Re: [Samba] Logon scripts, home directories, and Samba4 AD
This could do the job:

Identify the home share on your samba3 fileserver (certain it is member of your samba4 domain?!) as dfs root. Ex:

    msdfs root = yes

On samba4 ads:

    [home]
    msdfs proxy = \your-samba3-server\homes
    read only = No

With rsat point to \your-samba3-server\homes

Good luck

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Lee Allen
Sent: Wednesday, 3 July 2013 00:20
To: samba@lists.samba.org; samba-techni...@lists.samba.org
Subject: [Samba] Logon scripts, home directories, and Samba4 AD

I apologize if this appears twice: I posted it several hours ago and it has not appeared on the list, so I am tweaking the email address and trying again.

I have two separate (virtual) servers: one running Samba4 functioning as an AD controller, and one running Samba 3.6.1 functioning as a file print server. On the Samba3 side I am using security=ads and winbind and authenticating against the Samba4 ADC. Everything is working great.

Where things get a little messy is with the [homes] shares. Here is what I am doing now:

My Samba3 smb.conf has a typical [homes] section. I create a subdirectory for each user, and set ownership permissions.

I create a logon script on the Samba4 system -- one for each user, because the username is embedded in it:

    net use H: \\samba3\username

And then I use RSAT to set the logon script to the correct value for each user.

It's just a lot of steps that need to be performed (perfectly) for each user. Is there a better way?

I see RSAT allows me to specify a Home folder. Could this be a folder on the Samba3 server -- ie, \\samba3\username ? (I tried that and it did not work)

I can imagine some scripts that would create the logon script on the Samba4 system, and create the necessary directories on the Samba3 system. I could probably manage that, but I hate to re-invent the wheel -- If there is a clean, orthodox way to do this, I would like to know what it is.

Thank you.

Lee Allen

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Logon scripts, home directories, and Samba4 AD
Hi,

Even easier: specify \\your-samba3-server\%USERNAME% as the home folder setting under ADUC for all the users you want (you can even select them and set this once). If you also specify home drive H:, it will get mounted at that drive letter.

Regards

Geza Gemes
Re: [Samba] [PATCH] Do not close winbind socket during use
On Thu, 2013-06-27 at 11:42 +1000, Andrew Bartlett wrote:
On Wed, 2013-06-26 at 20:39 +1000, Andrew Bartlett wrote:
On Mon, 2013-06-24 at 15:26 +, philippe.simo...@swisscom.com wrote:

Hi Andrew, and by putting more num-callers :

    valgrind --num-callers=50 samba -i -M single

Thanks for getting me that. I've managed to reproduce it here, but not under valgrind, and only when I hack the code to force a timeout. At least this should help me figure out why we process the winbind socket close, which is the crux of this issue.

I think I've found the cause of the issue you are hitting. There is still another issue with the nested event loop in the krb5 libs, but these two patches should help significantly. As you have had more luck than I in reproducing this in an unaltered setting, please let me know if this helps. Patches are for git master, but may apply to 4.0 as well.

G'Day,

The original reporter has confirmed to me that this removes the segfault for him. It changes it to a 105 sec hang, (due to the winbind client trying for 5 seconds at a time many times).

Can I get a review on it so we can rid master and eventually 4.0 of this nasty crash?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

From df7c099be9366b0439f12d0924bd2192ad4888bd Mon Sep 17 00:00:00 2001 From: Andrew Bartlett abart...@samba.org Date: Thu, 27 Jun 2013 11:27:03 +1000 Subject: [PATCH 1/2] service_stream: Log if the connection termination is deferred or not --- source4/smbd/service_stream.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c index 22c4c04..74bb477 100644 --- a/source4/smbd/service_stream.c +++ b/source4/smbd/service_stream.c
@@ -60,7 +60,11 @@ void stream_terminate_connection(struct stream_connection *srv_conn, const char if (!reason) reason = unknown reason; - DEBUG(3,(Terminating connection - '%s'\n, reason)); + if (srv_conn-processing) { + DEBUG(3,(Terminating connection deferred - '%s'\n, reason)); + } else { + DEBUG(3,(Terminating connection - '%s'\n, reason)); + } srv_conn-terminate = reason; -- 1.7.11.7 From 0daf694bce47710a62f7e38aa2830bc1b40f3dfc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett abart...@samba.org Date: Thu, 27 Jun 2013 11:28:03 +1000 Subject: [PATCH 2/2] s4-winbindd: Do not terminate a connection that is still pending Instead, wait until the call attempts to reply, and let it terminate then (often this happens in the attempt to then write to the broken pipe). Andrew Bartlett --- source4/winbind/wb_samba3_protocol.c | 5 + source4/winbind/wb_server.c | 14 +- source4/winbind/wb_server.h | 5 - 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/source4/winbind/wb_samba3_protocol.c b/source4/winbind/wb_samba3_protocol.c index 2846e9c..1b78c99 100644 --- a/source4/winbind/wb_samba3_protocol.c +++ b/source4/winbind/wb_samba3_protocol.c @@ -297,6 +297,8 @@ NTSTATUS wbsrv_samba3_send_reply(struct wbsrv_samba3_call *call) struct tevent_req *subreq; NTSTATUS status; + call-wbconn-pending_calls--; + status = wbsrv_samba3_push_reply(call); NT_STATUS_NOT_OK_RETURN(status); @@ -355,9 +357,12 @@ NTSTATUS wbsrv_samba3_process(struct wbsrv_samba3_call *call) return status; } + call-wbconn-pending_calls++; + status = wbsrv_samba3_handle_call(call); if (!NT_STATUS_IS_OK(status)) { + call-wbconn-pending_calls--; talloc_free(call); return status; } diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c index 983f9f5..fb67d23 100644 --- a/source4/winbind/wb_server.c +++ b/source4/winbind/wb_server.c 
@@ -31,7 +31,14 @@ void wbsrv_terminate_connection(struct wbsrv_connection *wbconn, const char *reason) { - stream_terminate_connection(wbconn-conn, reason); + if (wbconn-pending_calls == 0) { + char *full_reason = talloc_asprintf(wbconn, wbsrv: %s, reason); + stream_terminate_connection(wbconn-conn, full_reason ? full_reason : reason); + } else { + DEBUG(3,(wbsrv: terminating connection due to '%s' defered due to %d pending calls\n, + reason, wbconn-pending_calls)); + wbconn-terminate = reason; + } } static void wbsrv_call_loop(struct tevent_req *subreq) @@ -41,6 +48,11 @@ static void wbsrv_call_loop(struct tevent_req *subreq) struct wbsrv_samba3_call *call; NTSTATUS status; + if (wbsrv_conn-terminate) { + wbsrv_terminate_connection(wbsrv_conn, wbsrv_conn-terminate); + return; + } + call = talloc_zero(wbsrv_conn, struct wbsrv_samba3_call); if (call == NULL) { wbsrv_terminate_connection(wbsrv_conn, wbsrv_call_loop: diff --git a/source4/winbind/wb_server.h b/source4/winbind/wb_server.h index 9b03004..941af68 100644 --- a/source4/winbind/wb_server.h +++ b/source4/winbind/wb_server.h @@ -94,9 +94,12 @@ struct
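Review bot: In patch 1/2, source4/smbd/service_stream.c, the two DEBUG(3, ...) calls in stream_terminate_connection() differ only by the word "deferred", so the format string is now duplicated and the two copies can drift apart. A single DEBUG call that selects " deferred" or "" from the connection's processing flag would keep one message to maintain. The commit also has only a subject line; one sentence saying this is a diagnostics-only change in support of patch 2/2 would help whoever backports it to 4.0.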
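Review bot: In patch 2/2, source4/winbind/wb_samba3_protocol.c, pending_calls is decremented only in wbsrv_samba3_send_reply() and on the immediate failure return in wbsrv_samba3_process(), so any other path that frees a call without replying leaves the counter above zero and the deferred termination can then never fire. Tying the decrement to the call's lifetime, for example a talloc destructor installed where the counter is incremented, would keep the count correct on every path. The decrement in send_reply also happens before wbsrv_samba3_push_reply(), and nothing there acts on the stored terminate reason when the count reaches zero; a comment stating that the teardown is expected to happen on the next pass through wbsrv_call_loop() would make that intent reviewable.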
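Review bot: In patch 2/2, source4/winbind/wb_server.c, the deferred branch of wbsrv_terminate_connection() stores the caller's reason pointer in the connection's terminate field without copying it, and wbsrv_call_loop() reads it later; nothing in the hunk guarantees the string outlives the caller. Storing talloc_strdup(wbconn, reason), with a string-literal fallback on allocation failure, would remove that lifetime dependency. The DEBUG text in the same branch spells the word "defered" while patch 1/2 logs "deferred", so a grep for one spelling misses the other message.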
[Samba] Samba 4 Red Hat 6 And classicupgrade errors
Hi,

I upgrade on a new server samba3 to samba4 with a LDAP Backend. I have followed this HowTO http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO until the classicupgrade step.

Here are the errors I get:

/usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/samba3/tdbfiles --use-xattrs=yes --realm=bceao.int /root/samba3/tdbfiles/smb.conf
Reading smb.conf
WARNING: The idmap backend option is deprecated
WARNING: The idmap uid option is deprecated
WARNING: The idmap gid option is deprecated
Provisioning
Exporting account policy
Exporting groups
Ignoring group 'Administrateurs' S-1-5-32-544 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs de compte' S-1-5-32-548 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs impression' S-1-5-32-550 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs de sauvegarde' S-1-5-32-551 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Replicateurs' S-1-5-32-552 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Invites' S-1-5-32-546 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs de serveur' S-1-5-32-549 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Utilisateurs' S-1-5-32-545 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Exporting users
sid S-1-5-21-3933610348-2251462730-2069165054-1000 does not belong to our domain
Demoting BDC account trust for z00-dc3, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Skipping wellknown rid=500 (for username=pdc_admin)
Skipping wellknown rid=501 (for username=nobody)
Ignoring group memberships of 'toto' S-1-5-21-1770481708-1631662840-68360779-30866: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Ignoring group memberships of 'etoto' S-1-5-21-1770481708-1631662840-68360779-66424: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Demoting BDC account trust for z00-dc02, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Next rid = 66425
Following sids are both user and group sids:
S-1-5-21-1770481708-1631662840-68360779-3221
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: Please remove duplicate sid entries before upgrade.
File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
return self.run(*args, **kwargs)
File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 778, in upgrade_from_samba3
raise ProvisioningError(Please remove duplicate sid entries before upgrade.)

I create a link to all files which are in the same directory as the secret.tdb file. But this didn't solve the problem.

Please, could anyone help me. I have this error since one week and could not figure it out. I need help.

Mrs. GUEI NOEE MELAINE
BP 3108 DAKAR SENEGAL
IT DEPARTMENT
Re: [Samba] Logon scripts, home directories, and Samba4 AD
Thank you, that works great, and it eliminates the need to create logon scripts for each user. That's a big improvement.

ADUC complains it cannot create the folder. Not surprising, because the specified folder \\samba3\username does not really exist -- it's a [homes] share, the true pathname is \\samba3\nas\homes\username. So I still need to create the directory in the samba3 system, and set permissions appropriately.

Is there a way around this? The only solution I can see is to write a script that will create the necessary directories when a user is created. But that wouldn't be simple, because it's on a different server -- the user is created on the samba4 ADC and the shares are on the samba3 fileserver.

--
Lee Allen
email: l...@leecallen.com
bus: (716) 773-2729
home: (716) 773-2326
cell: (716) 880-0854
fax: (716) 408-8844
Re: [Samba] Samba Domain Rename
Hi Ricky,

Thanks for sharing your opinion.

@samba Technical – can you please give me a final Yes or No on this, because no one knows more than you guys.

Thanks,
Sandeep

From: Ricky Nance [mailto:ricky.na...@gmail.com]
Sent: 02 July 2013 20:37
To: Sandeep Kumar
Cc: Frostyfrog; Michael Wood; Samba Technical; samba@lists.samba.org
Subject: Re: [Samba] Samba Domain Rename

Like Michael said, samba 4 as an AD DC would probably not be happy if you just change the 'workgroup = ' line in your smb.conf (as a matter of fact, that line shouldn't exist in an AD DC setup in my opinion). The domain is more than likely embedded very deep inside of the LDB's, and I would strongly recommend against changing those, however, with sufficient backups and lots of luck you might be successful in changing it (look into ldbsearch and ldbedit if you are really REALLY brave). I think even changing every instance in the LDB's however will still not work, as during provision the machine joins itself to the domain (yes it joins itself to itself if I recall right). I would try to avoid this at all costs, but if you must do it, starting over may be your best option.

Just my thoughts,
Ricky

--
www.arborfs.com
Re: [Samba] Win8 account sees its home share, but does not have permissions to access
So what is the output of `ls -alhZ /home | grep mark` ?

Ricky
Re: [Samba] Logon scripts, home directories, and Samba4 AD
So you authenticate against the samba4 ads with your samba3, is this true? Then you can do a root preexec and run a script on your samba3 server every time the users connect to [homes]. Ex:

    [homes]
    root preexec = /path-to-script/./user-home-dir %U

Your script user-home-dir (where $1 is the login of the user):

    #!/bin/bash
    # $1 is the login name Samba passes in via %U
    # if the directory already exists
    if test -d "/path-to/your-users-home-dirs/$1"
    then
        # note in a log file that the directory is already there
        echo "$1 Directory already up and running" >> /system/log/eanm.log
    else
        mkdir "/path-to/your-users-home-dirs/$1"
        chmod -R 700 "/path-to/your-users-home-dirs/$1"
        # quoted because the group name contains a space
        chown -R "$1:Domain Users" "/path-to/your-users-home-dirs/$1"
        echo "/path-to/your-users-home-dirs/$1 created" >> /system/log/anm.log
    fi

Greetings
Daniel

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
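A hardened variant of the root preexec script from this thread, added here as an example and not code from any of the posters: the hook runs as root on a name supplied at connect time, so it validates the login before using it in a path, refuses symlinks, and creates the directory with mode 700 in a single step. The HOMES_* variable names and the return codes are assumptions of this example, the paths and log file are the thread's placeholders, and it assumes %U arrives as a bare login without a DOMAIN\ prefix.

```shell
#!/bin/bash
# Added example: home-directory creation for a [homes] "root preexec" hook.
# Return codes (assumed by this example): 0 ok, 1 bad login name,
# 2 target is a symlink, 3 mkdir/chown failed.

LC_ALL=C; export LC_ALL                      # make the [A-Za-z] ranges byte-exact

HOMES_BASE="${HOMES_BASE:-/path-to/your-users-home-dirs}"   # placeholder from the thread
HOMES_GROUP="${HOMES_GROUP:-Domain Users}"
HOMES_LOG="${HOMES_LOG:-/system/log/anm.log}"               # placeholder from the thread
HOMES_CHOWN="${HOMES_CHOWN:-1}"              # 0 skips chown (dry runs, unprivileged tests)

log_msg() {
    # A logging failure must never decide whether the user gets connected.
    { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$HOMES_LOG"; } 2>/dev/null || true
}

valid_login() {
    case "$1" in
        ''|.|..|-*) return 1 ;;              # empty, dot entries, option-like names
        *[!A-Za-z0-9._-]*) return 1 ;;       # slash, backslash, spaces, shell metacharacters
    esac
    [ "${#1}" -le 64 ]
}

provision_home() {
    local user="$1" target

    if ! valid_login "$user"; then
        # Log only the length: the raw value is untrusted and could forge log lines.
        log_msg "rejected login name (${#user} chars)"
        return 1
    fi

    target="$HOMES_BASE/$user"

    # Test for a symlink first: "test -d" follows links and would accept
    # a link that points outside the homes tree.
    if [ -L "$target" ]; then
        log_msg "refusing $target: is a symlink"
        return 2
    fi

    # Existing directory: leave ownership and mode alone (no recursive chmod/chown
    # on every connect).
    if [ -d "$target" ]; then
        return 0
    fi

    # No -p: the base must already exist, and mkdir fails if anything is in the way.
    # -m 700 sets the final mode at creation, so there is no window with wider access.
    if ! mkdir -m 700 -- "$target"; then
        log_msg "mkdir failed for $target"
        return 3
    fi

    if [ "$HOMES_CHOWN" = 1 ] && ! chown -h -- "$user:$HOMES_GROUP" "$target"; then
        rmdir -- "$target"                   # do not leave a root-owned home behind
        log_msg "chown failed for $target, directory removed"
        return 3
    fi

    log_msg "$target created"
    return 0
}

# Called by Samba as: root preexec = /path-to-script/user-home-dir %U
if [ "$#" -gt 0 ]; then
    provision_home "$1"
    exit $?
fi
```

With `root preexec close = yes` in the [homes] section, a non-zero exit from the script makes Samba refuse the connection instead of continuing without a home directory.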
Re: [Samba] Logon scripts, home directories, and Samba4 AD
Daniel, that's perfect -- the 'root preexec' is exactly what I need. Thank you.
[Samba] Migration from 3.5.6-27 to 3.6.16-31
Hello,

I have a debian etch with (samba 3.5.6-27,) shares and windows 7 in the domain. This works ok. Since I installed the new version 3.6.16-31 I can not login with domain users in my windows client and the shares are inaccessible.

I solved the problem with the login, removing the following line in my smb.conf:

*ldapsam:trusted = yes*

but why this line works with the version 3.5.6-27 and not works with the 3.6.16-31? Anyone can help me with this?

Thanks

*My sernet packages:*

dpkg -l | grep sernet
ii  sernet-cifs-mount       3.5.6-27    mount helper for the cifs vfs (mostly for ke
ii  sernet-ldb-tools        3.5.6-27    SerNet Samba ldb tools
ii  sernet-libpam-smbpass   3.6.16-31   pluggable authentication module for SMB pass
ii  sernet-libsmbclient0    3.6.16-31   shared library that allows applications to t
ii  sernet-libwbclient0     3.6.16-31   client library for interfacing with winbind
ii  sernet-samba            3.6.16-31   a LanManager-like file and printer server fo
ii  sernet-samba-common     3.6.16-31   Samba common files used by both the server a
ii  sernet-smbclient        3.6.16-31   a LanManager-like simple client for Unix
ii  sernet-winbind          3.6.16-31   service to resolve user and group informatio

*My smb.conf:*

...
workgroup = BPEREIRA114
netbios name = Test
server string = %h-PDC
interfaces = lo, eth0
bind interfaces only = yes
passdb backend = ldapsam:ldap://127.0.0.1/
encrypt passwords = yes
unix password sync = yes
;;
log file = /var/log/samba/%m.log
log level = 0
max log size = 10
syslog = 4
syslog only = yes
;enable privileges = yes
;;
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = yes
os level = 80
preferred master = yes
domain master = yes
...
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap ssl = no
ldap passwd sync = yes
*ldapsam:trusted = yes*
load printers = yes
printing = bsd
dos charset = 850
unix charset = iso8859-15
logon path =
logon home =
logon drive =
include = /etc/samba/smb-print.conf

[share1]
vfs object = recycle:recycle
recycle:exclude = *.tmp *.temp *.o *.obj ~$*
recycle:keeptree = True
recycle:touch = True
recycle:versions = True
recycle:noversions = .doc|.xls|.ppt
recycle:repository = .Recycle Bin
recycle:maxsize = 0
comment =
path = /temp/share1]
public = no
browseable = yes
readonly = yes
admin users =
valid users = @Domain Admins, @Domain Users
write list = @Domain Admins, @Domain Users
create mask = 0770
force create mode = 0770
force security mode = 0770
directory mask = 0770

--
Bruno Pereira
/IPBrick ID Dpt/ http://www.ipbrick.com/
IPBRICK International
Rua Passos Manuel, 66/76
4000-381 Porto Portugal
TEL: +351 221 207 100 FAX: +351 225 189 722
UCoIP: bpere...@ipbrick.com
Re: [Samba] Win8 account sees its home share, but does not have permissions to access
This being a Red Hat derivative, is selinux configured to allow this?

On 07/02/2013 2:54 PM, Mark Galeck wrote:

Fedora release 17 (Beefy Miracle)

On Tue, Jul 2, 2013 at 12:16 PM, Ricky Nance ricky.na...@gmail.com wrote:

Mark, which distro are you running?

On Tue, Jul 2, 2013 at 2:00 PM, Mark Galeck m...@xpliant.com wrote:

Can you log into the linux machine with the user mark and write files to /home/mark without issue?

Certainly. I don't know Samba, but I do know Unix/Linux and as far as I can tell, everything on Linux is working fine, as well as on the Windows 8 side.

What is the output of smbclient //localhost/homes -Umark -d5 (then at a smb:\ do ls) ??

Command not found - I can't execute this on Linux. I use /bin/systemctl status smb.service to get status

On Tue, Jul 2, 2013 at 11:52 AM, Ricky Nance ricky.na...@gmail.com wrote:

Can you log into the linux machine with the user mark and write files to /home/mark without issue? What is the output of smbclient //localhost/homes -Umark -d5 (then at a smb:\ do ls). Just a couple of things I would look at\try.

Ricky
Re: [Samba] file server or member server?
On Tue, 2013-07-02 at 09:28 +0200, steve wrote:

[SNIP]

Do I have this?
1. is a domain controller and a file server.
2. is a member server and a file server.

Yes, that is what you have.

Another question, why do you say: '...its a domain server (or domain controller).' Which _is_ it? If it's the same thing then why does it have two names?

It's English, every word has multiple meanings and the same thing can be described with multiple words. It is what makes English one of the most expressive languages there is.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
[Samba] Messed up SIDs: How to change machine SID?
Dear Samba Gurus,

I got the following errors:

tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?

I guess the reason might be this:

net getdomainsid
SID for local machine M1 is:S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is:S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

Shouldn't the SIDs be the same except the last digits???

Cheers,
Marcus
Re: [Samba] Messed up SIDs: How to change machine SID?
I have an LDAP backend. In LDAP, the machine accounts for my windows and linux clients so show the same base SID as the domain SID (i.e. all but the last digits.) However I also have the mismatch with net getdomainsid - which definitely explains why they don't behave as I would expect.

You may want to try fixing this with net setlocalsid. I guess when you join a unix or linux member server to the domain the localsid is not updated.

Re the BUILTIN groups you may want to explicitly map these to unix groups rather than relying on winbind to do it, e.g. I created unix groups

#getent group
Builtin Admins::544:
Builtin Users::545:
Builtin Guests::546:

Then mapped the well-known built-in Windows groups to the unix groups

#net groupmap add ntgroup=Administrators unixgroup=544 sid=S-1-5-32-544 type=builtin
#net groupmap add ntgroup=Users unixgroup=545 sid=S-1-5-32-545 type=builtin
#net groupmap add ntgroup=Guests unixgroup=546 sid=S-1-5-32-546 type=builtin

# net groupmap list | grep -i builtin
Administrators (S-1-5-32-544) - Builtin Admins
Users (S-1-5-32-545) - Builtin Users
Guests (S-1-5-32-546) - Builtin Guests

The linux samba member servers I use mostly for IT use anyway so I never shook out all the bugs.

On 07/03/13 11:49, Marcus Mundt wrote:

Dear Samba Gurus,

I got the following errors:

tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
  name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?

I guess the reason might be this:

net getdomainsid
SID for local machine M1 is:S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is:S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

Shouldn't the SIDs be the same except the last digits???

Cheers,
Marcus
Re: [Samba] Win8 account sees its home share, but does not have permissions to access
[root@v64-sw-dev003-mark /]# ls -alhZ /home | grep mark
drwx--. mark mark unconfined_u:object_r:user_home_dir_t:s0 mark

On Wed, Jul 3, 2013 at 6:26 AM, Ricky Nance ricky.na...@gmail.com wrote:

So what is the output of `ls -alhZ /home | grep mark` ?

Ricky
Re: [Samba] Win8 account sees its home share, but does not have permissions to access
how do I check this?

On Wed, Jul 3, 2013 at 7:18 AM, Dale Schroeder d...@briannassaladdressing.com wrote:

This being a Red Hat derivative, is selinux configured to allow this?

On 07/02/2013 2:54 PM, Mark Galeck wrote:

Fedora release 17 (Beefy Miracle)

On Tue, Jul 2, 2013 at 12:16 PM, Ricky Nance ricky.na...@gmail.com wrote:

Mark, which distro are you running?

On Tue, Jul 2, 2013 at 2:00 PM, Mark Galeck m...@xpliant.com wrote:

Can you log into the linux machine with the user mark and write files to /home/mark without issue?

Certainly. I don't know Samba, but I do know Unix/Linux and as far as I can tell, everything on Linux is working fine, as well as on the Windows 8 side.

What is the output of smbclient //localhost/homes -Umark -d5 (then at a smb:\ do ls) ??

Command not found - I can't execute this on Linux. I use /bin/systemctl status smb.service to get status

On Tue, Jul 2, 2013 at 11:52 AM, Ricky Nance ricky.na...@gmail.com wrote:

Can you log into the linux machine with the user mark and write files to /home/mark without issue? What is the output of smbclient //localhost/homes -Umark -d5 (then at a smb:\ do ls). Just a couple of things I would look at\try.

Ricky
[Samba] Removed params 'force security mode' etc. What to use instead?
Hello list,

I noticed that the fix for bug 9190 (inc in samba 4.0) resulted in the removal of the following config parameters:

security mask
force security mode
directory mask
force directory security mode

I have a couple questions regarding this, and haven't really seen any good info on it, so...

1) Why were they removed? There doesn't seem to be any explanation in the bug notes or release notes. Maybe I'm missing something? (not judging, just confused)

2) What can be used instead? I don't see any comparable settings in samba to obtain the same effect (preventing clients from removing certain security bits from existing files, i.e. group permissions)

I have a situation currently where it looks like I will need to implement the above 'force' settings in my samba 3.x environment to deal with some misbehaving OS X clients that insist on stripping group permissions from files in certain situations. I'd rather not start using settings that I know are removed in future versions, but I'm not sure of a better way. Can anyone recommend the best way to deal with this?

Thanks!
Brian
Re: [Samba] Win8 account sees its home share, but does not have permissions to access
You just did, there are rules there ' unconfined_u:object_r:user_home_dir_t' this leads me to think selinux is your issue, however, I can't say that I have messed around with selinux at all, so maybe someone else can chime in and help you out. You should be able to disable it temporarily just to check. Please refer to the following thread https://ask.fedoraproject.org/question/10507/how-to-disable-fedora-17-selinux/

Thanks,
Ricky
Re: [Samba] Removed params 'force security mode' etc. What to use instead?
On 03/07/13 19:56, Brian H. Nelson wrote:

[SNIP]

I have a situation currently where it looks like I will need to implement the above 'force' settings in my samba 3.x environment to deal with some misbehaving OS X clients that insist on stripping group permissions from files in certain situations. I'd rather not start using settings that I know are removed in future versions, but I'm not sure of a better way. Can anyone recommend the best way to deal with this?

My guess is this is related to the Unix extensions. Basically certain versions of OS X; I can't remember which ones but 10.5 sticks in my mind but that might be related to symbolic links and it was 10.6 that was the problem, notice the file server does Unix extensions and then decides to go behind the Samba server's back and fiddle with the permissions.

Here is the kicker however the force settings don't help. It would appear that you can override them using the Unix extensions. The only solution I could come up with was turning Unix extensions off.

The basics are the SMB client in OS X seems to change its behaviour with every major release, and a working config that deals with them all is hard to come by. The rewritten client in 10.7 was particularly bad especially in early point releases. From memory it did not become usable till 10.7.3

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Samba Domain Rename
Yeah, I've never fully set up a samba *checks samba version* 4 domain. What I suggested was what I thought might work. I guess it's time for me to completely set things up and see how it works.

~Frostyfrog
From a friendly web page developer. ^.^

On Tue, Jul 2, 2013 at 2:52 AM, Michael Wood esiot...@gmail.com wrote:

If Sandeep is running Samba 4 as an Active Directory domain controller, then I very much doubt that just editing the workgroup setting in smb.conf will fix it. There are e.g. files in the samba private directory named after the domain and also containing the name of the domain.

I don't know if there's a straightforward way of renaming the domain. I suspect there isn't.

Sandeep, if you don't get a good answer here, you could try getting the attention of one of the Samba developers on the IRC channel, perhaps.

On 2 July 2013 07:49, Frostyfrog frostyfr...@gmail.com wrote:

I'm not sure which distro you are using (I use Archlinux), but these steps should work if you have command line access (press the key surrounded in <> when there is one, don't type the <> or the stuff inside):

1. Login to the server
2. type: vim /etc/samba/smb.conf<enter>
3. type: /workgroup =<enter> (If that doesn't work, try it without the equals)
4. press the arrow keys until it is placed just after the equals
5. type c$
6. type in what you want the new domain name to be
7. press esc
8. type: :wq
9. restart samba

Disclaimer: These steps are not for those who have no idea what they are doing (although it may seem that way), please proceed with caution.

~Frostyfrog
From a friendly web page developer. ^.^

On Mon, Jul 1, 2013 at 11:24 PM, Sandeep Kumar sandeep.ku...@arborfs.com wrote:

Hi Team,

I am using samba 4 Domain in my production environment and everything is working fine but now for some reason I have to rename the domain. Can you please help on this, I need to do this asap

Waiting for your response………

Many Thanks,
Sandeep Kumar
*Arbor Financial Systems Ltd*
Direct: +91 172 400 6144
Support: +44 (0) 203 070 9650
www.arborfs.com

--
Michael Wood esiot...@gmail.com
Re: [Samba] Samba Domain Rename
On Tue, 2013-07-02 at 20:07 +0200, Denis Cardon wrote:

Hi Sandeep,

Changing a domain name, even in an all-Microsoft Windows server environment, is strongly discouraged, at least on the user mailing lists I am on. Better would be to use the domain migration tools, and migrate to a newly named domain.

I had recently to migrate a windows 2003 domain from a short dns domain name media1 to standard dns name media1.local before migrating to a samba4 domain. There are actually some microsoft tool to do the migration, but it is far from trivial. I don't know if there are anything in samba4 to do the same thing though, and probably the method outlined by Michael might still be the best one.

Indeed, renaming a domain breaks all the base assumptions in AD. Samba 4.0 as an AD DC has no code to support this, if it works with the Microsoft tool that was used in your situation it would be a miracle, but just occasionally we find this stuff just happens to work because the hard work is in the client tool, not the DC.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[Samba] samba 4 installation failing several troubleshooting steps
Troubleshooting steps fail.

Trying to replace a standalone Netware server with a Samba4 server with AD. To isolate this test setup, changed server's static IP address and separated the wiring. Then went through the Troubleshooting portion of The Samba Checklist. Some tests pass. Some tests fail. I'm weak on Samba, DNS and AD. I appreciate your instructions on how to overcome the indicated test failures.

The setup:
- an inexpensive router provides DHCP to a network of three computers
- Samba4 server (SERVER) has static ip 192.168.3.210
- Windows XP Pro SP3 workstation (WORKSTATION)
- Linux Mint workstation (used for ssh to SERVER)
- Domain is domane.lan
- workgroup is OFFICE
- Samba4 downloaded from git, version 4.1.0pre1-GIT-3e66cb7, using internal DNS
- SERVER runs Ubuntu 12 LTS, recent download with updates, no firewall

smb.conf, resolv.conf, and a query result for DNS records may all be seen at http://pastebin.com/B5gyDi1s (samba 4 configurations as part of troubleshooting questions)

When making suggestions, please detail the commands you would like me to try.

1) WORKSTATION can log into the domain and can ping SERVER by its ip address. WORKSTATION initially could not ping SERVER by its name, but could after an entry for SERVER was added in C:\windows\system32\drivers\etc\hosts.

2) SERVER can ping WORKSTATION by its ip address but cannot ping the workstation by its name.

3) /usr/local/samba/bin/testparm /usr/local/samba/etc/smb.conf does not report any errors.

4) On WORKSTATION I was never able to get a browse list of shares. An early error seen in /usr/local/samba/var/log.samba is:

[2013/06/21 22:43:29, 0] ../source4/dsdb/common/util_samr.c:185(dsdb_add_user)
  Failed to create user record CN=WORKSTATION,CN=Computers,DC=domane,DC=lan: dsdb_access: Access check failed on CN=Computers,DC=domane,DC=lan

5) host -t SRV _ldap._tcp.domane.lan. gives expected results
host -t SRV _kerberos._udp.domane.lan. gives expected results
host -t A server.domane.lan. gives expected results

6) On WORKSTATION, checked the box “Use this connection's DNS suffix in DNS registration” in Windows XP's TCP/IP properties, General, Advanced, DNS. SERVER still cannot ping workstation by name.

7) smbclient -L SERVER does provide a list of shares.

8) /usr/local/samba/bin/nmblookup -B SERVER __SAMBA__. responds with

querying __SAMBA__. on 127.0.0.1
name_query failed to find name __SAMBA__.

9) nmblookup -B WORKSTATION.domane.lan '*' gives the confusing response

querying * on 192.168.3.255
192.168.3.2 *00

This is confusing because 192.168.3.2 is the ip address of the Mint computer running ssh to SERVER. WORKSTATION has an ip address of 192.168.3.3

10) nmblookup -d 2 '*' responds with

rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=fe80::211:11ff:fe6f:8df0%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.3.210 bcast=192.168.3.255 netmask=255.255.255.0
querying * on 192.168.3.255
Got a positive name query response from 192.168.3.2 ( 192.168.3.2 )
192.168.3.2 *00

Again, this is confusing because 192.168.3.2 is the ip address of the Mint computer running ssh to SERVER. WORKSTATION has an ip address of 192.168.3.3

11) smbclient //SERVER/INVOICES -UAdministrator requests a password and responds with

session setup failed: NT_STATUS_LOGON_FAILURE
Domain=[OFFICE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-3e66cb7]
smb: \

12) smbclient //SERVER/INVOICES with a user other than Administrator requests a password and responds with

session setup failed: NT_STATUS_LOGON_FAILURE

13) On WORKSTATION, the command net view \\SERVER responds with a list of shares.

14) On WORKSTATION, the command net use x: \\SERVER\INVOICES responds well. If logged in as administrator, it is possible to use the dir command to see a list of files.

15) On WORKSTATION, when graphically browsing the network SERVER is seen but it does not contain a list of shares. There is nothing to graphically select to map. If a share name is known, it can be manually mapped similar to prior example.

16) /usr/local/samba/bin/nmblookup -M OFFICE responds with

name_query failed to find name OFFICE#1d

This is in spite of having preferred master = yes in smb.conf

Thank you for helping to identify what is going wrong, and for your suggestions for fixes.
Re: [Samba] file server or member server?
I'll have a go :)

My 2p:

A Windows domain is an authentication-and-authorisation space, defined by a database of all usernames known within that space, together with their passwords, group memberships and much more related stuff.

The username database (held as a set of files of course) is managed by one or more servers dedicated to the task of processing logon attempts, verifying passwords, authorising filesystem access requests, etc. This type of server is known as a domain controller (or domain server if you like).

The domain will also contain, in general, many workstations used by the end-users, and a number of servers holding files, services and other objects available for the use of the users. The files and services have permission settings which define which users can access them and in which ways. The permission settings reference the usernames defined in the username database.

Any machine (workstation or server) needing to make use of the username database must be joined to the domain (which means exchanging keys, so that secure communication can occur); we call such machines members of the domain - member servers, member workstations.

In a medium to large organisation there are usually quite a few member servers dedicated to file serving, some to web serving, some to print serving, and a few to more esoteric tasks (SQL, DNS, DHCP, WINS [does that still exist ?], etc. etc.). You could refer to these servers as fileservers, webservers, printservers, SQLservers, DNS servers, etc. you see the pattern here ? :-)

You /can/ combine some of these server roles (including domain controller) in one physical server, but you must be careful about performance, especially in geographically dispersed networks. Note that all access requests must ultimately effectively be processed and approved by the domain controllers, which can make them pretty busy machines - so that job is often done by dedicated servers.

There may also be other Windows servers owned by the organisation, which are not members or controllers of the domain - these servers are known as stand-alone servers, and their users will not share the same username & password database as is used within the domain.

Steve

Are there any guidelines for this sort of stuff?

Yes. In the Microsoft world, typically the sysadmins all go on [gulp] MCSE (Microsoft Certified System Engineer) training programmes, where all this stuff is taught in some detail - including how to estimate performance requirements from expected user population & required data flows, and thus how to arrive at an effective network and domain design. Usually you discover that you need an unbelievable number of servers, and that the cost of server licenses and client access licenses (an iniquitous concept) is likely to bankrupt your employer ;-) After your boss has had a heart attack, you think about Samba

I don't know whether or not there are FOSS-world courses which teach the same (CIFS/SMB/AD) concepts.

You can also find any number of $50 text books on the subject (Windows Active Directory) in any decent bookstore. e.g. http://shop.oreilly.com/product/0636920028932.do Active Directory Cookbook, 4th Edition Solutions for Administrators & Developers (but they will usually be focused on Microsoft products).

BTW: if you don't already know about it, you really should also try to learn as much of the stuff on this website as you possibly can : http://ubiqx.org/cifs/ It's more about the protocols, rather than domain design - but still important for a sysadmin (and it's by one of the Samba team).

[I hope this helped ... maybe you already know all this stuff, and I didn't understand your question .. it was fun trying anyway :)]

Good luck.
Nick
[Samba] Apparent bug remains in v4.0.7 - Hosts allow parameter causing errors and very slow MS Office document access
From smb.conf:

hosts allow = 10.0.0. 127.

Same story using the following syntax instead:

hosts allow = 10.0.0.0/24 127.0.0.1/8

If I comment out the hosts allow line, the slow MS Office document access and most of the errors in the log go away.

From log.samba:

[2013/07/04 00:15:52, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2013/07/04 00:15:52, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2013/07/04 00:16:03, 0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/07/04 00:16:03, 0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/07/04 00:16:03, 0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
...
(dozens to hundreds of these Denied connection to smbd messages per second)

From log.smbd:

[2013/07/04 00:17:11.857930, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Broken pipe
[2013/07/04 00:17:11.860705, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Broken pipe
[2013/07/04 00:17:37.207795, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer
[2013/07/04 00:17:37.210691, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer
[2013/07/04 00:17:37.213195, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer
[2013/07/04 00:17:37.219431, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer

I just compiled and am now running 4.07 stable but the problem was also present in 4.0.6. We'd like to be able to use the hosts allow parameter to ensure that no one outside the LAN can access the server but I can always use iptables to do the job if necessary.

Testparm output:

Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [netlogon]
Processing section [sysvol]
Processing section [homes]
Processing section [hldata]
Processing section [C]
Processing section [D]
Processing section [MacData]
Processing section [QBooks]
Processing section [printers]
Processing section [print$]
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
workgroup = HERSCHLAUREN
realm = HERSCHLAUREN.COM
server string = HerschLinux
server role = active directory domain controller
passdb backend = samba_dsdb
max log size = 524288
deadtime = 15
add machine script = /usr/sbin/useradd -n -g machines -d /dev/null -s /sbin/nologin %u
preferred master = Yes
domain master = Yes
wins support = Yes
allow dns updates = nonsecure and secure
dns forwarder = 10.0.0.1
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
idmap config * : backend = tdb
invalid users = nobody, root
hosts allow = 10.0.0., 127.
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4, acl_xattr

[netlogon]
path = /usr/local/samba/var/locks/sysvol/herschlauren.com/scripts

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[homes]
path = /home
read only = No

[hldata]
comment = Data directory for entire Windows share (Samba)
path = /hldata
valid users = *CENSORED*
read only = No

[C]
comment = C: Drive
path = /hldata/C
valid
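The log excerpts in the post above can be triaged with a parser like the following, an added example that is not code from the original post or from the Samba project. It groups socket_check_access denials by peer and separates peers logged as LOCAL/... from network addresses; the sample log is constructed from the quoted lines, and the 203.0.113.7 entry and the rule that a LOCAL/ prefix marks a local IPC peer are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log.samba and log.smbd excerpts quoted in
# the post above. The 203.0.113.7 entry is invented (documentation address
# range) to show how a denial for a network peer would be reported.
SAMPLE_LOG = """\
[2013/07/04 00:15:52,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2013/07/04 00:16:03,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/07/04 00:16:03,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/07/04 00:16:03,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/07/04 00:16:04,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/07/04 00:16:05,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from 203.0.113.7 (203.0.113.7)
[2013/07/04 00:17:11.857930,  1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc failed: Broken pipe
"""

# Header line: "[date time(.usec), level] source-file:line(function)".
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)\]"
    r"\s+(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
DENIED = re.compile(
    r"Denied connection to '(?P<service>[^']+)' from (?P<name>\S+) \((?P<addr>[^)]+)\)"
)


def parse_records(text):
    """Join each header line with the message line(s) that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "message": ""})
        elif records and raw.strip():
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + raw.strip()).strip()
    return records


def summarize_denials(text):
    """Count access denials per (service, peer) and the worst one-second burst."""
    totals = Counter()
    per_second = Counter()
    for rec in parse_records(text):
        if rec["func"] != "socket_check_access":
            continue
        m = DENIED.search(rec["message"])
        if not m:
            continue
        key = (m["service"], m["addr"])
        totals[key] += 1
        per_second[key + (rec["ts"],)] += 1
    rows = []
    for (service, addr), total in totals.most_common():
        peak = max(n for (s, a, _ts), n in per_second.items() if (s, a) == (service, addr))
        rows.append({
            "service": service,
            "peer": addr,
            "total": total,
            "peak_per_second": peak,
            # Assumption: a peer logged as LOCAL/... is a local IPC connection,
            # which an allow list made only of IP prefixes cannot match.
            "kind": "local-ipc" if addr.startswith("LOCAL/") else "network",
        })
    return rows


if __name__ == "__main__":
    for row in summarize_denials(SAMPLE_LOG):
        print(row)
```

A high count of "local-ipc" rows points at the allow list rejecting the server's own internal connections rather than at clients outside the LAN, which is the distinction to make before tightening or loosening hosts allow.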
[SCM] Samba Shared Repository - branch v4-0-test updated
The branch, v4-0-test has been updated via 0b80e93 vfs_streams_xattr: Do not attempt to write empty attribute twice via f695430 Initialize the file descriptor in the files_struct before trying to close it. Otherwise, if one of the SETXATTR calls had failed, the close() call will return EBADF. from 9f7cbc7 s3:smbd:smb2: fix setting of scavenge timeout when reconnecting durable handles http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log - commit 0b80e9376daf07089dac6221a51dff1ffee6cbac Author: Christof Schmitt christof.schm...@us.ibm.com Date: Wed Jun 12 14:55:15 2013 -0700 vfs_streams_xattr: Do not attempt to write empty attribute twice The create disposition FILE_OVERWRITE_IF is mapped to the flags O_CREAT|O_TRUNC. In vfs_streams_xattr, this triggers two calls to SMB_VFS_SETXATTR. The second can fail if O_EXCL is also set, resulting in an unnecessary error. Merge the identical code to handle O_CREAT and O_TRUNC to avoid setting an empty attribute twice. Also add the flags parameter to the debug message. Signed-off-by: Christof Schmitt christof.schm...@us.ibm.com Reviewed-by: Jeremy Allison j...@samba.org Reviewed-by: Volker Lendecke v...@samba.org (cherry picked from commit 4cd7e1d283f060e794023d5b0a48a7ec97d33820) The last two patches address bug #9970 - Backport vfs_streams_xattr fixes to 4.0 and 4.1. Autobuild-User(v4-0-test): Karolin Seeger ksee...@samba.org Autobuild-Date(v4-0-test): Wed Jul 3 12:22:43 CEST 2013 on sn-devel-104 commit f695430ffb7bb036ffbfdbc5baafb8e8698670e8 Author: Christof Schmitt christof.schm...@us.ibm.com Date: Wed Jun 12 14:49:53 2013 -0700 Initialize the file descriptor in the files_struct before trying to close it. Otherwise, if one of the SETXATTR calls had failed, the close() call will return EBADF. 
Signed-off-by: Christof Schmitt christof.schm...@us.ibm.com Reviewed-by: Jeremy Allison j...@samba.org Reviewed-by: Richard Sharpe rsha...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Thu Jun 13 01:43:18 CEST 2013 on sn-devel-104 (cherry picked from commit 5c488cfb79873287e769622fd5da43b7a735e29c) --- Summary of changes: source3/modules/vfs_streams_xattr.c | 43 +- 1 files changed, 12 insertions(+), 31 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c index dd1135d..6650021 100644 --- a/source3/modules/vfs_streams_xattr.c +++ b/source3/modules/vfs_streams_xattr.c @@ -367,8 +367,8 @@ static int streams_xattr_open(vfs_handle_struct *handle, int baseflags; int hostfd = -1; - DEBUG(10, (streams_xattr_open called for %s\n, - smb_fname_str_dbg(smb_fname))); + DEBUG(10, (streams_xattr_open called for %s with flags 0x%x\n, + smb_fname_str_dbg(smb_fname), flags)); if (!is_ntfs_stream_smb_fname(smb_fname)) { return SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode); 
@@ -452,40 +452,20 @@ static int streams_xattr_open(vfs_handle_struct *handle, goto fail; } - if (!NT_STATUS_IS_OK(status)) { + if ((!NT_STATUS_IS_OK(status) (flags O_CREAT)) || + (flags O_TRUNC)) { /* -* The attribute does not exist +* The attribute does not exist or needs to be truncated */ -if (flags O_CREAT) { - /* -* Darn, xattrs need at least 1 byte -*/ -char null = '\0'; + /* +* Darn, xattrs need at least 1 byte +*/ + char null = '\0'; - DEBUG(10, (creating attribute %s on file %s\n, - xattr_name, smb_fname-base_name)); + DEBUG(10, (creating or truncating attribute %s on file %s\n, + xattr_name, smb_fname-base_name)); - if (fsp-base_fsp-fh-fd != -1) { - if (SMB_VFS_FSETXATTR( - fsp-base_fsp, xattr_name, - null, sizeof(null), - flags O_EXCL ? XATTR_CREATE : 0) == -1) { - goto fail; - } - } else { - if (SMB_VFS_SETXATTR( - handle-conn, smb_fname-base_name, - xattr_name, null, sizeof(null), -
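Review bot: in the hunk at @@ -452,40 +452,20 @@ the merged condition is also true for O_TRUNC when the attribute lookup failed and O_CREAT is not set, a case the old code kept out of the create branch, since that branch required both a failed status and O_CREAT. As written, a truncating open of a stream that does not exist would reach the code under the "creating or truncating attribute" debug message; the rest of the hunk is cut off here, so it is not visible whether anything guards that. Consider limiting the O_TRUNC arm to the case where the lookup succeeded, or returning ENOENT explicitly for a missing attribute without O_CREAT. The removed calls passed XATTR_CREATE when O_EXCL was set, and the single remaining call has to keep that so an exclusive create of an existing stream still fails.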
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2536ee8 Make the output of the crackname script more readable from caf3af3 s3-winbind: Allow sec_initial_uid() to store creds. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2536ee8b640c1257dbe28a977ae0b48a62093d0c Author: Matthieu Patou m...@matws.net Date: Sun Jun 30 01:59:53 2013 -0700 Make the output of the crackname script more readable Signed-off-by: Matthieu Patou m...@matws.net Reviewed-by: Andreas Schneider a...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Wed Jul 3 23:17:57 CEST 2013 on sn-devel-104 --- Summary of changes: source4/scripting/devel/crackname |8 1 files changed, 4 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/devel/crackname b/source4/scripting/devel/crackname index b6a372e..2e17985 100755 --- a/source4/scripting/devel/crackname +++ b/source4/scripting/devel/crackname @@ -71,8 +71,8 @@ if __name__ == __main__: req.names = [names] (result, ctr) = drs.DsCrackNames(drs_handle, 1, req) -print # of result %d %ctr.count +print # of result = %d %ctr.count if ctr.count: -print ctr.array[0].status -print ctr.array[0].result_name -print ctr.array[0].dns_domain_name +print status = %d % ctr.array[0].status +print result name = %s % ctr.array[0].result_name +print domain = %s % ctr.array[0].dns_domain_name -- Samba Shared Repository
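Review bot: in the crackname hunk the three new lines still read only ctr.array[0], although the line above them reports ctr.count, so any further results are counted but never shown; looping over the first ctr.count entries of ctr.array would keep the labelled output complete. The status is printed as a bare %d, which leaves the reader to look up what the number means, and the spacing around the % operator differs between "%ctr.count" and "% ctr.array[0].status"; making the two consistent would be a small cleanup.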