Re: [Samba] Samba 4 as member server
Hi Steve,

when I start samba without the 'server services' option I get:

    At this time the 'samba' binary should only be used for either:
    'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +smb'
    or the rpc proxy with 'dcerpc endpoint servers = remote'
    You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks

But there are no smbd/nmbd/winbindd binaries.

Klaus

On 05.08.2013 23:01, steve wrote:
> On Mon, 2013-08-05 at 22:25 +0200, Klaus Rörig wrote:
> > I cannot get the member server working. My smb.conf:
>
> Hi
> Leave the domain and remove the .tdb files in /var/lib/smb. Then rejoin with this:
>
>     [global]
>     workgroup = VERWALTUNG
>     security = ads
>     realm = VERWALTUNG.LEIBNIZ-REMSCHEID.DE
>     encrypt passwords = true
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-8
>     idmap config VERWALTUNG:backend = ad
>     idmap config VERWALTUNG:schema_mode = rfc2307
>     idmap config VERWALTUNG:range = 500-4
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     [verwaltung]
>     path = /srv/shares
>     read only = no
>
> Start it with:
>     smbd; winbindd
>
> Prolly not perfect, but should get you a bit closer.
> hth
> Steve

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 4 as member server
On Tue, 2013-08-06 at 09:21 +0200, Klaus Rörig wrote:
> But there are no smbd/nmbd/winbindd binaries.

Hi
Oh, I see. The Ubuntu packages must only be for AD then. Sorry, I missed that you only wanted ntvfs.
Re: [Samba] Samba 4 as member server
OK, then I have to use the Samba 3.6 packages shipped with Ubuntu. Anything special I have to care about?

On 06.08.2013 09:33, steve wrote:
> On Tue, 2013-08-06 at 09:21 +0200, Klaus Rörig wrote:
> > But there are no smbd/nmbd/winbindd binaries.
>
> Hi
> Oh, I see. The Ubuntu packages must only be for AD then. Sorry, I missed that you only wanted ntvfs.
[Samba] Samba4 using existing DNS and LDAP
Hi,

I have been using Samba3 (and 2) for years, with an openLDAP backend for authentication. This is working fine; my directory includes a number of local settings for my specific needs.

Now I would like to move to Samba4. I understand that Samba4 comes with its own DNS and LDAP servers.

By provisioning Samba4 with --dns-backend=NONE and including the necessary records in my existing DNS zone, is that enough to get rid of the DNS server included with Samba4? What kind of updates does Samba need to perform to DNS? The ones at provisioning and the machine names that join the domain (this is already taken care of by DHCP). Is there anything I overlook?

Now regarding LDAP, is there a way to tell Samba to replicate the directory from my existing openLDAP?

Best regards,

Olivier
Re: [Samba] TLS between winbind and openldap
Hi,

I found a possible workaround to my issue myself. It seems to be working.

After reading one more time about ldap.conf I tried to export environment variables to set my private key and my certificate. This seems to be working on both debian 6 and debian 7:

I commented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that winbind cannot work with OpenLDAP in debug mode, as expected.

I edited /etc/defaults/winbind and added the following lines

    export LDAPTLS_CERT=/etc/ssl/certs/omv-domain-local.crt
    export LDAPTLS_KEY=/etc/ssl/private/omv-domain-local.key

I restarted winbind with the command line 'service winbind restart'. Now 'wbinfo -i user' is working and I get a uid for the user.

I will check further to ensure there is no more related issue.

2013/8/5 thierry DeTheGeek detheg...@gmail.com
> Hi,
>
> I'm working hard to set up winbind and openLDAP to work together with TLS.
>
> My network contains:
> - a windows server 2008 R2 domain controller
> - a debian 6 based file server (openmediavault v0.4) running OpenLDAP 2.4.23 and Samba v3.5.6
> - a debian 7 computer running winbind 3.6.6
>
> I want to let OpenLDAP store the SID = uid/gid mapping to ensure constant uid and gid for users on all linux based computers and then use both CIFS and NFS.
>
> I'm trying to solve my issue on openmediavault (debian 6) only for now, because I get the exact same issue when trying to establish communication between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).
>
> I created a self signed certificate authority with openssl and created a private key and a certificate for the file server. I used the same certificate authority to create another key and certificate for my debian 7 computer.
>
> OpenLDAP uses its key and is configured to check client certificates. winbind on the same computer uses the same key and certificate to communicate with openLDAP and is configured to check openLDAP's certificate.
>
> When running winbind in interactive debug mode everything is running fine and 'wbinfo -i user' is able to allocate a uid to the user. Another try shows the uid assigned is effectively retrieved from openLDAP. The command line I'm using to test winbind is: 'winbindd -F -i -d idmap:10'.
>
> I tried also to run openLDAP in debug mode with the command line 'slapd -d 1'. The logs produced show that openLDAP and winbind work together with encryption in both directions.
>
> When I run the winbind daemon with the command line 'service winbind start', the TLS connection cannot be initiated and I cannot allocate a uid to any user using 'wbinfo -i user'.
>
> Let's see the configuration files (domain name obfuscated):
>
>     ##cn=config.ldif
>     dn: cn=config
>     objectClass: olcGlobal
>     cn: config
>     olcArgsFile: /var/run/slapd/slapd.args
>     olcLogLevel: none
>     olcPidFile: /var/run/slapd/slapd.pid
>     olcToolThreads: 1
>     structuralObjectClass: olcGlobal
>     entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
>     creatorsName: cn=config
>     createTimestamp: 20130803105505Z
>     olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
>     olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
>     olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
>     olcTLSVerifyClient: demand
>     entryCSN: 20130803125708.704922Z#00#000#00
>     modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>     modifyTimestamp: 20130803125708Z
>
>     ##smb.conf
>     #=== Global Settings ===
>     [global]
>     workgroup = DOMAIN
>     server string = %h server
>     include = /etc/samba/dhcp.conf
>     dns proxy = no
>     log level = 0
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog only = yes
>     panic action = /usr/share/samba/panic-action %d
>     encrypt passwords = true
>     passdb backend = tdbsam
>     obey pam restrictions = yes
>     unix password sync = no
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     pam password change = yes
>     socket options = TCP_NODELAY IPTOS_LOWDELAY
>     guest account = nobody
>     load printers = no
>     disable spoolss = yes
>     printing = bsd
>     printcap name = /dev/null
>     unix extensions = yes
>     wide links = no
>     create mask = 0777
>     directory mask = 0777
>     use sendfile = no
>     null passwords = no
>     local master = yes
>     time server = no
>     wins support = no
>     password server = *
>     realm = DOMAIN.LOCAL
>     security = ads
>     allow trusted domains = no
>     ;
>     ; samba 3.5.6 idmap configuration
>     ;
>     idmap backend = ldap:ldap://omv.domain.local
>     ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
>     ldap idmap suffix = ou=Idmap
>     ldap suffix = dc=domain,dc=local
>     ldap ssl = start tls
>     ldap debug level = 4
>     ldap debug threshold = 1
>     idmap uid = 16777216-5000
>     idmap gid = 16777216-5000
>     idmap config * : backend = ldap
>     idmap config * : ldap_url = ldap://omv.domain.local
>     idmap config * : ldap_anon = no
>     idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local
>     idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
>     idmap config * : range =
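Why the environment-variable workaround above works, as an added example (not code from the thread, from Samba or from OpenLDAP): libldap reads its client options in the order ldap.conf(5) documents, the system-wide file, then $LDAPCONF, then $HOME/ldaprc and $HOME/.ldaprc, then ./ldaprc, and last the LDAP<OPTION> environment variables, which override everything read from files. Running 'winbindd -F -i' from root's shell has HOME=/root, so /root/ldaprc is read; Debian's service(8) wrapper starts init scripts with a scrubbed environment, so HOME is unset and the per-user file is never consulted (that explanation is my assumption about the poster's setup; it is easy to confirm by dumping /proc/<pid>/environ of the running winbindd). The model below reproduces that resolution; the file contents, environments and the Debian path of the system file are constructed, and $LDAPRC and LDAPNOINIT are not modelled.

```python
"""Model of libldap client-config resolution (ldap.conf(5) order).
Added example; not OpenLDAP's or Samba's code."""
import os

SYSTEM_LDAP_CONF = "/etc/ldap/ldap.conf"          # Debian location (assumption)
TLS_OPTIONS = ("TLS_CACERT", "TLS_CERT", "TLS_KEY", "TLS_REQCERT")


def config_search_order(env, cwd="/"):
    """Files libldap would read, earliest first (later ones win).
    Simplified: $LDAPRC and LDAPNOINIT are not modelled."""
    order = [SYSTEM_LDAP_CONF]
    if env.get("LDAPCONF"):
        order.append(env["LDAPCONF"])
    home = env.get("HOME")
    if home:                     # no HOME -> the per-user files are never looked at
        order.append(os.path.join(home, "ldaprc"))
        order.append(os.path.join(home, ".ldaprc"))
    order.append(os.path.join(cwd, "ldaprc"))
    return order


def parse_ldaprc(text):
    """ldap.conf syntax: 'OPTION value' per line, '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def effective_tls_options(files, env, cwd="/"):
    """Merge the TLS_* options the way libldap ends up seeing them:
    files in search order, then LDAP<OPTION> environment variables on top."""
    opts = {}
    for path in config_search_order(env, cwd):
        for key, value in parse_ldaprc(files.get(path, "")).items():
            if key in TLS_OPTIONS:
                opts[key] = value
    for key in TLS_OPTIONS:
        if "LDAP" + key in env:
            opts[key] = env["LDAP" + key]
    return opts


# Constructed to match the thread: CA in the system file, client cert and
# key only in /root/ldaprc.
FILES = {
    SYSTEM_LDAP_CONF: "TLS_CACERT /etc/ssl/certs/ca-certificates.crt\n",
    "/root/ldaprc": ("TLS_CERT /etc/ssl/certs/omv-domain-local.crt\n"
                     "TLS_KEY  /etc/ssl/private/omv-domain-local.key\n"),
}
INTERACTIVE = {"HOME": "/root"}     # 'winbindd -F -i' from root's shell
SERVICE = {}                        # init script via service(8): HOME scrubbed
SERVICE_FIXED = {                   # the exports from /etc/defaults/winbind
    "LDAPTLS_CERT": "/etc/ssl/certs/omv-domain-local.crt",
    "LDAPTLS_KEY": "/etc/ssl/private/omv-domain-local.key",
}

if __name__ == "__main__":
    for name, env in (("interactive", INTERACTIVE), ("service", SERVICE),
                      ("service+env", SERVICE_FIXED)):
        print(name, effective_tls_options(FILES, env))
```

Two things to keep in mind when moving the key reference into the daemon's environment: the key file still has to be readable by the uid winbindd runs as (root here, which is why /etc/ssl/private works), and anything else started from the same defaults file now presents that client certificate to any LDAP server it talks to, so keep the exports scoped to winbind's own environment file rather than a shell-wide profile.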
Re: [Samba] Samba 4 as member server
On Tue, 2013-08-06 at 10:57 +0200, Klaus Rörig wrote:
> OK, then I have to use the Samba 3.6 packages shipped with Ubuntu. Anything special I have to care about?

Hi, no, but as you have only a few clients, it may be simpler to use the dc itself as file server, especially as you have specified ntvfs. If you want rfc2307 from winbind though, you'll have to either build samba 4.0.x from source on a separate box and use smbd or use the Ubuntu 3.6 packages, also on a separate box. If you're OK with ntvfs and you only have win7 clients, I'd go with the single DC/fileserver and forget about rfc2307.
HTH
Steve
Re: [Samba] Samba 4 as member server
Hi,

it seems that the ntvfs module is not working on Ubuntu, I get lots of error messages about this. I don't see Samba4 servers in network neighborhood, so users cannot browse shares, but I do see Samba3 servers, so I have to get Samba3 working with Samba4. Or I have to build Samba4 by myself.

Klaus

On 06.08.2013 11:59, steve wrote:
> On Tue, 2013-08-06 at 10:57 +0200, Klaus Rörig wrote:
> > OK, then I have to use the Samba 3.6 packages shipped with Ubuntu. Anything special I have to care about?
>
> Hi, no, but as you have only a few clients, it may be simpler to use the dc itself as file server, especially as you have specified ntvfs. If you want rfc2307 from winbind though, you'll have to either build samba 4.0.x from source on a separate box and use smbd or use the Ubuntu 3.6 packages, also on a separate box. If you're OK with ntvfs and you only have win7 clients, I'd go with the single DC/fileserver and forget about rfc2307.
> HTH
> Steve
Re: [Samba] Samba 4 as member server
On Tue, 2013-08-06 at 12:36 +0200, Klaus Rörig wrote:
> Hi,
> it seems that the ntvfs module is not working on Ubuntu, I get lots of error messages about this. I don't see Samba4 servers in network neighborhood, so users cannot browse shares, but I do see Samba3 servers, so I have to get Samba3 working with Samba4. Or I have to build Samba4 by myself.
> Klaus

Hi
I don't think you can have (or would want?) network neighbourhood with AD. It may be best to have real shares and control access using ACLs or smb.conf.

If you can, I really would advise building s4 from source: 4.0.8 for both DC and file server, and using samba for the DC and smbd for the file server. It takes longer but it's easy to do and you can be sure to have the latest version.

If you want to stick with Ubuntu then I see the s4 DC and separate s3 file server as the best way to go.
Cheers,
Steve
Re: [Samba] Samba 4 as member server
Hi!

I set up s3 on the fileserver now but I cannot connect to my share.
'wbinfo -u' lists all users
'wbinfo -g' lists all groups
getent also lists the queried user.
But when I try to connect from Win7 to my s3 share, it asks for creds but does not accept any. I cannot see any log entries.
What's wrong now?

Klaus

On 06.08.2013 12:58, steve wrote:
> On Tue, 2013-08-06 at 12:36 +0200, Klaus Rörig wrote:
> > [...]
>
> Hi
> I don't think you can have (or would want?) network neighbourhood with AD. It may be best to have real shares and control access using ACLs or smb.conf.
>
> If you can, I really would advise building s4 from source: 4.0.8 for both DC and file server, and using samba for the DC and smbd for the file server. It takes longer but it's easy to do and you can be sure to have the latest version.
>
> If you want to stick with Ubuntu then I see the s4 DC and separate s3 file server as the best way to go.
> Cheers,
> Steve
Re: [Samba] Samba 4 as member server
On Tue, 2013-08-06 at 14:34 +0200, Klaus Rörig wrote:
> Hi!
> I set up s3 on the fileserver now but I cannot connect to my share.
> 'wbinfo -u' lists all users
> 'wbinfo -g' lists all groups
> getent also lists the queried user.
> But when I try to connect from Win7 to my s3 share, it asks for creds but does not accept any. I cannot see any log entries.
> What's wrong now?

Hi
Too general without knowing a bit more:
Who is logged in on the Win7 box?
Is the Win7 box joined to the domain?
What are the permissions on /srv and /srv/share?
Can the user access the share if logged in on the file server?
Can the user access the share using smbclient?
Does the share appear as a folder in explorer?
What does the windows security tab give for the share?
Steve
Re: [Samba] Samba 4 as member server
Hi!

Authentication works when I set 'password server = server01', but then testparm complains:

    WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
    (by default Samba will discover the correct DC to contact automatically).

But Samba doesn't. DNS is working:

    host -t srv _kerberos._tcp
    _kerberos._tcp.verwaltung.leibniz-remscheid.de has SRV record 0 100 88 server01.verwaltung.leibniz-remscheid.de.
    host server01
    server01.verwaltung.leibniz-remscheid.de has address 192.168.20.200

Klaus

On Tue, Aug 6, 2013 at 5:13 PM, steve st...@steve-ss.com wrote:
> On Tue, 2013-08-06 at 14:34 +0200, Klaus Rörig wrote:
> > [...]
>
> Hi
> Too general without knowing a bit more:
> Who is logged in on the Win7 box?
> Is the Win7 box joined to the domain?
> What are the permissions on /srv and /srv/share?
> Can the user access the share if logged in on the file server?
> Can the user access the share using smbclient?
> Does the share appear as a folder in explorer?
> What does the windows security tab give for the share?
> Steve
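A small lint for the member-server smb.conf that Steve posted earlier in this thread and the testparm warning Klaus hit above, as an added example (not the thread's configuration and not Samba's own testparm): it parses smb.conf the way Samba compares parameter names (case and whitespace ignored), flags 'security = ads' combined with a fixed 'password server', and checks that the idmap ranges of the default '*' backend and the domain backend do not overlap, since overlapping ranges hand the same uid to two different SIDs. The two configs at the bottom are constructed; the range values are assumptions, not the ones from the thread, and '*' is treated as the "use SRV lookup" value for 'password server'.

```python
"""smb.conf lint for an AD member server.  Added example, not Samba code."""
import re


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.  Parameter names are lowercased
    with all whitespace removed, which is how Samba itself compares them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def idmap_ranges(global_section):
    """Map idmap domain name ('*' for the default backend) -> (low, high)."""
    ranges = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-", 1))
            ranges[m.group(1)] = (low, high)
    return ranges


def lint_member_server(text):
    """Return a list of problems; an empty list means the config passed."""
    g = parse_smb_conf(text).get("global", {})
    problems = []
    if g.get("security", "").lower() == "ads":
        if "realm" not in g:
            problems.append("security = ads requires 'realm'")
        # testparm warns about this: with security = ads the DC is located via
        # DNS SRV records; a fixed 'password server' pins one DC instead.
        if g.get("passwordserver", "*") != "*":
            problems.append("security = ads should not be combined with "
                            "'password server = %s'; fix DNS SRV lookup instead"
                            % g["passwordserver"])
    ranges = idmap_ranges(g)
    if "*" not in ranges:
        problems.append("no 'idmap config * : range' for the default backend")
    for name, (low, high) in ranges.items():
        if low >= high:
            problems.append("idmap range for %s is empty (%d-%d)" % (name, low, high))
        elif low < 1000:
            problems.append("idmap range for %s starts below 1000 and can collide "
                            "with local system accounts" % name)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:            # closed intervals intersect
                problems.append("idmap ranges for %s (%d-%d) and %s (%d-%d) overlap"
                                % (a, alo, ahi, b, blo, bhi))
    return problems


# Constructed configs.  BAD_CONF reproduces the two mistakes discussed in the
# thread; the range numbers are assumptions, not the poster's values.
BAD_CONF = """
[global]
    workgroup = VERWALTUNG
    security = ads
    realm = VERWALTUNG.LEIBNIZ-REMSCHEID.DE
    password server = server01
    idmap config * : backend = tdb
    idmap config * : range = 10000-29999
    idmap config VERWALTUNG : backend = ad
    idmap config VERWALTUNG : schema_mode = rfc2307
    idmap config VERWALTUNG : range = 20000-39999
    winbind nss info = rfc2307
[verwaltung]
    path = /srv/shares
    read only = no
"""

GOOD_CONF = BAD_CONF.replace("    password server = server01\n", "") \
                    .replace("10000-29999", "70001-80000") \
                    .replace("20000-39999", "10000-69999")

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label, lint_member_server(conf) or "OK")
```

When the lint is clean but the DC still is not found, the place to look is the resolver on the member, not smb.conf: the SRV lookup Samba performs is the one shown above with 'host -t srv', so the member's /etc/resolv.conf must point at a nameserver that serves the AD zone and its search domain must match the realm.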
Re: [Samba] TLS between winbind and openldap
Did you try using LDAPS (ldap over SSL, typically on port 636)? I can't speak specifically about it with winbind BUT I have found that in other situations LDAPS creates fewer headaches with CA cert issues.

On 08/06/13 05:27, thierry DeTheGeek wrote:
> Hi,
>
> I found a possible workaround to my issue myself. It seems to be working.
>
> After reading one more time about ldap.conf I tried to export environment variables to set my private key and my certificate. This seems to be working on both debian 6 and debian 7:
>
> I commented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that winbind cannot work with OpenLDAP in debug mode, as expected.
>
> I edited /etc/defaults/winbind and added the following lines
>
>     export LDAPTLS_CERT=/etc/ssl/certs/omv-domain-local.crt
>     export LDAPTLS_KEY=/etc/ssl/private/omv-domain-local.key
>
> I restarted winbind with the command line 'service winbind restart'. Now 'wbinfo -i user' is working and I get a uid for the user.
>
> I will check further to ensure there is no more related issue.
>
> [...]
Re: [Samba] Samba 4 as member server
How does your /etc/krb5.conf file look?

On Tue, Aug 6, 2013 at 2:21 PM, Klaus Rörig kroe...@gmail.com wrote:
> Hi!
>
> Authentication works when I set 'password server = server01', but then testparm complains:
>
>     WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
>     (by default Samba will discover the correct DC to contact automatically).
>
> But Samba doesn't. DNS is working:
>
>     host -t srv _kerberos._tcp
>     _kerberos._tcp.verwaltung.leibniz-remscheid.de has SRV record 0 100 88 server01.verwaltung.leibniz-remscheid.de.
>     host server01
>     server01.verwaltung.leibniz-remscheid.de has address 192.168.20.200
>
> Klaus
>
> [...]
Re: [Samba] Samba 4 internal DNS - how to modify SOA record
Hello,

I have the very same problem, does anybody know a way? I am thinking of converting to BIND, modifying and then converting it back to the Internal DNS implementation.

> Hello.
>
> How could one modify a SOA record in rc3? For example, the NS part (not the NS record) of the SOA record points to an absent Windows server. This effectively breaks DNS updates, since there is no such server and if a corresponding A record is added, update requests from clients will come unsigned.
>
> Editing it directly via LDAP breaks Samba (some sort of checksum/hash?). The MMC snap-in says "Zone not loaded by DNS server", so it is not possible to use it either. samba-tool dns add|delete|update can't operate on the SOA record.
>
> Maybe someone could give a link to some document describing dnsRecord, so one could forge a valid record and just change dnsRecord in DC=@ using some LDAP tool?
>
> Thanks in advance.
>
> --
> Best regards,
> Dmitry Khromov
Re: [Samba] Samba 4 internal DNS - how to modify SOA record
> > How could one modify a SOA record in rc3? For example, the NS part (not the NS record) of the SOA record points to an absent Windows server. This effectively breaks DNS updates, since there is no such server and if a corresponding A record is added, update requests from clients will come unsigned.
> >
> > Editing it directly via LDAP breaks Samba (some sort of checksum/hash?). The MMC snap-in says "Zone not loaded by DNS server", so it is not possible to use it either. samba-tool dns add|delete|update can't operate on the SOA record.
> >
> > Maybe someone could give a link to some document describing dnsRecord, so one could forge a valid record and just change dnsRecord in DC=@ using some LDAP tool?
>
> I have the very same problem, does anybody know a way? I am thinking of converting to BIND, modifying and then converting it back to the Internal DNS implementation.

I doubt that will do the job.

As I recall, I forged the dnsRecord manually (the record's structure description can be found on MSDN) and ldbmodify'ed the corresponding ldb on every DC (Samba should not be running). Alternatively, you may just capture the conversation between Samba and the MMC snap-in - the value you need is being sent in clear text.

Regards,
- Dmitry
Re: [Samba] Samba4 using existing DNS and LDAP
Hi Olivier,

I had a similar situation for many of my clients, and I am not anywhere near the end of it yet. I can offer some of my experience though.

The upgrade procedure is documented in https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO and I ended up using --dns-backend=BIND9_DLZ. If you want to set up an AD domain controller then DNS is really important.

As far as the other ldap things, the classic upgrade does not pull in anything that doesn't have samba attributes. I ended up creating some things from scratch after the fact.

Sent from my iPhone

On 06/08/2013, at 7:08 PM, Olivier Nicole olivier.nic...@cs.ait.ac.th wrote:
> Hi,
>
> I have been using Samba3 (and 2) for years, with an openLDAP backend for authentication. This is working fine; my directory includes a number of local settings for my specific needs.
>
> Now I would like to move to Samba4. I understand that Samba4 comes with its own DNS and LDAP servers.
>
> [...]
>
> Now regarding LDAP, is there a way to tell Samba to replicate the directory from my existing openLDAP?
>
> Best regards,
>
> Olivier
Re: [Samba] Debian Package Updates
Hi Andrew,

Would it be possible to upload the packages to the samba team ppa?

Sent from my iPhone

On 05/08/2013, at 10:28 AM, Andrew Bartlett abart...@samba.org wrote:
> On Fri, 2013-08-02 at 14:41 +0100, Dominic Evans wrote:
> > The debian package of samba4 is still sitting at 4.0.3 in experimental. Please could someone (Andrew?) upload an updated package now that we are up to 4.0.7?
> > http://packages.qa.debian.org/s/samba4.html
>
> We have toiled mightily, and have new experimental packages. They are stuck in the NEW queue, and have been for a month:
> http://ftp-master.debian.org/new.html
> (This is because we have additional package names, as part of the merge with the 'samba' package). Once that's in, I expect a 4.0.7 will follow shortly.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz
Re: [Samba] Samba 4 internal DNS - how to modify SOA record
On 08/06/2013 02:34 PM, Rustam K. wrote:
> Hello,
>
> I have the very same problem, does anybody know a way? I am thinking of converting to BIND, modifying and then converting it back to the Internal DNS implementation.

Did you have a look at samba-tool dns update to do this?
Kai has a good experience in DNS related things in Samba; I just put him in this thread just in case he has some insights.

Matthieu.

> > Hello.
> >
> > How could one modify a SOA record in rc3? For example, the NS part (not the NS record) of the SOA record points to an absent Windows server. This effectively breaks DNS updates, since there is no such server and if a corresponding A record is added, update requests from clients will come unsigned.
> >
> > Editing it directly via LDAP breaks Samba (some sort of checksum/hash?). The MMC snap-in says "Zone not loaded by DNS server", so it is not possible to use it either. samba-tool dns add|delete|update can't operate on the SOA record.
> >
> > Maybe someone could give a link to some document describing dnsRecord, so one could forge a valid record and just change dnsRecord in DC=@ using some LDAP tool?
> >
> > Thanks in advance.

--
Matthieu Patou
Samba Team http://samba.org
Re: [Samba] Samba4 using existing DNS and LDAP
On 08/06/2013 02:08 AM, Olivier Nicole wrote:
> Hi,
>
> I have been using Samba3 (and 2) for years, with an openLDAP backend for authentication. This is working fine; my directory includes a number of local settings for my specific needs.
>
> Now I would like to move to Samba4. I understand that Samba4 comes with its own DNS and LDAP servers.
>
> By provisioning Samba4 with --dns-backend=NONE and including the necessary records in my existing DNS zone, is that enough to get rid of the DNS server included with Samba4?

Well, you can use the bind-dlz plugin so that samba uses bind instead of its own internal server.
Another option is to configure your global DNS to use Samba as the source of authority just for the domain of your AD.

> What kind of updates does Samba need to perform to DNS? The ones at provisioning and the machine names that join the domain (this is already taken care of by DHCP). Is there anything I overlook?
>
> Now regarding LDAP, is there a way to tell Samba to replicate the directory from my existing openLDAP?

No. Our LDAP server supports schema upgrade, so if the stuff that you have in your OL has a schema that is compatible with Samba you can update Samba's schema and then load the data by export/import in Samba.
Another way of doing it is by using overlays in OL to present the information coming from both OL and Samba 4 in the desired way.

Matthieu.

> Best regards,
>
> Olivier

--
Matthieu Patou
Samba Team http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8b1a214 s3-netlogon: Connecting with the system token should be sufficient. via 4520787 s3-rpc_server: Grant the system token full access. via 0ede70c libcli: Add security_token_system_privilege(). from eb50fb8 FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at end http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8b1a2144feddc12e818938f025d3ab62f3e3426b Author: Andreas Schneider a...@samba.org Date: Tue Aug 6 11:10:04 2013 +0200 s3-netlogon: Connecting with the system token should be sufficient. Signed-off-by: Andreas Schneider a...@samba.org Reviewed-by: Günther Deschner g...@samba.org Autobuild-User(master): Günther Deschner g...@samba.org Autobuild-Date(master): Tue Aug 6 18:22:06 CEST 2013 on sn-devel-104 commit 4520787080b84cd25034bb340513b15de6df1eb0 Author: Andreas Schneider a...@samba.org Date: Wed Jul 31 16:49:36 2013 +0200 s3-rpc_server: Grant the system token full access. Signed-off-by: Andreas Schneider a...@samba.org Reviewed-by: Günther Deschner g...@samba.org commit 0ede70c51af54212c700fb1791e2a192e412d851 Author: Andreas Schneider a...@samba.org Date: Tue Aug 6 13:26:53 2013 +0200 libcli: Add security_token_system_privilege(). Signed-off-by: Andreas Schneider a...@samba.org Reviewed-by: Günther Deschner g...@samba.org --- Summary of changes: libcli/security/privileges.c| 13 + libcli/security/privileges.h| 10 ++ source3/rpc_server/netlogon/srv_netlog_nt.c |2 -- source3/rpc_server/srv_access_check.c | 24 ++-- 4 files changed, 41 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/privileges.c b/libcli/security/privileges.c index adb67c1..d2731c3 100644 --- a/libcli/security/privileges.c +++ b/libcli/security/privileges.c 
@@ -422,6 +422,19 @@ bool security_token_has_privilege(const struct security_token *token, enum sec_p return false; } +bool security_token_system_privilege(const struct security_token *token) +{ + if (token == NULL) { + return false; + } + + if (token-privilege_mask == (uint64_t)~0) { + return true; + } + + return false; +} + /* set a bit in the privilege mask */ diff --git a/libcli/security/privileges.h b/libcli/security/privileges.h index a65dbdf..eb3ab5e 100644 --- a/libcli/security/privileges.h +++ b/libcli/security/privileges.h @@ -89,6 +89,16 @@ const char *sec_privilege_name_from_index(int idx); */ bool security_token_has_privilege(const struct security_token *token, enum sec_privilege privilege); + +/** + * @brief Check if the security token has system privileges. + * + * @param[in] tokenThe token to check. + * + * @return True if the token has system privileges, false if not. + */ +bool security_token_system_privilege(const struct security_token *token); + /* set a bit in the privilege mask */ diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 4f66dfe..53eff5f 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -698,12 +698,10 @@ static NTSTATUS get_md4pw(struct samr_Password *md4pw, const char *mach_acct, goto out; } - become_root(); status = samr_find_machine_account(mem_ctx, h, mach_acct, SEC_FLAG_MAXIMUM_ALLOWED, domain_sid, user_rid, user_handle); - unbecome_root(); if (!NT_STATUS_IS_OK(status)) { goto out; } diff --git a/source3/rpc_server/srv_access_check.c b/source3/rpc_server/srv_access_check.c index f667d7b..3efc75b 100644 --- a/source3/rpc_server/srv_access_check.c +++ b/source3/rpc_server/srv_access_check.c 
@@ -54,6 +54,21 @@ NTSTATUS access_check_object( struct security_descriptor *psd, struct security_t NTSTATUS status = NT_STATUS_ACCESS_DENIED; uint32 saved_mask = 0; bool priv_granted = false; + bool is_system = false; + bool is_root = false; + + /* Check if we are are the system token */ + if (security_token_is_system(token) + security_token_system_privilege(token)) { + is_system = true; + } + + /* Check if we are root */ + if (geteuid() == sec_initial_uid()) { + is_root = true; + } + + /* Check if we are root */ /* check privileges; certain SAM access bits should be overridden by privileges (mostly having to do with creating/modifying/deleting @@
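Review bot: in the libcli/security/privileges.c hunk, security_token_system_privilege() decides "system" purely from privilege_mask being all ones, which is a proxy rather than an identity check: any token that happens to carry every defined privilege bit (or a future token built with a wider mask) is classified as system, and nothing ties this literal to the place where system tokens are actually built. If the intent is "the token for the local system account", test the SID with the existing security_token_is_system(); if "holds every privilege" really is what access_check_object() needs, give the all-ones value a named constant used at both the token-construction site and here so the two cannot drift apart.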
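Review bot: the doxygen comment added in libcli/security/privileges.h says the function checks whether the token "has system privileges", but the body in privileges.c checks for a completely set privilege mask; document that precisely (all privilege bits set) and state how it differs from security_token_is_system(), since the srv_access_check.c hunk now calls both and a later reader has to know which one to use.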
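Review bot: removing the become_root()/unbecome_root() pair around samr_find_machine_account() in get_md4pw() (source3/rpc_server/netlogon/srv_netlog_nt.c) is only safe if the handle h was opened on a connection that carries the system token, which is what the commit message asserts but the hunk does not show; please name in the commit message where h is obtained (or add a netlogon test that exercises ServerAuthenticate as a non-root path), because if the SAMR open with SEC_FLAG_MAXIMUM_ALLOWED no longer passes the access check without root, every machine-account lookup fails with NT_STATUS_ACCESS_DENIED and domain joins stop working.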
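Review bot: in access_check_object() (source3/rpc_server/srv_access_check.c) the comment "/* Check if we are root */" is emitted twice, the second time with no code beneath it, so drop the duplicate; the operator joining security_token_is_system(token) and security_token_system_privilege(token) does not survive in this listing, so spell out in the commit message whether either check alone is meant to grant is_system or both are required; and the hunk is cut off before is_system and is_root are consulted, so the override logic they feed cannot be reviewed from this excerpt.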