Re: [Samba] Samba 4 not honoring setgid
On Wed, 2013-07-24 at 22:34 -0400, Ryan Bair wrote:
> I'm running Samba 4.0.7 on CentOS 6.4 as an AD DC with s3fs. I have a shared directory with the setgid bit set. From the shell on the server, new files and directories inherit the group as expected. However, new items created through samba get the user's primary group instead.
>
> Config for the share is super simple:
>
> [test]
> path = /srv/test
> read only = no
>
> Sounds like a bug. Has anyone else experienced this?

Hi

openSUSE 12.3 DC 4.0.7
also tested with latest git

Not sure what /srv/test has but am guessing that you have set chmod g+s? If so, I can reproduce what you see. The g+s is ignored when accessed on a cifs mounted share and instead the primaryGroupID is used.

Cheers,
Steve

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Win dcpromo and SysVol Replication
When I DCPROMO a Win2003 server into an existing Samba4.1RC1 domain with two Samba DCs, all appears to be working correctly from the Samba side but the WinDC never starts sharing SysVol as it should. Sites and Services shows all DCs as expected and forcing repl with the Samba PDC works correctly while doing that with the second Samba DC shows the following:

The following error occurred during the attempt to synchronize naming context DomainDnsZones.mydomain.local from domain controller SambaDC2 to domain controller WinDC: The naming context is in the process of being removed or is not replicated from the specified server. The operation will not continue.

This also affects the ability to demote the WinDC. More info available if needed.

Thanx,
Garth
Re: [Samba] Samba 4 not honoring setgid
Thank you for confirming. I do have g+s on the directory. I'll file a bug about this issue today.

On Thu, Jul 25, 2013 at 3:30 AM, steve st...@steve-ss.com wrote:
> On Wed, 2013-07-24 at 22:34 -0400, Ryan Bair wrote:
>> I'm running Samba 4.0.7 on CentOS 6.4 as an AD DC with s3fs. I have a shared directory with the setgid bit set. From the shell on the server, new files and directories inherit the group as expected. However, new items created through samba get the user's primary group instead.
>>
>> Config for the share is super simple:
>>
>> [test]
>> path = /srv/test
>> read only = no
>>
>> Sounds like a bug. Has anyone else experienced this?
>
> Hi
>
> openSUSE 12.3 DC 4.0.7
> also tested with latest git
>
> Not sure what /srv/test has but am guessing that you have set chmod g+s? If so, I can reproduce what you see. The g+s is ignored when accessed on a cifs mounted share and instead the primaryGroupID is used.
>
> Cheers,
> Steve
Re: [Samba] Samba 4 not honoring setgid
On Thu, 2013-07-25 at 08:17 -0400, Ryan Bair wrote:
> Thank you for confirming. I do have g+s on the directory. I'll file a bug about this issue today.

No problem. If you go with the bugzilla, could you post the link here? Thanks.
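A server-side check for the symptom reported in this thread, as an added example that is not part of the original posts and is not Samba code: it reports entries under a setgid directory whose group differs from the directory's group. The sample entries, gid values and file names are constructed; `/srv/test` is the share path from the thread.

```python
import os
import stat
from typing import Iterable, Iterator, List, NamedTuple


class Entry(NamedTuple):
    path: str
    gid: int          # group owner of the entry
    mode: int         # st_mode of the entry
    parent_gid: int   # group owner of the containing directory
    parent_mode: int  # st_mode of the containing directory


class Finding(NamedTuple):
    path: str
    problem: str


def check_entries(entries: Iterable[Entry]) -> List[Finding]:
    """Flag entries that ignored the setgid bit of their parent directory."""
    findings = []
    for e in entries:
        if not e.parent_mode & stat.S_ISGID:
            continue  # parent does not ask for group inheritance
        if e.gid != e.parent_gid:
            findings.append(Finding(
                e.path, "group %d, directory group is %d" % (e.gid, e.parent_gid)))
        # On Linux a subdirectory made inside a setgid directory gets the bit too.
        if stat.S_ISDIR(e.mode) and not e.mode & stat.S_ISGID:
            findings.append(Finding(e.path, "subdirectory without setgid bit"))
    return findings


def walk(root: str) -> Iterator[Entry]:
    """Yield an Entry for everything below root, using lstat (symlinks are not followed)."""
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.lstat(dirpath)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield Entry(path, st.st_gid, st.st_mode, parent.st_gid, parent.st_mode)


def scan(root: str) -> List[Finding]:
    """Audit a real directory tree, e.g. the path of the share."""
    return check_entries(walk(root))


# Constructed sample: gid 2000 stands for the share's group, gid 513 for the
# connecting user's primary group. None of these values come from the thread.
SGID_DIR = stat.S_IFDIR | 0o2775
PLAIN_DIR = stat.S_IFDIR | 0o755
REG = stat.S_IFREG | 0o664
SAMPLE = [
    Entry("/srv/test/from_shell.txt", 2000, REG, 2000, SGID_DIR),
    Entry("/srv/test/from_smb.txt", 513, REG, 2000, SGID_DIR),
    Entry("/srv/test/from_smb_dir", 513, PLAIN_DIR, 2000, SGID_DIR),
    Entry("/home/alice/notes.txt", 513, REG, 0, PLAIN_DIR),
]

if __name__ == "__main__":
    import sys
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else check_entries(SAMPLE)
    for f in results:
        print(f"{f.path}: {f.problem}")
```

Run with the share path as the only argument to audit the live tree; without an argument it evaluates the constructed sample.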
[Samba] Shared [home] shows up as printer
I just installed Fedora 19 and I'm trying to get everything back up and running. I have managed to get samba up and running through some brute force measures of disabling (for now) the firewalld. That being said, my shares for a data folder are working fine, but when I try to pull up my home directory for my user, my client says that the link is to a printer. I have the same results with Windows 7 and smbclient on Linux. The home partition was working fine on Fedora 18 – I preserved my /home when I did the recent install.

Is there something with SELinux that tells samba about the type of file it is looking at? The homes directory config is the default from the smb.conf.

Thanks,
Lynch
Re: [Samba] Samba/Winbind GID/IDs not the same using AD RID
Typo?

idmap config THRACE : backed = rid

should be

idmap config THRACE : backend = rid

I also suggest that you remove these lines

password server = livia bkdc
Socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
ldap ssl = no

Rowland

On 24 July 2013 23:00, erin gibson bbelt1...@gmail.com wrote:
> Hello everyone,
>
> I recently upgraded to wheezy debian and the syntax of the smb.conf changed when I moved up versions. It took about a week but I think I am almost there. I got my systems to join the Win2008 domain and can authenticate and login on linux now with my AD users. Now I just need to figure out how to change my SID and GID of my users and groups. On some systems they are the same and on a few others they are different. I am not sure if I am using the right method for my smb.conf or not. Here are my pastebin details.
>
> http://sprunge.us/BgAW
> http://pastebin.com/YHWSC7DK
>
> Thanks
> Erin
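A small lint for the kind of typo pointed out in this reply, as an added example that is not from the thread or from Samba: it reads `idmap config DOMAIN : key = value` lines, flags keys that are not in a short known list, and reports domains left without a `backend` line. The list of known keys is an assumption and is not exhaustive; the sample smb.conf is constructed around the one line quoted above.

```python
import difflib
import re
from typing import Dict, List

# Assumption: a partial list of per-domain idmap options, enough for this check.
KNOWN_IDMAP_KEYS = ("backend", "range", "read only", "schema_mode")

IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def lint_idmap(conf_text: str) -> List[str]:
    """Return warnings for misspelled idmap options and domains with no backend."""
    per_domain: Dict[str, Dict[str, str]] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = IDMAP_RE.match(line)
        if not m:
            continue  # not an idmap config line
        domain = m["domain"].upper()
        key = " ".join(m["key"].lower().split())  # normalise case and spacing
        per_domain.setdefault(domain, {})[key] = m["value"].strip()
        if key not in KNOWN_IDMAP_KEYS:
            close = difflib.get_close_matches(key, KNOWN_IDMAP_KEYS, n=1, cutoff=0.8)
            hint = ", did you mean '%s'?" % close[0] if close else ""
            warnings.append(
                "line %d: unknown idmap option '%s' for %s%s" % (lineno, key, domain, hint))
    for domain, opts in per_domain.items():
        if "backend" not in opts:
            warnings.append("%s: no 'backend' line found" % domain)
    return warnings


# Constructed sample; only the THRACE 'backed' line is taken from the thread.
SAMPLE_CONF = """\
[global]
   workgroup = THRACE
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config THRACE : backed = rid
   idmap config THRACE : range = 10000-999999
"""

if __name__ == "__main__":
    for w in lint_idmap(SAMPLE_CONF):
        print(w)
```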
[Samba] DsGetDomainControllerInfoW fails with level 2008+, works with 2003
Hello,

I stumbled on this problem while troubleshooting a time synchronization problem. The Windows commands w32tm /monitor and nltest /dclist:domain appear to both use the same call to query the domain for a list of domain controllers. When the DC is Samba4 (2003 domain forest level) these commands complete successfully. After raising the levels to 2008 or 2008_R2 and restarting Samba (no other changes) both commands immediately begin to fail.

Can anyone tell me if this behavior is expected? Does anyone have a Windows Server 2008+ DC where they can test this? These commands can be executed on any W7 domain client.

(2003)

C:\Users\Administrator.TESTDOM>w32tm /monitor
ADC1.internal.testdom.com *** PDC ***[10.10.65.254:123]:
    ICMP: 0ms delay
    NTP: +0.000s offset from ADC1.internal.testdom.com
        RefID: 64-132-226-3.static.twtelecom.net [64.132.226.3]
        Stratum: 2

Warning:
Reverse name resolution is best effort. It may not be correct since RefID field in time packets differs across NTP implementations and may not be using IP addresses.

C:\Users\Administrator.TESTDOM>nltest /dclist:testdom
Get list of DCs in domain 'testdom' from '\\ADC1'.
    ADC1.internal.testdom.com [PDC] [DS] Site: Default-First-Site-Name
The command completed successfully

(2008_R2)

C:\Users\Administrator.TESTDOM>w32tm /monitor
GetDcList failed with error code: 0x80070032.
Exiting with error 0x80070032

C:\Users\Administrator.TESTDOM>nltest /dclist:testdom
Get list of DCs in domain 'testdom' from '\\ADC1'.
Cannot call DsGetDomainControllerInfoW to testdom (\\ADC1).Status = 50 0x32 ERROR_NOT_SUPPORTED
List of DCs in Domain testdom
    \\ADC1 (PDC)
The command completed successfully
[Samba] RODC between samba v4 servers
I'm preparing a lab to test the scenario in which a remote office uses a RODC to cache all users/computers/GPOs from a DC. I've set up an environment with all requirements (two subnets, one with a DC and the other with a RODC). I've joined the domain with a windows machine to the RODC subnet with both DCs being up. Using the windows tools (DSA), I've placed a user account and the machine account inside the Allowed password replication group.

I've switched off the master DC, and tried to login with the cached user in the cached computer, but it failed. I've preloaded (samba-tool rodc preload) both the user account and the machine account in the RODC, without luck.

I've a couple of questions:

- Does samba 4.0.7 support caching passwords for users?
- What is the preload command for? Caching of passwords?

The following link ( http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx) talks about setting up the Next Closest DC in the network in the DC settings to allow RODCs to be trusted, should this be performed as well? Or is it enough to set it up as a GPO?
[Samba] ./configure LDAP checks failing on AIX
Samba version 4.0.7
Aix 6.1
Compiler: IBM xlc

Last lines of ./configure output:

Checking for ldap_init : not found
Checking for ldap_init_fd : not found
Checking for ldap_initialize : not found
Checking for ldap_set_rebind_proc : not found
Checking for ldap_add_result_entry : ok
Checking whether ldap_set_rebind_proc takes 3 arguments : ok
Active Directory support not available: LDAP support ist not available.
path/wscript:760: error: Active Directory support not found. Use --without-ads for building without Active Directory support.

Reason (verified): the generated test.c file used in configure checks doesn't have the required ldap include:

#include <ldap.h>

I've not found a clean way to patch configure to fix this.

Anyone able to help?
[Samba] Cleanup CN=Deleted Objects, DC=DomainDnsZones, DC=domain, DC=local
Hi,

Due to a not so well coded dns update script my /var/lib/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb db consumes now ~500MB. So I decided to delete all the outdated records. I prepared a list of all the DNs with Base DC=DomainDnsZones,DC=domain,DC=local and Attribute isDeleted=TRUE. There are about 8 outdated entries which I plan to delete.

If I loop over each line in my list and run

ldbdel -H DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb [DN]

it takes about a second for each entry so it would take about 22h to delete them all. Is there a way I can speed things up?

Thanks in advance
achim~
[Samba] AD DC and the Guest account
I'm using samba4.0.1 and it works very well in general. Unfortunately I'm missing something like map to guest = bad user and I can't get the Guest account to work. Is there any way to set up some public shares on an AD DC?

[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
netbios name = HOST
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
logon path = \\%L\profiles\%U
logon home = \\%L\%U\.9xprofile
logon drive = U:
printcap name = /dev/null
load printers = no
printing = bsd
interfaces = eth0
guest ok = yes
security = user
map to guest = bad user

At the moment I can't even access \\HOST.DOMAIN.LOCAL without credentials.
Re: [Samba] Cleanup CN=Deleted Objects, DC=DomainDnsZones, DC=domain, DC=local
On 25.07.2013 16:57, Achim Gottinger wrote:
> Hi,
>
> Due to a not so well coded dns update script my /var/lib/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb db consumes now ~500MB. So I decided to delete all the outdated records. I prepared a list of all the DNs with Base DC=DomainDnsZones,DC=domain,DC=local and Attribute isDeleted=TRUE. There are about 8 outdated entries which I plan to delete.
>
> If I loop over each line in my list and run
>
> ldbdel -H DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb [DN]
>
> it takes about a second for each entry so it would take about 22h to delete them all. Is there a way I can speed things up?
>
> Thanks in advance
> achim~

Found a faster solution using ldbmodify so never mind.
[Samba] SMB4 ADDC possible attribute corruption
Hi All,

I am having a problem with SMB4 ADDC. I cannot join the AD from Fedora. I have done a wireshark capture and found that it does 2 LDAP search requests when doing a discovery.

The 1st query was a search for the defaultNamingContext and supportedCapabilities attributes. This got a successful search response packet and a result of 1.

The 2nd query was a search for the NetLogon attribute. This also got a successful search response packet but it had a result of 0 so no attribute details.

I am currently using RealmD to join and get:

! Received invalid or unsupported Netlogon data from server

I get this from both discover and join.

samba 4.0.7 compiled from source

Realmd discover normally lists required packages to join a certain domain but as it wasn't working I tried installing any packages that I thought it would require. krb5-workstation is installed but not configured as realmd should do this.

I have tried this on 2 F19 fresh installs and both have the same fault. I also did a packet capture whilst discovering another 2008R2 domain and the netlogon attribute on the LDAP search was fully populated. This was an MS Win2008 DC though.

I am not sure if this LDAP result is the failure of the join but the packet capture finishes very abruptly after that with a couple of ACKs and FINs.

What might throw a bit of a spanner in the works is that I joined the AD fine from a Win7 VM. Not sure if Win7 is unreliant of this netlogon attribute to join.

Thanks in advance.
[Samba] Question on approach to authenticate Linux against Samba4
This is in a test environment: Also, it is wordy, but I'm hoping it explains my scenario.

I am migrating from a custom LDAP+Samba3 authentication solution to Samba4. I have used the classicupgrade option to pull off the data from the existing ldap server to populate the samba4 database. I've installed AD DS and Server for NIS tools on a Windows 2008 server that is connected to the Samba4 DC as a member server. All the information appears to be correct, including the Unix uid and group memberships, and the unixHomedirectory.

Now I need to authenticate a Linux system against the Samba4 DC and I need to have the unixHomedirectory used. There is a lot of older information on the net on how to authenticate. I'd prefer to not be required to install samba4 on these other Linux systems which a lot of these approaches seem to require. These linux systems are running LTSP so I have 50+ users logged in at any given time. I currently NFS mount home directories for the linux systems from a central fileserver. Home directories are of the pattern /home/Graduation_year/username.

I've tested the Windows logins. I have an issue with mapped drives to the fileservers but I expected this since the fileservers don't exist on the test network. I expect this issue to be resolved once the fileservers are upgraded to samba4 and joined as member servers.

I found http://zachbethel.com/2013/04/10/linux-ldap-authentication-with-samba4/ which I think will work. The ldbsearch works but before embarking further on this approach, I have some concerns.

1) will the unixHomedirectory be honored?

2) will I be able to easily add users so that the unix settings will be properly configured? I currently use the IDEALX smbldap tools. Being able to script account creation is very important to me .. adding 200+ user accounts manually each year is not very appealing. ;)

3) Will the scripting tools be able to automatically assign a unique uid for each unix account. Current approach uses NextFreeUnixID but this does not exist in the Samba4 database (the ldap entry is shown below )

dn: cn=NextFreeUnixId,dc=ncs,dc=k12,dc=de,dc=us
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
cn: NextFreeUnixId
sn: NextFreeUnixId
structuralObjectClass: inetOrgPerson
entryUUID: 4a73a856-83a5-1029-8294-b4ff885ef639
creatorsName: cn=Manager,dc=ncs,dc=k12,dc=de,dc=us
createTimestamp: 20050708023946Z
gidNumber: 1002
uidNumber: 3885

I have read through the recent thread on winbind and honestly I am not sure that I want to pursue either winbind or sssd if it is possible to use nss_pam_ldap which seems closest to the current approach.

Thank you for your patience and taking the time to read the above.

Sincerely,
Dave Hopkins
Re: [Samba] Question on approach to authenticate Linux against Samba4
On Thu, 2013-07-25 at 16:59 +, dahopk...@comcast.net wrote:
> I have read through the recent thread on winbind and honestly I am not sure that I want to pursue either winbind or sssd if it is possible to use nss_pam_ldap which seems closest to the current approach.

Hi

Ok, I can understand that. So why not have a look at nss-pam-ldapd with nslcd? It's almost as good as sssd and it's quick and easy to setup:

http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html

hth
Steve
Re: [Samba] Question on approach to authenticate Linux against Samba4
Thank you for the very quick response. But in trying to follow the suggested link, a few steps are different.

First, Step 3 is to install various packages. I already have auth-client-config installed which had installed libpam_ldap and libnss-ldap since I simply pulled this system into the test environment rather than rebuild from scratch. I have uninstalled these and then added libnss-ldapd and libpam-ldapd along with the kerberos packages.

Issue is that I was never asked for a Kerberos realm or IP of the DC. I should have mentioned that this system is running 10.04, not 12.04. So .. which config file do I need to edit to ensure that the IP of the DC is correctly specified?

I also installed nslcd.

Step 6: I already have samba-common, and samba-common-bin (latest for 10.04) installed. I'd assume I need to uninstall these and install samba4 instead (especially as step 8 is to join the domain).

Sincerely,
Dave Hopkins

- Original Message -
From: steve st...@steve-ss.com
To: samba@lists.samba.org
Sent: Thursday, July 25, 2013 1:45:01 PM
Subject: Re: [Samba] Question on approach to authenticate Linux against Samba4

On Thu, 2013-07-25 at 16:59 +, dahopk...@comcast.net wrote:
> I have read through the recent thread on winbind and honestly I am not sure that I want to pursue either winbind or sssd if it is possible to use nss_pam_ldap which seems closest to the current approach.

Hi

Ok, I can understand that. So why not have a look at nss-pam-ldapd with nslcd? It's almost as good as sssd and it's quick and easy to setup:

http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html

hth
Steve
Re: [Samba] Samba 4 - smbd; can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL error but only for a single domain user (Server 2008 R2 domain, Server 2008 functional level forest).
Good day, one and all ...

I just had to rebuild our main Samba server (OpenSlowlaris - Slowlaris 11.11), during which I put the latest (at the time; currently 4.2.0pre1-GIT-b505111) Samba4 on there. I thought that by now that Gunther's speculative changes to improve the PAC decode might have made their way into the trunk revision - obviously I was wrong, as I'm once again getting a load of Can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL messages and a user who can't access any Samba shares. Whoops ...

So as we previously discussed looking into things in more detail (specifically finding out why there is no client_principal being passed into kerberos_decode_pac()), but nothing else ever happened, is there anything I can do to assist in getting the improved PAC decoding included into the trunk revision? Whilst I can't guarantee immediate responses to any request, I'm quite happy to stick any code in anywhere you might want if you don't mind potentially waiting a day or so for the results :-)

Also: I appreciate this is off-topic, but I was wondering whether anyone is interested in/would like me to open a separate thread on any of these ...

Built the code, installed the code, set it up (joined the domain, etc. etc. etc. etc.). Had 2(-and-a-bit) problems (one of which I've fixed):

1. Although bin/default/source3/winbindd/idmap_ad_4.o gets built, bin/default/source3/winbindd/libidmap-ad.so doesn't, so TARGDIR/lib/idmap/ad.so doesn't get installed. No ad idmap backend; no AD UID/SID mapping; much administrator (me) confusion if said administrator is expecting AD UID/SID mapping to work ... I'd completely forgotten about this little hiccup - it's been a while since I initially shoe-horned Samba4 onto OpenSlowlaris, but fortunately I'd made a note of this in the build script I used so after 2 days of banging my head against a wall, I finally remembered to check my own darn' script and saw the comment If ''/usr/local/samba/lib/idmap/ad.so'' doesn't build and install then Bang bang bang bang ... Doh! Linked libidmap-ad.so manually and copied into /usr/local/samba/lib/idmap/ad.so and, as if by magic, my UID/SID mapping started working ...

2. net ads testjoin works; wbinfo -t works (as do wbinfo -u, wbinfo -g, ). In fact everything works (after installing ad.so!) *except* ... If I do a net rpc testjoin (and remember, wbinfo -t *does* work here) I get an error stating that it can't connect to GATEWAY (local server name) and therefore the join to the FIRSTGRADE domain isn't valid. Duh? So for some reason, net rpc testjoin is trying to connect to the local server rather than any DC for the domain. No particular reason apparent in the log files, and it doesn't seem to be affecting anything, but it is an odd disparity. Ramped up debugging but couldn't see any sensible explanation in the logs ...

[3. Kinda ... Sorta ... Can't build Samba4 on Slowlaris 11.11 without complaints about no ldap_add_result_entry() support in LDAP libs! filling every log file on the system. So I kicked and forced and prodded and poked and finally managed to persuade Samba to build using OpenLDAP-2.4, which gets rid of this problem. However that involved fiddling with CPPFLAGS and LDFLAGS before calling any build scripts; it's nasty, messy and dirty - I don't approve of any solution which involves that sort of messing around (yuk). There has to be a better way ... From looking at other discussions, it seems Samba4 as a DC isn't supported (yet?) using OpenLDAP, but might it be worthwhile providing some way to encourage the use of OpenLDAP, rather than the OS native LDAP (whatever that may be), if it *can* be used? Perhaps a --I-cant-believe-its-not-OpenLDAP flag of some sort (sorry, British humour - that probably doesn't mean anything to anyone else ...)?]

If you think it's worth opening a thread on any of these (probably, I'd guess, in the main Samba discussion rather than Samba-Technical?) then please say so and I'll do so. Otherwise I'll continue quietly to ignore them :-)

Many thanks folks, and have a great week/weekend,

Cheers,
Tris.

-Original Message-
From: Tris Mabbs [mailto:tm-samba201...@firstgrade.co.uk]
Sent: 15 March 2013 17:59
To: Andrew Bartlett
Cc: 'Michael Wood'; Guenther Deschner; samba@lists.samba.org; samba-techni...@samba.org
Subject: RE: [Samba] Samba 4 - smbd; can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL error but only for a single domain user (Server 2008 R2 domain, Server 2008 functional level forest).

So it seems that with these changes, kerberos_decode_pac() is never entered with client_principal anything other than a NULL pointer. So I'm (very) happy that these changes fix my problem. However it does seem a little curious that client_principal now never appears to be set - I don't know whether that's expected
Re: [Samba] Win dcpromo and SysVol Replication
Hello Garth,

On 25.07.2013 13:21, Garth Keesler wrote:
> When I DCPROMO a Win2003 server into an existing Samba4.1RC1 domain with two Samba DCs, all appears to be working correctly from the Samba side but the WinDC never starts sharing SysVol as it should. Sites and Services shows all DCs as expected and forcing repl with the Samba PDC works correctly while doing that with the second Samba DC shows the following:
>
> The following error occurred during the attempt to synchronize naming context DomainDnsZones.mydomain.local from domain controller SambaDC2 to domain controller WinDC: The naming context is in the process of being removed or is not replicated from the specified server. The operation will not continue.

Samba currently doesn't support SysVol replication. It's planned, but not implemented yet. To replicate the content, you need to create a manual workaround.

http://wiki.samba.org/index.php/FAQ#Is_SysVol_share_replication_supported_by_a_Samba_AD_DC.3F

Regards,
Marc
Re: [Samba] Question on approach to authenticate Linux against Samba4
On 25/07/13 17:59, dahopk...@comcast.net wrote:
> 1) will the unixHomedirectory be honored?
>
> 2) will I be able to easily add users so that the unix settings will be properly configured? I currently use the IDEALX smbldap tools. Being able to script account creation is very important to me .. adding 200+ user accounts manually each year is not very appealing. ;)

It is scriptable, though to be honest a powershell script from Windows probably works better at this point in time.

> 3) Will the scripting tools be able to automatically assign a unique uid for each unix account. Current approach uses NextFreeUnixID but this does not exist in the Samba4 database (the ldap entry is shown below )

Nope. Either maintain the accounts somewhere else where you can do that and have a script that then creates and disables accounts as needed in AD, or have your script look for the highest UID and increment from that.

> I have read through the recent thread on winbind and honestly I am not sure that I want to pursue either winbind or sssd if it is possible to use nss_pam_ldap which seems closest to the current approach.

Assuming these are Linux workstations, then sssd is the way to go for the future. If you are running a samba 3.x member file server then I personally would use winbind. I have not looked at Samba4 yet (campus agreements in higher education where I work make real Microsoft AD controllers very very cheap that why would you do it), but there are reports of issues with winbind on samba4 file servers. Then again I would be hesitant in putting a Samba 4 file server into production. You gain little over a Samba 3.6.x server.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Question on approach to authenticate Linux against Samba4
On 25/07/13 20:14, dahopk...@comcast.net wrote:

[SNIP]

> Step 6: I already have samba-common, and samba-common-bin (latest for 10.04) installed. I'd assume I need to uninstall these and install samba4 instead (especially as step 8 is to join the domain).

Not familiar with Ubuntu, but that is very very unlikely. Samba 3.x has been able to be a member server of an AD domain for a long time now, and the version included with 10.04 is almost certainly capable of doing that. Samba4 is primarily about being able to imitate an Active Directory domain controller.

The point about joining the domain is to get a Kerberos ticket so the machine can authenticate against the AD to do lookups etc.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Question on approach to authenticate Linux against Samba4
On Thu, 2013-07-25 at 19:14 +, dahopk...@comcast.net wrote:
> Thank you for the very quick response. But in trying to follow the suggested link, a few steps are different.
>
> First, Step 3 is to install various packages. I already have auth-client-config installed which had installed libpam_ldap and libnss-ldap since I simply pulled this system into the test environment rather than rebuild from scratch. I have uninstalled these and then added libnss-ldapd and libpam-ldapd along with the kerberos packages.

Perfect.

> Issue is that I was never asked for a Kerberos realm or IP of the DC. I should have mentioned that this system is running 10.04, not 12.04. So .. which config file do I need to edit to ensure that the IP of the DC is correctly specified?

DNS does that so you don't need to. Just run:

sudo dpkg-reconfigure krb5-config

or simply copy /usr/local/samba/private/krb5.conf from the DC to /etc on the client.

For good measure add the DC to /etc/hosts on the client.

> I also installed nslcd.

Correct.

> Step 6: I already have samba-common, and samba-common-bin (latest for 10.04) installed.

10.04 . Did these go in OK?

sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit

> I'd assume I need to uninstall these and install samba4 instead (especially as step 8 is to join the domain).

No. You only need enough of samba on the client to get the net command to join the domain. Any old version of samba will do. What you have is more than enough.

HTH
Steve
Re: [Samba] Question on approach to authenticate Linux against Samba4
On Thu, 2013-07-25 at 20:59 +0100, Jonathan Buzzard wrote:
> On 25/07/13 20:14, dahopk...@comcast.net wrote:
>
> [SNIP]
>
>> Step 6: I already have samba-common, and samba-common-bin (latest for 10.04) installed. I'd assume I need to uninstall these and install samba4 instead (especially as step 8 is to join the domain).
>
> Not familiar with Ubuntu, but that is very very unlikely. Samba 3.x has been able to be a member server of an AD domain for a long time now, and the version included with 10.04 is almost certainly capable of doing that. Samba4 is primarily about being able to imitate an Active Directory domain controller.
>
> The point about joining the domain is to get a Kerberos ticket so the machine can authenticate against the AD to do lookups etc.

So that's a 'No.' then:)
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via a74c7d7 torture/drs: Expand an error message to aid debugging
  via 63c05e8 dsdb/samdb: use RECYCLED it implies DELETED...
  via 6016ba3 selftest: ensure samba4.nss.test.*using.*winbind is always tested
  via 93b8315 selftest: ensure samba4.rpc.samr.large-dc.two.samr.many is always tested
  via 5e1f279 rpc_server-drsuapi: Improve comments and DEBUG lines
  via e9faf50 dsdb: Add assert in drepl_take_FSMO_role
  via ae0ba6b selftest: Ensure the DC has started and and got a RID set before we proceed
  via db9c3c6 dsdb-ridalloc: Rework ridalloc to return error strings where RID allocation fails
  via 31fb7f9 dsdb: Rework subtree_rename module to use recursive LDB_SCOPE_ONELEVEL searches
  via 03b44d2 dsdb-descriptor: Do not do a subtree search unless we have child entries
  from ca98d81 dynconfig: Remove last s3 markers now we have just one build system

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit a74c7d780cb6a1e8a5a63ebbbcf36fd7cf717ea1
Author: Andrew Bartlett abart...@samba.org
Date: Mon Jun 17 22:37:54 2013 +1000

    torture/drs: Expand an error message to aid debugging

    Reviewed-by: Stefan Metzmacher me...@samba.org
    Autobuild-User(master): Stefan Metzmacher me...@samba.org
    Autobuild-Date(master): Thu Jul 25 13:51:44 CEST 2013 on sn-devel-104

commit 63c05e820f1449b2dfa6e4f096d8270284a60bbb
Author: Stefan Metzmacher me...@samba.org
Date: Mon Jun 10 14:00:01 2013 +0200

    dsdb/samdb: use RECYCLED it implies DELETED...

    Signed-off-by: Stefan Metzmacher me...@samba.org

commit 6016ba3a02c5418b44bb61d434f3a25d6e5991b8
Author: Andrew Bartlett abart...@samba.org
Date: Sat Jul 13 19:35:52 2013 +1000

    selftest: ensure samba4.nss.test.*using.*winbind is always tested

    With the winbind fixes now in master this should be more reliable.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett abart...@samba.org
    Reviewed-by: Stefan Metzmacher me...@samba.org

commit 93b83151c9563f4c1f47b925fed079d275f8ec43
Author: Andrew Bartlett abart...@samba.org
Date: Sat Jul 13 19:34:45 2013 +1000

    selftest: ensure samba4.rpc.samr.large-dc.two.samr.many is always tested

    This test should now be more reliable with the over-allocation of RID values now fixed.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett abart...@samba.org
    Reviewed-by: Stefan Metzmacher me...@samba.org

commit 5e1f2795f28b0a213b4529e046edec68caa3bd41
Author: Andrew Bartlett abart...@samba.org
Date: Fri Jun 28 09:19:48 2013 +1000

    rpc_server-drsuapi: Improve comments and DEBUG lines

    Signed-off-by: Andrew Bartlett abart...@samba.org
    Reviewed-by: Stefan Metzmacher me...@samba.org

commit e9faf50ee123a8d1d647ebffa39107ca0dce756c
Author: Andrew Bartlett abart...@samba.org
Date: Fri Jun 28 09:15:16 2013 +1000

    dsdb: Add assert in drepl_take_FSMO_role

    Pair-Programmed-With: Stefan Metzmacher me...@samba.org
    Signed-off-by: Andrew Bartlett abart...@samba.org
    Signed-off-by: Stefan Metzmacher me...@samba.org

commit ae0ba6bd833f71c4337ae3b6621bf797cb3c48c2
Author: Andrew Bartlett abart...@samba.org
Date: Wed Jun 19 11:33:36 2013 +1000

    selftest: Ensure the DC has started and and got a RID set before we proceed

    This avoids errors when a busy DC has not yet fetched a RID set, showing up as flapping tests when users are created, such as the samr.large-dc test.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett abart...@samba.org
    Reviewed-by: Stefan Metzmacher me...@samba.org

commit db9c3c62c89e1328872e3fdedde22b78770728a9
Author: Andrew Bartlett abart...@samba.org
Date: Wed Jun 19 10:30:48 2013 +1000

    dsdb-ridalloc: Rework ridalloc to return error strings where RID allocation fails

    We now also only poke the RID manager once per request.

    This may help track down why RID allocation can fail, as while we never wait for the RID set to be created/updated, it may be the only clue the admin gets as to why the async allocations were failing.

    Andrew Bartlett

    Pair-Programmed-With: Stefan Metzmacher me...@samba.org
    Signed-off-by: Andrew Bartlett abart...@samba.org
    Signed-off-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Stefan Metzmacher me...@samba.org

commit 31fb7f9c1b93b0f2114dec5096e43616ed317720
Author: Andrew Bartlett abart...@samba.org
Date: Sun Jun 23 21:38:40 2013 +1000

    dsdb: Rework subtree_rename module to use recursive LDB_SCOPE_ONELEVEL searches

    This should be more efficient, particularly in the leaf node case when renaming and deleting entries on large databases.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett abart...@samba.org
    Reviewed-by: Stefan Metzmacher me...@samba.org