next prompt is at the end of the previous line because there's no newline).

If I re-share the mount that's on the Windows machine, and mount it in this Linux machine, then it consistently repros on the second iteration. With a little effort I can get the file from the Windows machine and compare it, if that's helpful.

Here is some information about my setup:

# cat /etc/centos-release
CentOS release 6.3 (Final)
# yum list | grep '^samba'
samba.x86_64 3.5.10-125.el6 @base
samba-client.x86_64 3.5.10-125.el6 @base
samba-common.x86_64 3.5.10-125.el6 @base
samba-winbind-clients.x86_64 3.5.10-125.el6 @base
samba4-libs.x86_64 4.0.0-23.alpha11.el6 @base/$releasever
samba.x86_64 3.6.9-151.el6 base
samba-client.x86_64 3.6.9-151.el6 base
samba-common.i686 3.6.9-151.el6 base
samba-common.x86_64 3.6.9-151.el6 base
samba-doc.x86_64 3.6.9-151.el6 base
samba-domainjoin-gui.x86_64 3.6.9-151.el6 base
samba-swat.x86_64 3.6.9-151.el6 base
samba-winbind.x86_64 3.6.9-151.el6 base
samba-winbind-clients.i686 3.6.9-151.el6 base
samba-winbind-clients.x86_64 3.6.9-151.el6 base
samba-winbind-devel.i686 3.6.9-151.el6 base
samba-winbind-devel.x86_64 3.6.9-151.el6 base
samba-winbind-krb5-locator.x86_64 3.6.9-151.el6 base
samba4.x86_64 4.0.0-55.el6.rc4 base
samba4-client.x86_64 4.0.0-55.el6.rc4 base
samba4-common.x86_64 4.0.0-55.el6.rc4 base
samba4-dc.x86_64 4.0.0-55.el6.rc4 base
samba4-dc-libs.x86_64 4.0.0-55.el6.rc4 base
samba4-devel.i686 4.0.0-23.alpha11.el6 base
samba4-devel.x86_64 4.0.0-55.el6.rc4 base
samba4-libs.i686 4.0.0-23.alpha11.el6 base
samba4-libs.x86_64 4.0.0-55.el6.rc4 base
samba4-pidl.x86_64 4.0.0-55.el6.rc4 base
samba4-python.x86_64 4.0.0-55.el6.rc4 base
samba4-swat.x86_64 4.0.0-55.el6.rc4 base
samba4-test.x86_64 4.0.0-55.el6.rc4 base
samba4-winbind.x86_64
Re: [Samba] Samba4 Secondary DC Replication Concerns
Hello Paul,

On 30.05.2013 13:53, Paul Littlefield wrote:

If I have 2 x Samba4 AD DCs, a primary and secondary, am I correct in assuming that if I add a Windows Client to the DOMAIN it should eventually replicate to the secondary DC?

What exactly do you mean? Machine accounts?

If you have multiple DCs in your domain, and the directory replication works ('samba-tool drs showrepl'), then every change made is transferred to each DC (accounts, directory ACLs, etc.)

Only the SysVol share replication is currently not implemented. You have to find a workaround (like doing it with rsync).

Regards, Marc
Re: [Samba] Sysvol replication and group policies
Hello Ulrich,

On 30.05.2013 12:35, Ulrich Schneider wrote:

As I read in the article listed at the end of this email, there is no sysvol replication while joining a domain as a dc. This means to me (if I'm right) that there are no group policies available on the samba dc. Is this right? On the other hand, if I create a new domain on a samba dc and if I set up a samba as a new dc ... group policies are available. Is this correct?

A Samba DC can provide GP. They are stored on the SysVol share. But because SysVol replication currently isn't implemented, you have to take care of the replication to other DCs yourself. Many people use rsync for this job.

Depending on how you transfer the files between the SysVol shares, you may have to make changes on one DC, from where they are transferred to the other DCs.

Regards, Marc
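An added example, not from the thread or from Samba itself: since the SysVol copy is left to rsync or a similar job, a check like the following can confirm that two DCs actually hold the same group policies. It goes beyond the copy step the replies mention and compares, per GPO directory, the `Version=` value in GPT.INI and the SHA-256 of every file; the function names, the sample trees built in `demo()` and the assumption that both Policies directories are readable from one host are assumptions of this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"^\s*Version\s*=\s*(\d+)", re.I | re.M)


def gpo_version(gpo_dir):
    """Return the Version= number from a GPO's GPT.INI, or None if absent."""
    for p in Path(gpo_dir).iterdir():
        # The file name case can differ between a Windows and a POSIX copy.
        if p.is_file() and p.name.lower() == "gpt.ini":
            m = VERSION_RE.search(p.read_text(encoding="utf-8-sig", errors="replace"))
            return int(m.group(1)) if m else None
    return None


def snapshot(policies_dir):
    """Map GPO directory name -> (GPT.INI version, {relative path: sha256})."""
    snap = {}
    for gpo in sorted(Path(policies_dir).iterdir()):
        if not gpo.is_dir():
            continue
        files = {
            p.relative_to(gpo).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in gpo.rglob("*") if p.is_file()
        }
        snap[gpo.name.upper()] = (gpo_version(gpo), files)
    return snap


def compare(reference, replica):
    """List (gpo, problem) pairs where the replica differs from the reference."""
    findings = []
    for guid, (ref_ver, ref_files) in reference.items():
        if guid not in replica:
            findings.append((guid, "missing on replica"))
            continue
        rep_ver, rep_files = replica[guid]
        if ref_ver != rep_ver:
            findings.append(
                (guid, f"GPT.INI version {rep_ver} on replica, {ref_ver} on reference"))
        changed = sorted(f for f in ref_files.keys() | rep_files.keys()
                         if ref_files.get(f) != rep_files.get(f))
        if changed:
            findings.append((guid, "files differ: " + ", ".join(changed)))
    for guid in sorted(replica.keys() - reference.keys()):
        findings.append((guid, "only on replica"))
    return findings


def demo():
    """Build two constructed Policies trees (dc1 newer than dc2) and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        dc1, dc2 = Path(tmp, "dc1"), Path(tmp, "dc2")
        for root, version in ((dc1, 5), (dc2, 4)):
            gpo = root / "{31B2F340-016D-11D2-945F-00C04FB984F9}"
            (gpo / "MACHINE").mkdir(parents=True)
            (gpo / "GPT.INI").write_bytes(b"[General]\r\nVersion=%d\r\n" % version)
            (gpo / "MACHINE" / "Registry.pol").write_bytes(b"PReg" + bytes([version]))
        extra = dc1 / "{6AC1786C-016D-11D2-945F-00C04FB984F9}"
        extra.mkdir()
        (extra / "GPT.INI").write_bytes(b"[General]\r\nVersion=1\r\n")
        return compare(snapshot(dc1), snapshot(dc2))


if __name__ == "__main__":
    for guid, problem in demo():
        print(guid, "-", problem)
```

In real use, `snapshot()` would be pointed at each DC's own Policies directory under its sysvol path instead of the temporary trees.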
Re: [Samba] Samba4 Secondary DC Replication Concerns
On 5/30/2013 10:37 AM, Marc Muehlfeld wrote:

Hello Paul,

On 30.05.2013 13:53, Paul Littlefield wrote:

If I have 2 x Samba4 AD DCs, a primary and secondary, am I correct in assuming that if I add a Windows Client to the DOMAIN it should eventually replicate to the secondary DC?

What exactly do you mean? Machine accounts?

Yes, every change you make to the domain is automatically replicated to the secondary, when you add a user, group, machine it gets replicated. I have a Samba AD DC which replicates to a W2K8 R2 and I can even select DCs and change whichever I want and changes are instantly replicated between DCs.

If you have multiple DCs in your domain, and the directory replication works ('samba-tool drs showrepl'), then every change made is transferred to each DC (accounts, directory ACLs, etc.)

Only the SysVol share replication is currently not implemented. You have to find a workaround (like doing it with rsync).

Regards, Marc
Re: [Samba] Samba 4 and Profile directory issues.
Hi,

On 5/30/2013 8:17 AM, Ricky Nance wrote:

Are you logged in as DOMAIN\Administrator to the windows machine?

My own dumb mistake, I created a remote desktop connection to that server and hadn't noticed I was logged in as a non admin user. Now home directories are created as they should be and profile directories are too, but with the .V2 extension. Is this the expected behavior? I read that this might happen if I had mixed Windows clients WXP, Win7 but I just have one client and it's a Win7 one.

Thanks for your advice, it really helped me.

Ricky

On Thu, May 30, 2013 at 12:16 AM, David González Herrera - [DGHVoIP] i...@dghvoip.com wrote:

On 5/28/2013 6:59 PM, Ricky Nance wrote:

Odd thing, your mail was from several days ago, but it just came through on my stuff today. Let's try a couple of things, try changing [users] to [homes] and also adding a line under global:

Done

template homedir = /home/%ACCOUNTNAME%

Done

Also, comment out the directory_mode line, restart samba and then try setting it in your active directory users and computers as \\10.10.10.5\homes\%USERNAME% and see if it works. Also can you double check after these changes that your windows user can still write to \\10.10.10.5\homes as well?

Done too but now, when I select a group of users and try to change their properties the Home and Profile fields to \\10.10.10.5\homes\%USERNAME% it returns Access is Denied (I haven't created any home directory) it usually created the directories automatically after the PAM changes and all of your suggestions it can't be done anymore, I'm sure it's due to some permission thing but I just can't figure it out myself.

Thanks for your help.

Thanks, Ricky

On Tue, May 28, 2013 at 6:43 PM, David González Herrera - [DGHVoIP] i...@dghvoip.com wrote:

Hi Ricky,

Thank you very much for your reply, I dropped my subscription to the list because no one seems to care about these questions in there, then I guess what's that list for if they won't answer or at least point people to a link that won't take 30secs, well anyways

On 5/28/2013 4:44 PM, Ricky Nance wrote:

First thing you should check is to see if winbind is setup properly (resolving names in Ubuntu as it should be) if not, have a look at https://wiki.samba.org/index.php/Samba4/Winbind#Using_libnss_winbind (section 2 is the important one, section 3 is if you need *nix to authenticate using samba).

Ok, did all of these steps and everything seems to work, except that I can't login to the *nix box (ubuntu Server 12.04) using the AD users but system users can, that's good :)

A quick test would be

mkdir /home/test
chown someADuser /home/test
ls -alhd /home/test

(replace someADuser with one of your AD users). If that is working as expected, then the user you are logged into windows with may not have permissions to write to your Users share, if both of those are good, paste your [users] section of your smb.conf and we will go from there.

This worked fine indeed,

root@samba:~# mkdir /home/test
chown dominic /home/test
ls -alhd /home/test
drwxr-xr-x 2 MUNDO\dominic root 4.0K May 29 01:34 /home/test

My smb.conf looks like this:

root@samba:~# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = MUNDO
realm = mundo.local
netbios name = SAMBA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
template shell = /bin/bash
# Debug logging information
log level = 4
log file= /var/log/samba.log
max log size= 50
debug timestamp = yes
bind interfaces only = yes
interfaces = eth1
wins support= yes
[users]
directory_mode: parameter = 0700
path= /home
comment = Users Home Share
read only = no
browsable = yes
[profiles]
path= /usr/local/samba/var/profiles
browseable = no
read only = no
writable= yes
store dos attributes = Yes
directory mask = 0700
create mask = 0600
printable = no
profile acls= yes
csc policy = disable
[netlogon]
Re: [Samba] Samba4 Secondary DC Replication Concerns
On 30/05/13 16:37, Marc Muehlfeld wrote:

What exactly do you mean? Machine accounts?

Yes, both Computer accounts...

$ samba-tool group listmembers "Domain Computers" |sort -f

...and user accounts...

$ samba-tool user list |sort -f

However, if I compare the Computers or Users list on both DCs they are not the same.

If you have multiple DCs in your domain, and the directory replication works ('samba-tool drs showrepl'), then every change made is transferred to each DC (accounts, directory ACLs, etc.)

Ah, I think that's where my setup is going wrong then. I have these errors:

Last attempt @ Thu May 30 17:18:56 2013 BST failed, result 2 (WERR_BADFILE)
2087 consecutive failure(s).
Last success @ Thu May 23 17:31:12 2013 BST
Warning: No NC replicated for Connection!
[2013/05/30 17:18:56, 0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]

Only the SysVol share replication is currently not implemented. You have to find a workaround (like doing it with rsync).

OK, well, I am not sure about that yet. Here is some info for you...

DC1: Gentoo 3.4.34-gentoo, x86_64, Samba 4.1.0pre1-GIT-8aae8b5
DC2: Ubuntu 3.8.0-19-generic, i686, Samba 4.1.0pre1-GIT-8aae8b5

/etc/resolv.conf on both DCs...

domain xyz.com
nameserver 192.168.0.208

kinit and klist all appear to work, as does DNS (but not DNS Replication, I know about this bug).

I just want to know if DC1 goes down, then I can rely on DC2 to let someone log in to their Windows PC :-)

Regards

-- Paul Littlefield
Telephone: 07801 125705
Email: i...@paully.co.uk
Web: www.paully.co.uk
Twitter: https://twitter.com/paullittlefield
Wiki: http://wiki.indie-it.com/index.php?title=Special:AllPages
Blog: http://www.littlefield.info
Photo: http://gravatar.com/plittlefield
LinkedIn: http://uk.linkedin.com/in/paullittlefield

Paul Littlefield is environmentally responsible. Please consider the environment before printing this email. This email and any attachment is intended for the named addressee only, or person authorised to receive it on their behalf. The content should be treated as confidential and the recipient may not disclose this message or any attachment to anyone else without authorisation. If this transmission is received in error please notify the sender immediately and delete this message from your email system. All electronic transmissions to and from me are recorded and may be monitored. Finally, the recipient should check this email and any attachments for viruses. Paul Littlefield accepts no liability for any damage caused by any virus transmitted by this email.

Notebook LENOVO ThinkPad Edge Intel(R) Core(TM) i3 CPU U 380 @ 1.33GHz
Portage 2.1.11.62 (default/linux/amd64/13.0/desktop, gcc-4.7.2, glibc-2.15-r3, 3.7.9-gentoo x86_64)
Gentoo Base System release 2.1
X.Org X Server 1.14.0
xfce-base/xfdesktop-4.10.2
x11-drivers/xf86-video-intel-2.21.6
Re: [Samba] Samba4 Secondary DC Replication Concerns
On 30/05/13 16:45, David González Herrera - [DGHVoIP] wrote:

Yes, every change you make to the domain is automatically replicated to the secondary, when you add a user, group, machine it gets replicated. I have a Samba AD DC which replicates to a W2K8 R2 and I can even select DCs and change whichever I want and changes are instantly replicated between DCs.

OK, that's what I thought it should do (which is what happens with DHCP and BIND secondary servers in our network).

So, I guess it's a Samba DC1 to Samba DC2 issue then?

I have read quite a bit on this. Like many others, I followed the instructions to the letter, kinit, provision, DNS check, CNAME addition, etc all appear to be fine. I am just worried that this Secondary DC is not replicating.

So, should I try an after hours fix?

* stop Samba
* git pull
* make, install
* restart Samba on both DCs.

How does that sound?

-- Paul Littlefield
Re: [Samba] Samba4 Secondary DC Replication Concerns
Hello Paul,

On 30.05.2013 18:23, Paul Littlefield wrote:

Ah, I think that's where my setup is going wrong then. I have these errors:

Last attempt @ Thu May 30 17:18:56 2013 BST failed, result 2 (WERR_BADFILE)
2087 consecutive failure(s).
Last success @ Thu May 23 17:31:12 2013 BST
Warning: No NC replicated for Connection!
[2013/05/30 17:18:56, 0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]

Did you follow the HowTo exactly when joining the second DC? https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

Maybe something was missing.

Regards, Marc
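The `samba-tool drs showrepl` output quoted in this thread and in the earlier "Replication fails" post can be checked mechanically. The following is an added example, not part of the original messages or of Samba's code: it parses the INBOUND NEIGHBORS section and reports naming contexts whose last attempt failed, with the gap since the last success. The sample text is constructed from the excerpts above; the second naming context, its GUID and all function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the excerpts quoted in the thread. The
# healthy second naming context and its GUID are made up for contrast.
SAMPLE = """\
INBOUND NEIGHBORS

DC=DomainDnsZones,DC=samba,DC=x,DC=y,DC=z
\tDefault-First-Site-Name\\SAMBA01 via RPC
\t\tDSA object GUID: 2eeb19c5-6844-4363-8b73-afa2b9a75001
\t\tLast attempt @ Mon May 20 03:00:41 2013 CEST failed, result 2 (WERR_BADFILE)
\t\t623 consecutive failure(s).
\t\tLast success @ Fri May 17 23:45:19 2013 CEST

DC=samba,DC=x,DC=y,DC=z
\tDefault-First-Site-Name\\SAMBA01 via RPC
\t\tDSA object GUID: 00000000-0000-0000-0000-000000000001
\t\tLast attempt @ Mon May 20 03:00:41 2013 CEST was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Mon May 20 03:00:41 2013 CEST

OUTBOUND NEIGHBORS

KCC CONNECTION OBJECTS

Connection --
\tConnection name: 76dc04cb-85e3-4d81-9b53-465166fd2f78
\tWarning: No NC replicated for Connection!
"""

SECTIONS = ("INBOUND NEIGHBORS", "OUTBOUND NEIGHBORS", "KCC CONNECTION OBJECTS")
ATTEMPT_RE = re.compile(
    r"Last attempt @ (.+?) (?:was successful|failed, result (\d+) \((\w+)\))")
FAILURES_RE = re.compile(r"(\d+) consecutive failure\(s\)")
SUCCESS_RE = re.compile(r"Last success @ (.+)")


def parse_time(stamp):
    """Parse 'Mon May 20 03:00:41 2013 CEST'; the zone name is ignored."""
    try:
        return datetime.strptime(" ".join(stamp.split()[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None  # e.g. a neighbour that has never replicated


def parse_inbound(text):
    """Return one dict per inbound (naming context, source DSA) pair."""
    neighbours, section, nc, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, cur = line, None
        elif section != "INBOUND NEIGHBORS" or not line:
            continue
        elif line.startswith(("DC=", "CN=")):
            nc = line
        elif line.endswith(" via RPC"):
            cur = {"nc": nc, "source": line[:-len(" via RPC")], "failures": 0,
                   "error": None, "last_attempt": None, "last_success": None}
            neighbours.append(cur)
        elif cur is not None:
            attempt = ATTEMPT_RE.search(line)
            failures = FAILURES_RE.search(line)
            success = SUCCESS_RE.search(line)
            if attempt:
                cur["last_attempt"] = parse_time(attempt.group(1))
                cur["error"] = attempt.group(3)  # None when the attempt succeeded
            elif failures:
                cur["failures"] = int(failures.group(1))
            elif success:
                cur["last_success"] = parse_time(success.group(1))
    return neighbours


def stale_hours(neighbour):
    """Hours between the last success and the last (failed) attempt."""
    if neighbour["last_attempt"] and neighbour["last_success"]:
        delta = neighbour["last_attempt"] - neighbour["last_success"]
        return delta.total_seconds() / 3600
    return None


def unhealthy(neighbours, max_failures=0):
    """Neighbours whose last attempt failed or that exceed the failure budget."""
    return [n for n in neighbours if n["error"] or n["failures"] > max_failures]


if __name__ == "__main__":
    for n in unhealthy(parse_inbound(SAMPLE)):
        print(f'{n["nc"]} from {n["source"]}: {n["error"]}, '
              f'{n["failures"]} failures, stale for {stale_hours(n):.1f} h')
```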
[Samba] Configuring New Replacement Server For Samba
Hi,

I am replacing my current RHEL 6 clustered samba server with new servers. The IP's and hostnames will be the same.

The samba version on the old config is: samba-3.5.10-115.el6_2.x86_64
The samba version on the new config is: samba-3.6.9-151.el6.x86_64

What do I need to do to copy the samba configuration to the new servers? Will I need to do a net join again, or will it just work because the IP's and hostnames are the same?

Thanks
Bob
[Samba] Issues with acl_xattr module
Hi all,

I'm new to this mailing list, I need some help with a problem I experience with my samba setup. I set up a fileserver on top of debian 6 with samba-3.6.6 on an XFS filesystem partition. I tried to use vfs acl_xattr for better windows compatibility and it seems to be generally working well, but I experience some strange behavior: I added two acls with different restrictions, one for a user and the other for a group the user is a member of, and it seems that the more restrictive permissions are evaluated.

To reproduce the problem I used a domain user that is a member of group1, and that group1 has read-write (modify) permissions on the file I want to write to. As soon as I apply another acl with read-only permission on the same file for the specified user, I can't write to the file anymore. The very strange thing is that when I apply a read only acl to the group and a read write acl to the user, I can write the file normally.

I don't know if this is some sort of misconfiguration on my part or a wrong filesystem permission on top of the share. I tried many variations including enabling and disabling the acl_xattr:ignore system acls option, but no change. Filesystem is XFS and comes with extended attributes enabled. The global smb.conf and the share definition follow. Any help will be appreciated.

Mitja Tavcar

[global]
workgroup = INTRA
realm = INTRA.COMUNE.TRENTO.IT
server string = File server applicazioni
security = ADS
log file = /var/log/samba/%m-%U.smbd
load printers = No
printcap name = /dev/null
disable spoolss = Yes
local master = No
domain master = No
registry shares = Yes
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config INTRA : range = 1-9
idmap config INTRA : backend = rid
idmap config * : range = 100-200
idmap config * : backend = tdb
hosts allow = 192.168.0.0/255.255.0.0, 10.2.0.0/255.255.0.0

[pippo$]
path = /smbmnt/disk_servizi/Servizi/pippo/
read only = no
browseable = No
store dos attributes = Yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = Yes
ea support = Yes
inherit acls = Yes
guest ok = no
available = yes
inherit permissions = yes
map acl inherit = yes
acl map full control = no
Re: [Samba] ktpass.sh error / How to generate a keytab for a new service (apache) with SAMBA4?
Hi,

had the same error trying to re-setup DNS keytab. In my setup kvno was indeed existing, not seen by ktpass.sh

The problem:

1) ldbsearch -k 1 does not work with ldap://localhost or ldap://IP, you *must* use hostname of the machine
2) ldbsearch (at least in my setup) does not exist where ktpass.sh is trying to find it, and ktpass.sh *does not complain about it*

Try passing: --path-to-ldbsearch directory_of_ldbsearch

Or alternatively, apply attached patch to your samba source tree (no recompile needed)

You can verify if you have this principal by: samba-tool spn list your user that should have this principal

2013.04.29 19:52, Tim Vangehugten wrote:

Hi,

I was trying to get a new keytab in samba4 for my apache service. So I tried the following command:

sh ktpass.sh --out /etc/apache.keytab --princ HTTP/myhost.samba.my.dom...@samba.my.DOMAIN --pass VerySecure123 --enc des-cbc-md5

I get the following error:

Unable to find kvno for principal HTTP/myhost.samba.my.dom...@samba.my.DOMAIN

Am I doing something wrong or shouldn't I be using ktpass.sh?

Best Regards
Tim Vangehugten

diff --git a/source4/scripting/bin/ktpass.sh b/source4/scripting/bin/ktpass.sh index e758eb3..b4583b1 100755 --- a/source4/scripting/bin/ktpass.sh +++ b/source4/scripting/bin/ktpass.sh 
@@ -54,10 +54,21 @@ if [ -z $enc ]; then enc=rc4-hmac fi if [ -z $path ]; then - path=`dirname $0`/../bin/ - if [ ! -f ${path}ldbsearch ]; then -path=`dirname $0`/../../bin/ - fi +path=`which ldbsearch 2/dev/null` +if [ -f $path ]; then + path=`dirname $path` +else + for d in $(dirname $0)/../bin $(dirname $0)/../../bin /opt/samba4 /usr/local/samba4 /usr/local /usr; do + [ ! -f $d/ldbsearch ] continue + path=$d + break; + done + if [ -z $path ]; then + echo Cannot figure out where do you have your ldbsearch + usage + fi +fi +path=$path/ fi if [ -z $outfile -o -z $princ -o -z $pass ]; then echo At least one mandatory parameter (--out, --princ, --pass) was not specified -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
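Review bot: the fallback list in the added `for d in ...` loop tests `$d/ldbsearch` directly under `/opt/samba4`, `/usr/local/samba4`, `/usr/local` and `/usr`, so a binary installed in a `bin` subdirectory of those prefixes is never found; list the `bin` directories themselves, as the two `$(dirname $0)/...` entries already do. As shown, `[ -f $path ]` is also unquoted: when `which` prints nothing the test has a single argument and succeeds, `dirname` is then called without an operand, the loop is skipped and `path=$path/` ends up as `/`; quoting it as `[ -f "$path" ]` avoids that. The hunk does not show whether `usage` exits; if it returns, execution continues to `path=$path/` after the "Cannot figure out" message, so an explicit exit there would be safer.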
Re: [Samba] Server 2012 Encrypted Shares
On Wed, Mar 06, 2013 at 01:28:39PM -0600, Cory Spence wrote:

In all my efforts, I can't seem to get this to work in the lab. Does Samba 4 support SMB 3.0 encrypted shares? This would include either where the Samba server is serving out an encrypted share as the file server or as a client connecting to a Server 2012 encrypted share.

Yes.
Re: [Samba] Samba 4 and Profile directory issues.
Yes, with all versions of windows after XP the .V2 will be appended to the usernames, if you have a mix of pre-XP and post-XP machines you will end up with 2 profiles per user.

Glad it's working for you,
Ricky

On Thu, May 30, 2013 at 10:52 AM, David González Herrera - [DGHVoIP] i...@dghvoip.com wrote:

Hi,

On 5/30/2013 8:17 AM, Ricky Nance wrote:

Are you logged in as DOMAIN\Administrator to the windows machine?

My own dumb mistakes, I created a remote desktop connection to that server and hadn't noticed I was logged in as a non admin user. Now home directories are created as they should and profile directories are too, but with the .V2 extension. Is this the expected behavior? I read that this might happen if I had mixed Windows clients WXP, Win7 but I just have one client and it's a Win7 one.

Thanks for your advice, it really helped me.

Ricky

On Thu, May 30, 2013 at 12:16 AM, David González Herrera - [DGHVoIP] i...@dghvoip.com wrote:

On 5/28/2013 6:59 PM, Ricky Nance wrote:

Odd thing, your mail was from several days ago, but it just came through on my stuff today. Let's try a couple of things, try changing [users] to [homes] and also adding a line under global:

Done

template homedir = /home/%ACCOUNTNAME%

Done

Also, comment out the directory_mode line, restart samba and then try setting it in your active directory users and computers as \\10.10.10.5\homes\%USERNAME% and see if it works. Also can you double check after these changes that your windows user can still write to \\10.10.10.5\homes as well?

Done too but now, when I select a group of users and try to change their properties the Home and Profile fields to \\10.10.10.5\homes\%USERNAME% it returns Access is Denied (I haven't created any home directory) it usually created the directories automatically after the PAM changes and all of your suggestions it can't be done anymore, I'm sure it's due to some permission thing but I just can't figure it out myself.

Thanks for your help.
Thanks,
Ricky

On Tue, May 28, 2013 at 6:43 PM, David González Herrera - [DGHVoIP] i...@dghvoip.com wrote:

Hi Ricky,

Thank you very much for your reply, I dropped my subscription to the list because no one seems to care about these questions in there, then I guess what's that list for if they won't answer or at least point people to a link that won't take 30secs, well anyways

On 5/28/2013 4:44 PM, Ricky Nance wrote:

First thing you should check is to see if winbind is set up properly (resolving names in Ubuntu as it should be) if not, have a look at https://wiki.samba.org/index.php/Samba4/Winbind#Using_libnss_winbind (section 2 is the important one, section 3 is if you need *nix to authenticate using samba).

Ok, did all of these steps and everything seems to work, except that I can't login to the *nix box (Ubuntu Server 12.04) using the AD users but system users can, that's good :)

A quick test would be

mkdir /home/test
chown someADuser /home/test
ls -alhd /home/test

(replace someADuser with one of your AD users). If that is working as expected, then the user you are logged into windows with may not have permissions to write to your Users share, if both of those are good, paste your [users] section of your smb.conf and we will go from there.
This worked fine indeed,

root@samba:~# mkdir /home/test
chown dominic /home/test
ls -alhd /home/test
drwxr-xr-x 2 MUNDO\dominic root 4.0K May 29 01:34 /home/test

My smb.conf looks like this:

root@samba:~# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
    workgroup = MUNDO
    realm = mundo.local
    netbios name = SAMBA
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    template shell = /bin/bash
    # Debug logging information
    log level = 4
    log file= /var/log/samba.log
    max log size= 50
    debug timestamp = yes
    bind interfaces only = yes
    interfaces = eth1
    wins support= yes

[users]
    directory_mode: parameter = 0700
    path= /home
    comment = Users Home Share
    read only = no
    browsable = yes

[profiles]
    path= /usr/local/samba/var/profiles
    browseable = no
    read only = no
    writable= yes
    store dos attributes = Yes
    directory mask = 0700
    create mask = 0600
    printable = no
    profile acls= yes
    csc policy = disable

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/mundo.local/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Thanks again.

Ricky

On Mon, May 20, 2013 at 7:50 PM, David
Re: [Samba] Samba4 Secondary DC Replication Concerns
Comments below

Sent from my iPhone

On May 30, 2013, at 11:30, Paul Littlefield i...@paully.co.uk wrote:

On 30/05/13 16:45, David González Herrera - [DGHVoIP] wrote:

Yes, every change you make to the domain is automatically replicated to the secondary, when you add a user, group, machine it gets replicated. I have a Samba AD DC which replicates to a W2K8 R2 and I can even select DCs and change whichever I want and changes are instantly replicated between DCs.

OK, that's what I thought it should do (which is what happens with DHCP and BIND secondary servers in our network). So, I guess it's a Samba DC1 to Samba DC2 issue then? I have read quite a bit on this. Like many others, I followed the instructions to the letter, kinit, provision, DNS check, CNAME addition, etc all appear to be fine. I am just worried that this Secondary DC is not replicating.

I'm no expert nor a developer, just a suggestion. Do you see any WERR_OK when you start samba like -M single -d4. That's what I see on my logs when changes are made on any DC.

So, should I try an after hours fix it?

* stop Samba
* git pull Make clean ./configure.developer
* make, install
* restart Samba on both DCs.

How does that sound?

IF IT'S not a production system try re provision and set replication again.

Cheers

-- Paul Littlefield
Telephone: 07801 125705
Email: i...@paully.co.uk
Web: www.paully.co.uk
Twitter: https://twitter.com/paullittlefield
Wiki: http://wiki.indie-it.com/index.php?title=Special:AllPages
Blog: http://www.littlefield.info
Photo: http://gravatar.com/plittlefield
LinkedIn: http://uk.linkedin.com/in/paullittlefield

Paul Littlefield is environmentally responsible. Please consider the environment before printing this email. This email and any attachment is intended for the named addressee only, or person authorised to receive it on their behalf. The content should be treated as confidential and the recipient may not disclose this message or any attachment to anyone else without authorisation. If this transmission is received in error please notify the sender immediately and delete this message from your email system. All electronic transmissions to and from me are recorded and may be monitored. Finally, the recipient should check this email and any attachments for viruses. Paul Littlefield accepts no liability for any damage caused by any virus transmitted by this email.

Notebook LENOVO ThinkPad Edge
Intel(R) Core(TM) i3 CPU U 380 @ 1.33GHz
Portage 2.1.11.62 (default/linux/amd64/13.0/desktop, gcc-4.7.2, glibc-2.15-r3, 3.7.9-gentoo x86_64)
Gentoo Base System release 2.1
X.Org X Server 1.14.0
xfce-base/xfdesktop-4.10.2
x11-drivers/xf86-video-intel-2.21.6
Re: [Samba] Looking for compiled version 1.9 of Samba - revised
What do you mean bridge? Are you trying to make files accessible to windows users? It looks like GCC binaries are available for SCO, although maybe not your version.

http://gcc.gnu.org/install/binaries.html
ftp://ftp2.sco.com/pub/skunkware/odt3/CD-ROM/bin/

On 05/29/13 19:52, Paul Davis wrote:

Much thanks to all respondents. Since 1.9 is a very old version, I have the source code but am looking (close to begging) for someone who has a compiler to create an executable for me. I would be glad to send along the source, if you could compile and return an executable. This is the better request than to ask someone for their compiler.

Thank you

Paul Davis
Sr. Business Development Manager
CONNX Solutions - www.connx.com <http://www.connx.com/>
Direct - (425) 519-6670
Mobile - (425) 269-3956
Toll free - (888) 882-6669 x6670

From: Paul Davis
Sent: Thursday, May 23, 2013 3:48 PM
To: 'samba@lists.samba.org'
Subject: Looking for compiled version 1.9 of Samba

I am trying to assist a client who needs a compiled version of Samba 1.9 for his SCO ODT 3.2 v4.2 environment. We are trying to connect an old version of DataFlex on SCO and need the bridge. Anybody have an old compiled version?

Thanks

Paul Davis
Sr. Business Development Manager
CONNX Solutions - www.connx.com <http://www.connx.com/>
Direct - (425) 519-6670
Mobile - (425) 269-3956
Re: [Samba] Samba4 Secondary DC Replication Concerns
Hey there Paul,

Following up on my previous message I'm assuming that if you'll follow my advice of re-provisioning Samba, remember to *always* backup either using /usr/local/samba_backup script or making a tar out of your tdb files, because provisioning it again is a destructive non-recoverable procedure.

As I said if it's not a production system try re provisioning, but always as a rule of thumb have a backup handy just in case things go south.

Cheers.

On 5/30/2013 1:25 PM, David González - [DGHVOIP] wrote:

Comments below

Sent from my iPhone

On May 30, 2013, at 11:30, Paul Littlefield i...@paully.co.uk wrote:

On 30/05/13 16:45, David González Herrera - [DGHVoIP] wrote:

Yes, every change you make to the domain is automatically replicated to the secondary, when you add a user, group, machine it gets replicated. I have a Samba AD DC which replicates to a W2K8 R2 and I can even select DCs and change whichever I want and changes are instantly replicated between DCs.

OK, that's what I thought it should do (which is what happens with DHCP and BIND secondary servers in our network). So, I guess it's a Samba DC1 to Samba DC2 issue then? I have read quite a bit on this. Like many others, I followed the instructions to the letter, kinit, provision, DNS check, CNAME addition, etc all appear to be fine. I am just worried that this Secondary DC is not replicating.

I'm no expert nor a developer, just a suggestion. Do you see any WERR_OK when you start samba like -M single -d4. That's what I see on my logs when changes are made on any DC.

So, should I try an after hours fix it?

* stop Samba
* git pull Make clean ./configure.developer
* make, install
* restart Samba on both DCs.

How does that sound?

IF IT'S not a production system try re provision and set replication again.
Cheers

-- Paul Littlefield
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 553d63f s4-dns: set TTL value in the NS server part of the SOA record from 09aaa99 build-htmlman-nogit: Run build-htmlman-nogit with bash. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 553d63f0ead74ea101b2169bdad4af80caa16e2b Author: Guenter Kukkukk ku...@samba.org Date: Thu May 30 02:19:32 2013 +0200 s4-dns: set TTL value in the NS server part of the SOA record noticed this when using samba-tool to create a new zone Signed-off-by: Guenter Kukkukk ku...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Amitay Isaacs ami...@gmail.com Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Thu May 30 09:41:20 CEST 2013 on sn-devel-104 --- Summary of changes: source4/rpc_server/dnsserver/dnsdb.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/rpc_server/dnsserver/dnsdb.c b/source4/rpc_server/dnsserver/dnsdb.c index 91e9aa8..8cdeae4 100644 --- a/source4/rpc_server/dnsserver/dnsdb.c +++ b/source4/rpc_server/dnsserver/dnsdb.c @@ -934,6 +934,7 @@ WERROR dnsserver_db_create_zone(struct ldb_context *samdb, dns_rec[1].wType = DNS_TYPE_NS; dns_rec[1].rank = DNS_RANK_ZONE; dns_rec[1].dwSerial = soa.serial; + dns_rec[1].dwTtlSeconds = 3600; dns_rec[1].dwTimeStamp = (uint32_t)t; dns_rec[1].data.ns = server_fqdn; -- Samba Shared Repository
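Review bot: The added line `dns_rec[1].dwTtlSeconds = 3600;` hard-codes the NS record TTL as a bare literal inside dnsserver_db_create_zone. If the SOA record built next to it carries the same TTL, take both from one named constant or from the SOA data, the way `dns_rec[1].dwSerial` is already taken from `soa.serial`, so the two values cannot drift apart. A short comment on where 3600 comes from would also help, since the commit message only says the field was found unset when creating a zone with samba-tool.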