Re: [Samba] Cisco ISE unable to retrieve AD group list from samba 4 server
On 02.10.2013 21:53, Jeremy Allison wrote:

On Wed, Oct 02, 2013 at 11:38:21AM +0200, Andreas Oster wrote:

Hi all, I have run into a problem with our samba4 setup. I have successfully joined a Cisco ISE v1.1.4 (Identity Service Engine) test machine to the samba4 AD. User authentication does work but unfortunately the ISE is unable to fetch the AD groups from the domain controller. In the samba logs I get the following error message when initiating the group fetch:

[2013/10/02 10:21:37.605554, 0] ../source4/cldap_server/cldap_server.c:54(cldapd_request_handler)
Invalid CLDAP request type 16 from ipv4:10.250.12.218:51136

LDAP request type 16 == LDAP_TAG_AbandonRequest which we don't handle in the cldap request handler. That's why you're getting the error. Jeremy.

Hello Jeremy, thank you very much for your fast response. Any chance that this request type will be added? Thanks Andreas

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
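How the "request type 16" in that log line maps to an operation name, as an added example that is not part of the thread and is not Samba code: the request type is the APPLICATION tag number of the protocolOp inside the BER-encoded LDAPMessage (numbers from RFC 4511). The two sample packets are constructed for illustration.

```python
# protocolOp APPLICATION tag numbers defined in RFC 4511.
LDAP_OPS = {
    0: "BindRequest", 1: "BindResponse", 2: "UnbindRequest",
    3: "SearchRequest", 4: "SearchResultEntry", 5: "SearchResultDone",
    6: "ModifyRequest", 7: "ModifyResponse", 8: "AddRequest",
    9: "AddResponse", 10: "DelRequest", 11: "DelResponse",
    12: "ModifyDNRequest", 13: "ModifyDNResponse", 14: "CompareRequest",
    15: "CompareResponse", 16: "AbandonRequest", 19: "SearchResultReference",
    23: "ExtendedRequest", 24: "ExtendedResponse", 25: "IntermediateResponse",
}

# Constructed packets: an AbandonRequest for message 1, sent as message 2,
# and a rootDSE-style SearchRequest sent as message 1.
SAMPLE_ABANDON = bytes.fromhex("3006020102500101")
SAMPLE_SEARCH = bytes.fromhex(
    "3025020101" "6320" "0400" "0a0100" "0a0100" "020100" "020100"
    "010100" "870b6f626a656374436c617373" "3000"
)


def _read_length(buf, pos):
    """Decode a BER length at buf[pos]; return (length, next position)."""
    if pos >= len(buf):
        raise ValueError("truncated before length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    count = first & 0x7F                  # long form: number of length octets
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def ldap_request_type(packet):
    """Return (message_id, tag_number, operation_name) for one LDAPMessage."""
    if not packet or packet[0] != 0x30:
        raise ValueError("LDAPMessage must start with a SEQUENCE (0x30)")
    body_len, pos = _read_length(packet, 1)
    end = pos + body_len
    if end > len(packet):
        raise ValueError("truncated LDAPMessage")
    if pos >= end or packet[pos] != 0x02:
        raise ValueError("messageID INTEGER expected")
    id_len, pos = _read_length(packet, pos + 1)
    if pos + id_len >= end:
        raise ValueError("no protocolOp after messageID")
    message_id = int.from_bytes(packet[pos:pos + id_len], "big")
    pos += id_len
    tag = packet[pos]
    if (tag & 0xC0) != 0x40:              # class bits 01 = APPLICATION
        raise ValueError("protocolOp is not an APPLICATION-class tag")
    number = tag & 0x1F                   # low five bits = tag number
    return message_id, number, LDAP_OPS.get(number, "unknown")


if __name__ == "__main__":
    for name, pkt in (("abandon", SAMPLE_ABANDON), ("search", SAMPLE_SEARCH)):
        print(name, ldap_request_type(pkt))
```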
Re: [Samba] SAMBA + open LDAP + password hashing
Many thanks for the answer, you solved a doubt I had for a long time. What do you mean when you say other than kerberos? Can you point me to some documentation or how to for setting up samba + kerberos + ldap? Thanks *Alberto Aldrigo*

On 02/10/13 20:57, Andrew Bartlett wrote:

On Wed, 2013-10-02 at 11:46 +0200, Alberto Aldrigo | Ca' Tron RE wrote:

Hi everybody, I'm running an Ubuntu server as fileserver for Osx clients using netatalk and now I need to add support to samba for windows clients. Every user has an account on open LDAP user base and every account has a password stored using SSHA hashing. I would like to know if I can use the same user base with samba and how to configure it to use ssha instead of NT/LM or if there is an alternative.

No, there is no alternative (other than Kerberos). The encryption types are incompatible. Andrew Bartlett
[Samba] write problem from mac osx 10.8.5 clients to samba 4
Hi, I have set up a samba 4 DC with a mixed client environment. My problem is that the mac osx clients are unable to write to a samba 4 share. I tested mac osx clients on a normal windows 7 share and it works fine. I tested mac osx clients on a samba 3.5 .. share and everything works fine. As I am in a professional environment and all the windows clients are already bound to the samba 4 domain, I cannot step back to samba3. My mac osx clients are bound and I'm able to view/edit active directory from the mac. My only issue is that I cannot write to the samba 4 shares. I have verified all about permissions, and my thought is that mac osx confuses unix and acl rights. Is there a workaround or a special thing to do regarding UID map GUID map? Please be aware that I'm not a mac specialist, but have to handle it because of professional reasons. I have been searching for a solution for weeks now and really need some help! Kind regards
Re: [Samba] Should I forget sssd ?
On Tue, 2013-10-01 at 17:06 +1100, m...@electronico.nc wrote:

On 01/10/2013 16:44, steve wrote:

Hi It looks as though the ad backend is broken in 1.11.1. At least I can't get it going with a similar sssd.conf: https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html I rolled back to 1.10.0 and it's fine. Re: your question. If you can get away without having Linux clients in the domain, then yes, you can forget sssd entirely. HTH and good luck, Steve

Ah !!! This makes sense to my life ( https://lists.fedorahosted.org/pipermail/sssd-devel/2013-September/016892.html ) ! I was wondering if I won't go back to sheep and cows ;-) Will try sssd 1.10.0 ! (Yes Ubuntu host is actually the only Linux 'client' in the domain) Thanks again (posting 48 hours earlier would have saved my soul during this time) Nicolas

Hi The bug in 1.11.1 has been fixed by the Red Hat guys:

[PATCH] AD: properly intitialize GC from ad_server option --- src/providers/ad/ad_common.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index 700ac03..ab62d64 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -441,7 +441,7 @@ _ad_servers_init(TALLOC_CTX *mem_ctx, } sdata-gc = true; -ret = be_fo_add_server(bectx, fo_service, list[i], 0, sdata, primary); +ret = be_fo_add_server(bectx, fo_gc_service, list[i], 0, sdata, primary); if (ret ret != EEXIST) { DEBUG(SSSDBG_FATAL_FAILURE, (Failed to add server\n)); goto done; -- 1.7.7.6

HTH Steve
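Review bot: the be_fo_add_server() call in _ad_servers_init that now passes fo_gc_service has no comment tying it to the gc flag set on the line before it, and the "Failed to add server" debug message does not say which service the failure was for. I would add a one-line comment above the call stating that servers marked as gc are registered under fo_gc_service, and include the service name in the DEBUG text so that a server registered under the wrong service shows up in the logs. The subject line also misspells "initialize" as "intitialize".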
Re: [Samba] write problem from mac osx 10.8.5 clients to samba 4
I'm not sure if this is still an issue in modern versions of OS X, but in the past you have had to disable unix extensions on the server if UID/GIDs didn't match up with what the client had. It really sucks that there's not another workaround, especially for off-domain Macs.

Personally, I've been running netatalk for OS X clients. While it sucks to have to maintain another service, the OS X SMB driver has always been pretty awful and the improvement in performance has been well worth the cost.

On Thu, Oct 3, 2013 at 8:04 AM, Athan DE JONG athan.dej...@yahoo.fr wrote:

Hi, I have set up a samba 4 DC with a mixed client environment. My problem is that the mac osx clients are unable to write to a samba 4 share. I tested mac osx clients on a normal windows 7 share and it works fine. I tested mac osx clients on a samba 3.5 .. share and everything works fine. As I am in a professional environment and all the windows clients are already bound to the samba 4 domain, I cannot step back to samba3. My mac osx clients are bound and I'm able to view/edit active directory from the mac. My only issue is that I cannot write to the samba 4 shares. I have verified all about permissions, and my thought is that mac osx confuses unix and acl rights. Is there a workaround or a special thing to do regarding UID map GUID map? Please be aware that I'm not a mac specialist, but have to handle it because of professional reasons. I have been searching for a solution for weeks now and really need some help! Kind regards
[Samba] name mangling makes 8.3 unreadable unlike Windows fileserver
Hi, I'm cross-posting here from serverfault.com in case anyone can help. I just found a similar question on askubuntu.com also without an answer.

Switched recently from W2K3 to Samba4.0.9/CentOS6.4 for our fileshare for WinXP clients. Have an ancient (1995!) piece of software that uses 8.3 filename format. After the switch, long filenames became useless in the context of the File-Open dialog box. Instead of the first few characters, we get maybe 1 character the same if we're lucky, which in a directory of thousands makes it impossible to find. For example, instead of S:\Air conditioning control system becoming S:\AIRCON~1 like it would before, it's displayed in this program as S:\A51FHG~S. In our directory of client identifiers with their contact names appended, formerly directory mangling would leave enough characters intact that client identifiers could still be used. Not anymore.

None of the settings in the docs seem to talk about this exact problem. In fact, they seem to show it the way we were used to. Our smb.conf doesn't use any of the settings because the defaults seem to be what we want, according to the docs. Any hints? (If you want to answer on serverfault feel free: http://serverfault.com/questions/543320/samba-name-mangling-too-mangled-to-be-practical ) Thanks for any help, Kev
Re: [Samba] create_local_nt_token_from_info3 not pulling supplementary UNIX groups
Can anyone with knowledge about this issue offer any comment? Somebody has to have an idea about it, good or bad. Thanks, Brian

On 9/11/2013 2:20 PM, Brian H. Nelson wrote:

I'm trying to solve this issue I'm having where using 'valid users = +unixgroup' just plain doesn't work. I can't find any /documented/ reason why this is so, but nevertheless, it seems to be the case. This is with samba 3.6.18, but seems to exist in all of 3.6.x and most or all of 3.5.x and perhaps earlier as well (see bug #6681).

From what I can tell, the underlying reason it doesn't work is because create_local_nt_token_from_info3 doesn't seem to populate the user's token with local UNIX /supplementary/ group SIDs (S-1-22-2-xxx). I'm not sure exactly why this is the case; the code is a bit complicated.

Ironically, if the user is explicitly mapped (username map in smb.conf) then it *does* work. This seems to be because an explicitly-mapped user will follow a different code path and end up using create_token_from_username which /does/ pull local UNIX groups. I don't understand why there is a difference in behavior between explicit and implicit mapping. (Implicit mapping meaning DOMAIN\name maps to local user 'name' via idmap_nss, or some other facility). I would think that either case should ultimately end with the same result.

This seems like a very major and long-standing problem to just be a bug. As such I feel like I'm missing something. Can a dev or somebody with a better understanding of the code fill me in?

Here are some reference links that sound related:
https://bugzilla.samba.org/show_bug.cgi?id=6681
http://marc.info/?l=samba&m=135879161014066&w=2
http://marc.info/?l=samba&m=120886782118153&w=2

Thanks, Brian

-- Brian H. Nelson Data Security Analyst I IT Infrastructure Engineering Youngstown State University bhnelson[at]ysu[dot]edu
Re: [Samba] write problem from mac osx 10.8.5 clients to samba 4
Hey Athan, I was able to deploy OSX in a samba4 environment. Here is my procedure:

Go to System Preferences > User and Groups and create a new account with admin privileges. This will be developed into a default profile for domain users.

Log out and in with the user. Open Keychain Access and delete Login.

Spend some time opening all the applications on the operating system, registering all welcome prompts, and performing all necessary updates/changes.

***THIS MAY BE WHAT YOU'RE LOOKING FOR*** Go back to System Preferences > User and Groups. Right-click the appropriate account > Advanced Options: set the Home Directory to smb://[REALM_OF_DC]/$USER

Open a terminal:

sudo rm /Users/[new_default_account]/Library/Caches/*
sudo rm -rf /System/Library/User\ Template/English.lproj/*
cd /System/Library/User\ Template/English.lproj/
sudo rsync -rav /Users/[new_default_account]/ .

(that's a period, so you're copying into the present working directory above)

Apple > Recent items > Clear Menu

Reboot into your normal Admin account. Disk utility > repair disk permissions. Delete the account that's been set up.

As Admin, let's bind to the domain controller. Head back to Users and Groups and head to Login Options. Edit Network Account Server > Open Directory Utility > Active Directory. Bind to your active directory FQDN. Under User Experience, uncheck both Create mobile account at login and Force local home directory on startup disk.

The one other clincher, I think, was going to the ADUC snap-in and mapping the home directory for all users.

On Thu, Oct 3, 2013 at 6:04 AM, Athan DE JONG athan.dej...@yahoo.fr wrote:

Hi, I have set up a samba 4 DC with a mixed client environment. My problem is that the mac osx clients are unable to write to a samba 4 share. I tested mac osx clients on a normal windows 7 share and it works fine. I tested mac osx clients on a samba 3.5 .. share and everything works fine. As I am in a professional environment and all the windows clients are already bound to the samba 4 domain, I cannot step back to samba3. My mac osx clients are bound and I'm able to view/edit active directory from the mac. My only issue is that I cannot write to the samba 4 shares. I have verified all about permissions, and my thought is that mac osx confuses unix and acl rights. Is there a workaround or a special thing to do regarding UID map GUID map? Please be aware that I'm not a mac specialist, but have to handle it because of professional reasons. I have been searching for a solution for weeks now and really need some help! Kind regards
Re: [Samba] name mangling makes 8.3 unreadable unlike Windows fileserver
On 03.10.2013 16:17, Kevin Field wrote:

Have an ancient (1995!) piece of software that uses 8.3 filename format. After the switch, long filenames became useless in the context of the File-Open dialog box. Instead of the first few characters, we get maybe 1 character the same if we're lucky, which in a directory of thousands makes it impossible to find. For example, instead of S:\Air conditioning control system becoming S:\AIRCON~1 like it would before, it's displayed in this program as S:\A51FHG~S.

In Samba3 this could be changed by increasing the value mangle prefix. This works only if mangling method is changed to hash2. I don't know how one can look up if this still works in samba 4. Most documentation seems to be completely unaware that samba 4 is out.

But beware that I got duplicate filenames after changing this value. Windows prevents duplicates, Samba does not.

hope this helps, Klaus
[Samba] Experience getting winbind Active Directory login on a Samba 4 domain controller
Hey, all,

I had a lot of trouble getting login working for Active Directory users on a Red Hat Enterprise Linux Samba 4 Active Directory domain controller. Here are some things I learned that I hope will be useful to someone:

1. The official build and deployment guidance (https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO) does not address SELinux. Every other guide I read on the web said to turn SELinux off. I have to have SELinux enabled in my environment. Learning to identify and address the problems caused me a lot of pain, mostly because I didn't know about some amazing tools that are available to help.

When I followed the Samba4/Winbind instructions (https://wiki.samba.org/index.php/Samba4/Winbind) to allow login on the AD DC, I got all kinds of errors, with console login, SSH, and graphical login (GDM) all failing. When I finally determined that SELinux was preventing login, much became clear.

To see if SELinux is causing you problems, first determine if SELinux is running:

# sestatus

If SELinux is enforcing, it may cause you issues. If the audit daemon (auditd) is running, SELinux will log its denials. This will save you a lot of effort trying to configure SELinux, as I'll demonstrate a little later. You can confirm if SELinux is causing you problems by attempting to log in as an AD user and then grepping the audit log file. My audit log is in /var/log/audit/audit.log.

# grep denied /var/log/audit/audit.log

If SELinux is enforcing and you get output, SELinux is likely causing you problems. Try temporarily putting SELinux into permissive mode and try logging in again.

# setenforce 0
# [attempt to log in on console interface]

If you can now log in, SELinux is the culprit. The SELinux audit2allow application will help you create an SELinux module with the appropriate permissions to allow login. With SELinux in permissive mode, attempt to log in using all of the methods you're going to allow an AD user to use (console, SSH, and graphical login in my case). In permissive mode, SELinux will not deny access, but it will log what it would have done. (It's important to do this login step in permissive mode, because otherwise you'll have to do multiple rounds of module creation; you'll only get past the first denial on every round.)

# cd /tmp
# grep denied /var/log/audit/audit.log > selinuxloginfails
# audit2allow -M samba4 -i selinuxloginfails
# semodule -i samba4.pp
# setenforce 1

Test logging in on each of the interfaces. After doing this step I was able to log in as an AD user on the console, but not SSH (due to some security configurations in my sshd.conf file that I won't go into here) or the graphical login. Even on the console, I got some strange errors after I logged in:

login: testuser
Password:
id: cannot find name for user id 318
id: cannot find name for user id 318
id: cannot find name for user id 318
could not get database information for UID of current process: User ??? unknown or no memory to allocate password entry
[I have no name!@server]$

This brings me to thing-I've-learned-2:

2. Even if mandatory access controls (SELinux) are configured correctly, discretionary access controls can make your life difficult. The default umask on my system is 077, so when I built and installed Samba 4 the files were owned by root, and only root could access them. When I followed the Samba4/winbind guidance, I linked to the libraries that were installed in /usr/local/samba/lib, but the directory permissions would not allow applications running under other user permissions to access the libraries. In this case, id and whoami both failed to get data about the AD user, even after login succeeded, because they were running as the user (testuser) instead of root. Not only could they not access the libraries, but they couldn't access the winbind daemon, either. On the console, this mostly just means that it shows you as user I have no name!, but the X server just completely failed to log me in, even though the user authenticated correctly. The gdm login interface would succeed, but X would shut down immediately and kick back to the gdm login prompt.

So I had to modify the permissions on directories leading to the relevant files:

# chmod 755 /usr/local/samba /usr/local/samba/var /usr/local/samba/var/run /usr/local/samba/var/run/winbindd
# chmod -R 755 /usr/local/samba/lib

This allowed me to log in on gdm and addressed the problem of no user name on the console after login. If you still have trouble after running these steps, log in on the console as an AD user and run strace on id and whoami. Pay special attention to errors that say ENOACCES. For X (gdm) debugging, check the ~/.xsession-errors file for the user you tried to log in as.

Jared
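A way to review what the collected denials would grant before loading a module built from them, as an added example that is not part of the original post: it groups AVC denials by source type, target type and object class and prints allow rules in the style audit2allow produces, together with the commands that triggered them. The sample log lines, SELinux type names and paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration; the SELinux types and paths
# are assumptions, not denials taken from the original post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1380812345.101:410): avc:  denied  { read } for  pid=2101 comm="login" name="libnss_winbind.so.2" dev=dm-0 ino=131 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file
type=AVC msg=audit(1380812345.102:411): avc:  denied  { read open } for  pid=2101 comm="login" name="libnss_winbind.so.2.0" dev=dm-0 ino=132 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=USER_AUTH msg=audit(1380812346.000:412): pid=2101 uid=0 msg='op=PAM:authentication acct="testuser" res=success'
type=AVC msg=audit(1380812350.220:420): avc:  denied  { connectto } for  pid=2230 comm="sshd" path="/usr/local/samba/var/run/winbindd/pipe" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1380812351.001:421): avc:  denied  { getattr } for  pid=2240 comm="gdm-session-wor" path="/usr/local/samba/lib/libnss_winbind.so.2.0" dev=dm-0 ino=132 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
"""

DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _selinux_type(context):
    """Extract the type from a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_denials(text):
    """Return one dict per AVC denial; other audit record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if not line.startswith("type=AVC") or not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # malformed record: ignore rather than guess
        denials.append({
            "perms": m.group(1).split(),
            "comm": fields.get("comm", "?"),
            "source": _selinux_type(fields["scontext"]),
            "target": _selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return denials


def summarize(denials):
    """Group denials by (source type, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for d in denials:
        entry = summary[(d["source"], d["target"], d["tclass"])]
        entry["perms"].update(d["perms"])
        entry["comms"].add(d["comm"])
        entry["count"] += 1
    return dict(summary)


def to_allow_rules(summary):
    """Render each group as an allow rule, sorted for stable review."""
    rules = []
    for (src, tgt, cls), info in sorted(summary.items()):
        perms = sorted(info["perms"])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules


if __name__ == "__main__":
    groups = summarize(parse_denials(SAMPLE_AUDIT_LOG))
    for rule in to_allow_rules(groups):
        print(rule)
    for key, info in sorted(groups.items()):
        print(key, "triggered by", sorted(info["comms"]), "x", info["count"])
```

A rule whose source type or triggering command has nothing to do with the login paths being tested is a reason to trim the denial file before running audit2allow on it.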
[Samba] client hangs
All, I've exhausted myself on this issue. Our samba server has been up and running for ages without any issues. About 6 weeks ago quite suddenly we began having intermittent client hangs network wide and I'm at a loss to find the issue. The users have so named them the windows explorer status bar of death. It has been extremely disruptive when it happens.

Looking at the logs at the time of the event there doesn't seem to be anything particularly unusual anywhere. It's as if all is well in the world at every level. Network is quiet, file server is fine, samba server is fine, but client attempts to access a resource on a shared drive either by saving, or just simply clicking on a folder on the shared drive can take minutes to complete. Anyone else suddenly experiencing this? Clients are mostly windows7. Though even the mac clients as well as the linux clients are seeing the slowness.

Running samba: samba-3.0.33-3.39.el5_8 Centos5 x86_64

I know I'm not providing much here, but I simply can't find anything relevant to send.

-- Sincerely, Doug Tucker
Re: [Samba] client hangs
On 03.10.2013 17:20, Doug Tucker wrote:

client attempts to access a resource on a shared drive either by saving, or just simply clicking on a folder on the shared drive can take minutes to complete.

Is it reproducible by clicking the same folder again after rebooting the client? Do you have the same antivirus software on Win and Mac? I've seen such behaviour years ago after an antivirus update when accessing a remote directory with a certain powerpoint file in it, that suddenly took minutes to scan. The scan can take place already when going into that directory, even when not clicking on the specific file. Klaus
Re: [Samba] client hangs
Virus scanning was one of the early suspects. For no real reason though as nothing had changed. The macs and linux clients though are affected and neither have virus software installed. That's a huge frustrating point about it. It is completely and wildly random. I can't reproduce it at all, I can only see it when it happens if someone calls and I run down there really quick. The only common thing being that when it's happening to 1, it's happening to all. And during the time it takes to reboot, it probably would have cleared up anyway.

Yesterday during a bad hang a user called, so I immediately tried to smbmount my home directory (I usually just have it mounted) and it hung for quite a while, then returned resource unavailable. The server seemed completely fine though. About 2 minutes later after the caller said it cleared up I was able to mount it. Looking at the server everything seemed fine. I could ping the server. I could telnet to 139 and 445, so they were listening. Load was less than 1. The file server seemed fine. Communication between the 2 was fine. It seems like an internal issue with samba somehow but samba itself hasn't been updated since this started happening (it was already at the latest version for the distro).

Sincerely, Doug Tucker

On 10/03/2013 11:00 AM, Klaus Hartnegg wrote:

On 03.10.2013 17:20, Doug Tucker wrote:

client attempts to access a resource on a shared drive either by saving, or just simply clicking on a folder on the shared drive can take minutes to complete.

Is it reproducible by clicking the same folder again after rebooting the client? Do you have the same antivirus software on Win and Mac? I've seen such behaviour years ago after an antivirus update when accessing a remote directory with a certain powerpoint file in it, that suddenly took minutes to scan. The scan can take place already when going into that directory, even when not clicking on the specific file. Klaus
[Samba] Use LDAP for passwords ONLY
I am trying to figure out if I can set up samba to verify only passwords against LDAP and keep everything else local. Anyone know how to set this up?
Re: [Samba] Use LDAP for passwords ONLY
We are using pGina (pgina.org) for lab logins. pGina is a pluggable authentication system, similar to PAM except for Windows. pGina allows us to separate the user authentication from the account information. User credentials are checked against LDAP, MySQL, or other authentication source. If credentials are correct, the computer is logged in with a pre-defined windows account. Hope this helps. Tony

--- CONFIDENTIALITY WARNING: Pseudo-legal disclaimers do not buy you or your employer any legal recourse for leaked information. E-mail messages should never contain privileged or confidential information. Always treat e-mail as public.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Garey
Sent: Thursday, October 03, 2013 11:18 AM
To: samba@lists.samba.org
Subject: [Samba] Use LDAP for passwords ONLY

I am trying to figure out if I can set up samba to verify only passwords against LDAP and keep everything else local. Anyone know how to set this up?
Re: [Samba] client hangs
I see a lot of this in the logs, but can't determine if it really means anything:

Oct 2 09:45:28 agentsmith2 smbd[21954]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:28 agentsmith2 smbd[25948]: write_data: write failure in writing to client 129.119.104.44. Error Connection reset by peer
Oct 2 09:45:28 agentsmith2 smbd[25971]: write_data: write failure in writing to client 129.119.105.246. Error Connection reset by peer
Oct 2 09:45:28 agentsmith2 smbd[25883]: write_data: write failure in writing to client 129.119.103.96. Error Connection reset by peer
Oct 2 09:45:28 agentsmith2 smbd[25987]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:28 agentsmith2 smbd[25988]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:28 agentsmith2 smbd[25986]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:29 agentsmith2 smbd[25985]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:29 agentsmith2 smbd[25989]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:29 agentsmith2 smbd[25704]: write_data: write failure in writing to client 129.119.105.119. Error Broken pipe
Oct 2 09:45:29 agentsmith2 smbd[21702]: write_data: write failure in writing to client 129.119.105.139. Error Connection reset by peer
Oct 2 09:45:29 agentsmith2 smbd[21954]: [2013/10/02 09:45:29, 0] lib/util_sock.c:write_data(568)
Oct 2 09:45:29 agentsmith2 smbd[25948]: [2013/10/02 09:45:29, 0] lib/util_sock.c:send_smb(767)
Oct 2 09:45:29 agentsmith2 smbd[25971]: [2013/10/02 09:45:29, 0] lib/util_sock.c:send_smb(767)
Oct 2 09:45:29 agentsmith2 smbd[25883]: [2013/10/02 09:45:29, 0] lib/util_sock.c:send_smb(767)
Oct 2 09:45:29 agentsmith2 smbd[25987]: [2013/10/02 09:45:29, 0] lib/util_sock.c:get_peer_addr(1232)
Oct 2 09:45:29 agentsmith2 smbd[25988]: [2013/10/02 09:45:29, 0] lib/util_sock.c:get_peer_addr(1232)
Oct 2 09:45:29 agentsmith2 smbd[25986]: [2013/10/02 09:45:29, 0] lib/util_sock.c:get_peer_addr(1232)
Oct 2 09:45:29 agentsmith2 smbd[25985]: [2013/10/02 09:45:29, 0] lib/util_sock.c:get_peer_addr(1232)
Oct 2 09:45:29 agentsmith2 smbd[25989]: [2013/10/02 09:45:29, 0] lib/util_sock.c:get_peer_addr(1232)
Oct 2 09:45:29 agentsmith2 smbd[25704]: [2013/10/02 09:45:29, 0] lib/util_sock.c:send_smb(767)
Oct 2 09:45:29 agentsmith2 smbd[21702]: [2013/10/02 09:45:29, 0] lib/util_sock.c:send_smb(767)
Oct 2 09:45:29 agentsmith2 smbd[21954]: write_data: write failure in writing to client 129.119.103.85. Error Connection reset by peer
Oct 2 09:45:29 agentsmith2 smbd[25948]: Error writing 60 bytes to client. -1. (Connection reset by peer)
Oct 2 09:45:29 agentsmith2 smbd[25971]: Error writing 60 bytes to client. -1. (Connection reset by peer)
Oct 2 09:45:29 agentsmith2 smbd[25883]: Error writing 60 bytes to client. -1. (Connection reset by peer)
Oct 2 09:45:29 agentsmith2 smbd[25987]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:29 agentsmith2 smbd[25988]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:29 agentsmith2 smbd[25986]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:30 agentsmith2 smbd[25985]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:30 agentsmith2 smbd[25989]: getpeername failed. Error was Transport endpoint is not connected

Sincerely, Doug Tucker

On 10/03/2013 11:11 AM, Doug Tucker wrote:

Virus scanning was one of the early suspects. For no real reason though as nothing had changed. The macs and linux clients though are affected and neither have virus software installed. That's a huge frustrating point about it. It is completely and wildly random. I can't reproduce it at all, I can only see it when it happens if someone calls and I run down there really quick. The only common thing being that when it's happening to 1, it's happening to all. And during the time it takes to reboot, it probably would have cleared up anyway.

Yesterday during a bad hang a user called, so I immediately tried to smbmount my home directory (I usually just have it mounted) and it hung for quite a while, then returned resource unavailable. The server seemed completely fine though. About 2 minutes later after the caller said it cleared up I was able to mount it. Looking at the server everything seemed fine. I could ping the server. I could telnet to 139 and 445, so they were listening. Load was less than 1. The file server seemed fine. Communication between the 2 was fine. It seems like an internal issue with samba somehow but samba itself hasn't been updated since this started happening (it was already at the latest version for the distro).

Sincerely, Doug Tucker

On 10/03/2013 11:00 AM, Klaus Hartnegg wrote:

On 03.10.2013 17:20, Doug
Re: [Samba] client hangs
On Thu, Oct 03, 2013 at 12:03:39PM -0500, Doug Tucker wrote:

I see a lot of this in the logs, but can't determine if it really means anything:

Oct 2 09:45:28 agentsmith2 smbd[21954]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:28 agentsmith2 smbd[25948]: write_data: write failure in writing to client 129.119.104.44. Error Connection reset by peer
Oct 2 09:45:28 agentsmith2 smbd[25971]: write_data: write failure in writing to client 129.119.105.246. Error Connection reset by peer
Oct 2 09:45:28 agentsmith2 smbd[25883]: write_data: write failure in writing to client 129.119.103.96. Error Connection reset by peer
Oct 2 09:45:28 agentsmith2 smbd[25987]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:28 agentsmith2 smbd[25988]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:28 agentsmith2 smbd[25986]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:29 agentsmith2 smbd[25985]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:29 agentsmith2 smbd[25989]: getpeername failed. Error was Transport endpoint is not connected
Oct 2 09:45:29 agentsmith2 smbd[25704]: write_data: write failure in writing to client 129.119.105.119. Error Broken pipe
Oct 2 09:45:29 agentsmith2 smbd[21702]: write_data: write failure in writing to client 129.119.105.139. Error Connection reset by peer

All this is saying is that the client disconnected - smbd doesn't know why. I'd start suspecting a network failure somewhere. Check switches, cables and other hardware. Jeremy.
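One way to test the "happening to all at once" observation against the smbd log, as an added example that is not part of the thread and is not Samba code: it groups the disconnect messages into bursts and reports how many distinct smbd processes and client addresses each burst touches, which separates a shared cause from a single misbehaving client. The sample lines are constructed in the same syslog format; the host name, the 192.0.2.x addresses, the year, and the gap_seconds and min_clients thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted in the thread; host name and
# addresses are placeholders, not values from the original post.
SAMPLE_LOG = """\
Oct  2 09:45:28 fileserver smbd[21954]: getpeername failed. Error was Transport endpoint is not connected
Oct  2 09:45:28 fileserver smbd[25948]: write_data: write failure in writing to client 192.0.2.44. Error Connection reset by peer
Oct  2 09:45:28 fileserver smbd[25971]: write_data: write failure in writing to client 192.0.2.46. Error Connection reset by peer
Oct  2 09:45:29 fileserver smbd[25704]: write_data: write failure in writing to client 192.0.2.119. Error Broken pipe
Oct  2 09:45:29 fileserver smbd[21702]: write_data: write failure in writing to client 192.0.2.139. Error Connection reset by peer
Oct  2 09:45:29 fileserver smbd[25948]: Error writing 60 bytes to client. -1. (Connection reset by peer)
Oct  2 11:02:10 fileserver smbd[26011]: write_data: write failure in writing to client 192.0.2.77. Error Connection reset by peer
Oct  2 11:02:11 fileserver sshd[900]: Accepted publickey for admin
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+smbd\[(\d+)\]:\s+(.*)$")
WRITE_RE = re.compile(
    r"write failure in writing to client (\d+\.\d+\.\d+\.\d+)\. Error (.+)$")
PEER_RE = re.compile(r"getpeername failed\. Error was (.+)$")


def parse_events(text, year=2013):
    """Extract disconnect events; syslog has no year, so it is a parameter."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an smbd line
        stamp, pid, msg = m.groups()
        when = datetime.strptime(
            f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
        write = WRITE_RE.search(msg)
        peer = PEER_RE.search(msg)
        if write:
            events.append({"time": when, "pid": int(pid),
                           "client": write.group(1), "error": write.group(2)})
        elif peer:
            # getpeername failures carry no client address
            events.append({"time": when, "pid": int(pid),
                           "client": None, "error": peer.group(1)})
    return events


def _summarize(group, min_clients):
    clients = sorted({e["client"] for e in group if e["client"]})
    return {
        "start": group[0]["time"],
        "end": group[-1]["time"],
        "events": len(group),
        "pids": len({e["pid"] for e in group}),
        "clients": clients,
        "errors": Counter(e["error"] for e in group),
        "many_clients": len(clients) >= min_clients,
    }


def find_bursts(events, gap_seconds=5, min_clients=3):
    """Cluster events separated by at most gap_seconds and summarize each."""
    bursts, current = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if current and ev["time"] - current[-1]["time"] > timedelta(seconds=gap_seconds):
            bursts.append(_summarize(current, min_clients))
            current = []
        current.append(ev)
    if current:
        bursts.append(_summarize(current, min_clients))
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE_LOG)):
        kind = "many clients at once" if b["many_clients"] else "isolated"
        print(b["start"], kind, b["pids"], "smbd pids", b["clients"], dict(b["errors"]))
```

Bursts flagged as touching many clients can then be lined up against switch and interface error counters for the same seconds.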
Re: [Samba] Use LDAP for passwords ONLY
Hoover, Tony hoover at sal.ksu.edu writes:

We are using pGina (pgina.org) for lab logins. pGina is a pluggable authentication system, similar to PAM except for Windows. pGina allows us to separate the user authentication from the account information. User credentials are checked against LDAP, MySQL, or other authentication source. If credentials are correct, the computer is logged in with a pre-defined windows account. Hope this helps. Tony

That's interesting, but I would like Samba to use the LDAP server rather than the Windows client itself. Trying to avoid install on/modifying the windows clients. Too many of them.
Re: [Samba] Use LDAP for passwords ONLY
Hello,

On 03.10.2013 18:17, Garey wrote:
> I am trying to figure out if I can set up samba to verify only passwords against LDAP and keep everything else local.

Can you be a bit more specific what you intend to do?

Regards,
Marc
Re: [Samba] Use LDAP for passwords ONLY
Marc Muehlfeld samba at marc-muehlfeld.de writes:
> Hello,
>
> On 03.10.2013 18:17, Garey wrote:
> > I am trying to figure out if I can set up samba to verify only passwords against LDAP and keep everything else local.
>
> Can you be a bit more specific what you intend to do?
>
> Regards, Marc

I want all group and user info local on the samba server, but verify passwords against LDAP. So the only thing LDAP is used for is to verify the password.
Re: [Samba] Use LDAP for passwords ONLY
On Thursday, October 3, 2013 12:56 PM CDT, Garey gareysmi...@sbcglobal.net wrote:
> Marc Muehlfeld samba at marc-muehlfeld.de writes:
> > Hello,
> >
> > On 03.10.2013 18:17, Garey wrote:
> > > I am trying to figure out if I can set up samba to verify only passwords against LDAP and keep everything else local.
> >
> > Can you be a bit more specific what you intend to do?
> >
> > Regards, Marc
>
> I want all group and user info local on the samba server, but verify passwords against LDAP. So the only thing LDAP is used for is to verify the password.

LDAP still will need a username to go with the password. Could you tell us exactly why you want users local instead of in LDAP?

-- Donny B.
Re: [Samba] Use LDAP for passwords ONLY
Donny Brooks dbrooks at mdah.state.ms.us writes:
> > > Hello,
> > >
> > > On 03.10.2013 18:17, Garey wrote:
> > > > I am trying to figure out if I can set up samba to verify only passwords against LDAP and keep everything else local.
> > >
> > > Can you be a bit more specific what you intend to do?
> > >
> > > Regards, Marc
> >
> > I want all group and user info local on the samba server, but verify passwords against LDAP. So the only thing LDAP is used for is to verify the password.
>
> LDAP still will need a username to go with the password. Could you tell us exactly why you want users local instead of in LDAP?

Large corporate LDAP server that keeps passwords. Just want to use it for passwords so users don't have another one to keep track of. But I need to control the users who can access the server and local groups that set their rights to information.
Re: [Samba] Use LDAP for passwords ONLY
If you have an existing LDAP structure, there will still be a separate field for the Windows password. For samba 3.x, you can specify either a local backend or an ldap backend. You cannot specify some attributes in ldap but not others. If you want to set up Samba to use LDAP backend you will need to have some admin privileges on the LDAP server.

On 10/03/13 14:32, Garey wrote:
> Donny Brooks dbrooks at mdah.state.ms.us writes:
> > > > Hello,
> > > >
> > > > On 03.10.2013 18:17, Garey wrote:
> > > > > I am trying to figure out if I can set up samba to verify only passwords against LDAP and keep everything else local.
> > > >
> > > > Can you be a bit more specific what you intend to do?
> > > >
> > > > Regards, Marc
> > >
> > > I want all group and user info local on the samba server, but verify passwords against LDAP. So the only thing LDAP is used for is to verify the password.
> >
> > LDAP still will need a username to go with the password. Could you tell us exactly why you want users local instead of in LDAP?
>
> Large corporate LDAP server that keeps passwords. Just want to use it for passwords so users don't have another one to keep track of. But I need to control the users who can access the server and local groups that set their rights to information.
Re: [Samba] name mangling makes 8.3 unreadable unlike Windows fileserver
On Thu, Oct 03, 2013 at 10:17:18AM -0400, Kevin Field wrote:
> Hi,
>
> I'm cross-posting here from serverfault.com in case anyone can help. I just found a similar question on askubuntu.com also without an answer.
>
> Switched recently from W2K3 to Samba4.0.9/CentOS6.4 for our fileshare for WinXP clients. Have an ancient (1995!) piece of software that uses 8.3 filename format. After the switch, long filenames became useless in the context of the File-Open dialog box. Instead of the first few characters, we get maybe 1 character the same if we're lucky, which in a directory of thousands makes it impossible to find.
>
> For example, instead of S:\Air conditioning control system becoming S:\AIRCON~1 like it would before, it's displayed in this program as S:\A51FHG~S. In our directory of client identifiers with their contact names appended, formerly directory mangling would leave enough characters intact that client identifiers could still be used. Not anymore.
>
> None of the settings in the docs seem to talk about this exact problem. In fact, they seem to show it the way we were used to. Our smb.conf doesn't use any of the settings because the defaults seem to be what we want, according to the docs. Any hints?

This is the mangling method that changed to hash2 (gives better protection against duplicates). Use the smb.conf parameter

mangling method = hash

to change it back to the way it used to be.

Jeremy.
Re: [Samba] Cisco ISE unable to retrieve AD group list from samba 4 server
On Thu, Oct 03, 2013 at 08:53:19AM +0200, Andreas Oster wrote:
> On 02.10.2013 21:53, Jeremy Allison wrote:
> > On Wed, Oct 02, 2013 at 11:38:21AM +0200, Andreas Oster wrote:
> > > Hi all,
> > >
> > > I have run into a problem with our samba4 setup. I have successfully joined a Cisco ISE v1.1.4 (Identity Service Engine) test machine to the samba4 AD. User authentication does work but unfortunately the ISE is unable to fetch the AD groups from the domain controller. In the samba logs I get the following error message when initiating the group fetch:
> > >
> > > [2013/10/02 10:21:37.605554, 0] ../source4/cldap_server/cldap_server.c:54(cldapd_request_handler) Invalid CLDAP request type 16 from ipv4:10.250.12.218:51136
> >
> > LDAP request type 16 == LDAP_TAG_AbandonRequest which we don't handle in the cldap request handler. That's why you're getting the error.
> >
> > Jeremy.
>
> Hello Jeremy,
>
> thank you very much for your fast response. Any chance that this request type will be added ?

I don't know what the CLDAP request is supposed to do (although I could look this up) - I'll let LDAP experts reply first.

Jeremy.
[Samba] Folder disappears on rename
I have Samba 4.0.9 installed under Ubuntu 12.04. It's configured as a domain member, with a Windows 2008R2 server being the DC. All workstations are running Windows 7.

One of my users is reporting problems in the following scenario:

1) She creates a folder in one of the Samba shares, and places a number of documents there.
2) She closes all open documents and closes Windows Explorer
3) Another user on another workstation subsequently renames the folder as part of the work flow process to indicate it has been reviewed.
4) The original user then navigates to where the renamed folder should be and cannot find it, either under the original name or the new name. Refreshing doesn't help.
5) After a period of time, typically 3-5 minutes but in one case around 30 minutes, the folder reappears under the new name.

The window of time between steps 2 and 4 is typically fairly small, as in an hour or less. The problem is intermittent.

In the 30-minute case I was able to get on to my own Win7 workstation and look at the network share, and I saw the folder under the new name. I then checked with the user and she reported she still couldn't see it after a refresh, though it appeared shortly (minutes) thereafter.

As diagnostic steps, I've asked the user to try a) logging off; b) rebooting; but we don't have results of those tests yet.

I considered that this might be related to bug 10174 https://bugzilla.samba.org/show_bug.cgi?id=10174, but the original user is making sure she doesn't have any files or folders open before the rename occurs.

Questions:
1) Is this a known issue?
2) Is anyone else experiencing this?
3) Does anyone have any fixes or workarounds?

Thanks in advance for any advice you might have.

-Brian Martin
Re: [Samba] client hangs
Already been down that path. I can't find a network issue anywhere. Our samba server itself is set up with a bonded interface which attaches to 2 different cards in the switch. I've pulled each ethernet cable to see the results and there is no ping loss or interruption of any sort and shutting down the port at the logical level I see the same result. I monitor all of the switches and routers in our network with opennms and cannot find there, or in any of the logs any network interruption anywhere. Additionally samba seems to be the only server affected. We have 50 or so linux servers on the network that aren't experiencing any file server interruption. As for the samba server itself, I moved some clients over to our backup and the problem follows them.

Sincerely,
Doug Tucker

On 10/03/2013 12:11 PM, Jeremy Allison wrote:
> On Thu, Oct 03, 2013 at 12:03:39PM -0500, Doug Tucker wrote:
> > I see a lot of this in the logs, but can't determine if it really means anything:
> >
> > Oct 2 09:45:28 agentsmith2 smbd[21954]: getpeername failed. Error was Transport endpoint is not connected
> > Oct 2 09:45:28 agentsmith2 smbd[25948]: write_data: write failure in writing to client 129.119.104.44. Error Connection reset by peer
> > Oct 2 09:45:28 agentsmith2 smbd[25971]: write_data: write failure in writing to client 129.119.105.246. Error Connection reset by peer
> > Oct 2 09:45:28 agentsmith2 smbd[25883]: write_data: write failure in writing to client 129.119.103.96. Error Connection reset by peer
> > Oct 2 09:45:28 agentsmith2 smbd[25987]: getpeername failed. Error was Transport endpoint is not connected
> > Oct 2 09:45:28 agentsmith2 smbd[25988]: getpeername failed. Error was Transport endpoint is not connected
> > Oct 2 09:45:28 agentsmith2 smbd[25986]: getpeername failed. Error was Transport endpoint is not connected
> > Oct 2 09:45:29 agentsmith2 smbd[25985]: getpeername failed. Error was Transport endpoint is not connected
> > Oct 2 09:45:29 agentsmith2 smbd[25989]: getpeername failed. Error was Transport endpoint is not connected
> > Oct 2 09:45:29 agentsmith2 smbd[25704]: write_data: write failure in writing to client 129.119.105.119. Error Broken pipe
> > Oct 2 09:45:29 agentsmith2 smbd[21702]: write_data: write failure in writing to client 129.119.105.139. Error Connection reset by peer
>
> All this is saying is that the client disconnected - smbd doesn't know why. I'd start suspecting a network failure somewhere. Check switches, cables and other hardware.
>
> Jeremy.
Re: [Samba] client hangs
Additionally, this has happened from time to time (again, no idea what it means exactly), but it doesn't necessarily correlate with when users are seeing the hang. Any idea if this is fatal?

Oct 3 08:31:57 agentsmith2 kernel: INFO: task smbd:26597 blocked for more than 120 seconds.
Oct 3 08:31:57 agentsmith2 kernel: echo 0 /proc/sys/kernel/hung_task_timeout_secs disables this message.
Oct 3 08:31:57 agentsmith2 kernel: smbd D 80157f0a 0 26597 6359 26677 26482 (NOTLB)
Oct 3 08:31:57 agentsmith2 kernel: 81172b963af8 0082 81183f0db400 884cfe7a
Oct 3 08:31:57 agentsmith2 kernel: 8115f9621888 0009 81183fbd70c0 810c3ff110c0
Oct 3 08:31:57 agentsmith2 kernel: 0001fafb7157cdc0 0909 81183fbd72a8 00113fb24bf8
Oct 3 08:31:57 agentsmith2 kernel: Call Trace:
Oct 3 08:31:57 agentsmith2 kernel: [884cfe7a] :sunrpc:xprt_end_transmit+0x2c/0x39
Oct 3 08:31:57 agentsmith2 kernel: [8006ed98] do_gettimeofday+0x40/0x90
Oct 3 08:31:57 agentsmith2 kernel: [80029172] sync_page+0x0/0x43
Oct 3 08:31:57 agentsmith2 kernel: [800637de] io_schedule+0x3f/0x67
Oct 3 08:31:57 agentsmith2 kernel: [800291b0] sync_page+0x3e/0x43
Oct 3 08:31:57 agentsmith2 kernel: [80063a0a] __wait_on_bit+0x40/0x6e
Oct 3 08:31:57 agentsmith2 kernel: [800355f7] wait_on_page_bit+0x6c/0x72
Oct 3 08:31:57 agentsmith2 kernel: [800a3cfd] wake_bit_function+0x0/0x23
Oct 3 08:31:57 agentsmith2 kernel: [800482e8] pagevec_lookup_tag+0x1a/0x21
Oct 3 08:31:57 agentsmith2 kernel: [8004a2d0] wait_on_page_writeback_range+0x62/0x133
Oct 3 08:31:57 agentsmith2 kernel: [800ca3ee] filemap_write_and_wait+0x26/0x31
Oct 3 08:31:57 agentsmith2 kernel: [8852cc9c] :nfs:nfs_setattr+0x8e/0xfc
Oct 3 08:31:57 agentsmith2 kernel: [8000d01d] do_lookup+0x8f/0x24b
Oct 3 08:31:57 agentsmith2 kernel: [8000d57f] dput+0x2c/0x114
Oct 3 08:31:57 agentsmith2 kernel: [8000a7b9] __link_path_walk+0xf10/0xf39
Oct 3 08:31:57 agentsmith2 kernel: [8002d0f6] mntput_no_expire+0x19/0x89
Oct 3 08:31:57 agentsmith2 kernel: [8000e4a2] current_fs_time+0x3b/0x40
Oct 3 08:31:57 agentsmith2 kernel: [8000ec03] link_path_walk+0xac/0xb8
Oct 3 08:31:57 agentsmith2 kernel: [8002cf2d] notify_change+0x145/0x2f5
Oct 3 08:31:57 agentsmith2 kernel: [800e401f] do_utimes+0x106/0x129
Oct 3 08:31:57 agentsmith2 kernel: [8000d73b] inotify_inode_queue_event+0xad/0xe8
Oct 3 08:31:57 agentsmith2 kernel: [80016bbf] vfs_write+0x13f/0x174
Oct 3 08:31:57 agentsmith2 kernel: [800e407e] sys_futimesat+0x3c/0x4b
Oct 3 08:31:57 agentsmith2 kernel: [8005d116] system_call+0x7e/0x83
Oct 3 08:31:57 agentsmith2 kernel:
Oct 3 08:31:57 agentsmith2 kernel: INFO: task smbd:29945 blocked for more than 120 seconds.
Oct 3 08:31:57 agentsmith2 kernel: echo 0 /proc/sys/kernel/hung_task_timeout_secs disables this message.
Oct 3 08:31:57 agentsmith2 kernel: smbd D 80157f0a 0 29945 6359 29946 29942 (NOTLB)
Oct 3 08:31:57 agentsmith2 kernel: 8115f260fd98 0082 8115f260fd48 8000d01d
Oct 3 08:31:57 agentsmith2 kernel: 8115f260fd58 000a 8102ae715040 810c3fea7040
Oct 3 08:31:57 agentsmith2 kernel: 0001fb0e52713c02 0002b635 8102ae715228 000fca752ca8
Oct 3 08:31:57 agentsmith2 kernel: Call Trace:
Oct 3 08:31:57 agentsmith2 kernel: [8000d01d] do_lookup+0x8f/0x24b
Oct 3 08:31:57 agentsmith2 kernel: [8000a7b9] __link_path_walk+0xf10/0xf39
Oct 3 08:31:58 agentsmith2 kernel: [80063c63] __mutex_lock_slowpath+0x60/0x9b
Oct 3 08:31:58 agentsmith2 kernel: [80063cad] .text.lock.mutex+0xf/0x14
Oct 3 08:31:58 agentsmith2 kernel: [8852c9bb] :nfs:nfs_getattr+0x45/0xd9
Oct 3 08:31:58 agentsmith2 kernel: [80028f4a] vfs_stat_fd+0x32/0x4a
Oct 3 08:31:58 agentsmith2 kernel: [800671cf] do_page_fault+0x4cc/0x842
Oct 3 08:31:58 agentsmith2 kernel: [80023cc3] sys_newstat+0x19/0x31
Oct 3 08:31:58 agentsmith2 kernel: [8005ddf9] error_exit+0x0/0x84
Oct 3 08:31:58 agentsmith2 kernel: [8005d116] system_call+0x7e/0x83
Oct 3 08:31:58 agentsmith2 kernel:

Sincerely,
Doug Tucker

On 10/03/2013 12:11 PM, Jeremy Allison wrote:
> On Thu, Oct 03, 2013 at 12:03:39PM -0500, Doug Tucker wrote:
> > I see a lot of this in the logs, but can't determine if it really means anything:
> >
> > Oct 2 09:45:28 agentsmith2 smbd[21954]: getpeername failed. Error was Transport endpoint is not connected
> > Oct 2 09:45:28 agentsmith2 smbd[25948]: write_data: write failure in writing to client 129.119.104.44. Error Connection reset by peer
> > Oct 2 09:45:28 agentsmith2 smbd[25971]: write_data: write failure in writing
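An added example, not part of any poster's message: a small triage script for the two kinds of log output quoted in this thread. It tallies the smbd disconnect messages by error, client and second, and lists the kernel-module frames in each hung-task report. The log text is a constructed sample in the same layout, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog layout quoted in the thread. Host name, PIDs
# and 192.0.2.x addresses are made up; kernel symbols are from the posted trace.
SAMPLE_LOG = """\
Oct  2 09:45:28 fs1 smbd[2101]: getpeername failed. Error was Transport endpoint is not connected
Oct  2 09:45:28 fs1 smbd[2102]: write_data: write failure in writing to client 192.0.2.44. Error Connection reset by peer
Oct  2 09:45:28 fs1 smbd[2103]: write_data: write failure in writing to client 192.0.2.46. Error Connection reset by peer
Oct  2 09:45:28 fs1 smbd[2104]: getpeername failed. Error was Transport endpoint is not connected
Oct  2 09:45:29 fs1 smbd[2105]: write_data: write failure in writing to client 192.0.2.19. Error Broken pipe
Oct  2 11:02:10 fs1 smbd[2102]: write_data: write failure in writing to client 192.0.2.44. Error Connection reset by peer
Oct  3 08:31:57 fs1 kernel: INFO: task smbd:3001 blocked for more than 120 seconds.
Oct  3 08:31:57 fs1 kernel: Call Trace:
Oct  3 08:31:57 fs1 kernel: [800637de] io_schedule+0x3f/0x67
Oct  3 08:31:57 fs1 kernel: [8852cc9c] :nfs:nfs_setattr+0x8e/0xfc
Oct  3 08:31:57 fs1 kernel: [800e407e] sys_futimesat+0x3c/0x4b
Oct  3 08:31:57 fs1 kernel: INFO: task smbd:3002 blocked for more than 120 seconds.
Oct  3 08:31:57 fs1 kernel: Call Trace:
Oct  3 08:31:57 fs1 kernel: [80063c63] __mutex_lock_slowpath+0x60/0x9b
Oct  3 08:31:57 fs1 kernel: [8852c9bb] :nfs:nfs_getattr+0x45/0xd9
"""

_PREFIX = r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+"
SMBD_LINE = re.compile(_PREFIX + r"smbd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
KERNEL_LINE = re.compile(_PREFIX + r"kernel:\s*(?P<msg>.*)$")
WRITE_FAIL = re.compile(r"write_data: write failure in writing to client "
                        r"(?P<client>[0-9A-Fa-f.:]+?)\.\s+Error (?P<err>.+)$")
GETPEERNAME = re.compile(r"getpeername failed\. Error was (?P<err>.+)$")
HUNG_TASK = re.compile(r"INFO: task (?P<task>[^:\s]+):(?P<pid>\d+) "
                       r"blocked for more than (?P<secs>\d+) seconds")
# Frames look like "[8852cc9c] :nfs:nfs_setattr+0x8e/0xfc"; the module is optional.
FRAME = re.compile(r"^\[<?[0-9a-f]+>?\]\s+(?::(?P<mod>\w+):)?(?P<sym>[\w.]+)\+0x")


def parse_disconnects(lines):
    """One dict per smbd write_data/getpeername failure; other lines are skipped."""
    events = []
    for line in lines:
        m = SMBD_LINE.match(line)
        if not m:
            continue
        base = {"ts": " ".join(m["ts"].split()), "pid": int(m["pid"])}
        w, g = WRITE_FAIL.search(m["msg"]), GETPEERNAME.search(m["msg"])
        if w:
            events.append({**base, "kind": "write_failure",
                           "client": w["client"], "error": w["err"].strip()})
        elif g:
            events.append({**base, "kind": "getpeername",
                           "client": None, "error": g["err"].strip()})
    return events


def find_bursts(events, min_pids=3):
    """Seconds in which at least min_pids distinct smbd processes logged a failure."""
    pids = defaultdict(set)
    for ev in events:
        pids[ev["ts"]].add(ev["pid"])
    return {ts: len(p) for ts, p in pids.items() if len(p) >= min_pids}


def parse_hung_tasks(lines):
    """One dict per 'blocked for more than N seconds' report, with its module frames."""
    reports, current = [], None
    for line in lines:
        m = KERNEL_LINE.match(line)
        if not m:
            continue
        h = HUNG_TASK.search(m["msg"])
        if h:
            current = {"task": h["task"], "pid": int(h["pid"]),
                       "blocked_secs": int(h["secs"]), "module_frames": []}
            reports.append(current)
            continue
        f = FRAME.match(m["msg"])
        if f and current is not None and f["mod"]:
            current["module_frames"].append((f["mod"], f["sym"]))
    return reports


def summarize(text):
    """Tally disconnects and hung-task reports found in a block of syslog text."""
    lines = text.splitlines()
    events = parse_disconnects(lines)
    return {
        "by_kind": Counter(e["kind"] for e in events),
        "by_error": Counter(e["error"] for e in events),
        "by_client": Counter(e["client"] for e in events if e["client"]),
        "bursts": find_bursts(events),
        "hung_tasks": parse_hung_tasks(lines),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real server, pass the text of the syslog file to `summarize()`; the `bursts` threshold (`min_pids`) is an arbitrary default of this example.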
Re: [Samba] client hangs
On Thu, Oct 03, 2013 at 02:07:05PM -0500, Doug Tucker wrote:
> Already been down that path. I can't find a network issue anywhere. Our samba server itself is set up with a bonded interface which attaches to 2 different cards in the switch. I've pulled each ethernet cable to see the results and there is no ping loss or interruption of any sort and shutting down the port at the logical level I see the same result. I monitor all of the switches and routers in our network with opennms and cannot find there, or in any of the logs any network interruption anywhere. Additionally samba seems to be the only server affected. We have 50 or so linux servers on the network that aren't experiencing any file server interruption. As for the samba server itself, I moved some clients over to our backup and the problem follows them.

Then you need to look at the clients. All smbd knows is that the client disconnected. It doesn't know why.
Re: [Samba] client hangs
I wasn't suggesting that those were issues, I was asking if it was. It sounds like that probably has nothing to do with the issue going on and is just normal disconnects. I thought a windows update may have gone in as this literally just started occurring suddenly about 6 weeks ago. But alas, mac and linux clients see the same issue.

Sincerely,
Doug Tucker

On 10/03/2013 02:42 PM, Jeremy Allison wrote:
> On Thu, Oct 03, 2013 at 02:07:05PM -0500, Doug Tucker wrote:
> > Already been down that path. I can't find a network issue anywhere. Our samba server itself is set up with a bonded interface which attaches to 2 different cards in the switch. I've pulled each ethernet cable to see the results and there is no ping loss or interruption of any sort and shutting down the port at the logical level I see the same result. I monitor all of the switches and routers in our network with opennms and cannot find there, or in any of the logs any network interruption anywhere. Additionally samba seems to be the only server affected. We have 50 or so linux servers on the network that aren't experiencing any file server interruption. As for the samba server itself, I moved some clients over to our backup and the problem follows them.
>
> Then you need to look at the clients. All smbd knows is that the client disconnected. It doesn't know why.
Re: [Samba] Folder disappears on rename
On Thu, Oct 03, 2013 at 11:57:21AM -0700, Brian Martin wrote:
> I have Samba 4.0.9 installed under Ubuntu 12.04. It's configured as a domain member, with a Windows 2008R2 server being the DC. All workstations are running Windows 7.
>
> One of my users is reporting problems in the following scenario:
>
> 1) She creates a folder in one of the Samba shares, and places a number of documents there.
> 2) She closes all open documents and closes Windows Explorer
> 3) Another user on another workstation subsequently renames the folder as part of the work flow process to indicate it has been reviewed.
> 4) The original user then navigates to where the renamed folder should be and cannot find it, either under the original name or the new name. Refreshing doesn't help.
> 5) After a period of time, typically 3-5 minutes but in one case around 30 minutes, the folder reappears under the new name.
>
> The window of time between steps 2 and 4 is typically fairly small, as in an hour or less. The problem is intermittent.
>
> In the 30-minute case I was able to get on to my own Win7 workstation and look at the network share, and I saw the folder under the new name. I then checked with the user and she reported she still couldn't see it after a refresh, though it appeared shortly (minutes) thereafter.
>
> As diagnostic steps, I've asked the user to try a) logging off; b) rebooting; but we don't have results of those tests yet.
>
> I considered that this might be related to bug 10174 https://bugzilla.samba.org/show_bug.cgi?id=10174, but the original user is making sure she doesn't have any files or folders open before the rename occurs.

No, that isn't a related issue. 10174 is a correctness issue that I'm not sure affects any real application (although of course you never know with Windows apps. :-).

> 1) Is this a known issue?
> 2) Is anyone else experiencing this?
> 3) Does anyone have any fixes or workarounds?

It's not known to the developers. It looks like a failure of change notify, but you'd have to drill down much deeper with wireshark traces to look into it.

Jeremy.
Re: [Samba] Experience getting winbind Active Directory login on a Samba 4 domain controller
On Thu, Oct 03, 2013 at 09:25:30AM -0600, Jacobson, Jared M @ CSG - CSW wrote:
> Hey, all,
>
> I had a lot of trouble getting login working for Active Directory users on a Red Hat Enterprise Linux Samba 4 Active Directory domain controller. Here are some things I learned that I hope will be useful to someone:

Thanks for this write up. Have you thought about adding it to the wiki ?

Jeremy.
Re: [Samba] name mangling makes 8.3 unreadable unlike Windows fileserver
On 2013-10-03 2:38 PM, Jeremy Allison wrote:
> On Thu, Oct 03, 2013 at 10:17:18AM -0400, Kevin Field wrote:
> > Hi,
> >
> > I'm cross-posting here from serverfault.com in case anyone can help. I just found a similar question on askubuntu.com also without an answer.
> >
> > Switched recently from W2K3 to Samba4.0.9/CentOS6.4 for our fileshare for WinXP clients. Have an ancient (1995!) piece of software that uses 8.3 filename format. After the switch, long filenames became useless in the context of the File-Open dialog box. Instead of the first few characters, we get maybe 1 character the same if we're lucky, which in a directory of thousands makes it impossible to find.
> >
> > For example, instead of S:\Air conditioning control system becoming S:\AIRCON~1 like it would before, it's displayed in this program as S:\A51FHG~S. In our directory of client identifiers with their contact names appended, formerly directory mangling would leave enough characters intact that client identifiers could still be used. Not anymore.
> >
> > None of the settings in the docs seem to talk about this exact problem. In fact, they seem to show it the way we were used to. Our smb.conf doesn't use any of the settings because the defaults seem to be what we want, according to the docs. Any hints?
>
> This is the mangling method that changed to hash2 (gives better protection against duplicates). Use the smb.conf parameter
>
> mangling method = hash
>
> to change it back to the way it used to be.
>
> Jeremy.

Thanks Jeremy! I'm not sure how I missed that in the docs. Anyway, it is much, much better than before, but still not exactly like Windows. For example, we have two folders beginning with C-FZP. Instead of C-FZPD~1 and C-FZPP~1, which in our context is exactly enough to tell which one we want, it's a bit (or in this case...a byte) more aggressive in hashing and makes it C-FZP~59 and C-FZP~A5, so that we can no longer tell and have to guess.

Oh but wait, now I see: The minimum value is 1 and the maximum value is 6. mangle prefix is effective only when mangling method is hash2. This does exactly what we want! And now I also see how I think I missed it: this parameter isn't in the NAME MANGLING section.

Thanks!
Kev
Re: [Samba] name mangling makes 8.3 unreadable unlike Windows fileserver
On Thu, Oct 03, 2013 at 07:14:35PM -0400, Kevin Field wrote:
> Thanks Jeremy! I'm not sure how I missed that in the docs. Anyway, it is much, much better than before, but still not exactly like Windows. For example, we have two folders beginning with C-FZP.

We're never going to give the same mangled names as Windows, as our mangling algorithms are different. We don't depend on having full access to all directory entries when we create them.

> Instead of C-FZPD~1 and C-FZPP~1, which in our context is exactly enough to tell which one we want, it's a bit (or in this case...a byte) more aggressive in hashing and makes it C-FZP~59 and C-FZP~A5, so that we can no longer tell and have to guess.
>
> Oh but wait, now I see: The minimum value is 1 and the maximum value is 6. mangle prefix is effective only when mangling method is hash2. This does exactly what we want! And now I also see how I think I missed it: this parameter isn't in the NAME MANGLING section.

Well, glad you got it working anyway :-).

Jeremy.
Re: [Samba] SAMBA + open LDAP + password hashing
On Thu, 2013-10-03 at 09:41 +0200, Alberto Aldrigo | Ca' Tron RE wrote:
> Many thanks for the answer, you solved a doubt I had for a long time. What do you mean when you say other than kerberos ? Can you point me to some documentation or how to for setting up samba + kerberos + ldap?
>
> Thanks

The easiest way to do Samba + kerberos + ldap is to set up Samba as an AD DC.

That said, I shouldn't have mentioned Kerberos in the context of your original query, as it still has the same issues of needing those password types, which you don't have.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
[Samba] Samba 4 install packages for Ubuntu 10
Hello,

I want to upgrade my current samba 3.7 that I compiled, to samba 4, and wondered if I can get binaries compatible with Ubuntu 10?

Sent from my iPhone
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 8b51eab Revert Support UPN_DNS_INFO in the PAC
from 8f201fe Remove dead code. Now we have no SWAT we don't use the invalid_services array or associated counter.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 8b51eabf319689d45ce1f8492c4372b49eecb794
Author: Stefan Metzmacher me...@samba.org
Date: Thu Oct 3 15:14:58 2013 +0200

Revert Support UPN_DNS_INFO in the PAC

This reverts commit a6be8a97f705247c1b1cbb0595887d8924740a71.

We fail (often) to parse a krb5pac type 12 buffer due to the incomplete change which came in via a6be8a97f705247c1b1cbb0595887d8924740a71.

This change came into master and has only been released in RCs so no regression to published 4.0.x releases. We should revert this for 4.1 for now until we can make it work in all cases (see work on this in https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac_type12).

Without this revert the entire PAC parsing may fail which can effect serious implications (krb5 smb session setup not working).

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10178

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Stefan Metzmacher me...@samba.org
Autobuild-User(master): Stefan Metzmacher me...@samba.org
Autobuild-Date(master): Thu Oct 3 17:08:46 CEST 2013 on sn-devel-104

---

Summary of changes:
librpc/idl/krb5pac.idl | 16 +++-
1 files changed, 7 insertions(+), 9 deletions(-)

Changeset truncated at 500 lines:

diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl index 0fce16b..8a6540c 100644 --- a/librpc/idl/krb5pac.idl +++ b/librpc/idl/krb5pac.idl 
@@ -37,20 +37,18 @@ interface krb5pac [size_is(num_transited_services)] lsa_String *transited_services; } PAC_CONSTRAINED_DELEGATION; - typedef [public,bitmap32bit] bitmap { - UDI_ACCT_HAS_NO_UPN = 0x0001 /* 1= User account has no UPN */ - } upn_dns_info_flags; - typedef struct { [value(2*strlen_m(upn_name))] uint16 upn_size; uint16 upn_offset; [value(2*strlen_m(domain_name))] uint16 domain_size; uint16 domain_offset; - upn_dns_info_flags flags; - uint32 padding; + uint16 unknown3; /* 0x01 */ + uint16 unknown4; + uint32 unknown5; [charset(UTF16)] uint8 upn_name[upn_size+2]; [charset(UTF16)] uint8 domain_name[domain_size+2]; - } PAC_UPN_DNS_INFO; + uint32 unknown6; /* padding */ + } PAC_UNKNOWN_12; typedef [public] struct { PAC_LOGON_INFO *info; @@ -66,7 +64,7 @@ interface krb5pac PAC_TYPE_KDC_CHECKSUM = 7, PAC_TYPE_LOGON_NAME = 10, PAC_TYPE_CONSTRAINED_DELEGATION = 11, - PAC_TYPE_UPN_DNS_INFO = 12 + PAC_TYPE_UNKNOWN_12 = 12 } PAC_TYPE; typedef struct { @@ -80,12 +78,12 @@ interface krb5pac [case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name; [case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFC01)] PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation; - [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info; /* when new PAC info types are added they are supposed to be done in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for unknown types, which lets us ignore the data */ [default] [subcontext(0)] DATA_BLOB_REM unknown; + /* [case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown; */ } PAC_INFO; typedef [public,nopush,nopull,noprint] struct { -- Samba Shared Repository
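Review bot: In the first hunk (the struct that becomes PAC_UNKNOWN_12), upn_name and domain_name are laid out inline straight after the fixed header, sized upn_size+2 and domain_size+2, and upn_offset and domain_offset are never consulted, so a type 12 buffer whose strings sit at other offsets or lack the assumed two extra bytes would not parse with this description. Since the last hunk leaves the only user of this struct commented out, either drop the struct or add a comment saying it is a known-incomplete layout kept for reference, and note what unknown3 (/* 0x01 */), unknown4 and unknown5 are believed to hold.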
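Review bot: In the PAC_TYPE enum hunk, renaming PAC_TYPE_UPN_DNS_INFO back to PAC_TYPE_UNKNOWN_12 drops the only place in this file that says what buffer type 12 is. The summary shows krb5pac.idl as the only file touched, so no other reference to the old name is expected to break, but a short comment beside "PAC_TYPE_UNKNOWN_12 = 12" naming it as the UPN_DNS_INFO buffer and pointing at bug 10178 would keep that knowledge for whoever picks the work up again.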
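Review bot: In the PAC_INFO union hunk, the commented-out "[case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown;" line is added after the [default] arm with no explanation of why it is disabled, and it now sits directly under the existing comment about ignoring unknown types. With the explicit case removed, type 12 falls through to "[default] [subcontext(0)] DATA_BLOB_REM unknown", which is what the commit message asks for; say so in a comment with the bug URL, and either move the disabled case above the default arm or delete it.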
[SCM] CTDB repository - branch master updated - ctdb-2.4-65-g6182bd0
The branch, master has been updated
via 6182bd0c19f215a997efe5272e633b1b1bd0c882 (commit)
via 10aac42f30cc0d56dca42ece17d04ccbc321056d (commit)
via 59bd4ede15a5958b87e0d253461eb9111885bd2f (commit)
via 3296559c43e70f755fcf2c06677891e0319c8142 (commit)
via 5619754343003016ede27014567dbb4701f97928 (commit)
via 299fa487549e36572b757852d21471f9e23f6e8f (commit)
via c5a7f2b4ff011e1393c4ff34864f85e6b472ff07 (commit)
via 1585a8e275b0143e5e46311b3d5e9785119f735f (commit)
via ae0d8f432ef98a72c85a6cd42c503b718bef0e4e (commit)
via cd66282c635cf53386d8970b89c895076ea21cbd (commit)
via 8cb1fbbfe88327c9c7ab68e8eded586dff611e57 (commit)
via 1e7fca5cdc1d7205cf084e35aace1a5dc46ea294 (commit)
via c9a9d14c91f203ce964a426a8a1e2c1715af2098 (commit)
via 962eb63c6d500e29a03ae087757d81be449888c6 (commit)
via 873b9cadbcc363a9e5f450b0a1feb1cf2ce1e6c9 (commit)
via d94a10f93a0925b17458d009e60496b3d880 (commit)
via 8b238852884004a56f76a1762199c338864d1249 (commit)
from 713c9ecc791e3319a2d109838471833de5a158c8 (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master

- Log -
commit 6182bd0c19f215a997efe5272e633b1b1bd0c882
Author: Martin Schwenke mar...@meltin.net
Date: Wed Sep 18 14:27:03 2013 +1000

tests/tool: Remove references in libctdb in file and function names

Main changes are: libctdb_test.c - ctdb_test_stubs.c ctdb_tool_libctdb.c - ctdb_functest.c

ctdb_tool_stubby.c is gone, replaced with existing ctdb_test.c.

Functions starting with libctdb_test_ now start with ctdb_test_stubs_.

Signed-off-by: Martin Schwenke mar...@meltin.net
Pair-programmed-with: Amitay Isaacs ami...@gmail.com

commit 10aac42f30cc0d56dca42ece17d04ccbc321056d
Author: Martin Schwenke mar...@meltin.net
Date: Wed Sep 18 14:01:00 2013 +1000

tests/tool: Rework test programs so they no longer expect libctdb

Instead, override controls using preprocessor magic.

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 59bd4ede15a5958b87e0d253461eb9111885bd2f
Author: Martin Schwenke mar...@meltin.net
Date: Wed Sep 18 13:43:53 2013 +1000

tests/tool: Fix some comment typos

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 3296559c43e70f755fcf2c06677891e0319c8142
Author: Martin Schwenke mar...@meltin.net
Date: Wed Sep 18 13:40:52 2013 +1000

tools/ctdb: Stop return value from being clobbered in control_lvsmaster()

ret is initialised too early and is clobbered by the call to ctdb_ctrl_getcapabilities(). Initialising it later means that the function returns -1 when no LVS master is found.

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 5619754343003016ede27014567dbb4701f97928
Author: Martin Schwenke mar...@meltin.net
Date: Wed Sep 18 13:40:10 2013 +1000

client: Fix some format string compiler warnings

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 299fa487549e36572b757852d21471f9e23f6e8f
Author: Amitay Isaacs ami...@gmail.com
Date: Fri Aug 30 23:38:15 2013 +1000

common: Fix setting of debug level in the client code

Signed-off-by: Amitay Isaacs ami...@gmail.com

commit c5a7f2b4ff011e1393c4ff34864f85e6b472ff07
Author: Amitay Isaacs ami...@gmail.com
Date: Sun Aug 25 21:44:59 2013 +1000

libctdb: Remove incomplete libctdb

Signed-off-by: Amitay Isaacs ami...@gmail.com

commit 1585a8e275b0143e5e46311b3d5e9785119f735f
Author: Amitay Isaacs ami...@gmail.com
Date: Tue Aug 27 14:46:08 2013 +1000

tools/ctdb: Pass memory context for returning nodes in parse_nodestring

Signed-off-by: Amitay Isaacs ami...@gmail.com

commit ae0d8f432ef98a72c85a6cd42c503b718bef0e4e
Author: Amitay Isaacs ami...@gmail.com
Date: Sun Aug 25 21:43:29 2013 +1000

tests: Do not use libctdb code in tests

Signed-off-by: Amitay Isaacs ami...@gmail.com

commit cd66282c635cf53386d8970b89c895076ea21cbd
Author: Amitay Isaacs ami...@gmail.com
Date: Thu Aug 29 17:22:38 2013 +1000

tools/ctdb: Do not use libctdb for commandline tool

Signed-off-by: Amitay Isaacs ami...@gmail.com

commit 8cb1fbbfe88327c9c7ab68e8eded586dff611e57
Author: Amitay Isaacs ami...@gmail.com
Date: Fri Aug 23 16:52:24 2013 +1000

client: Add ctdb_ctrl_getdbseqnum() function

Signed-off-by: Amitay Isaacs ami...@gmail.com

commit 1e7fca5cdc1d7205cf084e35aace1a5dc46ea294
Author: Amitay Isaacs ami...@gmail.com
Date: Fri Aug 23 16:52:02 2013 +1000

client: Add ctdb_ctrl_getdbstatistics() function

Signed-off-by: Amitay Isaacs ami...@gmail.com

commit c9a9d14c91f203ce964a426a8a1e2c1715af2098
Author: Amitay Isaacs ami...@gmail.com
Date: Fri Aug 23 16:51:26 2013 +1000

client: Add ctdb_client_check_message_handlers() function

Signed-off-by: