Re: [Samba] ./configure LDAP checks failing on AIX

2013-07-30 Thread Andrew Bartlett
On Thu, 2013-07-25 at 14:40 +, Gilles Pion wrote:
 Samba version 4.0.7
 Aix 6.1
 Compiler: IBM xlc
 
 Last lines of ./configure output:
 Checking for ldap_init : not found 
 Checking for ldap_init_fd : not found 
 Checking for ldap_initialize : not found 
 Checking for ldap_set_rebind_proc : not found 
 Checking for ldap_add_result_entry : ok 
 Checking whether ldap_set_rebind_proc takes 3 arguments : ok 
 Active Directory support not available: LDAP support ist not available.
 path/wscript:760: error: Active Directory support not found. 
 Use --without-ads for building without Active Directory support.
 
 
 Reason (verified)
 the generated test.c file used in the configure checks doesn't have the required 
 ldap include:
 #include <ldap.h>
 
 
 I've not found a clean way to patch configure to fix this
 
 Anyone able to help?

Where is ldap.h on your system.  It may be enough to just specify
CFLAGS=-I/usr/local/openldap/include ./configure

(if that is where ldap.h is).

If we have found ldap.h, it will be added to those tests.

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] AD DC and the Guest account

2013-07-30 Thread Andrew Bartlett
On Thu, 2013-07-25 at 17:07 +0200, i...@bugblatterbeast.de wrote:
 I'm using samba4.0.1 and it works very well in general. Unfortunately  
 I'm missing something like map to guest = bad user and I can't get  
 the Guest account to work. Is there any way to set up some public  
 shares on an AD DC ?
 
 [global]
  workgroup = DOMAIN
  realm = DOMAIN.LOCAL
  netbios name = HOST
  server role = active directory domain controller
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,  
 drepl, winbind, ntp_signd, kcc, dnsupdate
 
  logon path = \\%L\profiles\%U
  logon home = \\%L\%U\.9xprofile
  logon drive = U:
 
  printcap name = /dev/null
  load printers = no
  printing = bsd
 
  interfaces = eth0
  guest ok = yes
  security = user
  map to guest = bad user

In general they are a bad idea on the DC, and I can't recall right now
if we just talked about the patch to have it based on enabling the Guest
account in the sam, or did the work.  Certainly when matching windows
(which I would like to do for this, but understand the desire to also
have the smb.conf option work) the correct way is to see if Guest is
enabled.

Otherwise, it is a known issue, so at least don't feel bad about hitting
it.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] (no subject)

2013-07-30 Thread Gilles Pion
Andrew Bartlett abartlet at samba.org writes:

 Where is ldap.h on your system.  It may be enough to just specify
 CFLAGS=-I/usr/local/openldap/include ./configure
 
 (if that is where ldap.h is).
 
 If we have found ldap.h, it will be added to those tests.
 

I'm using a dedicated openldap installation located in the samba destination
directory
(openldap ./configure prefix is the same as samba ./configure prefix)


Also, as I've always done for configure env variables, for include switches, 
I'm not using CFLAGS 
but CPPFLAGS.
(which BTW contains the required -I switch pointing to the ldap headers 
directory)

Is this not correct?


Note that with the following fix to source3/wscript the check is 
successful, 

replaced
conf.CHECK_FUNCS_IN('ldap_init ldap_init_fd ldap_initialize ldap_set_rebind_proc', 'ldap')
conf.CHECK_FUNCS_IN('ldap_add_result_entry', 'ldap')

by
conf.CHECK_FUNCS_IN('ldap_init ldap_init_fd ldap_initialize ldap_set_rebind_proc', 'ldap',
                    headers='ldap.h lber.h')
conf.CHECK_FUNCS_IN('ldap_add_result_entry', 'ldap',
                    headers='ldap.h')





Re: [Samba] Does anyone think a mini-Samba server would be useful?

2013-07-30 Thread Andrew Bartlett
On Wed, 2013-07-24 at 11:19 -0700, Paul D. DeRocco wrote:
 I'm working on a couple of Yocto Project based embedded projects, one using
 a Gumstix Overo board and the other using an Intel Atom motherboard. Both
 need a simple Samba server, which isn't included in the standard build. The
 only existing Yocto-compatible recipe for Samba is an OpenEmbedded one for
 version 3.6.8. I was quite surprised to find that adding Samba almost
 tripled the size of my Atom build. I understand that version 4 is quite a
 bit smaller, but we're still talking many tens of megabytes of stuff.
 
 I would think there would be lots of people in my boat, who are doing
 embedded systems and who would like to include a really simple SMB file
 server. For instance, a data acquisition system needs to record large
 amounts of data to a local disk, and then provide access to it over a
 network so people can bring it into Matlab or other tools. A CNC machine
 tool system needs a way to have Gerber or other files loaded into them. A
 media server needs to be able to serve up video or audio files. Any embedded
 device needs to have a way of being fed configuration data, or having its
 firmware upgraded.
 
 The requirements for such a system are much smaller than what Samba
 provides:
 
 * It only needs to serve files, not printers or other resources.

 I wonder if there's a way to build such a mini-Samba out of the existing
 Samba code base. It's certainly way above my abilities, but it may be
 something that someone on the Samba team could do without mounting a major
 development effort. How many other people would find such a system useful?

One thing we have found when developing Samba is that very quickly we
find that one thing depends on another.  It isn't easy to 'just do the
basics'.  Indeed, the AD DC isn't actually that large, compared with so
much else that we need.

That isn't to say that for example printing comes free - and I think
there even is an option to disable that code - but a 'cut down samba'
isn't free either.  Much of the bulk comes from library code we have
come to depend on across the whole server.

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Error on classic upgrade - valid group

2013-07-30 Thread Andrew Bartlett
On Tue, 2013-07-23 at 20:41 -0300, Jonis Maurin Ceará wrote:
 Hi.
 
 I'm trying to convert from s3 to s4 using classic upgrade. I have LDAP
 backend and i'm getting this error:
 
 Ignoring group 'pgrd' S-1-5-21-511255529-1355219746-1726288727-3007 listed
 but then not found: Unable to enumerate group members,
 (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
 
 
 The problem is that this group is valid and almost all our users are in
 this group, so i can't just ignore. Brownsing my ldap i can find and see
 this group and this SID. What could be wrong?

How are they members of this group?  

The thing that Samba's classicupgrade code does that the operational
Samba 3.x DC didn't do by default is set 'ldapsam:trusted = yes'.  This
means that if you were using groupOfNames based groups, we might not
read that correctly in our internal handler, but nss_ldap would have, if
configured.

It's just a guess, but somewhere to start.  Otherwise, perhaps look at
this group and see if there is anything different about it?  Can you
show me the LDIF?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Does anyone think a mini-Samba server would be useful?

2013-07-30 Thread Paul D. DeRocco
 From: Andrew Bartlett [mailto:abart...@samba.org] 
 
 One thing we have found when developing Samba is that very quickly we
 find that one thing depends on another.  It isn't easy to 'just do the
 basics'.  Indeed, the AD DC isn't actually that large, 
 compared with so
 much else that we need.
 
 That isn't to say that for example printing comes free - and I think
 there even is an option to disable that code - but a 'cut down samba'
 isn't free either.  Much of the bulk comes from library code we have
 come to depend on across the whole server.

That all may be true, but when it's around eighty megabytes, something's
wrong. That's a Microsoftian level of bloat.

-- 

Ciao,   Paul D. DeRocco
Paulmailto:pdero...@ix.netcom.com 



[Samba] SMB throughput inquiry, Jeremy, and James' bow tie

2013-07-30 Thread Stan Hoeppner
I went to the site to subscribe again and ended up watching some of
Jeremy's Google interviews.  I particularly enjoyed the interview with
James and the bow tie lesson at the end. :)

So anyway, I recently upgraded my home network to end-to-end GbE.  My
clients are Windows XP SP3 w/hot fixes, and my Samba server is 3.5.6
atop vanilla kernel.org Linux 3.2.6 and Debian 6.0.6.

With FDX fast ethernet steady SMB throughput was ~8.5MB/s.  FTP and HTTP
throughput were ~11.5MB/s.  With GbE steady SMB throughput is ~23MB/s,
nearly a 3x improvement, making large file copies such as ISOs much
speedier.  However ProFTPd and Lighttpd throughput are both a steady
~48MB/s, just over double the SMB throughput.

I've tweaked the various Windows TCP stack registry settings,
WindowScaling ON, Timestamps OFF, 256KB TcpWindowSize, etc.  Between two
Windows machines SMB throughput is ~45MB/s.  You can see from the
remarks below the various smb.conf options I've tried.  No tweaking thus
far of either Windows or Samba has yielded any improvement, at all.  It
seems that regardless of tweaking I'm stuck at ~23MB/s.

[global]
# max xmit=65536
# socket options=TCP_NODELAY IPTOS_LOWDELAY
# read raw=yes
# large readwrite=yes
# aio read size=8192
nt acl support=no
fstype=Samba
client signing=disabled
smb encrypt=disabled
# smb ports=139
smb ports=445

The Linux server has an Intel PRO/1000GT NIC, the clients motherboard
embedded RealTek 8111/8169, the latter being the reason I'm limited to
~50MB/s over the wire.

I run nmbd via the standard init script at startup but I run smbd via
inetd.  This doesn't appear to affect throughput.  I effect config
changes with kill -HUP of inetd and killing smbd.

I have Wireshark installed on one of the Windows XP machines, though I'm
a complete novice with it.  I assume a packet trace may be necessary to
figure out where the SMB request/reply latency is hiding.

~23MB/s is a marked improvement and I'm not intending to complain here.
 It just seems rather low given FTP/HTTP throughput.  I'm wondering how
much of that ~48MB/s I'm leaving on the table, that could be coaxed out
of Windows or smbd, the kernel, etc with some tweaking.

I don't want to take up a bunch of anyone's time with this.  If you can
just tell me what information you need in order to point me in the right
direction, I'll do my best to provide it with little fuss.

Thanks again for providing such an invaluable piece of open source
software to the world.

-- 
Stan


Re: [Samba] SMB throughput inquiry, Jeremy, and James' bow tie

2013-07-30 Thread Volker Lendecke
On Tue, Jul 30, 2013 at 02:26:42AM -0500, Stan Hoeppner wrote:
 I went to the site to subscribe again and ended up watching some of
 Jeremy's Google interviews.  I particularly enjoyed the interview with
 James and the bow tie lesson at the end. :)
 
 So anyway, I recently upgraded my home network to end-to-end GbE.  My
 clients are Windows XP SP3 w/hot fixes, and my Samba server is 3.5.6
 atop vanilla kernel.org Linux 3.2.6 and Debian 6.0.6.
 
 With FDX fast ethernet steady SMB throughput was ~8.5MB/s.  FTP and HTTP
 throughput were ~11.5MB/s.  With GbE steady SMB throughput is ~23MB/s,
 nearly a 3x improvement, making large file copies such as ISOs much
 speedier.  However ProFTPd and Lighttpd throughput are both a steady
 ~48MB/s, just over double the SMB throughput.
 
 I've tweaked the various Windows TCP stack registry settings,
 WindowScaling ON, Timestamps OFF, 256KB TcpWindowSize, etc.  Between two
 Windows machines SMB throughput is ~45MB/s.  You can see from the
 remarks below the various smb.conf options I've tried.  No tweaking thus
 far of either Windows or Samba has yielded any improvement, at all.  It
 seems that regardless of tweaking I'm stuck at ~23MB/s.
 
 [global]
 # max xmit=65536
 # socket options=TCP_NODELAY IPTOS_LOWDELAY
 # read raw=yes
 # large readwrite=yes
 # aio read size=8192
 nt acl support=no
 fstype=Samba
 client signing=disabled
 smb encrypt=disabled
 # smb ports=139
 smb ports=445
 
 The Linux server has an Intel PRO/1000GT NIC, the clients motherboard
 embedded RealTek 8111/8169, the latter being the reason I'm limited to
 ~50MB/s over the wire.
 
 I run nmbd via the standard init script at startup but I run smbd via
 inetd.  This doesn't appear to affect throughput.  I effect config
 changes with kill -HUP of inetd and killing smbd.
 
 I have Wireshark installed on one of the Windows XP machines, though I'm
 a complete novice with it.  I assume a packet trace may be necessary to
 figure out where the SMB request/reply latency is hiding.
 
 ~23MB/s is a marked improvement and I'm not intending to complain here.
  It just seems rather low given FTP/HTTP throughput.  I'm wondering how
 much of that ~48MB/s I'm leaving on the table, that could be coaxed out
 of Windows or smbd, the kernel, etc with some tweaking.

The main question is -- does your client issue multiple
requests in parallel? If not, you are effectively limited to
a TCP Window size of roughly 60k, because the higher level
only issues requests of that size sequentially. If you have
a properly multi-threaded or async copy program on the
client, I think even XP would be able to do multi-issue.
With newer clients like Windows 7 the situation is even
better: The SMB2 client is a lot better performance-wise
than XP ever was.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de


Re: [Samba] SMB throughput inquiry, Jeremy, and James' bow tie

2013-07-30 Thread L . P . H . van Belle
Hi, 

As a comparison.
Running Ubuntu 12.04 LTS, kernel 3.2.0 (latest Ubuntu kernel) 
Samba 3.6.12 Sernet release. 

1 x SSD, top speed 400Mb/s (real-life speeds) 
2 x 5400 RPM disk in RAID 1, mdraid aka software RAID. 
Draytek 2850 with gigabit ports. 
Copy speed from server to PC: about 110-120MB/s (aka the speed I see in 
Windows), large files, like 2+ Gigabit files. 
Copy speed from server to PC: about 40-80MB/s, files from 1-50 Mb. 
Copy speed from server to PC: about 1-20MB/s, lots of small files (like 
1kb-2Mb). 


Tuning, windows side, 
Power schema, High performance  
disabled search indexing service.
and .  
netsh interface tcp set global autotuning=disabled 

Tuning samba side.
only, other settings are default. 
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 


I suggest, upgrade your debian samba, to at least 3.6.6 from backports.
Or use the sernet packages. 

I noticed an improvement in speed after this upgrade.

In my office I'm running samba 3.6.6 from backports on debian. 
On ubuntu I'm using the sernet packages 3.6.12 

Good luck. 

Louis




-Original Message-
From: s...@hardwarefreak.com 
[mailto:samba-boun...@lists.samba.org] On behalf of Stan Hoeppner
Sent: Tuesday, 30 July 2013 9:27
To: samba@lists.samba.org
Subject: [Samba] SMB throughput inquiry, Jeremy, and James' bow tie

I went to the site to subscribe again and ended up watching some of
Jeremy's Google interviews.  I particularly enjoyed the interview with
James and the bow tie lesson at the end. :)

So anyway, I recently upgraded my home network to end-to-end GbE.  My
clients are Windows XP SP3 w/hot fixes, and my Samba server is 3.5.6
atop vanilla kernel.org Linux 3.2.6 and Debian 6.0.6.

With FDX fast ethernet steady SMB throughput was ~8.5MB/s.  
FTP and HTTP
throughput were ~11.5MB/s.  With GbE steady SMB throughput is ~23MB/s,
nearly a 3x improvement, making large file copies such as ISOs much
speedier.  However ProFTPd and Lighttpd throughput are both a steady
~48MB/s, just over double the SMB throughput.

I've tweaked the various Windows TCP stack registry settings,
WindowScaling ON, Timestamps OFF, 256KB TcpWindowSize, etc.  
Between two
Windows machines SMB throughput is ~45MB/s.  You can see from the
remarks below the various smb.conf options I've tried.  No 
tweaking thus
far of either Windows or Samba has yielded any improvement, at all.  It
seems that regardless of tweaking I'm stuck at ~23MB/s.

[global]
# max xmit=65536
# socket options=TCP_NODELAY IPTOS_LOWDELAY
# read raw=yes
# large readwrite=yes
# aio read size=8192
nt acl support=no
fstype=Samba
client signing=disabled
smb encrypt=disabled
# smb ports=139
smb ports=445

The Linux server has an Intel PRO/1000GT NIC, the clients motherboard
embedded RealTek 8111/8169, the latter being the reason I'm limited to
~50MB/s over the wire.

I run nmbd via the standard init script at startup but I run smbd via
inetd.  This doesn't appear to affect throughput.  I effect config
changes with kill -HUP of inetd and killing smbd.

I have Wireshark installed on one of the Windows XP machines, 
though I'm
a complete novice with it.  I assume a packet trace may be necessary to
figure out where the SMB request/reply latency is hiding.

~23MB/s is a marked improvement and I'm not intending to complain here.
 It just seems rather low given FTP/HTTP throughput.  I'm wondering how
much of that ~48MB/s I'm leaving on the table, that could be coaxed out
of Windows or smbd, the kernel, etc with some tweaking.

I don't want to take up a bunch of anyone's time with this.  If you can
just tell me what information you need in order to point me in 
the right
direction, I'll do my best to provide it with little fuss.

Thanks again for providing such an invaluable piece of open source
software to the world.

-- 
Stan





Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Hi Andrew,

To clarify, it is the Win7 client sending the TGS request to the DC and the
DC responds positively. I now have a more complete understanding of what's
going on:

1. Win7 initiates a session with NT4. Nothing interesting.
2. Win7 sends the negotiate protocol response. Of note, we state that we
support extended security.
3. NT4 responds that it does not support extended security. More precisely,
when NT4 dinosaurs roamed the earth, that bit was likely still reserved.
4. Win7 issues a TGS request to the _DC_ to see if the host with that name
really doesn't support extended security, or if the NT4 machine is trying
to subject it to some sort of elaborate ruse. (i)
5. DC responds positively to the TGS req. (!!!)
6. Win7 closes the connection, and displays the error to the user.

i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx state:
<94> Section 3.2.5.2
(http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94):
When the server completes negotiation and returns the CAP_EXTENDED_SECURITY
flag as not set, Windows-based SMB clients query the Key Distribution Center
(KDC) to verify whether a service ticket is registered for the given security
principal name (SPN). If the query indicates that the SPN is registered with
the KDC, then the SMB client terminates the connection and returns an
implementation-specific security downgrade error to the caller.

Since the Samba DC replies that the SPN is available (by fulfilling the
request), I'm assuming we're triggering this documented behavior in the
Win7 client.

Also of note, `klist` on the client has an entry for cifs/nt4test which
`setspn -Q cifs/nt4test` confirms does not exist. I can't confirm the
behavior in #5 is a bug, but it certainly seems suspect.

On Jul 30, 2013 1:07 AM, Andrew Bartlett abart...@samba.org wrote:

 On Mon, 2013-07-29 at 19:29 -0400, Ryan Bair wrote:
  Yes, AD has explicit support for pre-2000 clients.
 
  WINS is alive and well and name resolution is working.
 
  I really think the bogus TGS reply is messing things up,  but I'd like to
  have someone more knowledgeable confirm the behavior is incorrect.

 NT4 doesn't know about Kerberos, I think any TGS traffic is highly
 likely a red herring.  Are you really sure the client is issuing it, and
 you have not additional software installed on the NT4 machine?

 Andrew Bartlett
 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 Samba Developer, Catalyst IT   http://catalyst.net.nz



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
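The client-side check Ryan describes (MS-SMB 3.2.5.2, endnote 94), modelled as an added example; this is not code from the thread or from Samba. It builds a constructed SMB_COM_NEGOTIATE response with and without CAP_EXTENDED_SECURITY, reads the Capabilities field back out of the wire format, and runs the documented decision against two constructed KDC models: one that only issues a service ticket for a registered SPN, and one that answers any cifs/ SPN, which is the symptom the post reports from the Samba DC. The SPNs, host names and capability values are made up for the example.

```python
import struct

SMB_COM_NEGOTIATE = 0x72
# SMB1 Capabilities bits (MS-CIFS 2.2.4.52.2); only the ones used here.
CAP_UNICODE = 0x00000004
CAP_LARGE_FILES = 0x00000008
CAP_NT_SMBS = 0x00000010
CAP_STATUS32 = 0x00000040
CAP_EXTENDED_SECURITY = 0x80000000

# A plausible pre-2000 server: NT-style SMBs, but no extended security.
LEGACY_CAPS = CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS | CAP_STATUS32


def build_negotiate_response(capabilities, challenge=b"\x01\x02\x03\x04\x05\x06\x07\x08"):
    """Constructed NT LM 0.12 SMB_COM_NEGOTIATE response: 32-byte SMB header,
    17 parameter words, and the challenge in the data block."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", SMB_COM_NEGOTIATE,
        0,              # Status
        0x88,           # Flags: reply, case-insensitive pathnames
        0xC001,         # Flags2: unicode, NT status codes, long names
        0,              # PIDHigh
        b"\x00" * 8,    # SecurityFeatures
        0, 0, 0, 0, 0,  # Reserved, TID, PIDLow, UID, MID
    )
    words = struct.pack(
        "<HBHHIIIIqhB",
        0,       # DialectIndex: the single dialect we pretend was offered
        0x03,    # SecurityMode: user level, challenge/response
        50,      # MaxMpxCount
        1,       # MaxNumberVcs
        16644,   # MaxBufferSize
        65536,   # MaxRawSize
        0,       # SessionKey
        capabilities,
        0,       # SystemTime
        0,       # ServerTimeZone
        len(challenge),
    )
    data = struct.pack("<H", len(challenge)) + challenge
    return header + bytes([len(words) // 2]) + words + data


def parse_negotiate_capabilities(packet):
    """Return the Capabilities field of an NT LM 0.12 negotiate response."""
    if len(packet) < 69 or packet[:4] != b"\xffSMB" or packet[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB_COM_NEGOTIATE message")
    word_count = packet[32]
    if word_count != 17:
        raise ValueError("WordCount %d: not an NT LM 0.12 negotiate response" % word_count)
    # Capabilities follows DialectIndex(2) SecurityMode(1) MaxMpxCount(2)
    # MaxNumberVcs(2) MaxBufferSize(4) MaxRawSize(4) SessionKey(4) = 19 bytes.
    (caps,) = struct.unpack_from("<I", packet, 33 + 19)
    return caps


# Constructed KDC models. A real KDC can only issue a ticket for an SPN that
# is registered on some account; `setspn -Q cifs/nt4test` in the post says
# this one is not.
REGISTERED_SPNS = {"cifs/dc0.domain.local", "host/dc0.domain.local"}


def strict_kdc(spn):
    """Issue a service ticket only for a registered SPN (expected behaviour)."""
    return spn in REGISTERED_SPNS


def lenient_kdc(spn):
    """Model of the symptom in the post: a TGS-REP comes back for cifs/nt4test
    although nothing registers that SPN. Not a description of Samba's logic."""
    return spn.startswith("cifs/")


def client_decision(packet, spn, kdc_issues_ticket):
    """Windows client behaviour quoted from MS-SMB 3.2.5.2 (endnote 94)."""
    caps = parse_negotiate_capabilities(packet)
    if caps & CAP_EXTENDED_SECURITY:
        return "extended-security"   # continue with SPNEGO/Kerberos
    if kdc_issues_ticket(spn):
        return "downgrade-error"     # KDC knows this host: refuse to fall back
    return "legacy-auth"             # genuinely old server: NTLM/LM


if __name__ == "__main__":
    legacy = build_negotiate_response(LEGACY_CAPS)
    for name, kdc in (("strict KDC", strict_kdc), ("lenient KDC", lenient_kdc)):
        print(name, "->", client_decision(legacy, "cifs/nt4test", kdc))
```

With the strict model the NT4 box is treated as a legacy server and the session continues with NTLM; with the lenient model the same negotiate response is rejected as a downgrade, which is the error the Win7 client shows in the post.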


Re: [Samba] ./configure LDAP checks failing on AIX

2013-07-30 Thread Gilles Pion
(reposting because gmane web interface appears to have stripped
subject header)

 Where is ldap.h on your system.  It may be enough to just specify
 CFLAGS=-I/usr/local/openldap/include ./configure

 (if that is where ldap.h is).

 If we have found ldap.h, it will be added to those tests.


I'm using a dedicated openldap installation located in the samba destination
directory
(openldap ./configure prefix is the same as samba ./configure prefix)


Also, as I've always done for configure env variables, for include switches,
I'm not using CFLAGS
but CPPFLAGS.
(which BTW contains the required -I switch pointing to the ldap headers directory)

Is this not correct?


Note that with the following fix to source3/wscript the check is
successful,

replaced
conf.CHECK_FUNCS_IN('ldap_init ldap_init_fd ldap_initialize ldap_set_rebind_proc', 'ldap')
conf.CHECK_FUNCS_IN('ldap_add_result_entry', 'ldap')

by
conf.CHECK_FUNCS_IN('ldap_init ldap_init_fd ldap_initialize ldap_set_rebind_proc', 'ldap',
                    headers='ldap.h lber.h')
conf.CHECK_FUNCS_IN('ldap_add_result_entry', 'ldap',
                    headers='ldap.h')

--
Gilles PION


Re: [Samba] NT_STATUS_TOO_MANY_OPENED_FILES with Samba 4.0.6 and Internal DNS

2013-07-30 Thread Henrik Ormåsen
I posted a question about something that might be the same problem on 
ServerFault:


http://serverfault.com/questions/527214/samba-4-file-server-will-not-allow-any-additional-users-to-log-on

Den 10.07.13 16:43, skrev Andrew Martin:

Hello,

I am using Samba 4.0.6 on Ubuntu 12.04 with the internal DNS and dns forwarder 
set to forward to an upstream dnsmasq server as follows:
[global]
 workgroup = EXAMPLE
 realm = EXAMPLE.COM
 netbios name = DC0
 server role = active directory domain controller
 dns forwarder = 192.168.010
 idmap_ldb:use rfc2307 = Yes

 # disable printing since we're not using it and to get rid of printcap 
errors in log
 printcap name = /dev/null
 load printers = no
 printing = bsd

[netlogon]
 path = /var/lib/samba/sysvol/example.com/scripts
 read only = No

[sysvol]
 path = /var/lib/samba/sysvol
 read only = No


Samba 4 has been working well so far as an AD DC, however I have seen this 
message appear in the samba log:
[2013/07/10 08:52:35,  0] 
../source4/smbd/process_single.c:57(single_accept_connection)
   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES

I found this bug report and thread regarding this issue, and stating that it 
had been fixed in 4.0.0 rc3:
https://bugzilla.samba.org/show_bug.cgi?id=8878
http://samba.2283325.n4.nabble.com/Samba3-gt-samba-4-td4638214.html

I confirmed that the attached patch is indeed applied in my copy of 4.0.6. What 
else can I do to debug this problem?

Thanks,

Andrew






Re: [Samba] AD DC and the Guest account

2013-07-30 Thread Bugblatterbeast

Quoting Andrew Bartlett abart...@samba.org:


On Thu, 2013-07-25 at 17:07 +0200, i...@bugblatterbeast.de wrote:

I'm using samba4.0.1 and it works very well in general. Unfortunately
I'm missing something like map to guest = bad user and I can't get
the Guest account to work. Is there any way to set up some public
shares on an AD DC ?

[global]
 workgroup = DOMAIN
 realm = DOMAIN.LOCAL
 netbios name = HOST
 server role = active directory domain controller
 server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate

 logon path = \\%L\profiles\%U
 logon home = \\%L\%U\.9xprofile
 logon drive = U:

 printcap name = /dev/null
 load printers = no
 printing = bsd

 interfaces = eth0
 guest ok = yes
 security = user
 map to guest = bad user


In general they are a bad idea on the DC, and I can't recall right now
if we just talked about the patch to have it based on enabling the Guest
account in the sam, or did the work.  Certainly when matching windows
(which I would like to do for this, but understand the desire to also
have the smb.conf option work) the correct way is to see if Guest is
enabled.

Otherwise, it is a known issue, so at least don't feel bad about hitting
it.

Sorry,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Thanks for the reply. I will try the SAM-configuration one more time  
(I'm not that good with windows), though I think I did all I could. If  
the guest account won't work now, I'll wait patiently for the next  
releases.


Please keep up the good work.

Regards, bbb


This message was sent using IMP, the Internet Messaging Program.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
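An added example, not code from the thread or from Samba: a small lint over an smb.conf [global] section that flags the settings discussed in this digest. On an AD DC it flags 'map to guest' and 'guest ok' (Andrew calls guest access on a DC a bad idea and the option a known issue in 4.0); on any server it flags 'client signing = disabled', 'smb encrypt = disabled' and 'nt acl support = no' from the throughput post. Parameter names are matched the way Samba matches them, ignoring case and whitespace. Both sample configurations are constructed from the posts above; the rule ids and messages are my own.

```python
import re

# Constructed from the "AD DC and the Guest account" post.
DC_CONF = r"""
[global]
 workgroup = DOMAIN
 realm = DOMAIN.LOCAL
 netbios name = HOST
 server role = active directory domain controller
 logon path = \\%L\profiles\%U
 interfaces = eth0
 guest ok = yes
 security = user
 map to guest = bad user
"""

# Constructed from the "SMB throughput inquiry" post (a 3.5.x file server).
FILESERVER_CONF = r"""
[global]
# socket options=TCP_NODELAY IPTOS_LOWDELAY
nt acl support=no
fstype=Samba
client signing=disabled
smb encrypt=disabled
smb ports=445
"""


def _norm(name):
    """Samba compares parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name.lower())


def parse_smb_conf(text):
    """Return {section: {normalised key: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][_norm(key)] = value.strip()
    return sections


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint_global(conf):
    """Return (rule_id, setting, why) findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    ad_dc = "active directory" in g.get("serverrole", "").lower()

    if ad_dc and g.get("maptoguest", "never").lower() != "never":
        findings.append(("map-to-guest-on-dc", "map to guest = " + g["maptoguest"],
                         "guest mapping on a DC: not honoured by Samba 4.0 and a bad idea anyway"))
    if ad_dc and _is_yes(g.get("guestok", "no")):
        findings.append(("guest-ok-on-dc", "guest ok = " + g["guestok"],
                         "global default would let every share on the DC be read without auth"))
    if g.get("clientsigning", "").lower() == "disabled":
        findings.append(("client-signing-disabled", "client signing = disabled",
                         "this host's own outbound SMB connections lose integrity protection"))
    if g.get("smbencrypt", "").lower() == "disabled":
        findings.append(("smb-encrypt-disabled", "smb encrypt = disabled",
                         "Unix-extensions encryption off; XP clients never used it, so no speed gain"))
    if "ntaclsupport" in g and not _is_yes(g["ntaclsupport"]):
        findings.append(("nt-acl-support-off", "nt acl support = " + g["ntaclsupport"],
                         "clients see a generic ACL instead of the real permissions; ACLs cannot be reviewed from Windows"))
    return findings


def rule_ids(text):
    """Sorted rule ids, convenient for scripting and tests."""
    return sorted(rule for rule, _, _ in lint_global(parse_smb_conf(text)))


if __name__ == "__main__":
    for label, text in (("DC", DC_CONF), ("file server", FILESERVER_CONF)):
        for rule, setting, why in lint_global(parse_smb_conf(text)):
            print("%-12s %-24s %-28s %s" % (label, rule, setting, why))
```

Feed it the output of testparm -s rather than the raw file when you want defaults and includes resolved the way smbd sees them.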


Re: [Samba] NT_STATUS_TOO_MANY_OPENED_FILES with Samba 4.0.6 and Internal DNS

2013-07-30 Thread felix
 I posted a question about something that might be the same problem on
 ServerFault:

 http://serverfault.com/questions/527214/samba-4-file-server-will-not-allow-any-additional-users-to-log-on

 Den 10.07.13 16:43, skrev Andrew Martin:
 Hello,

 I am using Samba 4.0.6 on Ubuntu 12.04 with the internal DNS and dns
 forwarder set to forward to an upstream dnsmasq server as follows:
 [global]
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  netbios name = DC0
  server role = active directory domain controller
  dns forwarder = 192.168.010
  idmap_ldb:use rfc2307 = Yes

  # disable printing since we're not using it and to get rid of
 printcap errors in log
  printcap name = /dev/null
  load printers = no
  printing = bsd

 [netlogon]
  path = /var/lib/samba/sysvol/example.com/scripts
  read only = No

 [sysvol]
  path = /var/lib/samba/sysvol
  read only = No


 Samba 4 has been working well so far as an AD DC, however I have seen
 this message appear in the samba log:
 [2013/07/10 08:52:35,  0]
 ../source4/smbd/process_single.c:57(single_accept_connection)
single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES

 I found this bug report and thread regarding this issue, and stating
 that it had been fixed in 4.0.0 rc3:
 https://bugzilla.samba.org/show_bug.cgi?id=8878
 http://samba.2283325.n4.nabble.com/Samba3-gt-samba-4-td4638214.html

 I confirmed that the attached patch is indeed applied in my copy of
 4.0.6. What else can I do to debug this problem?

 Thanks,

 Andrew


It happened to me too last weekend, with almost no users connected. but
I'm using samba4 with bind_dlz. my samba4 last update was 2 weeks ago.

Felix.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
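What to check next, as an added example that is not from the thread or from Samba: NT_STATUS_TOO_MANY_OPENED_FILES out of accept() means the process has reached its own RLIMIT_NOFILE, so the useful numbers are how many descriptors each samba process holds against its own soft limit (which can differ from the ulimit -n of your shell). The script reads /proc/<pid>/fd and /proc/<pid>/limits on Linux; the sample limits text is constructed, and the process name 'samba' and the warning threshold are my choices.

```python
import os
import re

# Constructed /proc/<pid>/limits excerpt, in the real file's column layout.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             7856                 7856                 processes
"""


def parse_nofile_limits(text):
    """Return (soft, hard) for 'Max open files'; None stands for 'unlimited'."""
    def conv(value):
        return None if value == "unlimited" else int(value)

    for line in text.splitlines():
        if line.startswith("Max open files"):
            fields = re.split(r"\s{2,}", line.strip())   # columns are 2+ spaces apart
            return conv(fields[1]), conv(fields[2])
    raise ValueError("no 'Max open files' line")


def classify(used, soft, warn_at=0.80):
    """'ok' below warn_at of the soft limit, 'warning' above it, 'exhausted' at it."""
    if soft is None:
        return "ok"
    if used >= soft:
        return "exhausted"
    if used >= warn_at * soft:
        return "warning"
    return "ok"


def proc_available():
    return os.path.isdir("/proc/self/fd")


def open_fd_count(pid):
    """Descriptors the process currently holds (one entry per fd in /proc)."""
    return len(os.listdir("/proc/%s/fd" % pid))


def fd_status(pid):
    """(used, soft_limit, classification) for one process; pid may be 'self'."""
    with open("/proc/%s/limits" % pid) as f:
        soft, _hard = parse_nofile_limits(f.read())
    used = open_fd_count(pid)
    return used, soft, classify(used, soft)


def samba_pids(name="samba"):
    """PIDs whose /proc/<pid>/comm is `name` (the AD DC's process tree is 'samba')."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open("/proc/%s/comm" % entry) as f:
                if f.read().strip() == name:
                    pids.append(int(entry))
        except OSError:        # process went away or is not ours to read
            continue
    return pids


if __name__ == "__main__":
    for pid in samba_pids() or ["self"]:
        used, soft, state = fd_status(pid)
        print("pid %s: %d of %s fds (%s)" % (pid, used, soft, state))
```

Run it a few times over an hour: a process whose count climbs steadily while connections stay flat is leaking descriptors, which is the pattern to report against the bug rather than a plain limit that is simply too low.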


Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread samba1
Thanks very much for your detailed reply.  I’m sure it will be very 
helpful.

Is there an easy way to search for your earlier posts?  I’m looking 
in the archives, and opening them by month, then searching for your 
name. It just seems a bit long-winded – I’m not sure when you would 
have posted them!

Thanks again.


On Mon, 29 Jul 2013 16:49:48 +0100 Gaiseric Vandal 
gaiseric.van...@gmail.com wrote:
Run the testparm -v to see full details, including defaults that may 
not have been explicitly specified in smb.conf.  You want to look 
out for the passdb backend value.  On samba 3.4 or later tdbsam is 
probably the only valid local option.  If you were using the smbpasswd 
file (text?) format on 3.0.x you may need to use the smbpasswd command 
to export / import to the TDB (trivial data base) format.



With the old primary domain server running you should join the new 
machine to the domain as a member server.  (net join.)   The localsid on 
all dc's should match the domainsid. You can probably then make the 
new machine a DC by changing the smb.conf to allow domain logons and by 
changing the localsid to be the domain sid.  Verify that the user 
accounts are the same on each DC with pdbedit -Lv.  You may find that 
some accounts did not export properly.

Also make sure that each domain controller has the same group mappings 
(net rpc groupmap list ?)   From 3.0. to 3.4 or later you may find you 
need to explicitly some of the well known groups. You may also need to 
create an explicit nobody user in linux (and specify guest account 
= nobody in smb.conf.)


Search for earlier posts by me that cover DC migration and 3.0x to 3.4 
upgrades.






On 07/29/13 11:24, sam...@nym.hush.com wrote:
 Also, here are the 'global' sections from the 'testparm' command.

 Existing Unix server

 [global]
  workgroup = DDOMAIN
  server string = Samba Server PDC
  smb passwd file = /etc/smbpasswd
  log file = /usr/lib/samba/var/log.%m
  max log size = 50
  time server = Yes
  keepalive = 0
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  load printers = No
  disable spoolss = Yes
  logon script = %U.bat
  logon drive = G:
  domain logons = Yes
  os level = 64
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  wins support = Yes
  hosts allow = 192.0.0., 127.


 New Debian server

 [global]
  workgroup = DDOMAIN
  server string = %h server (Samba %v)
  interfaces = 127.0.0.0/8, eth0
  bind interfaces only = Yes
  obey pam restrictions = Yes
  smb passwd file = /etc/smbpasswd  ### I added this, but the file doesn’t exist
  pam password change = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  unix password sync = Yes
  syslog = 0
  log file = /var/log/samba/log.%m
  max log size = 1000
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  logon script = %U.bat
  logon drive = G:
  domain logons = Yes
  os level = 64
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  wins support = Yes
  panic action = /usr/share/samba/panic-action %d


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] ./configure LDAP checks failing on AIX

2013-07-30 Thread Gaiseric Vandal

You may also want to set LD_LIBRARY_PATH to include /usr/local/openldap/lib

On 07/30/13 02:31, Andrew Bartlett wrote:

On Thu, 2013-07-25 at 14:40 +, Gilles Pion wrote:

Samba version 4.0.7
Aix 6.1
Compiler: IBM xlc

Last lines of ./configure output:
Checking for ldap_init : not found
Checking for ldap_init_fd : not found
Checking for ldap_initialize : not found
Checking for ldap_set_rebind_proc : not found
Checking for ldap_add_result_entry : ok
Checking whether ldap_set_rebind_proc takes 3 arguments : ok
Active Directory support not available: LDAP support ist not available.
path/wscript:760: error: Active Directory support not found.
Use --without-ads for building without Active Directory support.


Reason (verified)
the generated test.c file user in configure checks doesn't have the required
ldap include:
#include <ldap.h>


I've not found a clean way to patch configure to fix this

Anyone able to help?

Where is ldap.h on your system.  It may be enough to just specify
CFLAGS=-I/usr/local/openldap/include ./configure

(if that is where ldap.h is).

If we have found ldap.h, it will be added to those tests.

Andrew Bartlett




Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread Chris Smith
On Mon, Jul 29, 2013 at 6:47 AM,  sam...@nym.hush.com wrote:
 I’d appreciate some pointers on what to do. I don’t want to have
 the exact same users on the new Debian server (some of the users on
 the Unix server have left) so was hoping to just create users and
 groups manually rather than copy existing files across. Do I need
 to edit the UIDs and GIDs somehow, and then export/import some
 password/security files? I’ve seen that on the Unix server there’s
 a file named /etc/smbpasswd, but that isn’t on the Debian server,
 so I’m wondering if they’re using a different type of security back-
 end…  Is there a command which will report this, or which smb.conf
 parameters will identify this? I don’t do a lot of this stuff, so
 any help would be appreciated.

Most likely it would have been simplest to copy the old Samba
configuration to the new system. Update the smb.conf for necessary
changes (review all of the Changelogs from the old version to the new
version), change from the smbpasswd backend to the tdbsam backend (the
new default), then remove the users you no longer want or need.

Having said that I just finished migrating an NT4 PDC with Exchange
5.5 to two new VM's; the PDC part to a new Debian Samba installation
by hand (the long way), and the Exchange 5.5 part to a new NT4
server install (sounds like fun, right?). Fortunately the client
install base was under 25 so doing it the long way was not out of the
question. Had I been moving between Samba versions I would not even
have been tempted to do anything except follow the first paragraph
above.

Basically, in the long way, you need the same domain SID, the same
user SID's and I believe also the same machine SID's (I manually set
all of these as well), etc. and the proper group mappings (no longer
automatic, see chapter 9 of the official howto). Then you'll have to
rejoin all machines to the new PDC although really you are just
resetting the trust password. The UID/GID's are meaningless to the
Windows side, no need to mess with those, although I prefer to use
different ranges for Windows users, and Machines (and also a different
group for Machines - just a nicety for scripting later on). Done
properly the users will see no difference when they login to the
domain, same profile, etc.

Chris

Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread Chris Smith
You may want to look into using the Sernet packages instead of the
Debian ones, then you'll have an up-to-date Samba 3.6.16
installation.

Only problem I had was that I needed to add Samba to run level 2 as it
appears my CLI only install of Wheezy doesn't boot into run level 3
(as Debian claims is their default).

Chris

On Tue, Jul 30, 2013 at 9:00 AM,  sam...@nym.hush.com wrote:
 Thanks very much for your detailed reply.  I’m sure it will be very
 helpful.

 Is there an easy way to search for your earlier posts?  I’m looking
 in the archives, and opening them by month, then searching for your
 name. It just seems a bit long-winded – I’m not sure when you would
 have posted them!

 Thanks again.


 On Mon, 29 Jul 2013 16:49:48 +0100 Gaiseric Vandal
 gaiseric.van...@gmail.com wrote:

Re: [Samba] Windows 8 pro and Samba 4

2013-07-30 Thread Marc Muehlfeld

Hello,

On 30.07.2013 14:17, iss...@aralar.edunet.es wrote:
 Well, to begin with a BIG THANK YOU!!! win 8 pro joined the samba NT4
 style domain.

 After making the 2 changes,
 1) put my dns suffix in computer- properties- computer name- dns
suffix
 2) add the keys to the registry with the values
 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
 \LanManWorkstation\Parameters]

 DWORD DomainCompatibilityMode 1
 DWORD DNSNameResolutionRequired 0

 The win8 machine joined our samba 4.0.x NT4 style domain (running on
 opensuse 12.2) seamlessly . I also realized that it was also able to
 join the samba 3.6.3 NT4 style domain (running on opensuse 11.4).

 Men! You can´t imagine how excited I was this morning.

 I tested 3 domain user accounts, gem, ped, testacc i.e logging into
 the win8 as a domain user and logging out. Everything went fine.

Good to know if this solves your problem.

I'll try to clarify the Wiki article about the registry changes for that 
during the next time.







 But, at logging out win8 informs me that it could not synchronize the
 profile perfectly and referred me to the system logs. I attach the
 system log section as pdf.

 It seems it has problem synchronizing some folders.

 What do you think I can do about it?

I don't speak Spanish. But if I use Google translate, "Es posible que 
este error se deba a problemas de red o derechos de seguridad 
insuficientes", I interpret it that you maybe don't have permissions 
to store the profile on the server. What are the permissions on your 
profiles share (\\china\profiles)? Can a user create there a new folder 
for your *.v2 profile?







 Secondly your email raised another issue what is the difference
 between running samba as NT4 domain style or as AD DC?

AD allows you to have a central place for user management and many more.

http://en.wikipedia.org/wiki/Active_Directory

Current windows versions can still join NT4 style domains. But they 
can't use many of the great features an AD allows you to do. E.g. group 
policies to preconfigure/restrict/etc. user accounts/machines, etc. Also 
you can use the Windows tools for administrating accounts, groups, set 
permission on shares/files, etc.


Have a look at the Samba Wiki (http://wiki.samba.org/index.php/Samba). 
There are some HowTos that show you how to set up Samba AD or migrate an 
existing NT4-style domain.


But if you are currently happy with the domain you have and don't 
require any of the AD features, you can of course stay on your NT4 
domain. But even for small company networks AD would be a good 
advancement in administration.




Regards,
Marc





[Samba] Slow FIND_FIRST2 response

2013-07-30 Thread Ryan Bair
I'm running Samba 4.0.7 on CentOS 6.4 running double duty as DC and file
server.

OS X clients are taking a _long_ time to list long directories. One
directory with 10K entries is taking 3-4 minutes to display the entries in
Finder.

I captured a few seconds worth of packets and noticed that it's doing three
requests per file:
1. NTCreateAndX - just opens the file
2. Close
3. FIND_FIRST2 - to look for the resource fork

The first two happen extremely fast, the 3rd one is the kicker. Samba is
taking about 0.025 seconds to return a response to the client (usually no
such file status). Multiply that by 10K requests and you have a few minutes
on your hands.

I'm guessing the problem is that Samba must honor case-insensitivity for
the lookup which is likely an expensive operation. Is there any way to speed
this up?


Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread Chris Smith
On Tue, Jul 30, 2013 at 12:36 PM, Chris Smith smb...@chrissmith.org wrote:
 Only problem I had was that I needed to add Samba to run level 2 as it
 appears my CLI only install of Wheezy doesn't boot into run level 3
 (as Debian claims is their default).

Just read somewhere else the run level 2 is the default for Debian -
in that case I think Sernet should modify the init script.


Re: [Samba] Slow FIND_FIRST2 response

2013-07-30 Thread Volker Lendecke
On Tue, Jul 30, 2013 at 12:56:18PM -0400, Ryan Bair wrote:
 I'm running Samba 4.0.7 on CentOS 6.4 running double duty as DC and file
 server.
 
 OS X clients are taking a _long_ time to list long directories. One
 directory with 10K entries is taking 3-4 minutes to display the entries in
 Finder.
 
 I captured a few seconds worth of packets and noticed that it's doing three
 requests per file:
 1. NTCreateAndX - just opens the file
 2. Close
 3. FIND_FIRST2 - to look for the resource fork
 
 The first two happen extremely fast, the 3rd one is the kicker. Samba is
 taking about 0.025 seconds to return a response to the client (usually no
 such file status). Multiply that by 10K requests and you have a few minutes
 on your hands.

Can you do an

strace -ttT -o smbd.strace -p <smbd-pid>

of the smbd serving the client while it's doing that? You
can find out the smbd pid with the smbstatus command. Please
upload the smbd.strace somewhere for inspection.

Thanks,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de


[Samba] Intermittent access to Sysvol/Netlogon shares

2013-07-30 Thread Mike Ray
Hello all- 

Cutting to the chase, I'm noticing varying/intermittent access to the netlogon 
and sysvol shares. All clients are windows 7 and samba is 4.0.6. Some clients 
are able to run 'gpupdate /force' and will successfully apply updates. Other 
clients fail out on this and state that it can't read the default domain policy 
GPT.INI file from \\domain\ When I try to manually navigate there, I can 
connect to \\domain\ but am denied access to both netlogon and sysvol with an 
'access denied, internal error' message. Connecting to either DC via \\dc\ 
works and from there, for the clients that failed \\domain\ it seems to be 
arbitrary if they can browse the entire directory (no relation to nltest 
/dsgetdc). Additionally, they might not be able to access say netlogon, but if 
i browse through sysvol, I can get into what is the netlogon folder no problem. 
Clients that have no issue connecting to \\domain\ are equally able to browse 
all parts of \\dc\. 

samba-tool ntacl sysvolcheck, samba-tool drs showrepl, samba_dnsupdate 
--verbose and samba-tool dbcheck all report zero errors. There is presently 
nothing in the logs either. 

Of the two DCs, for the last week or so, one of them was panicking internally 
and crashing to a weird state every few minutes; a patch provided by Andrew 
Bartlett has since stopped that behavior. If that DC is the only one running or 
if the other one is running concurrently, seemingly random clients will 
experience the above issues and some will be fine. If the DC who didn't have 
that glitch is the only one running, it appears that this issue does not ever 
occur. 

Anyone have any clue what might be so messed up with that first DC? 

-Mike Ray 


[Samba] Suggestions testing Samba 4 on same subnet as Standalone Samba 3 Server

2013-07-30 Thread Mike
My network currently has the following server running Samba 3 as a
standalone server to 50 client boxes: Linux a1 2.6.35.7 #3 SMP Samba
Version 3.5.6. Currently, no true NT Domain Controller, in Windows speak -
it's a Workgroup only.

I have another server that I want to configure to use Samba 4 as an Active
Directory Domain Controller and file server: Linux a10 3.7.10-gentoo-r1 #1
SMP Samba Version 4.0.4.

I only have one subnet and cannot disrupt the users, but have read the
following concerns on the Samba wiki: Make sure you thoroughly test your
conversion and how your clients react before you activate your new server
in your production environment! Once a Windows client finds and connects to
the new server, it is not possible to go back!

Also, it is necessary to do testing on a separate network so that the old
and new domain controllers don't clash. The issues with having both domains
'live' at the same time are:

The databases are not synchronised after the initial migration
Even if no changes are made to the DB, clients which see an AD DC will no
longer honour NT4 system policies
The new Samba4 PDC and the old DC will both claim to hold the #1b name as
the netbios domain master

The paths to certain files and directories for your Samba3 installation are
often distribution specific (for example, /var/lib/samba vs. /etc/samba).
Please be sure to verify and if necessary, modify paths used in examples
appropriately.

- - - - - -

Has anyone dealt with only having one subnet upon which to configure and
test a new Samba 4 server in the presence of a currently active Samba 3
server?

I was thinking maybe the simplest way would be to make an iptables firewall
on the Samba 4 server -- allowing connections from only one particular
address on the subnet and use that one address for a client box to test on.

Possible iptables rule (allowing one client address, blocking all others on
subnet):
iptables -t filter -A INPUT -i eth0 -s 192.168.1.200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 ! -s 192.168.1.200 -j DROP

Would this be adequate to separate the Samba 4 server from others on the
LAN?


Re: [Samba] Fwd: About samba 3.0.28 trust AD

2013-07-30 Thread Wong siu yu
Redhat gave me the samba-3.6.6 with samba-winbind-3.6.6.
I can set up the trust relationship with my AD.
Thanks for your support.


2013/7/29 Nico Kadel-Garcia nka...@gmail.com

 On Sun, Jul 28, 2013 at 5:39 PM, Marc Muehlfeld sa...@marc-muehlfeld.de
 wrote:
  Hello,
 
  On 06.07.2013 15:26, Wong siu yu wrote:
 
  I had a RedHat 5.2 need to trust domain the Windows Server 2008 R2
 (forest
  level 2003).
  Which package I need to install first? I am using samba-3.0.28 but I
 have
  no samba-winbind.
  May I know procedures of trust setting in Linux?
 
 
  Please have a look here first:
 
 
 http://wiki.samba.org/index.php/FAQ#How_to_do_or_fix_..._in_an_outdated_Samba_version.3F

 Red Hat 5.2 (which is amazingly old now), or RHEL 5.2 (which is only 5
 years old)? If RHEL 5.2, you should at least remove the samba-*
 packages and replace them with the samba3x-* packages, which include
 samba3x-winbind and are version 3.6.6, instead of the much older
 samba-3.0.33 which is the last update from a licensed RHEL host.

 If your RHEL license has expired, you can also consider using the
 CentOS or Scientific Linux versions of the package. And if you really
 need them, I've been publishing clean tools for building samba-3.6.12
 RPM's at https://github.com/nkadel/samba-3.6.12-srpm.



Re: [Samba] Windows 8 pro and Samba 4

2013-07-30 Thread isscma

The win8 machine is able to resolve the netbios name of the server.
ping works fine. I ping the netbios name and it returns the ip address.

I attach the 4 screenshots.
- the first is the message I get on trying to join the domain
- the 2nd - 4th are just to show the network settings of the client. We 
normally leave all on default settings.


The surprising thing is that win7 and winxp join the domain without 
problems and use exactly the same network settings as the win8.


I send you also my samba 4.x global configuration.

[global]
workgroup = CMARALAR
server string = Servidor
interfaces = 192.168.1.1/255.255.255.0
bind interfaces only = Yes
deadtime = 5
load printers = No
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$

logon script = conecta.vbs
logon path = \\%N\profiles\%U
logon drive = Z:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
ldap ssl = no
idmap config * : range =
idmap config * : backend = tdb
hide special files = Yes
hide unreadable = Yes
hide unwriteable files = Yes
veto files = /*-China*/*-runtime*/*.desktop*/

Note, I installed opensuse 12.2, after installation, I uninstalled 
completely samba 3.x and installed samba 4.x, winxp, win7 joins the 
domain without problems but win8 no! I remember we had the same problem 
with the samba version that comes with opensuse 11.x and win7, it is 
only when we installed opensuse 12.x that win7 was able to connect to 
the samba version. Now the problem is with samba 3.x that comes with 
opensuse 12.2 and also samba 4.x that is rumoured to support



[Samba] Check user's access rights / permissions in CIFS folders (from Linux)

2013-07-30 Thread Nitin Garg
I'm connecting to a Windows CIFS share from a Linux machine using libsmbclient. 
Is there a way for me to know if the user has write permissions to a particular 
file/folder?
I know that smbcacls can be used to get the ACLs, something like the following:
REVISION:1,
OWNER:S-1-5-21-1021440835-268907629-4167533493-1165,
GROUP:S-1-5-21-1021440835-268907629-4167533493-513,
ACL:S-1-1-0:0/16/0x001200a9,
ACL:S-1-5-18:0/16/0x001f01ff,
ACL:S-1-5-32-544:0/16/0x001f01ff,
ACL:S-1-5-21-1021440835-268907629-4167533493-500:0/16/0x001f01ff,
smbc_getxattr() in libsmbclient.h also returns these attributes.
But how do I use this information to calculate the effective rights of the 
current user?
I think I could do it if I get the SID of the current user and the groups that 
this user is a member of. But I'm not sure how to do that from a Linux box.
Samba version: 3.2.15

Regards, Nitin
  
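The question above asks how to turn smbcacls output into an effective-rights answer. What follows is an added example (not code from the post, and not Samba's or libsmbclient's own logic): it parses the smbcacls lines as pasted, then walks the DACL in order the way the NT MAXIMUM_ALLOWED access check does, so that ACE ordering (explicit deny before allow) is honoured. It assumes the caller already knows the user's SID and group SIDs (for instance from wbinfo --user-sids), and it does not implement generic-rights mapping or OWNER_RIGHTS ACEs.

```python
"""Effective rights from smbcacls output (added example, not from the post or Samba)."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# NT access-mask bits needed to answer "can this principal write here?"
FILE_READ_DATA   = 0x00000001
FILE_WRITE_DATA  = 0x00000002
FILE_APPEND_DATA = 0x00000004
FILE_EXECUTE     = 0x00000020
DELETE           = 0x00010000
READ_CONTROL     = 0x00020000
WRITE_DAC        = 0x00040000
FULL_CONTROL     = 0x001F01FF

ACE_ACCESS_ALLOWED = 0      # the "type" field smbcacls prints
ACE_ACCESS_DENIED  = 1
EVERYONE = "S-1-1-0"        # every authenticated or anonymous token carries this SID

# One smbcacls ACL line:  ACL:<sid>:<type>/<flags>/<mask>
ACE_RE = re.compile(
    r"^ACL:(?P<sid>S-[0-9-]+):(?P<type>\d+)/(?P<flags>\d+)/(?P<mask>0x[0-9A-Fa-f]+)$")


@dataclass
class Ace:
    sid: str
    ace_type: int
    flags: int      # 16 (0x10) in the posted output = INHERITED_ACE
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    aces: List[Ace]


def parse_smbcacls(text: str) -> SecurityDescriptor:
    """Parse the REVISION/OWNER/GROUP/ACL lines printed by smbcacls."""
    owner = group = ""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")      # the post's paste carries trailing commas
        if not line or line.startswith("REVISION:"):
            continue
        if line.startswith("OWNER:"):
            owner = line[len("OWNER:"):]
        elif line.startswith("GROUP:"):
            group = line[len("GROUP:"):]
        elif line.startswith("ACL:"):
            m = ACE_RE.match(line)
            if m is None:
                raise ValueError(f"unparseable ACE line: {line!r}")
            aces.append(Ace(m["sid"], int(m["type"]), int(m["flags"]), int(m["mask"], 16)))
        else:
            raise ValueError(f"unexpected smbcacls line: {line!r}")
    return SecurityDescriptor(owner, group, aces)


def effective_rights(sd: SecurityDescriptor, user_sid: str, group_sids: Iterable[str]) -> int:
    """Access mask the principal ends up with, walking the DACL in order.

    An allow ACE grants only bits not already denied; a deny ACE withholds
    only bits not already granted. This is why a deny ACE placed after a
    matching allow ACE has no effect, and why Windows orders explicit
    denies first.
    """
    principals = {user_sid, EVERYONE, *group_sids}
    granted = denied = 0
    if sd.owner == user_sid:
        # NT always lets the object owner read and rewrite the DACL.
        granted |= READ_CONTROL | WRITE_DAC
    for ace in sd.aces:
        if ace.sid not in principals:
            continue
        if ace.ace_type == ACE_ACCESS_ALLOWED:
            granted |= ace.mask & ~denied
        elif ace.ace_type == ACE_ACCESS_DENIED:
            denied |= ace.mask & ~granted
        # audit and object-specific ACE types do not influence access
    return granted


def can_write(sd: SecurityDescriptor, user_sid: str, group_sids: Iterable[str]) -> bool:
    """True if the principal may write to or append to the file."""
    return bool(effective_rights(sd, user_sid, group_sids) & (FILE_WRITE_DATA | FILE_APPEND_DATA))


# The ACL quoted in the post, exactly as pasted there.
POSTED_ACL = """\
REVISION:1,
OWNER:S-1-5-21-1021440835-268907629-4167533493-1165,
GROUP:S-1-5-21-1021440835-268907629-4167533493-513,
ACL:S-1-1-0:0/16/0x001200a9,
ACL:S-1-5-18:0/16/0x001f01ff,
ACL:S-1-5-32-544:0/16/0x001f01ff,
ACL:S-1-5-21-1021440835-268907629-4167533493-500:0/16/0x001f01ff,
"""

if __name__ == "__main__":
    sd = parse_smbcacls(POSTED_ACL)
    domain = "S-1-5-21-1021440835-268907629-4167533493"
    for rid in ("1165", "500"):       # the owner from the post, and the -500 RID it lists
        user = f"{domain}-{rid}"
        groups = [f"{domain}-513"]    # Domain Users, the GROUP from the post
        print(user, hex(effective_rights(sd, user, groups)), "write:", can_write(sd, user, groups))
```

On the posted ACL the owner (-1165, member of -513) only inherits Everyone's read/execute mask plus the owner's READ_CONTROL/WRITE_DAC, so the answer to "can I write here?" is no; the -500 account gets full control from its own ACE.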


Re: [Samba] How to install a replacement PDC?

2013-07-30 Thread deejayen
Also, here are the 'global' sections from the 'testparm' command.

Existing Unix server

[global]
workgroup = DDOMAIN
server string = Samba Server PDC
smb passwd file = /etc/smbpasswd
log file = /usr/lib/samba/var/log.%m
max log size = 50
time server = Yes
keepalive = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
disable spoolss = Yes
logon script = %U.bat
logon drive = G:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
hosts allow = 192.0.0., 127.


New Debian server

[global]
workgroup = DDOMAIN
server string = %h server (Samba %v)
interfaces = 127.0.0.0/8, eth0
bind interfaces only = Yes
obey pam restrictions = Yes
smb passwd file = /etc/smbpasswd  ### I added this, but the file doesn’t exist
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = %U.bat
logon drive = G:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
panic action = /usr/share/samba/panic-action %d



Re: [Samba] Windows 8 pro and Samba 4

2013-07-30 Thread Marc Muehlfeld

On 30.07.2013 18:43, Marc Muehlfeld wrote:

I'll try to clarify the Wiki article about the registry changes for that
during the next time.


I over-worked the Wiki Win7 registry hack page and also renamed it:
https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains

It should now be clearer what and when registry changes are needed.

If something is missing, let me know.


Regards,
Marc


Re: [Samba] Windows 8 pro and Samba 4

2013-07-30 Thread isscma

Thank you for the reference to the meaning of AD DC style domain.

The permission on the var/lib/samba/profiles is
1. owner can view and modify content
2. group can view and modify content
3. others forbidden
4 ownership: user (root), group(users)

ped, gem, testacc all belong to group users.

each samba user has a folder in var/lib/samba/profiles with full 
permissions. Because of the fact that we have win7, winxp and win8 samba 
differentiates the user profiles on the different operating system by 
appending V? for example if ped logs into winxp his profile folder will 
be ped, if ped logs into win7 or win8 in order not to mix up the ped 
folder of his winxp profile settings, it creates another folder 
ped.V2.


Also like I said earlier, domain users log in and out using winxp or 
win7 in our network without any synchronization errors except when it is 
done from win8. Also I noticed that the profile folder of a winxp or 
win7 domain user is very different in content from that of win8.




Re: [Samba] Suggestions testing Samba 4 on same subnet as Standalone Samba 3 Server

2013-07-30 Thread Gary Dale

On 30/07/13 04:27 PM, Mike wrote:


You're way overthinking this. Just give the new server an IP address 
that is on a different subnet. e.g. if your current server is 
192.168.1.10/24, give your new server 192.168.2.10/24.


Secondly, since you don't have an NT domain, the differences between it 
and AD are not relevant. What you will find is the difference between a 
workgroup and a domain. This involves the logins and roaming profiles.


What really doesn't change much are the file shares, although you can 
now simplify them by setting sharing according to domain group rather 
than individual ids.


An even simpler way is to simply NOT use a separate subdomain. Set up 
the new server as the domain controller for the group. Leave the files & 
printers on the old server. Once all the clients have been switched from 
the workgroup to the domain, move the files and printers over to the new 
server, shut down the old one, then create an alias for the old server 
on the new one. This way, there are no more changes required on the 
clients. If a problem is identified, you can simply remove the alias and 
bring the old server back.


Of course, you can convert the individual workstations to use the new 
server name at your leisure so that you can eventually remove the alias. 
However this is not necessary. In fact, if you later replace the new 
server, the replacement can assume the old name so that the alias isn't 
needed any more.




Re: [Samba] NT4 clients

2013-07-30 Thread Andrew Bartlett
On Tue, 2013-07-30 at 05:33 -0400, Ryan Bair wrote:
 Hi Andrew,
 
 
 To clarify, it is the Win7 client sending the TGS request to the DC
 and the DC responds positively. I now have a more complete
 understanding of what's going on:
 
 
 1. Win7 initiates a session with NT4. Nothing interesting.
 
 2. Win7 sends the negotiate protocol response. Of note, we state that
 we support extended security.
 
 3. NT4 responds that it does not support extended security. More
 precisely, when NT4 dinosaurs roamed the earth, that bit was likely
 still reserved. 
 
 4. Win7 issues a TGS request to the _DC_ to see if the host with that
 name really doesn't support extended security, or if the NT4 machine
 is trying to subject it to some sort of elaborate ruse. (i)
 
 5. DC responds positively to the TGS req. (!!!)
 
 6. Win7 closes the connection, and displays the error to the user. 
 
 
 i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx
 state:
 94 Section 3.2.5.2: When the server completes negotiation and
 returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB
 clients query the Key Distribution Center (KDC) to verify whether a
 service ticket is registered for the given security principal name
 (SPN). If the query indicates that the SPN is registered with the KDC,
 then the SMB client terminates the connection and returns an
 implementation-specific security downgrade error to the caller.
 
 
 Since the Samba DC replies that the SPN is available (by fulfilling
 the request), I'm assuming we're triggering this documented behavior
 in the Win7 client. 

Indeed.

 Also of note, `klist` on the client has an entry for cifs/nt4test
 which `setspn -Q cifs/nt4test` confirms does not exist. I can't
 confirm the behavior in #5 is a bug, but it certainly seems suspect.

The cifs/nt4test SPN is implicit, from the implicit host/nt4test SPN
that comes from nt4test being the machine's name.

The issue for us as a KDC is that there is no flag that I know of that
can be set to say that this domain member should not be issued a ticket,
and the downgrade protection is an important part of the security of the
network.  (that protection isn't useful if the member server can still
negotiate for only NTLM without protection, but waiting for that is for
another day). 

Have you tested and shown that Windows behaves any differently?

Finally, as a workaround try connecting to the machine by IP or by a
name the KDC doesn't know. 

Andrew Bartlett


-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz


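The six-step exchange Ryan describes, as an added model that is not part of the original thread and not Samba or Windows code: it decodes the Capabilities field of a constructed negotiate response, applies the MS-CIFS 3.2.5.2 client rule quoted above, and compares Andrew's description of Samba's implicit host/ and cifs/ SPNs with Ryan's idea that cifs/ should only follow from an explicit host/ SPN. Machine names, SPN sets and capability values are constructed.

```python
"""Model of the SMB security-downgrade check discussed in this thread.

Constructed example, not Samba or Windows code. It decodes the Capabilities
field of an SMB_COM_NEGOTIATE response, applies the MS-CIFS 3.2.5.2 client
rule quoted in the thread, and compares two KDC policies: Samba's implicit
host/ and cifs/ SPNs derived from the machine name (Andrew's description)
versus Ryan's proposal that cifs/<name> only follow from an explicit
host/<name>. Machine names, SPNs and capability values are constructed.
"""
import struct

# MS-CIFS Capabilities bit the client checks in the negotiate response.
CAP_EXTENDED_SECURITY = 0x80000000

# Constructed capability words: an NT4-era set without the extended
# security bit, and the same set with it, as a newer server would send.
NT4_STYLE_CAPS_BYTES = struct.pack("<I", 0x000003FC)
EXTSEC_CAPS_BYTES = struct.pack("<I", 0x800003FC)


def parse_capabilities(field: bytes) -> int:
    """Decode the 4-byte little-endian Capabilities field."""
    if len(field) != 4:
        raise ValueError("Capabilities field must be exactly 4 bytes")
    return struct.unpack("<I", field)[0]


def supports_extended_security(capabilities: int) -> bool:
    return bool(capabilities & CAP_EXTENDED_SECURITY)


class ModelKdc:
    """Toy KDC: machine account names plus their explicit
    servicePrincipalName values; decides whether a TGS request for an
    SPN would be fulfilled under one of the two policies."""

    def __init__(self, accounts, implicit_host_spn=True):
        # accounts maps machine name -> set of explicit SPNs (may be empty,
        # as for an NT4 box that never registers any).
        self.accounts = {name.lower(): {s.lower() for s in spns}
                         for name, spns in accounts.items()}
        # True : host/<name> is implied by the account name and cifs/<name>
        #        by host/<name> (the Samba 4.0 behaviour in the thread).
        # False: cifs/<name> is implied only by an explicit host/<name>.
        self.implicit_host_spn = implicit_host_spn

    def issues_ticket_for(self, spn: str) -> bool:
        spn = spn.lower()
        service, _, host = spn.partition("/")
        if not host:
            return False
        explicit = set().union(*self.accounts.values())
        if spn in explicit:
            return True
        if service not in ("host", "cifs"):
            return False
        # cifs/<host> exists exactly when host/<host> exists.
        return f"host/{host}" in explicit or (
            self.implicit_host_spn and host in self.accounts)


def client_decision(caps_field: bytes, server_name: str, kdc: ModelKdc) -> str:
    """Client side of steps 2-6: negotiate, then the downgrade check."""
    caps = parse_capabilities(caps_field)
    if supports_extended_security(caps):
        return "negotiate-extended-security"
    # Server claims no extended security: the client asks the KDC whether
    # cifs/<server> is registered before going on (MS-CIFS 3.2.5.2).
    if kdc.issues_ticket_for(f"cifs/{server_name}"):
        return "security-downgrade-error"
    return "proceed-without-extended-security"


def demo() -> dict:
    """Run the three situations the thread discusses."""
    accounts = {"nt4test": set(), "win7box": {"HOST/win7box"}}
    samba_kdc = ModelKdc(accounts, implicit_host_spn=True)
    proposed_kdc = ModelKdc(accounts, implicit_host_spn=False)
    return {
        # Andrew's description: ticket issued, Win7 reports a downgrade.
        "samba": client_decision(NT4_STYLE_CAPS_BYTES, "nt4test", samba_kdc),
        # Ryan's proposal: no explicit host/nt4test, so no ticket.
        "proposed": client_decision(NT4_STYLE_CAPS_BYTES, "nt4test", proposed_kdc),
        # Andrew's workaround: connect by a name the KDC does not know.
        "unknown_name": client_decision(NT4_STYLE_CAPS_BYTES, "nt4alias", samba_kdc),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```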


Re: [Samba] NT4 clients

2013-07-30 Thread Gaiseric Vandal
For what it is worth -  it looks like NT4 does NOT use kerberos even 
with the Active Directory client installed.


http://www.petri.co.il/dsclient_for_win98_nt.htm#


Windows 2003 Active Directory had some compatibility with NT4 domain 
controllers. I don't think Samba 4 does. Your best bet may be to 
try putting the NT4 machine in a separate NT4/Samba 3 domain and 
establishing trusts. Or more realistically take it OUT of the domain 
and just create local user accounts with same passwords as the network 
accounts.


The only legit reason I could see to be running NT4 is if it is 
managing a specialized piece of equipment (e.g. on a manufacturing 
floor.) In that case the machine(s) should be airgapped from any 
regular network with internet access. If you follow security news 
you can imagine why it is important to keep unpatched systems physically 
isolated from the internet or other networks.






On 07/30/13 05:33, Ryan Bair wrote:

Hi Andrew,

To clarify, it is the Win7 client sending the TGS request to the DC 
and the DC responds positively. I now have a more complete 
understanding of what's going on:


1. Win7 initiates a session with NT4. Nothing interesting.
2. Win7 sends the negotiate protocol response. Of note, we state that 
we support extended security.
3. NT4 responds that it does not support extended security. More 
precisely, when NT4 dinosaurs roamed the earth, that bit was likely 
still reserved.
4. Win7 issues a TGS request to the _DC_ to see if the host with that 
name really doesn't support extended security, or if the NT4 machine 
is trying to subject it to some sort of elaborate ruse. (i)

5. DC responds positively to the TGS req. (!!!)
6. Win7 closes the connection, and displays the error to the user.

i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx 
state:
94 Section 3.2.5.2: When the server completes negotiation and returns 
the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB clients 
query the Key Distribution Center (KDC) to verify whether a service 
ticket is registered for the given security principal name (SPN). If 
the query indicates that the SPN is registered with the KDC, then the 
SMB client terminates the connection and returns an 
implementation-specific security downgrade error to the caller. 
(http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94)


Since the Samba DC replies that the SPN is available (by fulfilling 
the request), I'm assuming we're triggering this documented behavior 
in the Win7 client.


Also of note, `klist` on the client has an entry for cifs/nt4test 
which `setspn -Q cifs/nt4test` confirms does not exist. I can't 
confirm the behavior in #5 is a bug, but it certainly seems suspect.


On Jul 30, 2013 1:07 AM, Andrew Bartlett abart...@samba.org 
mailto:abart...@samba.org wrote:


On Mon, 2013-07-29 at 19:29 -0400, Ryan Bair wrote:
 Yes, AD has explicit support for pre-2000 clients.

 WINS is alive and well and name resolution is working.

 I really think the bogus TGS reply is messing things up,  but
I'd like to
 have someone more knowledgeable confirm the behavior is incorrect.

NT4 doesn't know about Kerberos, I think any TGS traffic is highly
likely a red herring.  Are you really sure the client is issuing
it, and
you have not additional software installed on the NT4 machine?

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/ http://samba.org/%7Eabartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz






Re: [Samba] Consistent Inter-Samba UID/GID Mappings

2013-07-30 Thread Chris Hayes

On 2013-07-30 06:36, Marc Muehlfeld wrote:
 
 If you don't want to administrate the posix stuff in your AD, have
 a look on sssd instead of winbind.
 

I'm trying to get SSSD (1.8.4) running properly with my Samba4 AD
(4.0.6); it's having problems. Right now it's filtering Users for the
attribute dataExpireTimestamp that doesn't exist in my directory,
and my attempts to override it (ldap_user_search_base =
CN=Users,DC=devdom,DC=orange,DC=local?subtree?(objectCategory=User))
haven't worked.

Can anyone confirm whether Winbind's IDMAP_RID backend is deprecated
in Samba 3.6?

Thanks,
-- 
Chris Hayes, Systems Administrator

Tel: +44 (0) 845 123 2848

Fax: +44 (0)1273 808483

www.proporta.com http://www.proporta.com/

Everything covered


Proporta.com Ltd. Unit 3, Woodingdean Business Park, Brighton, East
Sussex BN2 6NX.
Registered Company: 3309803
VAT: GB679 9308 67



Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
I've noticed that Win2k+ clients have filled in their servicePrincipalName
attribute in AD. I know that the cifs SPN is implicit, but are you certain
the host SPN is also implicit? If cifs was only meant to be implicit off of
the host (and the host not implicit itself), that could be a way to
determine if the request should be fulfilled.

I have not tried against a Windows DC. I may set up a test DC to see what
the behavior is.

Connecting by IP address does work. I'll try using an alternative name,
that sounds promising as well.

In ADUC, there is a checkbox for pre-Windows 2000 when creating a new
machine account. I wonder what this does and if we could use it somehow. I
know it's not stored anywhere directly, but I'd suspect it's there for a
reason.


On Tue, Jul 30, 2013 at 6:02 PM, Andrew Bartlett abart...@samba.org wrote:

 On Tue, 2013-07-30 at 05:33 -0400, Ryan Bair wrote:
  Hi Andrew,
 
 
  To clarify, it is the Win7 client sending the TGS request to the DC
  and the DC responds positively. I now have a more complete
  understanding of what's going on:
 
 
  1. Win7 initiates a session with NT4. Nothing interesting.
 
  2. Win7 sends the negotiate protocol response. Of note, we state that
  we support extended security.
 
  3. NT4 responds that it does not support extended security. More
  precisely, when NT4 dinosaurs roamed the earth, that bit was likely
  still reserved.
 
  4. Win7 issues a TGS request to the _DC_ to see if the host with that
  name really doesn't support extended security, or if the NT4 machine
  is trying to subject it to some sort of elaborate ruse. (i)
 
  5. DC responds positively to the TGS req. (!!!)
 
  6. Win7 closes the connection, and displays the error to the user.
 
 
  i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx
  state:
  94 Section 3.2.5.2: When the server completes negotiation and
  returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB
  clients query the Key Distribution Center (KDC) to verify whether a
  service ticket is registered for the given security principal name
  (SPN). If the query indicates that the SPN is registered with the KDC,
  then the SMB client terminates the connection and returns an
  implementation-specific security downgrade error to the caller.
 
 
  Since the Samba DC replies that the SPN is available (by fulfilling
  the request), I'm assuming we're triggering this documented behavior
  in the Win7 client.

 Indeed.

  Also of note, `klist` on the client has an entry for cifs/nt4test
  which `setspn -Q cifs/nt4test` confirms does not exist. I can't
  confirm the behavior in #5 is a bug, but it certainly seems suspect.

 The cifs/nt4test SPN is implicit, from the implicit host/nt4test SPN
 that comes from nt4test being the machine's name.

 The issue for us as a KDC is that there is no flag that I know of that
 can be set to say that this domain member should not be issued a ticket,
 and the downgrade protection is an important part of the security of the
 network.  (that protection isn't useful if the member server can still
 negotiate for only NTLM without protection, but waiting for that is for
 another day).

 Have you tested and shown that Windows behaves any differently?

 Finally, as a workaround try connecting to the machine by IP or by a
 name the KDC doesn't know.

 Andrew Bartlett


 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 Samba Developer, Catalyst IT   http://catalyst.net.nz





Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Understood. The machine I'm trying to connect to is just a member, not a DC.
This is something which was well supported in earlier versions of Windows
with AD (NT4 didn't die overnight), and reportedly still works in 2012.
I'm not expecting any Kerberos to come out of NT4, nor do I see any.

The issue is that the Samba DC is fulfilling a TGS request when it really
should not. I spelled this out in a bit more detail a few messages back.

Thank you for pointing out the security issues. I'm well aware of the
issues with having an OS so old hanging around. The machine is involved in
ultimately driving a piece of equipment, but the set up requires several
other clients to have access via named pipe and SMB share. It's presently
isolated as best it can be given all the constraints. It's far from ideal
on several fronts, but the solution has been extremely reliable for a long
time and we realistically have at least 12 months until replacing the
solution is feasible.

On Tue, Jul 30, 2013 at 6:12 PM, Gaiseric Vandal
gaiseric.van...@gmail.comwrote:

  For what it is worth -  it looks like NT4 does NOT use kerberos even
 with the Active Directory client installed.

 http://www.petri.co.il/dsclient_for_win98_nt.htm#


 Windows 2003 Active Directory had some compatibility with NT4 domain
 controllers. I don't think Samba 4 does. Your best bet may be to try
 putting the NT4 machine in a separate NT4/Samba 3 domain and establishing
 trusts. Or more realistically take it OUT of the domain and just create
 local user accounts with same passwords as the network accounts.

 The only legit reason I could see to be running NT4 is if it is managing
 a specialized piece of equipment (e.g. on a manufacturing floor.) In
 that case the machine(s) should be airgapped from any regular network with
 internet access. If you follow security news you can imagine why it
 is important to keep unpatched systems physically isolated from the
 internet or other networks.





 On 07/30/13 05:33, Ryan Bair wrote:

  Hi Andrew,

  To clarify, it is the Win7 client sending the TGS request to the DC and
 the DC responds positively. I now have a more complete understanding of
 what's going on:

  1. Win7 initiates a session with NT4. Nothing interesting.
  2. Win7 sends the negotiate protocol response. Of note, we state that we
 support extended security.
  3. NT4 responds that it does not support extended security. More
 precisely, when NT4 dinosaurs roamed the earth, that bit was likely still
 reserved.
  4. Win7 issues a TGS request to the _DC_ to see if the host with that
 name really doesn't support extended security, or if the NT4 machine is
 trying to subject it to some sort of elaborate ruse. (i)
  5. DC responds positively to the TGS req. (!!!)
  6. Win7 closes the connection, and displays the error to the user.

  i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx state:
 94 Section 3.2.5.2: When the server completes negotiation and returns the
 CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB clients query the
 Key Distribution Center (KDC) to verify whether a service ticket is
 registered for the given security principal name (SPN). If the query
 indicates that the SPN is registered with the KDC, then the SMB client
 terminates the connection and returns an implementation-specific security
 downgrade error to the caller.
 (http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94)

  Since the Samba DC replies that the SPN is available (by fulfilling the
 request), I'm assuming we're triggering this documented behavior in the
 Win7 client.

  Also of note, `klist` on the client has an entry for cifs/nt4test which
 `setspn -Q cifs/nt4test` confirms does not exist. I can't confirm the
 behavior in #5 is a bug, but it certainly seems suspect.

 On Jul 30, 2013 1:07 AM, Andrew Bartlett abart...@samba.org wrote:

 On Mon, 2013-07-29 at 19:29 -0400, Ryan Bair wrote:
  Yes, AD has explicit support for pre-2000 clients.
 
  WINS is alive and well and name resolution is working.
 
  I really think the bogus TGS reply is messing things up,  but I'd like
 to
  have someone more knowledgeable confirm the behavior is incorrect.

 NT4 doesn't know about Kerberos, I think any TGS traffic is highly
 likely a red herring.  Are you really sure the client is issuing it, and
 you have not additional software installed on the NT4 machine?

 Andrew Bartlett
 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 Samba Developer, Catalyst IT   

Re: [Samba] NT4 clients

2013-07-30 Thread Andrew Bartlett
On Tue, 2013-07-30 at 21:25 -0400, Ryan Bair wrote:
 Understood. The machine I'm trying to connect to is just a member, not a
 DC. This is something which was well supported in earlier versions of
 Windows with AD (NT4 didn't die overnight), and reportedly still works
 in 2012.  I'm not expecting any Kerberos to come out of NT4, nor do I
 see any. 
 
 The issue is that the Samba DC is fulfilling a TGS request when it
 really should not. I spelled this out in a bit more detail a few
 messages back.

What I need you to do is show how this is different with Windows 2008,
rather than Samba 4.0 as an AD DC.  Then I might be able to assist,
otherwise, the only 'buggy' part of this would seem to be the new
security behavior of Windows 7, which you may be able to disable. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Sorry Andrew, that message was intended towards Gaiseric's comment.

I will try to get you a trace against Windows 2008, but it may take me a
while to get a test environment set up for that. I've also noticed that
this happens as far back as Windows 2000 clients, so not isolated to Win7.


On Tue, Jul 30, 2013 at 9:31 PM, Andrew Bartlett abart...@samba.org wrote:

 On Tue, 2013-07-30 at 21:25 -0400, Ryan Bair wrote:
  Understood. The machine I'm trying to connect is just a member, not a
  DC. This is something which was well supported in earlier versions of
  Windows with AD (NT4 didn't die overnight), and reportedly still works
  in 2012.  I'm not expecting any Kerberos to come out of NT4, nor do I
  see any.
 
  The issue is that the Samba DC is fulfilling a TGS request when it
  really should not. I spelled this out in a bit more detail a few
  messages back.

 What I need you to do is show how this is different with Windows 2008,
 rather than Samba 4.0 as an AD DC.  Then I might be able to assist,
 otherwise, the only 'buggy' part of this would seem to be the new
 security behavior of Windows 7, which you may be able to disable.

 Andrew Bartlett

 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 Samba Developer, Catalyst IT   http://catalyst.net.nz





Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Last bit of info.

This article, http://support.microsoft.com/kb/258503, indicates that
Windows should indeed be setting up its own default SPNs (host and machine
name).

http://support.microsoft.com/kb/320187 states that the pre-Windows 2000
checkbox in ADUC assigns the machine password based on the machine name. I
haven't found any information indicating that it does anything more than
this.

I'll try to confirm the behavior against a Win2008 DC this week, but right
now I'm leaning towards the CIFS SPN being dependent upon a HOST SPN being
present.


On Tue, Jul 30, 2013 at 8:58 PM, Ryan Bair ryandb...@gmail.com wrote:

 I've noticed that Win2k+ clients have filled in their servicePrincipalName
 attribute in AD. I know that the cifs SPN is implicit, but are you certain
 the host SPN is also implicit? If cifs was only meant to be implicit off of
 the host (and the host not implicit itself), that could be a way to
 determine if the request should be fulfilled.

 I have not tried against a Windows DC. I may set up a test DC to see what
 the behavior is.

 Connecting by IP address does work. I'll try using an alternative name,
 that sounds promising as well.

 In ADUC, there is a checkbox for pre-Windows 2000 when creating a new
 machine account. I wonder what this does and if we could use it somehow. I
 know it's not stored anywhere directly, but I'd suspect it's there for a
 reason.


 On Tue, Jul 30, 2013 at 6:02 PM, Andrew Bartlett abart...@samba.orgwrote:

 On Tue, 2013-07-30 at 05:33 -0400, Ryan Bair wrote:
  Hi Andrew,
 
 
  To clarify, it is the Win7 client sending the TGS request to the DC
  and the DC responds positively. I now have a more complete
  understanding of what's going on:
 
 
  1. Win7 initiates a session with NT4. Nothing interesting.
 
  2. Win7 sends the negotiate protocol response. Of note, we state that
  we support extended security.
 
  3. NT4 responds that it does not support extended security. More
  precisely, when NT4 dinosaurs roamed the earth, that bit was likely
  still reserved.
 
  4. Win7 issues a TGS request to the _DC_ to see if the host with that
  name really doesn't support extended security, or if the NT4 machine
  is trying to subject it to some sort of elaborate ruse. (i)
 
  5. DC responds positively to the TGS req. (!!!)
 
  6. Win7 closes the connection, and displays the error to the user.
 
 
  i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx
  state:
  94 Section 3.2.5.2: When the server completes negotiation and
  returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB
  clients query the Key Distribution Center (KDC) to verify whether a
  service ticket is registered for the given security principal name
  (SPN). If the query indicates that the SPN is registered with the KDC,
  then the SMB client terminates the connection and returns an
  implementation-specific security downgrade error to the caller.
 
 
  Since the Samba DC replies that the SPN is available (by fulfilling
  the request), I'm assuming we're triggering this documented behavior
  in the Win7 client.

 Indeed.

  Also of note, `klist` on the client has an entry for cifs/nt4test
  which `setspn -Q cifs/nt4test` confirms does not exist. I can't
  confirm the behavior in #5 is a bug, but it certainly seems suspect.

 The cifs/nt4test SPN is implicit, from the implicit host/nt4test SPN
 that comes from nt4test being the machine's name.

 The issue for us as a KDC is that there is no flag that I know of that
 can be set to say that this domain member should not be issued a ticket,
 and the downgrade protection is an important part of the security of the
 network.  (that protection isn't useful if the member server can still
 negotiate for only NTLM without protection, but waiting for that is for
 another day).

 Have you tested and shown that Windows behaves any differently?

 Finally, as a workaround try connecting to the machine by IP or by a
 name the KDC doesn't know.

 Andrew Bartlett


 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 Samba Developer, Catalyst IT   http://catalyst.net.nz






Re: [Samba] Samba 4 Slow Performance

2013-07-30 Thread Kinglok, Fong

On 29 Jul, 2013, at 1:13 PM, Andrew Bartlett abart...@samba.org wrote:

 On Sat, 2013-07-27 at 23:20 +0800, Kinglok, Fong wrote:
 Dear all,
 
 After using samba 3 for two years, I have just spent totally one week
 finishing setting up a samba 4 file system in my working school.
 There are about 200 computers, 80+ staff, 1000 students and 10
 printers.  The AD was properly setup, mandatory profile and one GPO
 policy (which is printer download trust) is effective for all users.
 Logon script is for mapping four shares and 10 printers from the file
 server.   Also, I have setup two additional DCs (with AD replication
 and DHCP server) for two other subnets in the hope to speed up the
 logon process.
 
 The benefits of Samba 4 are clear: more robust file serving
 (supporting the windows ACL), speedy printing (with the help of point
 and printer driver) and administration of AD through with windows
 remote admin tool.  However, logon speed is just far from good.
 
 In the days of Samba 3.6, users can logon the system within 20
 seconds, even with more than 80 users logon in the same time (two
 classes students login during computer lesson).  Now, with only one
 user logging in (who is me), it takes nearly 60 seconds to do the
 logon.  I have tried disabling drive and printer mapping in logon
 script and applying a registry hack (note 1) shorten the profile
 waiting time in windows 7 client side but it makes no difference in
 logon speed.
 
 I have taken a look on the document in sambaXP 2013:
 http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf
 
 and two thread in samba-technical mailing list:
 https://lists.samba.org/archive/samba-technical/2013-January/089755.html
 https://lists.samba.org/archive/samba-technical/2013-May/092332.html
 
 It seems that samba team is doing some great work in spotting the
 unindexed search in LDB as one of block in performance. 
 
 It is one block, but it is the one we expect to really hit at around
 1, not 1000-2000.  As Richard has indicated, what we need from you
 is an indication of what operation is slow.  Timeouts of this order
 indicate something different to a slow database - they indicate things
 like DNS timing out. 
 
 Once you work out which specific operation is blocking, we can
 investigate more - be it in regards to your network, or our code, we
 don't mind either way, but we need to work out which to look into.
 
 Andrew Bartlett
 
 -- 
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 Samba Developer, Catalyst IT   http://catalyst.net.nz
 
 


Thank you all for responding.

In these days, I am trying hard to understand the reason of the delay in logon.

Following your advice, I've done some test on
1. Profile deploying
2. GPO

For the first one, I tried using a roaming profile for one testing user; it 
took 7 seconds to log on to the system.  It seems that the culprit of the delay is 
in my old mandatory profile.
For the second one, I tried disabling all GPOs (I only enable point and print 
driver trust and folder redirection); turning them on / off does not change the 
logon time significantly.

So, I try digging into how to create mandatory profile properly once again.  
Here I found:
http://oakdome.com/k5/tutorials/windows-7-mandatory-roaming-profile.php

By following the link's instruction, I found it needs 20 seconds in logon.  I 
hope I can further decrease the logon time (anyone got a hint?)

I will keep updating the list if I found something worth sharing.

Thanks.

Kinglok, Fong




Re: [Samba] Samba 4 Slow Performance

2013-07-30 Thread Andrew Bartlett
On Wed, 2013-07-31 at 10:07 +0800, Kinglok, Fong wrote:
 On 29 Jul, 2013, at 1:13 PM, Andrew Bartlett abart...@samba.org wrote:
 
  On Sat, 2013-07-27 at 23:20 +0800, Kinglok, Fong wrote:
  Dear all,
  
  After using samba 3 for two years, I have just spent totally one week
  finishing setting up a samba 4 file system in my working school.
  There are about 200 computers, 80+ staff, 1000 students and 10
  printers.  The AD was properly setup, mandatory profile and one GPO
  policy (which is printer download trust) is effective for all users.
  Logon script is for mapping four shares and 10 printers from the file
  server.   Also, I have setup two additional DCs (with AD replication
  and DHCP server) for two other subnets in the hope to speed up the
  logon process.
  
  The benefits of Samba 4 are clear: more robust file serving
  (supporting the windows ACL), speedy printing (with the help of point
  and printer driver) and administration of AD through with windows
  remote admin tool.  However, logon speed is just far from good.
  
  In the days of Samba 3.6, users can logon the system within 20
  seconds, even with more than 80 users logon in the same time (two
  classes students login during computer lesson).  Now, with only one
  user logging in (who is me), it takes nearly 60 seconds to do the
  logon.  I have tried disabling drive and printer mapping in logon
  script and applying a registry hack (note 1) shorten the profile
  waiting time in windows 7 client side but it makes no difference in
  logon speed.
  
  I have taken a look on the document in sambaXP 2013:
  http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf
  
  and two thread in samba-technical mailing list:
  https://lists.samba.org/archive/samba-technical/2013-January/089755.html
  https://lists.samba.org/archive/samba-technical/2013-May/092332.html
  
  It seems that samba team is doing some great work in spotting the
  unindexed search in LDB as one of block in performance. 
  
  It is one block, but it is the one we expect to really hit at around
  1, not 1000-2000.  As Richard has indicated, what we need from you
  is an indication of what operation is slow.  Timeouts of this order
  indicate something different to a slow database - they indicate things
  like DNS timing out. 
  
  Once you work out which specific operation is blocking, we can
  investigate more - be it in regards to your network, or our code, we
  don't mind either way, but we need to work out which to look into.
  
  Andrew Bartlett
  
  -- 
  Andrew Bartlett
  http://samba.org/~abartlet/
  Authentication Developer, Samba Team   http://samba.org
  Samba Developer, Catalyst IT   http://catalyst.net.nz
  
  
 
 
 Thank you all for responding.
 
 In these days, I am trying hard to understand the reason of the delay in 
 logon.
 
 Following your advice, I've done some test on
 1. Profile deploying
 2. GPO
 
 For the first one, I try using roaming profile for one testing user, it turns 
 out 7 seconds to logon the system.  It seems that the culprit of the delay is 
 in the my old mandatory profile.
 For the second one, I try disable all GPO (I only enable point and printer 
 driver trust and folder redirection), turning it on / off does not change the 
 logon time significantly.
 
 So, I try digging into how to create mandatory profile properly once again.  
 Here I found:
 http://oakdome.com/k5/tutorials/windows-7-mandatory-roaming-profile.php
 
 By following the link's instruction, I found it needs 20 seconds in logon.  I 
 hope I can further decrease the logon time (anyone got a hint?)
 
 I will keep updating the list if I found something worth sharing.

Thanks for getting back to us.  It sounds like this is mostly a
client-side delay than a Samba issue. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




[Samba] Printer IP

2013-07-30 Thread jimc

HI!

My printer somehow got its IP changed. How do I change my server (Mint 
linux 13, Samba 4.06) to reflect the change?


-jimc



Re: [Samba] Printer IP

2013-07-30 Thread Marc Muehlfeld

Hello Jimc,

On 31.07.2013 06:34, jimc wrote:

My printer somehow got its IP changed. How do I change my server (Mint
linux 13, Samba 4.06) to reflect the change?


I suggest not using IP addresses in your Samba configuration. Use names 
and make sure you have a working DNS to resolve them. Then you don't 
have to worry if your devices are changing their IPs. Or use static IPs 
on devices that are IP-hardcoded somewhere.


Because you gave no information about your environment (print server 
cups/lpd/..., Samba configuration section of the printer, etc.) it's hard 
to provide good help. So I can only give you a very general hint: have 
a look in your printer configuration and in smb.conf, search for the old 
IP in it and replace it. Most Linux distributions are shipped with a tool 
for printer configuration, so this may be a place to start.



Regards,
Marc


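The general hint above (find the stale address in smb.conf, then replace it with a name that DNS resolves) is easy to get subtly wrong with a bare `sed 's/OLD/NEW/'`, because 192.168.1.5 is a prefix of 192.168.1.50. The script below is an added example written for this thread; it is not code from Samba or from either poster. It scans an smb.conf-style file for IPv4 literals, reports each with the section and key it sits in, and rewrites only whole dotted quads. The configuration it writes is constructed for the demonstration, and the name hp-laser.example.com is an assumed placeholder.

```shell
#!/bin/sh
# Added example for this thread, not code from Samba or from the poster.
# Scans an smb.conf-style file for hard-coded IPv4 literals, reports each one
# with the section and key it sits in, and can swap a stale address for a DNS
# name without touching longer addresses that merely start with it.
# The sample configuration written by write_sample_conf is constructed.

# find_hardcoded_ips FILE
# Prints one "section<TAB>key<TAB>ip" line per IPv4 literal found in a value.
find_hardcoded_ips() {
    awk '
        function valid_ip(ip,   n, parts, i) {
            n = split(ip, parts, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++) if (parts[i] + 0 > 255) return 0
            return 1
        }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                    # [section] header
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next                       # not a "key = value" line
            key = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, eq + 1)
            while (match(val, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr(val, RSTART, RLENGTH)
                if (valid_ip(ip)) printf "%s\t%s\t%s\n", sec, key, ip
                val = substr(val, RSTART + RLENGTH)
            }
        }' "$1"
}

# replace_ip FILE OLD NEW
# Writes FILE to stdout with every exact occurrence of the dotted quad OLD
# replaced by NEW (typically a DNS name). Matching whole quads means asking
# for 192.168.1.5 never rewrites 192.168.1.50.
replace_ip() {
    awk -v old="$2" -v new="$3" '
        {
            out = ""; rest = $0
            while (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                tok = substr(rest, RSTART, RLENGTH)
                out = out substr(rest, 1, RSTART - 1) (tok == old ? new : tok)
                rest = substr(rest, RSTART + RLENGTH)
            }
            print out rest
        }' "$1"
}

# write_sample_conf FILE
# Constructed smb.conf fragment: one address list in [global] and one printer
# share whose print command carries the printer's address (the thread's case).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    hosts allow = 127.0.0.1 192.168.1.0/24
    ; printing = cups
    # 10.0.0.1 in a comment must be ignored

[printers]
    path = /var/spool/samba
    printable = yes

[hp-laser]
    comment = Office laser printer
    printable = yes
    path = /var/spool/samba
    print command = /usr/bin/lp -h 192.168.1.50 -d hp-laser %s; rm %s
EOF
}

# Usage on a real system (paths and the replacement name are placeholders):
#   find_hardcoded_ips /etc/samba/smb.conf
#   replace_ip /etc/samba/smb.conf 192.168.1.50 hp-laser.example.com > smb.conf.new
```

`replace_ip` writes to stdout rather than editing in place, so the result can be diffed against the original and checked with `testparm` before it is installed; a second run of `find_hardcoded_ips` on the new file shows what still depends on a literal address (here the `hosts allow` entries, which are a legitimate use of IP ranges).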


[SCM] Samba Shared Repository - branch master updated

2013-07-30 Thread Stefan Metzmacher
The branch, master has been updated
   via  7615b25 samba-tool dbcheck: Correctly remove deleted DNs in dbcheck
   via  f2afdb6 dsdb: Include MS-ADTS doc references on deleted object constraints
   via  a9e565a dsdb tests: Add member/memberOf checking to delete_objects testing
   via  0162be3 dsdb: Improve DRS deleted link source/target handling in repl_meta_data
   via  32955a1 dsdb: Ensure we always force deleted objects back under the deleted objects DN
   via  a796cad dsdb/repl_meta_data: split out replmd_deletion_state()
   via  d3aad89 dsdb: Prune deleted objects of links and extra attributes of replicated deletes
  from  8f8e843 s3:winbind: add a warning DEBUG message when skipping a sid from the mapped GID list

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7615b2549d9549683978cb3e85b926e2ba63e294
Author: Andrew Bartlett abart...@samba.org
Date:   Sun Apr 14 13:32:49 2013 +1000

samba-tool dbcheck: Correctly remove deleted DNs in dbcheck

The previous pattern never matched, as it was a typo.

Andrew Bartlett

Signed-off-by: Andrew Bartlett abart...@samba.org
Reviewed-by: Stefan Metzmacher me...@samba.org

Autobuild-User(master): Stefan Metzmacher me...@samba.org
Autobuild-Date(master): Tue Jul 30 12:55:00 CEST 2013 on sn-devel-104

commit f2afdb61698c37389be286f9443471d4aeba49b8
Author: Andrew Bartlett abart...@samba.org
Date:   Tue Jun 4 20:22:31 2013 +1000

dsdb: Include MS-ADTS doc references on deleted object constraints

Signed-off-by: Andrew Bartlett abart...@samba.org
Reviewed-by: Stefan Metzmacher me...@samba.org

commit a9e565a5a4478f7b923f35311e170de2044ff848
Author: Andrew Bartlett abart...@samba.org
Date:   Mon Jun 3 17:51:41 2013 +1000

dsdb tests: Add member/memberOf checking to delete_objects testing

Pair-Programmed-With: Stefan Metzmacher me...@samba.org

Signed-off-by: Andrew Bartlett abart...@samba.org
Signed-off-by: Stefan Metzmacher me...@samba.org

commit 0162be32ab4f9716a4300d1f1a0caae8b0133f7c
Author: Andrew Bartlett abart...@samba.org
Date:   Tue Jun 4 19:57:06 2013 +1000

dsdb: Improve DRS deleted link source/target handling in repl_meta_data

We now correctly ignore the link updates if the source or target is
deleted locally.

This fixes the long-standing failure in the vampire_dc dbcheck test.

Pair-Programmed-With: Stefan Metzmacher me...@samba.org

Andrew Bartlett

Signed-off-by: Andrew Bartlett abart...@samba.org
Signed-off-by: Stefan Metzmacher me...@samba.org

commit 32955a1dec3a97ab4550869dbeb5034247f3b1bc
Author: Andrew Bartlett abart...@samba.org
Date:   Mon Jun 17 22:37:20 2013 +1000

dsdb: Ensure we always force deleted objects back under the deleted objects DN

Signed-off-by: Andrew Bartlett abart...@samba.org
Reviewed-by: Stefan Metzmacher me...@samba.org

commit a796cad90f1028ccc54a3539e34dc0728b990a96
Author: Stefan Metzmacher me...@samba.org
Date:   Wed Jun 5 09:35:42 2013 +0200

dsdb/repl_meta_data: split out replmd_deletion_state()

Signed-off-by: Stefan Metzmacher me...@samba.org
Reviewed-by: Andrew Bartlett abart...@samba.org

commit d3aad891c5759f66bd891cb47866d908a0562a8a
Author: Andrew Bartlett abart...@samba.org
Date:   Fri May 31 20:01:17 2013 +1000

dsdb: Prune deleted objects of links and extra attributes of replicated deletes

When an object is deleted, the links to be removed are not propagated,
you have to watch out for them manually!

We do this by calling back into the originating update delete code (ie
what is called if you ldb_delete() locally) so that any extra
attribute found locally and not on the remote server becomes removed
remotely too.

We currently do the same with links, but that isn't strictly correct,
but for now our getNCChanges server code filters these out, so only
the usn is bumped.

Andrew Bartlett

Signed-off-by: Andrew Bartlett abart...@samba.org
Reviewed-by: Stefan Metzmacher me...@samba.org

---

Summary of changes:
 python/samba/dbchecker.py   |2 +-
 selftest/knownfail  |1 -
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |  568 ++-
 source4/torture/drs/python/delete_object.py |  278 ++-
 4 files changed, 698 insertions(+), 151 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index e88f876..8b175c2 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -271,7 +271,7 @@ newSuperior: %s % (str(from_dn), str(to_rdn), 
str(to_base)))
 handle a missing target DN (both GUID and DN string form are 
missing)