Re: [Samba] Problem with ntlm authentication in squid

2013-10-07 Thread Silvio Aparecido

On 10/04/2013 08:26 AM, Silvio Aparecido wrote:

Hi

I'm having a little problem after logging into domain via samba, after a
few minutes the squid no longer authenticates the users through single
sign on and keeps asking for authentication in the browser without stopping.

Below are my settings and error logs.

*smb.conf*

[global]
workgroup = SALE
netbios name = utmadm
server string = PROXY SERVER
load printers = no
log file = /var/log/samba34/log.%m
pid directory = /var/run/samba34
max log size = 500
realm = sale.br
security = ads
auth methods = winbind
winbind separator = |
encrypt passwords = yes
winbind cache time = 300
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 1-5
idmap gid = 1-5
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 192.168.8.202
dns proxy = no
ldap ssl = no
client use spnego = no
server signing = auto
client signing = auto
log level = 3 auth:10 winbind:10

*krb5.conf*

[libdefaults]
default_realm = SALE.BR
clockskew = 300
[realms]
SALE.BR = {
  kdc = 192.168.0.1
  default_domain = domain.local
  admin_server = 192.168.0.1
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
.domain.local = DOMAIN.LOCAL

[appdefaults]
pam = {
  ticket_lifetime = 1d
  renew_lifetime = 1d
  forwardable = true
  proxiable = false
  retain_after_close = false
  minimum_uid = 1
}

*squid.conf*

# Do not edit manually !
http_port 192.168.0.1:8080
icp_port 0

pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
referer_log /var/squid/logs/referer.log
logfile_rotate 0
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.0.0/255.255.255.0
uri_whitespace strip
dns_nameservers 208.67.222.222
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95

url_rewrite_program /usr/local/bin/redirector
url_rewrite_children 50

# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 5080 3128 1025-65535 5080 81 80 443 21 20
acl sslports port 443 563 5080 5080 81 80 443 21 20
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl unrestricted_hosts src /var/squid/acl/unrestricted_hosts.acl
acl whitelist dstdom_regex -i /var/squid/acl/whitelist.acl
cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all

# Custom options
tcp_outgoing_address 192.168.0.1
auth_param ntlm keep_alive on

# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
http_access allow whitelist
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 45
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
auth_param basic children 45
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 600 minutes
acl password proxy_auth REQUIRED
http_access allow unrestricted_hosts
http_access allow password localnet
# Default block all to be sure
http_access deny all

My winbind_privileged

drwxr-x---   2 root  proxy   512B Oct  2 10:00 winbindd_privileged

Error logs:

[2013/10/01 19:39:44,  0]
utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

Login for user [SALE]\[wellington.gomes]@[TI-06] failed due to
[Access denied]
2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2013/10/01 19:37:35,  0]
utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED


[Samba] Failover

2013-10-07 Thread Sandbox
Hi guys,


I have a domain with Samba 4.0.5 domain controllers and also a failover
DRBD shared disk, where the active DC controls the access to the disk.
DOMAINC01 - 10.48.16.150
DOMAINC02 - 10.48.16.151
DOMAINCHA - 10.48.16.155  this would be the failover IP, which works
perfectly on Windows XP clients.
I can see the shares, just like on DOMAINC01 or DOMAINC02, and if the users
have the proper credentials they can write, open, etc.
But when I try to do the same on a Windows 7 client I simply get an error
message: "You don't have the proper rights to open the directory".
I guess it is because the DOMAINCHA virtual controller is not in the AC, but
shall I add a computer to the AC so my win7 clients could open the
available shares?

Thanks,

Robert
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] [3.6.8] XP fails with error 1326

2013-10-07 Thread Winfried
Hello

I've googled and experimented for the past few hours but am still stuck
trying to simply share a temporary directory in read-only with anyone on the
LAN.

Here's the smb.conf I'm using:
==
/etc/samba# cat smb.conf
[global]
workgroup = WORKGROUP
encrypt passwords = yes
;wins support = yes
;log level = 1
;max log size = 1000
;read only = no
guest account = nobody

;[homes]
;browsable = no
;map archive = yes

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
;public = yes
==

Neither smbd nor nmbd show any error in the log files, so I guess things are
fine on this end.

But the share isn't displayed in XP's NetHood and net view returns this:
System error 1326 has occurred. Logon failure: unknown user name or bad
password.

Any idea what could prevent XP from reading the share?

Thank you.



--
View this message in context: 
http://samba.2283325.n4.nabble.com/3-6-8-XP-fails-with-error-1326-tp4654631.html
Sent from the Samba - General mailing list archive at Nabble.com.


Re: [Samba] [3.6.8] XP fails with error 1326

2013-10-07 Thread Gaiseric Vandal



Does the unix level nobody account exist?


Does it work with Win 7 clients?



On 10/07/13 11:08, Winfried wrote:

Hello

I've googled and experimented for the past few hours but am still stuck
trying to simply share a temporary directory in read-only with anyone on the
LAN.

Here's the smb.conf I'm using:
==
/etc/samba# cat smb.conf
[global]
workgroup = WORKGROUP
encrypt passwords = yes
;wins support = yes
;log level = 1
;max log size = 1000
;read only = no
guest account = nobody

;[homes]
;browsable = no
;map archive = yes

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
;public = yes
==

Neither smbd nor nmbd show any error in the log files, so I guess things are
fine on this end.

But the share isn't displayed in XP's NetHood and net view returns this:
System error 1326 has occurred. Logon failure: unknown user name or bad
password.

Any idea what could prevent XP from reading the share?

Thank you.



--
View this message in context: 
http://samba.2283325.n4.nabble.com/3-6-8-XP-fails-with-error-1326-tp4654631.html
Sent from the Samba - General mailing list archive at Nabble.com.




Re: [Samba] [3.6.8] XP fails with error 1326

2013-10-07 Thread Rowland Penny

On 07/10/13 16:08, Winfried wrote:

Hello

I've googled and experimented for the past few hours but am still stuck
trying to simply share a temporary directory in read-only with anyone on the
LAN.

Here's the smb.conf I'm using:
==
/etc/samba# cat smb.conf
[global]
workgroup = WORKGROUP
encrypt passwords = yes
;wins support = yes
;log level = 1
;max log size = 1000
;read only = no
guest account = nobody

;[homes]
;browsable = no
;map archive = yes

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
;public = yes
==

Neither smbd nor nmbd show any error in the log files, so I guess things are
fine on this end.

But the share isn't displayed in XP's NetHood and net view returns this:
System error 1326 has occurred. Logon failure: unknown user name or bad
password.

Any idea what could prevent XP from reading the share?

Thank you.



--
View this message in context: 
http://samba.2283325.n4.nabble.com/3-6-8-XP-fails-with-error-1326-tp4654631.html
Sent from the Samba - General mailing list archive at Nabble.com.

Hi, I think you need to add these two lines to [global]:

security = user
map to guest = Bad User

Rowland
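
The effect of the two suggested [global] lines on the posted share, as an added example that is not part of the original thread: a small auditor that lists every `guest ok` share in an smb.conf and says whether a client with an unknown user name can reach it. The function names are hypothetical and the sample is the posted file with its commented-out lines dropped (constructed).

```python
TRUE_WORDS = {"yes", "true", "on", "1"}
SYNONYMS = {"public": "guestok", "browsable": "browseable"}
INVERTED_READ_ONLY = {"writable", "writeable", "writeok"}  # inverted "read only"

# Constructed sample: the smb.conf posted in this thread, comments dropped.
POSTED_CONF = """\
[global]
workgroup = WORKGROUP
encrypt passwords = yes
guest account = nobody

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
"""

# The same file with the two [global] lines suggested in the reply.
SUGGESTED_CONF = POSTED_CONF.replace(
    "[global]\n", "[global]\nsecurity = user\nmap to guest = Bad User\n", 1)


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def squash(text):
    """smb.conf ignores case and whitespace in parameter names and enum values."""
    return "".join(text.split()).lower()


def parse_smb_conf(text):
    """Return {section: {squashed_parameter: value}}, skipping '#' and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = squash(key)
            if key in INVERTED_READ_ONLY:
                key, value = "readonly", "no" if is_true(value) else "yes"
            current[SYNONYMS.get(key, key)] = value
    return sections


def audit_guest_shares(conf):
    """List guest-enabled shares and how an unauthenticated client is treated."""
    glob = conf.get("global", {})
    mapping = squash(glob.get("maptoguest", "Never"))  # Samba's default is Never
    findings = []
    for name, params in conf.items():
        if name == "global":
            continue
        # Share-level value first, then a default set in [global], then Samba's own.
        if not is_true(params.get("guestok", glob.get("guestok", "no"))):
            continue
        read_only = is_true(params.get("readonly", glob.get("readonly", "yes")))
        if mapping == "never":
            state = "unreachable-as-guest"        # unknown user => logon failure
        elif mapping == "badpassword":
            state = "guest-on-any-failed-logon"   # mistyped passwords become guest too
        else:
            state = "guest-on-unknown-user"       # Bad User / Bad Uid
        findings.append({
            "share": name,
            "path": params.get("path"),
            "state": state,
            "writable": not read_only,
            "guest_account": glob.get("guestaccount", "nobody"),
        })
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("suggested", SUGGESTED_CONF)):
        for finding in audit_guest_shares(parse_smb_conf(text)):
            print(label, finding)
```

With the suggested lines in place the report changes from unreachable to reachable without credentials, so everything under `/tmp` that the guest account can read is then served to any host on the LAN.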


[Samba] wbinfo -i domain_username issue

2013-10-07 Thread Alessio Tomelleri



Hi,

I'm going to set up a samba4 member server joined to an existing AD
Domain (2003). I don't need a DC controller, but a simple file server
where (mostly) Windows clients will access some shares, so I'm going to
follow

https://wiki.samba.org/index.php/Samba4/Domain_Member

distro is Ubuntu 12.04.03 amd64


I compiled...
./configure --libdir=/lib/x86_64-linux-gnu --with-ads
--with-shared-modules=idmap_ad,pam --enable-old-ctdb

make... make install...
everything was fine.


/usr/local/samba/etc/smb.conf :
[global]

   log level = 3

   workgroup = SHORTDOMAIN
   security = ADS
   realm = FQDN_DOMAIN
   encrypt passwords = yes
   password server = fqdn_server1 fqdn_server2

   idmap config *:backend = tdb
   idmap config *:range = 70001-8
   idmap config SHORTDOMAIN:backend = ad
   idmap config SHORTDOMAIN:schema_mode = rfc2307
   idmap config SHORTDOMAIN:range = 500-4

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

[test]
   path = /dati/test
   read only = no


and  /etc/krb5.conf :

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FQDN_DOMAIN
 dns_lookup_realm = true
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[realms]
FQDN_DOMAIN = {
kdc = fqdn_server1
admin_server = fqdn_server1
default_domain = FQDN_DOMAIN
}

[domain_realm]
 .arpa.veneto.it = FQDN_DOMAIN
 arpa.veneto.it = FQDN_DOMAIN


/etc/nsswitch.conf
passwd: files winbind
group:  files winbind


net ads join was fine ...


and here we are...  wbinfo -u and -g are fine

but...wbinfo -i domain_username  fails  with this error :
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain_username

and   getent passwd  ...show me only local users...

This problem seems quite close to
http://www.mail-archive.com/samba@lists.samba.org/msg127228.html
but I really have to switch this fileserver to DC conf ?!  I'm working
with an idea of  2/3 DC controller (samba4 or w2kx), more other samba4
fileserver (as this)

I tried many times.. re-compiling etc...  I'm bit confused... what am I
missing ?



thx in advance
Alessio Tomelleri





Re: [Samba] wbinfo -i domain_username issue

2013-10-07 Thread steve
On Mon, 2013-10-07 at 18:07 +0200, Alessio Tomelleri wrote:
 

 
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config SHORTDOMAIN:backend = ad
idmap config SHORTDOMAIN:schema_mode = rfc2307
idmap config SHORTDOMAIN:range = 500-4
 
winbind nss info = rfc2307

Hi
This configuration suggests that your rfc2307 attributes are stored in
AD. Are you sure your users and groups have uidNumber and/or gidNumber
attributes set under their respective DN's? If not, then winbind has
nothing to retrieve for the getent command. Oh, and kill any nscd for
the moment.
HTH
Steve




[Samba] Fwd: RE: [3.6.8] XP fails with error 1326

2013-10-07 Thread Gaiseric Vandal




-------- Original Message --------
Subject: RE: [Samba] [3.6.8] XP fails with error 1326
Date: Mon, 7 Oct 2013 12:46:04 -0500
From: JUAN EDUARDO DELGADILLO CHAVEZ j...@idec.edu.mx
To: gaiseric.van...@gmail.com



Re: [Samba] [3.6.8] XP fails with error 1326

Did you create the smb user and password?

You must create users with smbpasswd -a username to connect to the share

*From:* samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] *On behalf of* Gaiseric Vandal
*Sent:* Monday, October 07, 2013 10:21 a.m.
*To:* samba@lists.samba.org
*Subject:* Re: [Samba] [3.6.8] XP fails with error 1326

Does the unix level nobody account exist?


Does it work with Win 7 clients?



On 10/07/13 11:08, Winfried wrote:
 Hello

 I've googled and experimented for the past few hours but am still stuck
 trying to simply share a temporary directory in read-only with anyone 
on the

 LAN.

 Here's the smb.conf I'm using:
 ==
 /etc/samba# cat smb.conf
 [global]
 workgroup = WORKGROUP
 encrypt passwords = yes
 ;wins support = yes
 ;log level = 1
 ;max log size = 1000
 ;read only = no
 guest account = nobody

 ;[homes]
 ;browsable = no
 ;map archive = yes

 [test]
 path = /tmp
 browsable = yes
 read only = yes
 guest ok = yes
 ;public = yes
 ==

 Neither smbd nor nmbd show any error in the log files, so I guess 
things are

 fine on this end.

 But the share isn't displayed in XP's NetHood and net view returns 
this:

 System error 1326 has occurred. Logon failure: unknown user name or bad
 password.

 Any idea what could prevent XP from reading the share?

 Thank you.



 --
 View this message in context: 
http://samba.2283325.n4.nabble.com/3-6-8-XP-fails-with-error-1326-tp4654631.html

 Sent from the Samba - General mailing list archive at Nabble.com.


Re: [Samba] Failover

2013-10-07 Thread Andrew Bartlett
On Mon, 2013-10-07 at 15:36 +0200, Sandbox wrote:
 Hi guys,
 
 
 I have a domain with Samba 4.0.5 domain controllers and also a failover
 DRBD shared disk, where the active DC controlls the access to the disk.
 DOMAINC01 - 10.48.16.150
 DOMAINC02 - 10.48.16.151
 DOMAINCHA - 10.48.16.155  this would be the failover IP, which works
 perfectly on Windows XP clients.
 I can see the shares, just like on DOMAINC01 or DOMAINC02 and if the users
 has the proper credentials they can write open etc.
 But when I try to do the same on a Windows 7 client I simply get an error
 message  You dont have the proper rights to open the directory
 I guess because of the DOMAINCHA virtual controller is not in the AC, but
 shall I add a computer to the AC so my win7 clients could open the
 available shares?

Please don't use DRBD with Samba as an AD DC.  You don't need it (you
should have two DRS replicating DCs).  The reason I am so strongly
against this is that I had to work very hard to recover a corrupt
database at such a site.  We suspect that barriers were either not
enabled or not passed down to the OS in this case, followed by an
unexpected loss of power.  The corrupt database was then perfectly
mirrored to the DRBD clone, resulting in two corrupt mirrors.  DRS
replication likely would have detected the corruption (because the
database would not have been valid) and failed the replica, saving the
data.

Andrew Bartlett 

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Problem with squid+ntlm+samba

2013-10-07 Thread Andrew Bartlett
On Wed, 2013-10-02 at 10:47 -0300, Silvio Aparecido wrote:
 Hello,
 
 first, sorry by duplicated email, my last have write errors
 
 I'm having a little problem after logging into domain via samba, after a 
 few minutes the squid no longer authenticates the users through single 
 sign on and keeps asking for authentication in the browser without stopping.

 Error logs:
 
 [2013/10/01 19:39:44,  0] 
 utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
 2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user 
 via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
 
Login for user [SALE]\[wellington.gomes]@[TI-06] failed due to 
 [Access denied]
 2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user 
 via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
 [2013/10/01 19:37:35,  0] 
 utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
 
 [2013/10/01 19:36:52, 10] utils/ntlm_auth.c:2190(manage_squid_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
 
 [2013/10/01 10:30:12,  3] utils/ntlm_auth.c:329(check_plaintext_auth)
NT_STATUS_ACCESS_DENIED: Access denied (0xc022)

What does wbinfo -P show?

Are you correctly joined to the domain?  Can you authenticate using
wbinfo as root, and then as squid?

What do the winbind logs show?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz
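
A triage sketch for the log lines quoted in this thread, added here as an example and not part of the original messages: it separates Squid NTLM helper replies of type BH (the helper could not process the request) from NA (credentials rejected), which is the distinction behind the questions about the domain join and about running wbinfo as the squid user. The function name is hypothetical, and the sample log, including the account, workstation and the NA line, is constructed in the shape of the quoted entries.

```python
import re
from collections import Counter
from datetime import datetime

# Reply codes of the Squid NTLM helper protocol (squid-2.5-ntlmssp).
REPLY_MEANING = {
    "TT": "challenge sent, handshake continues",
    "AF": "authentication succeeded",
    "NA": "credentials rejected",
    "BH": "helper could not process the request",
}

# Constructed sample: cache.log and ntlm_auth lines shaped like those in the thread.
SAMPLE_LOG = r"""
[2013/10/01 19:37:35,  0] utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
  Login for user [SALE]\[example.user]@[WS-01] failed due to [Access denied]
2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
2013/10/01 19:41:02| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'NA NT_STATUS_WRONG_PASSWORD'
"""

# re.S lets one entry span a wrapped line, as in the mail-quoted form of the log.
SQUID_RE = re.compile(
    r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\|\s*authenticateNTLMHandleReply:"
    r".*?Error returned '([A-Z]{2}) ([A-Z_0-9]+)'", re.S)
LOGIN_RE = re.compile(
    r"Login for user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]\s+failed due to\s+\[([^\]]*)\]")


def triage(log_text):
    """Summarise NTLM helper failures: reply codes, NT statuses, accounts, BH time span."""
    events = [(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), code, status)
              for ts, code, status in SQUID_RE.findall(log_text)]
    by_code = Counter(code for _, code, _ in events)
    bh_times = [ts for ts, code, _ in events if code == "BH"]
    accounts = sorted({f"{dom}\\{user}@{host}"
                       for dom, user, host, _ in LOGIN_RE.findall(log_text)})
    if by_code["BH"]:
        verdict = "helper-side"   # look at winbind, the join and helper permissions
    elif by_code["NA"]:
        verdict = "credentials"   # the directory answered and said no
    else:
        verdict = "clean"
    return {
        "by_code": dict(by_code),
        "statuses": sorted({status for _, _, status in events}),
        "accounts": accounts,
        "bh_span_seconds": int((max(bh_times) - min(bh_times)).total_seconds()) if bh_times else 0,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for code, count in report["by_code"].items():
        print(f"{code} x{count}: {REPLY_MEANING.get(code, 'unknown reply')}")
    print(report)
```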




Re: [Samba] Failover

2013-10-07 Thread Robert Gurdon


On 2013-10-07 21:11, Andrew Bartlett wrote:

On Mon, 2013-10-07 at 15:36 +0200, Sandbox wrote:

Hi guys,


I have a domain with Samba 4.0.5 domain controllers and also a failover
DRBD shared disk, where the active DC controlls the access to the disk.
DOMAINC01 - 10.48.16.150
DOMAINC02 - 10.48.16.151
DOMAINCHA - 10.48.16.155  this would be the failover IP, which works
perfectly on Windows XP clients.
I can see the shares, just like on DOMAINC01 or DOMAINC02 and if the users
has the proper credentials they can write open etc.
But when I try to do the same on a Windows 7 client I simply get an error
message  You dont have the proper rights to open the directory
I guess because of the DOMAINCHA virtual controller is not in the AC, but
shall I add a computer to the AC so my win7 clients could open the
available shares?

Please don't use DRDB with Samba as an AD DC.  You don't need it (you
should have two DRS replicating DCs).  The reason I am so strongly
against this is that I had to work very hard to recover a corrupt
database at such a site.  We suspect that barriers were either not
enabled or not passed down to the OS in this case, followed by a
unexpected loss of power.  The corrupt database was then perfectly
mirrored to the DRDB clone, resulting in two corrupt mirrors.  DRS
replication likely would have detected the corruption (because the
database would not have been valid) and failed the replica, saving the
data.

Andrew Bartlett


Hi,

You misunderstood me, I don't use DRBD as database storage (only for 
users' documents and stuff); my servers' databases are sitting in their 
private place :)


--
Kind regards:

Robert




Re: [Samba] samba 4 DC slow users bulk load

2013-10-07 Thread Nikos Mitas
Hello again,

all three samba4 DC's have 16 GB RAM each and 2 sockets with 4 cores each
(total 8 cores each) the three DC's and the identity manager are in the
same VLAN.

but today i noticed that during bulk load only one core is busy 100% and
the rest are idle. i was unable to run samba under TDB_NO_FSYNC=1 today.
maybe tomorrow.

this is the link for the perf.data file:
http://www.sendspace.com/file/9g46ll
this is my smb.conf:

# Global parameters
[global]

workgroup = NKMITAS
realm = nkmitas.gr
netbios name = SAMBA4DC3
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
path = /usr/local/samba/var/locks/sysvol/nkmitas.gr/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

thanks for your help
On Oct 6, 2013 11:49 PM, Andrew Bartlett abart...@samba.org wrote:

 On Sun, 2013-10-06 at 13:48 +0300, Nikos Mitas wrote:
  Hello,
 
  i have successfully installed samba 4 on three vmware VM's and everything
  works fine (join pc to domain, user login, dns updates, ntp),
  but i am facing some performance problems during users bulk loading.
  my environment:
 
  1st DC: RedHat Linux v6.4,samba 4.1rc4,dns 9.9.3P2,ntp
  2nd DC:RedHat Linux v6.4,samba 4.1rc4,dns 9.9.3P2,ntp
  3rd DC:RedHat Linux v6.4,samba 4.1rc4,ntp
 
 
  to bulk load the users (around 20.000 accounts) i am using IBM Tivoli
  Identity Manager to automatically create the AD accounts into Samba
  but the performance is poor. 120 users per hour at most.
 
  Any ideas what to check or what needs to be tuned?

 We need to work out what specifically is slow, so we can deal with it.

 If you can capture the ldap server task under 'perf record -g -p PID'
 that might give some clues.  It shouldn't take 30 seconds to add a user,
 but at this size many O(n^2) things blow up badly, and we may need to
 re-investigate better approaches in some cases.

 Also, ensure you have plenty of memory, and for the period of the
 import, run samba under TDB_NO_FSYNC=1.  This makes samba unsafe against
 a poweroff event (equivalent to linking with libeatmydata), so don't use
 this in production, but it will make things much, much faster for the
 initial import.

 Andrew Bartlett

 Andrew Bartlett

 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 Samba Developer, Catalyst IT   http://catalyst.net.nz





Re: [Samba] samba 4 DC slow users bulk load

2013-10-07 Thread Andrew Bartlett
On Mon, 2013-10-07 at 22:52 +0300, Nikos Mitas wrote:
 Hello again,
 
 all three samba4 DC's have 16 GB RAM each and 2 sockets with 4 cores each
 (total 8 cores each) the three DC's and the identity manager are in the
 same VLAN.
 
 but today i noticed that during bulk load only one core is busy 100% and
 the rest are idle. i was unable to run samba under TDB_NO_FSYNC=1 today.
 maybe tomorrow.
 
 this is the link for the perf.data file:
 http://www.sendspace.com/file/9g46ll
 this is my smb.conf:

The perf.data file isn't any use to me without your full build tree, so
the best way to use it is to then run 'perf report -g' and investigate
where the highest CPU users are, and what calls them.  (it is a
curses-based tool). 

The 100% busy CPU is because the LDAP server is single-threaded, so that
isn't really unexpected.

I hope this helps you make some more progress chasing this down. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] samba 4 DC slow users bulk load

2013-10-07 Thread Nikos Mitas
sorry, but can you give me more details about 'full build tree' ?




2013/10/7 Andrew Bartlett abart...@samba.org

 On Mon, 2013-10-07 at 22:52 +0300, Nikos Mitas wrote:
  Hello again,
 
  all three samba4 DC's have 16 GB RAM each and 2 sockets with 4 cores each
  (total 8 cores each) the three DC's and the identity manager are in the
  same VLAN.
 
  but today i noticed that during bulk load only one core is busy 100% and
  the rest are idle. i was unable to run samba under TDB_NO_FSYNC=1 today.
  maybe tomorrow.
 
  this is the link for the perf.data file:
  http://www.sendspace.com/file/9g46ll
  this is my smb.conf:

 The pref.data file isn't any use to me without your full build tree, so
 the best way to use it is to then run 'perf report -g' and investigate
 where the highest CPU users are, and what calls them.  (it is
 curses-based tool).

 The 100% busy CPU is because the LDAP server is single-threaded, so that
 isn't really unexpected.

 I hope this helps you make some more progress chasing this down.

 Andrew Bartlett

 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org
 Samba Developer, Catalyst IT   http://catalyst.net.nz





[SCM] Samba Shared Repository - branch master updated

2013-10-07 Thread Matthieu Patou
The branch, master has been updated
   via  51c612e Remove check_col from generated DCE/RPC dissectors.
  from  c952e11 smbd: Remove byte_range_lock-read_only

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 51c612e4de9e52bf1967172728bb2dc7b63f9cd7
Author: Matthieu Patou m...@matws.net
Date:   Sun Oct 6 01:31:35 2013 -0700

Remove check_col from generated DCE/RPC dissectors.

This is a backport of
http://anonsvn.wireshark.org/viewvc?view=revisionrevision=52313

Bug 8804 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8804).

Signed-off-by: Matthieu Patou m...@matws.net
Reviewed-by: Andrew Bartlett abartl...@samba.org

Autobuild-User(master): Matthieu Patou m...@samba.org
Autobuild-Date(master): Mon Oct  7 08:09:51 CEST 2013 on sn-devel-104

---

Summary of changes:
 pidl/lib/Parse/Pidl/Wireshark/NDR.pm |8 
 1 files changed, 4 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/pidl/lib/Parse/Pidl/Wireshark/NDR.pm 
b/pidl/lib/Parse/Pidl/Wireshark/NDR.pm
index 9c49931..1151dc0 100644
--- a/pidl/lib/Parse/Pidl/Wireshark/NDR.pm
+++ b/pidl/lib/Parse/Pidl/Wireshark/NDR.pm
@@ -534,12 +534,12 @@ sub Function($$$)
if (not defined($fn-{RETURN_TYPE})) {
} elsif ($fn-{RETURN_TYPE} eq NTSTATUS) {
$self-pidl_code(offset = dissect_ntstatus(tvb, offset, pinfo, 
tree, drep, hf\_$ifname\_status, status);\n);
-   $self-pidl_code(if (status != 0  check_col(pinfo-cinfo, 
COL_INFO)));
+   $self-pidl_code(if (status != 0));
$self-pidl_code(\tcol_append_fstr(pinfo-cinfo, COL_INFO, \, 
Error: %s\, val_to_str(status, NT_errors, \Unknown NT status 0x%08x\));\n);
$return_types{$ifname}-{status} = [NTSTATUS, NT Error];
} elsif ($fn-{RETURN_TYPE} eq WERROR) {
$self-pidl_code(offset = dissect_ndr_uint32(tvb, offset, 
pinfo, tree, drep, hf\_$ifname\_werror, status);\n);
-   $self-pidl_code(if (status != 0  check_col(pinfo-cinfo, 
COL_INFO)));
+   $self-pidl_code(if (status != 0));
$self-pidl_code(\tcol_append_fstr(pinfo-cinfo, COL_INFO, \, 
Error: %s\, val_to_str(status, WERR_errors, \Unknown DOS error 
0x%08x\));\n);

$return_types{$ifname}-{werror} = [WERROR, Windows 
Error];
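Review bot: the rewritten guard in the NTSTATUS and WERROR branches, `if (status != 0)`, is still emitted as a brace-less conditional whose body is the single tab-indented col_append_fstr line produced by the next pidl_code call. Since the guard is being touched anyway, consider emitting the braces from the generator so that a statement added to that body later cannot fall outside the condition. The commit message also only points at the upstream revision and bug number; one sentence on why the check_col() test can be dropped would save readers a trip to the Wireshark tracker.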
@@ -549,12 +549,12 @@ sub Function($$$)
my $return_dissect = dissect_ndr_ 
.Parse::Pidl::Typelist::enum_type_fn($type-{DATA});
 
$self-pidl_code(offset = $return_dissect(tvb, offset, 
pinfo, tree, drep, hf\_$ifname\_$fn-{RETURN_TYPE}_status, status););
-   $self-pidl_code(if (status != 0  
check_col(pinfo-cinfo, COL_INFO)));
+   $self-pidl_code(if (status != 0));
$self-pidl_code(\tcol_append_fstr(pinfo-cinfo, 
COL_INFO, \, Status: %s\, val_to_str(status, 
$ifname\_$fn-{RETURN_TYPE}\_vals, \Unknown  . $fn-{RETURN_TYPE} .  error 
0x%08x\));\n);
$return_types{$ifname}-{$fn-{RETURN_TYPE}._status} 
= [$fn-{RETURN_TYPE}, $fn-{RETURN_TYPE}];
} elsif ($type-{DATA}-{TYPE} eq SCALAR) {
$self-pidl_code(offset = 
dissect_ndr_$fn-{RETURN_TYPE}(tvb, offset, pinfo, tree, drep, 
hf\_$ifname\_$fn-{RETURN_TYPE}_status, status););
-   $self-pidl_code(if (status != 0  
check_col(pinfo-cinfo, COL_INFO)));
+   $self-pidl_code(if (status != 0));
$self-pidl_code(\tcol_append_fstr(pinfo-cinfo, 
COL_INFO, \, Status: %d\, status);\n);
$return_types{$ifname}-{$fn-{RETURN_TYPE}._status} 
= [$fn-{RETURN_TYPE}, $fn-{RETURN_TYPE}];
}
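Review bot: the enum and SCALAR branches in this hunk receive the same one-line replacement as the NTSTATUS and WERROR branches in the previous hunk, which leaves four copies of the guard-plus-col_append_fstr emission in Function(). A small helper that emits the guard and the append for a given format string and argument list would reduce the next dissector API change to a single edit and keep the four branches from drifting apart.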


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v4-0-test updated

2013-10-07 Thread Karolin Seeger
The branch, v4-0-test has been updated
   via  5b0caf4 VERSION: Bump version number up to 4.0.11...
   via  55c51b8 VERSION: Disable git snapshots for the 4.0.10 release.
   via  6b120a5 WHATSNEW: Update release date.
  from  825aadb WHATSNEW: Add latest changes since 4.0.9.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -
commit 5b0caf4a0b9ea141a912c356abe200c3499ad852
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Oct 7 10:47:15 2013 +0200

VERSION: Bump version number up to 4.0.11...

and re-enable git snapshots.

Signed-off-by: Karolin Seeger ksee...@samba.org

commit 55c51b864a32d7b66240b4a9fb9162906861b1d7
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Oct 7 10:46:08 2013 +0200

VERSION: Disable git snapshots for the 4.0.10 release.

Signed-off-by: Karolin Seeger ksee...@samba.org

commit 6b120a594bdd387251866e04b7f0d2e8140bcdf3
Author: Karolin Seeger ksee...@samba.org
Date:   Mon Oct 7 10:45:14 2013 +0200

WHATSNEW: Update release date.

Signed-off-by: Karolin Seeger ksee...@samba.org

---

Summary of changes:
 VERSION  |2 +-
 WHATSNEW.txt |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 02c79f3..eb74a75 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
 
 
 # If a official release has a serious bug  #
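Review bot: only SAMBA_VERSION_RELEASE changes in this hunk, and the diffstat counts a single changed line in VERSION, so the snapshot toggle described by 55c51b8 (disable) and 5b0caf4 (re-enable) cancels out in this combined diff. Because the release is cut from the intermediate commit, it is worth confirming on the release tag that the snapshot setting was actually off there, since nothing in this mail shows that state.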
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b6d0c72..3b9462b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,6 +1,6 @@
==
Release Notes for Samba 4.0.10
-   October 1, 2013
+   October 8, 2013
==
 
 


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch v4-1-test updated

2013-10-07 Thread Karolin Seeger
The branch, v4-1-test has been updated
   via  82d6a43 doc: Update documentation of pam_winbind krb5 support.
   via  5a55cb6 s3-winbind: Add support for the kernel krb5 keyring buffer.
   via  58038f6 s3-winbind: Don't set a default directory for DIR.
   via  996415f Revert Support UPN_DNS_INFO in the PAC
  from  76c4a51 Merge tag 'samba-4.1.0rc4' into v4-1-test

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -
commit 82d6a4354d3b4a6cc9e70ccfb21d7b604bed179b
Author: Andreas Schneider a...@samba.org
Date:   Tue Sep 10 09:43:32 2013 +0200

doc: Update documentation of pam_winbind krb5 support.

Signed-off-by: Andreas Schneider a...@samba.org
Reviewed-by: Guenther Deschner g...@samba.org

Autobuild-User(master): Günther Deschner g...@samba.org
Autobuild-Date(master): Tue Sep 10 15:35:20 CEST 2013 on sn-devel-104

The last 3 patches address bug #10132 - pam_winbindd should support the
KEYRING ccache type.

Autobuild-User(v4-1-test): Karolin Seeger ksee...@samba.org
Autobuild-Date(v4-1-test): Mon Oct  7 12:21:29 CEST 2013 on sn-devel-104

commit 5a55cb636fa50e96000ea6a00960cc34e00e26a1
Author: Andreas Schneider a...@samba.org
Date:   Tue Sep 10 09:30:04 2013 +0200

s3-winbind: Add support for the kernel krb5 keyring buffer.

Signed-off-by: Andreas Schneider a...@samba.org
Reviewed-by: Guenther Deschner g...@samba.org

commit 58038f6b26b5363f07d6e4a3fac6db461f9bca2c
Author: Andreas Schneider a...@samba.org
Date:   Tue Sep 10 09:28:50 2013 +0200

s3-winbind: Don't set a default directory for DIR.

There is no default so you should always have to specify a directory in
the config file.

Signed-off-by: Andreas Schneider a...@samba.org
Reviewed-by: Guenther Deschner g...@samba.org

commit 996415fa84d22021fcbd7db8fa21bb8dbacca125
Author: Stefan Metzmacher me...@samba.org
Date:   Thu Oct 3 15:14:58 2013 +0200

Revert Support UPN_DNS_INFO in the PAC

This reverts commit a6be8a97f705247c1b1cbb0595887d8924740a71.

We fail (often) to parse a krb5pac type 12 buffer due to the incomplete change
which came in via a6be8a97f705247c1b1cbb0595887d8924740a71. This change came
into master and has only been released in RCs so no regression to published
4.0.x releases. We should revert this for 4.1 for now until we can make it work
in all cases (see work on this in
https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac_type12).
Without this revert the entire PAC parsing may fail which can effect serious
implications (krb5 smb session setup not working).

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10178

Signed-off-by: Günther Deschner g...@samba.org
Reviewed-by: Stefan Metzmacher me...@samba.org

Autobuild-User(master): Stefan Metzmacher me...@samba.org
Autobuild-Date(master): Thu Oct  3 17:08:46 CEST 2013 on sn-devel-104
(cherry picked from commit 8b51eabf319689d45ce1f8492c4372b49eecb794)

---

Summary of changes:
 docs-xml/manpages/pam_winbind.conf.5.xml |   26 +-
 librpc/idl/krb5pac.idl   |   16 +++-
 source3/winbindd/winbindd_pam.c  |4 ++--
 3 files changed, 26 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml 
b/docs-xml/manpages/pam_winbind.conf.5.xml
index be7f684..725e809 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,24 @@
termkrb5_ccache_type = [type]/term
listitempara
 
-   When pam_winbind is configured to try kerberos authentication by
-   enabling the parameterkrb5_auth/parameter option, it can
-   store the retrieved Ticket Granting Ticket (TGT) in a credential
-   cache. The type of credential cache can be controlled with this
-   option.  The supported values are: parameterFILE/parameter
-   and parameterDIR/parameter (when the DIR type is supported
-   by the system's Kerberos library). In case of FILE a credential
+   When pam_winbind is configured to try kerberos authentication
+   by enabling the parameterkrb5_auth/parameter option, it can
+   store the retrieved Ticket Granting Ticket (TGT) in a
+   credential cache. The type of credential cache can be
+   controlled with this option.  The supported values are:
+   parameterKEYRING/parameter (when supported by the system's
+   Kerberos library and Kernel), parameterFILE/parameter and
+   parameterDIR/parameter (when the DIR type is supported by
+   the 
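Review bot: the added krb5_ccache_type paragraph capitalises inconsistently: "kerberos authentication" is lower-case, "Kerberos library" is capitalised, and "Kernel" is capitalised mid-sentence. Use "Kerberos" throughout and "kernel". KEYRING is now listed first among the supported values, so the text should also say which type applies when the option is unset and, since 58038f6 removes the default directory for DIR, that DIR needs an explicit path. The hunk is cut off here, so it is not visible whether the rest of the paragraph covers this.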

autobuild: intermittent test failure detected

2013-10-07 Thread autobuild
The autobuild test system has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey/2013-10-08-0057/flakey.log

The samba3 build logs are available here:

   http://git.samba.org/autobuild.flakey/2013-10-08-0057/samba3.stderr
   http://git.samba.org/autobuild.flakey/2013-10-08-0057/samba3.stdout

The source4 build logs are available here:

   http://git.samba.org/autobuild.flakey/2013-10-08-0057/samba.stderr
   http://git.samba.org/autobuild.flakey/2013-10-08-0057/samba.stdout
  
The top commit at the time of the failure was:

commit 51c612e4de9e52bf1967172728bb2dc7b63f9cd7
Author: Matthieu Patou m...@matws.net
Date:   Sun Oct 6 01:31:35 2013 -0700

Remove check_col from generated DCE/RPC dissectors.

This is a backport of
http://anonsvn.wireshark.org/viewvc?view=revision&revision=52313

Bug 8804 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8804).

Signed-off-by: Matthieu Patou m...@matws.net
Reviewed-by: Andrew Bartlett abartl...@samba.org

Autobuild-User(master): Matthieu Patou m...@samba.org
Autobuild-Date(master): Mon Oct  7 08:09:51 CEST 2013 on sn-devel-104