Re: [Samba] [PATCH] Fix Samba 4.1.0 join Windows 2003 Server with BIND9_DLZ

2013-10-14 Thread Andrew Bartlett
On Mon, 2013-10-14 at 07:42 -0300, Jacó Ramos wrote:
> I type...
> 
> tar zxvf samba-4.1.0.tar.gz
> cd samba-4.1.0
> patch -p1 < 0001-provision-Do-not-set-dns-HOSTNAME-password-during-ad.patch
> ./configure
> make
> make install
> 
> This procedure is correct?

As has been pointed out elsewhere, the patch is incorrect.  

Try this one instead:
https://attachments.samba.org/attachment.cgi?id=9210

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] using samba 4 as plugin replacement for samba 3

2013-10-14 Thread Andrew Bartlett
On Mon, 2013-10-14 at 08:22 +0200, Daniel Müller wrote:
> THIS WILL NOT WORK:  can I simply give samba 4 a copy of the old smb.conf
> file?

Except for the parameters that were removed (security=share,
security=server in particular), it really should work.  If it does not,
please file a bug with exact directions to reproduce. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



[Samba] [homes] support in Samba 4.x

2013-10-14 Thread Andrew Bartlett
On Mon, 2013-10-14 at 13:06 +0200, Daniel Müller wrote:
> First of all no more [homes] but [home]!!

If you can please demonstrate a configuration that worked with Samba 3.x
and fails with Samba 4.0 regarding [homes] support, we would very much
like to fix it.  There has been no intentional change in this area. 

It is actually also meant to work on our AD DC, but I know a number of
folks don't use it because a [home] share works better with ADUC
(because that creates the home directory). 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] [PATCH] Fix Samba 4.1.0 join Windows 2003 Server with BIND9_DLZ

2013-10-14 Thread Andrew Bartlett
On Mon, 2013-10-14 at 09:35 +0200, Samuel Cabrero wrote:
> Hi Jacó,
> 
> we had the same problem and this patch worked for us:
> 
> https://attachments.samba.org/attachment.cgi?id=9210
> 
> Cheers.

Thanks, can you prepare it as a signed off git commit with 'git commit
-s' so I can apply it with all the right author stuff etc?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] execute permissions missing after upgrade to Samba 4

2013-10-13 Thread Andrew Bartlett
On Sun, 2013-10-13 at 15:39 +0200, Frantisek Hanzlik wrote:
> After upgrading from samba-3.6.12 to samba-4.0.9 (Fedora 17 i686 ->
>  Fedora 19 i686, smb.conf stayed same) I see weird behavior - windows
> client can not run executable files due to insufficient permissions.
> However, when I in Linux set (with 'chmod u+x,g+x ...') execution bit
> for these files, all is fine and windows client can run them.
> It seems for me as samba4 (contrary to samba3) now check x bit for
> some 'Read-And-Execute' (or how are executables called from windows)
> and deny access although client has all other rights (read and write)
> to this .exe file.
> Data are stored on ext4 volume which is mounted with 'user_xattr acl'
> option. My smb.conf look as (some IMO unimportant items omitted from
> 'testparm -s' output):
> 
> [global]
> logon script = %m.bat
> logon path =
> domain logons = Yes
> os level = 63
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> idmap config * : backend = tdb
> ea support = Yes
> map archive = No
> map readonly = no
> store dos attributes = Yes
> 
> [info]
> comment = Data info
> path = /home/DATA/info
> read list = @info
> write list = @info
> force group = info
> create mask = 0770
> directory mask = 0771
> force create mode = 0660
> force directory mode = 02770
> -
> 
> How is possible solve this issue? Win client self did not set x bit
> on executables (e.g. when I from windows client extract ZIP archive
> with executables, they have no x-bit set). Should Samba4 itself set
> 'Read-And-Execute' rights, either by setting the x bit or by setting these
> rights in extended attributes?

See the new parameter in Samba 4.0.10 'acl allow execute always'

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Problems joining Samba4 domain

2013-10-13 Thread Andrew Bartlett
On Sun, 2013-10-13 at 14:29 +0100, Rowland Penny wrote:

> Just how closely did you follow the webpage you posted in your OP? It 
> seems to be using the standard samba4 packages from Ubuntu, which if I 
> remember correctly are broken. Also there is a howler on the webpage you 
> posted, you are advised to create a share called [global] , this is the 
> standard top share that you will find in any smb.conf.
> 
> I would advise you to compile samba4 yourself, it is easy, see here: 
> https://wiki.samba.org/index.php/Build_Samba
> 
> I would also suggest that you use the latest tarball (4.1.0)

I totally agree.  We are only now getting current Samba 4.0 packages
into Debian unstable, and Ubuntu's package, particularly on 12.04 is
very, very old.  

Start with current code, and then get network traces and log files if
you still have issues. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] using samba 4 as plugin replacement for samba 3

2013-10-13 Thread Andrew Bartlett
On Fri, 2013-10-11 at 17:00 +0200, Klaus Hartnegg wrote:
> Hi,
> 
> when I don't want to switch to Active Directory, but don't want to be 
> stuck on version 3.6 either, can I simply give samba 4 a copy of the old 
> smb.conf file?

Yes.

> Will it be able to store all windows acl's in extended attributes, or is 
> this improvement only available in combination with letting it run as 
> active directory domain controller?

You can load acl_xattr as a vfs module without being an AD DC, it's just
on by default in that case.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


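The three configuration points raised in these replies (the removed security = share / security = server modes that stop an old smb.conf from working, the 'acl allow execute always' parameter from the execute-permissions thread above, and loading acl_xattr as a VFS module outside the AD DC) are worth checking mechanically before a 3.6 smb.conf is carried over to Samba 4. The lint below is an added example written for this page, not Samba project code: the smb.conf it parses is constructed, the share names and paths are invented, and the replacement settings it suggests for the removed modes are the usual ones from the smb.conf man page rather than anything stated in the thread.

```python
import re

TRUE_VALUES = {"yes", "true", "1", "on"}
REMOVED_SECURITY_MODES = {"share", "server"}   # gone since Samba 4.0


def canon(name):
    """Samba matches parameter names ignoring case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text):
    """Parse an smb.conf body into {section: {canonical_parameter: value}}.

    Comments (# or ;) are skipped and a repeated parameter keeps its last
    value, as smbd does.  'include =' and '%' substitutions are not expanded,
    so feed it 'testparm -s' output if the real file relies on them.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside any section
        key, _, value = line.partition("=")
        sections[current][canon(key)] = value.strip()
    return sections


def lint_smb_conf(text):
    """Return (section, level, message) findings; an empty list means clean."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    mode = g.get("security", "user").strip().lower()
    if mode in REMOVED_SECURITY_MODES:
        findings.append(("global", "error",
            "security = %s was removed in Samba 4.0: use security = user "
            "(plus 'map to guest' / 'guest ok' for the old share-mode shares) "
            "or security = domain / ads instead of server-mode pass-through"
            % mode))
    if is_true(g.get("aclallowexecutealways")):
        findings.append(("global", "warning",
            "acl allow execute always = yes restores the Samba 3.6 behaviour "
            "of allowing 'open for execution' on files without an execute "
            "bit, on every share; prefer chmod +x on the binaries that need it"))

    for name, params in conf.items():
        if name == "global":
            continue
        effective = dict(g)               # a share inherits the global defaults
        effective.update(params)
        if is_true(params.get("aclallowexecutealways")) and \
                not is_true(g.get("aclallowexecutealways")):
            findings.append((name, "warning",
                "acl allow execute always = yes on this share: clients may "
                "run files here that carry no execute permission"))
        if "acl_xattr" not in effective.get("vfsobjects", "").split():
            findings.append((name, "info",
                "no acl_xattr in vfs objects: NT ACLs set from Windows are "
                "mapped onto POSIX permissions rather than stored verbatim; "
                "add 'vfs objects = acl_xattr' (default only on the AD DC)"))
    return findings


# Constructed sample: a Samba 3.6 era smb.conf carried over unchanged.
OLD_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = share
    acl allow execute always = yes

[info]
    path = /home/DATA/info
    read list = @info
    Write List = @info
"""

# Constructed sample: the same site after the findings have been acted on.
FIXED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = user
    map to guest = Bad User
    vfs objects = acl_xattr

[info]
    path = /home/DATA/info
    read list = @info
"""

if __name__ == "__main__":
    for section, level, message in lint_smb_conf(OLD_SMB_CONF):
        print("[%s] %s: %s" % (section, level.upper(), message))
    print("fixed config findings:", lint_smb_conf(FIXED_SMB_CONF))
```

Run it against `testparm -s` output rather than the raw file when the configuration uses include files or % substitutions, since those are not expanded here. The acl_xattr finding is informational only: without the module Samba still enforces access through the POSIX permissions and ACLs, it just cannot preserve every NT ACL a Windows client sets.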


Re: [Samba] [PATCH] Fix Samba 4.1.0 join Windows 2003 Server with BIND9_DLZ

2013-10-13 Thread Andrew Bartlett
On Sat, 2013-10-12 at 12:35 -0700, Mauricio Alvarez wrote:
> Is there any chance the problem I am having (drsuapi.DsBindInfoFallBack' 
> object has no attribute 'supported_extensions') is related to this patch?

No.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] HTML docs and the removal of SWAT in 4.1

2013-10-12 Thread Andrew Bartlett
On Fri, 2013-10-11 at 15:17 -0400, Charles Marcus wrote:
> On 2013-10-11 9:49 AM, samba-requ...@lists.samba.org 
>  wrote:
> > REMOVED COMPONENTS
> > ==
> >
> > The Samba Web Administration Tool (SWAT) has been removed.
> > Details why SWAT has been removed can be found on the samba-technical 
> > mailing
> > list:
> >
> > https://lists.samba.org/archive/samba-technical/2013-February/090572.html
> 
> Just curious what was decided about this comment (he has a very 
> excellent point):
> 
> "I have yet to make the jump to Samba4, so I have not seen the version of
> SWAT designed for it.
> 
> For me, the primary benefit of SWAT in Samba3 was the ability to use the
> help link for any parameter to see what that parameter did, what the
> default was, and what its proper syntax was.  For reference, I ran "man
> smb.conf".  Viewing full screen, I pressed the "Page Down" key 34 times
> and was still in the 1st third of the alphabetical listing of
> parameters.  It's no small wonder that I never used "man smb.conf" to
> configure Samba.  SWAT was my friend.
> 
> So, if Samba4 has anywhere near the number of parameters as Samba3, I
> would be greatly disappointed to see SWAT go away entirely.  An html
> version of the samba-doc package that contained all parameters with
> links to their definitions/descriptions would be a welcome and suitable
> replacement.

You can search the manpage with the normal pager commands
(eg /directory).

No matter if we would have liked to keep SWAT around, it was simply not
maintained, and fixing the CVE issues only introduced other issues. 

HTML documentation should be generated by running 'make htmlman' in the
docs-xml directory, but some of this seems to have bitrotted, at least
in my brief testing.  Patches to have HTML manpages generated by our
main buildsystem (see docs-xml/wscript_build and
buildtools/wafsamba/wafsamba.py) are most welcome. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba 4.0.10 - 4.1.0 - master can no longer join existing Win2003 domain?

2013-10-12 Thread Andrew Bartlett
On Fri, 2013-10-11 at 10:54 -0700, Mauricio Alvarez wrote:
> Hello,
> 
> I can NO LONGER join the existing win 2003 domain (functional level win 
> 2003, I also have installed Group Policy Client Side Extensions for Windows 
> Server 2003).
> 
> I am running on Ubuntu Server 13.04. I have tried Samba 4.0.10, 4.1.0 and 
> also, in desperation, samba-master.
> 
> I managed to join the domain with samba 4.0.8 (not sure if it was .8 or .9, 
> it was in mid-September), downloaded via git, compiled and followed the wiki.
> 
> All was running OK for some time, until I found out it was no longer 
> replicating. Then I noticed WERR_VERSION_MISMATCH errors when running drs 
> showrepl.
> 
> Since I was no longer able to demote the Samba4  DC, I decided to manually 
> delete from the Win2003, delete the samba4 directories and start over.
> 
> Now when I try join the domain it fails with 
> ERROR(): uncaught exception - 
> 'drsuapi.DsBindInfoFallBack' object has no attribute 'supported_extensions'

To make any progress we need the full backtrace.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] [PATCH] Fix Samba 4.1.0 join Windows 2003 Server with BIND9_DLZ

2013-10-12 Thread Andrew Bartlett
On Fri, 2013-10-11 at 12:06 -0300, Jacó Ramos wrote:
> Hi guys,
> 
> When run join in DC
> 
> root@samba4:~# samba-tool domain join jacoramos.net.br DC -Uadministrador
> --realm=jacoramos.net.br --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'jacoramos.net.br'
> Found DC win2003.jacoramos.net.br
> Password for [WORKGROUP\administrador]:
> workgroup is JACORAMOS
> realm is jacoramos.net.br
> checking sAMAccountName
> Adding CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
> Adding
> CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> Adding CN=NTDS
> Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> Adding SPNs to CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
> Setting account password for SAMBA4$
> Enabling account
> Adding DNS account CN=dns-SAMBA4,CN=Users,DC=jacoramos,DC=net,DC=br with
> dns/ SPN
> Join failed - cleaning up
> checking sAMAccountName
> Deleted CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
> Deleted CN=NTDS
> Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> Deleted
> CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
> <052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
> > <>
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
> 552, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1169, in join_DC
> ctx.do_join()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1072, in do_join
> ctx.join_add_objects()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 616, in join_add_objects
> ctx.samdb.add(msg)
> root@samba4:~#

Sorry about that.   Try the attached patch. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

>From db44a43564a5a994184986e5bf5d059512ff5695 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Sun, 13 Oct 2013 07:40:58 +1300
Subject: [PATCH] provision: Do not set dns-HOSTNAME password during add

Windows servers do not accept a password set using clearTextPassword (a
Samba-only thing), so change it after the creation using the standard routines.

Andrew Bartlett

Signed-off-by: Andrew Bartlett 
---
 python/samba/join.py   | 1 -
 python/samba/provision/__init__.py | 6 ++
 source4/setup/provision_dns_add_samba.ldif | 1 -
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/python/samba/join.py b/python/samba/join.py
index 9cac8f5..c52ffdb 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -608,7 +608,6 @@ class dc_join(object):
 {"DNSDOMAIN": ctx.dnsdomain,
  "DOMAINDN": ctx.base_dn,
  "HOSTNAME" : ctx.myname,
- "DNSPASS_B64": b64encode(ctx.dnspass),
  "DNSNAME" : ctx.dnshostname}))
 for changetype, msg in recs:
 assert changetype == ldb.CHANGETYPE_NONE
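Review bot: dropping the DNSPASS_B64 substitution here leaves the join path with no replacement, since the diffstat lists python/samba/join.py with one deletion and no insertions and the only new samdb.setpassword() call in this patch is in setup_self_join in provision/__init__.py; unless join.py already sets the password elsewhere, a DC joined against a Windows 2003 server gets a dns-HOSTNAME account with no usable password and the BIND9_DLZ update key held in ctx.dnspass will not match it. Suggest adding the same call after the ctx.samdb.add(msg) loop, i.e. ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))" % ldb.binary_encode(ctx.myname), ctx.dnspass, force_change_at_next_login=False, username="dns-%s" % ctx.myname). The matching one-line removal from source4/setup/provision_dns_add_samba.ldif is cut off in this copy; confirm it is the clearTextPassword line, so the template no longer references an unsubstituted ${DNSPASS_B64}.
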
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index d8f353f..a31132a 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1127,6 +1127,12 @@ def setup_self_join(samdb, admin_session_info, names, fill, machinepass,
   "DNSNAME" : '%s.%s' % (
   names.netbiosname.lower(), names.dnsdomain.lower())
   })
+samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))"
+  % ldb.binary_encode(names.hostname),
+  dnspass,
+  force_change_at_next_login=False,
+  username="dns-%s"
+  % names.hostname)
 
 
 def getpolicypath(sysvolpath, dnsdomain, guid):
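Review bot: the new setpassword() call runs with no error handling after the account has already been added, so a failure here (for example the samAccountName=dns-<hostname> filter matching nothing when names.hostname differs from the names.netbiosname.lower() used to build DNSNAME a few lines above) leaves setup_self_join with a created DNS update account whose password is unknown, and the BIND9_DLZ key in dnspass silently stops matching. Suggest checking for exactly one match or letting the exception propagate with a clear message, plus a one-line comment above the call saying why the password cannot be set through the LDIF template (Windows DCs reject clearTextPassword), which the commit message explains but the code does not.
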
diff --git a/source4/setup/provision_dns_add_samba.ldif b/source4/setup/provision_dns_add_samba.ldif
index 7fb2e78..82f

Re: [Samba] Multiple A records on my parent domain name are confusing hosts

2013-10-11 Thread Andrew Bartlett
On Tue, 2013-10-08 at 10:23 -0700, Scott Goodwin wrote:
> I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
> 
> My domain is example.com
> My Samba4 server is myserver.example.com
> myserver has two nics: 10.10.10.5 and 192.168.10.2
> My externally hosted web site is www.example.com, and is hosted at
> 123.123.123.123
> I have an A and CNAME in DNS like so:
> 
>  @ A  123.123.123.123
> www   CNAME  example.com.
> 
> The above allows internal web browsers to access the external site via
> www.example.com or example.com. This works great.
> 
> The problem is that every ten minutes when samb's dns update happens, it
> keeps putting the following two entries in, which points internal hosts to
> the dns server, instead of  the externally hosted web site:
> @ A  10.10.10.5
> @ A  192.168.10.2
> 
> 
> Why do these keep showing up?  I'm sure there is a place that the info is
> coming from, but I don't know where, and I desperately need to prevent this
> from happening.  I mean, don't get me wrong, I realize what the records
> mean, but what I'm trying to do is prevent them from repopulating and
> preventing my internal hosts from browsing the web site.  I didn't have
> this problem when I could edit the bind files directly, but now that I'm
> using bind_dlz for samba, I'm a little lost.

The issue is that Samba controls that name, and tries to set it to match
the network interfaces of the DC, because AD clients may (few actually
do, in this specific case) use this name to find a DC.  See
dns_update_list. 

I suggest breaking the CNAME and not using example.com to find your
website internally. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] samba_upgradedns output

2013-10-11 Thread Andrew Bartlett
On Wed, 2013-10-09 at 13:22 -0700, Scott Goodwin wrote:
> When I run:
>  # samba_upgradedns --dns-backend=BIND9_DLZ
> I get the following:
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Reading domain information
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
> DNS records will be automatically created
> DNS partitions already exist
> Adding dns-earl account
> See /var/lib/samba/private/named.conf for an example configuration include
> file for BIND
> and /var/lib/samba/private/named.txt for further documentation required for
> secure DNS updates
> Finished upgrading DNS
> 
> What does the line "No zone file
> /var/lib/samba/private/dns/MYDOMAIN.COM.zone" mean? Or rather, I know what
> it means, but what is the file itself supposed to do?
> In all the Samba4 documentation, I don't see any indication on where this
> file is supposed to be created.  I even see references here:
> https://wiki.samba.org/index.php/Dns-backend_bind#Interaction_with_AppArmor_or_SELinux
> (the
> SELinux settings) where this file is mentioned, but no other indication
> anywhere on what its purpose is, or what should be in it. I mean,
> obviously, it's a zone file, but for what? Aren't the zones kept in the tdb
> files now?  Is this a relic from the BIND9_FLATFILE backend, and the
> documentation hasn't been updated?

Patches to the script to clarify this most welcome.  A script that was
originally only for upgrades from FLATFILE to DLZ was extended, and it
should now check for the partition first, before looking for a
flat-file.  Certainly it shouldn't suggest it is re-generating DNS when
it won't do that.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba release series

2013-10-11 Thread Andrew Bartlett
On Fri, 2013-10-11 at 11:27 +0200, Karolin Seeger wrote:
> On Fri, Oct 11, 2013 at 10:17:31AM +0100, Rowland Penny wrote:
> > On 11/10/13 09:55, Karolin Seeger wrote:
> > >Hi,
> > >
> > >with today's release of Samba 4.1.0, Samba 4.0 has been turned into the
> > >maintenance mode and Samba 3.6 into the security fixes only mode.
> > >Samba 3.5 is officially unsupported now.
> > >
> > >For more details on the modi and other release planning information,
> > >please see
> > >
> > >   https://wiki.samba.org/index.php/Samba_Release_Planning
> > >
> > >Cheers,
> > >Karolin
> > >
> > HI, My, but the release page has gone posh ;-) but shouldn't the
> > 'started' column really be 'released' and I think a few of the boxes
> > require filling in
> 
> Sure, will do that as soon as possible.

While we are talking about the release pages, I wonder with the new
colour table on that page, should we remove the Branch policy page, and
just fold the text into this page?  That way, we don't have two pages to
keep updated.  (I'm happy to do it, just wanted to ask first).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] samba 4 DC slow users bulk load

2013-10-10 Thread Andrew Bartlett
On Mon, 2013-10-07 at 23:46 +0300, Nikos Mitas wrote:
> sorry, but can you give me more details about 'full build tree' ?

What I was suggesting is that the perf.data file isn't something I can
use directly.  I need you to run 'perf report -g' on it, and do some of
the investigation, because it relies on system-specific symbols. 

I hope this is clearer.

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] git folder moved : waf : The top source directory has moved. Please run distclean and reconfigure // OK

2013-10-10 Thread Andrew Bartlett
On Wed, 2013-10-09 at 08:37 +1100, m...@electronico.nc wrote:
> I tried :
> > make distclean
> > ->
> >> WAF_MAKE=1 python ./buildtools/bin/waf distclean
> >> project '/media/data/git/samba4/bin' cannot be removed
> >> 'distclean' finished successfully (0.015s)
> >
> > sudo make distclean
> > ->
> >> WAF_MAKE=1 python ./buildtools/bin/waf distclean
> >> 'distclean' finished successfully (0.000s)
> > but 'make' still displays the same error ... so still looking for help 
> > ... TIA
> > Nicolas
> Turned out that bin directory couldn't be deleted by the script.
> sudo rm -R bin
> allowed compilation to complete

This typically happens due to 'sudo make install', which creates
root-owned files during the relink.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] [SPAM] Re: Problem with squid+ntlm+samba

2013-10-10 Thread Andrew Bartlett
On Thu, 2013-10-10 at 11:05 -0300, Silvio Aparecido wrote:
> On 10/07/2013 04:30 PM, Andrew Bartlett wrote:
> > What does wbinfo -P show? 
> wbinfo -p
> Ping to winbindd succeeded
> 
> > Are you correctly joined to the domain.
> net ads testjoin
> Join is OK
> 
> > Can you authenticate using wbinfo as root, and then as squid? What do 
> > the winbind logs show? 
> in this server i just connect as root, using wbinfo -a I receive this 
> message
> 
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> 
> But, in a few minutes this connection is dropped and I can't login again in 
> domain,
> unless I restart samba
> [2013/10/10 10:37:43,  5] 
> winbindd/winbindd_cm.c:1806(set_dc_type_and_flags_connect)
>set_dc_type_and_flags_connect: domain CARTHOMSNO
> [2013/10/10 10:37:43,  5] 
> winbindd/winbindd_cm.c:1815(set_dc_type_and_flags_connect)
>set_dc_type_and_flags_connect: Could not bind to PI_DSSETUP on domain 
> CARTHOMSNO: (NT_STATUS_ACCESS_DENIED)
> [2013/10/10 10:37:43,  5] 
> winbindd/winbindd_cm.c:1862(set_dc_type_and_flags_connect)
>set_dc_type_and_flags_connect: Could not bind to PI_LSARPC on domain 
> CARTHOMSNO: (NT_STATUS_ACCESS_DENIED)
> [2013/10/10 10:37:43, 10] winbindd/winbindd_dual.c:125(async_request)
>Sending request to child pid 23705 (domain=CARTHOMSNO)
> [2013/10/10 10:37:43, 10] 
> winbindd/winbindd_cache.c:2667(cache_retrieve_response)
>Retrieving response for pid 23705

Which version is this?  Can you try the latest (4.0.10, or 4.1 due later
today)?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Samba 4 and squid ntlm auth

2013-10-10 Thread Andrew Bartlett
On Thu, 2013-10-10 at 16:36 +0100, Julian Pilfold-Bagwell wrote:
> Hi List,
> 
> Looking for assistance with a squid authentication problem against Samba 4.
> 
> The squid proxy we're using worked fine on our old Samba 3 domain with 
> 500+ users but keeps freezing on our new Samba 4 domain.  I've joined 
> the proxy using net ads join and the samba 4 network is a clean build as 
> we wanted to leave any baggage from the old one behind.
> 
> What we now have is a situation where Samba 4 authenticates squid using 
> NTLM perfectly up until around 120 users are using it. Once we get above 
> 120, it starts to down and as we approach 140 it dies altogether.  At 
> this point, we restart samba and it works perfectly well for a period of 
> about 5 minutes with the 140+ users connected at which point it will 
> either slow to a crawl then fall over or sometimes will just fall over.
> 
> The network has three Samba 4 Domain controllers.  replication works 
> across the three and at any given time, they are running at around 25% 
> CPU load and consuming around 500MB of RAM.  All three are 3GHz, quad 
> core Xeons with between 4 and 12GB of RAM.
> 
> The odd thing is that at no point when Samba seems to be hanging, do we 
> lose access to shares on our fileserver and I also have Owncloud 
> authenticating via a read only LDAP proxy which is caching.  The really 
> odd thing is that I'm not seeing any obvious messages on either squid, 
> the samba 3 install or the DCs that points towards any major problem.  
> Given the numbers issue, I thought maybe I was hitting a ulimit wall but 
> the hard and soft limits are both unlimited.
> 
> Does anyone have a similar setup and any info on where to go from here, 
> i.e. which logs to check, etc.?
> 
> The OS details are as follows:
> 
> DC1 and DC1 - centos 6.4 Samba 4.0.10 (compiled from source) with 
> internal DNS
> DC3 - Debian Squeeze with Samba 4.0.10 (compiled from source) with Bind 
> 9.8 with dlz
> Squid proxy - Debian squeeze with Squid 2.7 Stable 9.2 from .deb package

My guess is that the single thread that is doing the lookups in the
sam.ldb and the subsequent authentication is choking on the constant
barrage of NTLM authentication traffic.

You might want to look into using kerberos, rather than NTLM
authentication, now you have an AD domain.  This will not need to place
load on the DC for each page load.

However, we should cope with lots of authentication, so if you have the
skill, running 'perf record -g PID' on the busy PID could be quite
illuminating, once analyzed with 'perf report -g'.  Please don't try and
mail me the perf.data output (it needs the build tree and symbols), but
examine it and tell me where the CPU is being used and what callers
responsible for it (screen-shots are OK in this specific instance). 

Also, just have a look at a wireshark trace of the success and failure
modes, and see if you can show a difference.  If the traces are not
massive, these you can mail to me.  Either way, the wireshark 'service
response time' over DCE/RPC would be particularly interesting to see. 

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] GPO Permissions _AGAIN_

2013-10-10 Thread Andrew Bartlett
On Thu, 2013-10-10 at 16:42 +0100, Alex Matthews wrote:

> Hi all,
> 
> Just a quick follow up.
> I found a GPO entitled 'sysvol share compatibility' which has the 
> following blurb:
> 
> This setting controls whether or not the Sysvol share created by the Net 
> Logon service on a domain controller (DC) should support compatibility 
> in file sharing semantics with earlier applications.
> When this setting is enabled, the Sysvol share will honor file sharing 
> semantics that grant requests for exclusive read access to files on the 
> share even when the caller has only read permission.
> When this setting is disabled or not configured, the Sysvol share will 
> grant shared read access to files on the share when exclusive access is 
> requested and the caller has only read permission.
> By default, the Sysvol share will grant shared read access to files on 
> the share when exclusive access is requested.
> Note: The Sysvol share is a share created by the Net Logon service for 
> use by Group Policy clients in the domain. The default behavior of the 
> Sysvol share ensures that no application with only read permission to 
> files on the sysvol share can lock the files by requesting exclusive 
> read access, which might prevent Group Policy settings from being 
> updated on clients in the domain. When this setting is enabled, an 
> application that relies on the ability to lock files on the Sysvol share 
> with only read permission will be able to deny Group Policy clients from 
> reading the files, and in general the availability of the Sysvol share 
> on the domain will be decreased.
> 
> The last part is the most interesting (after 'Note:'). Is this how samba 
> works too when it comes to providing the sysvol share?

In Samba, sysvol is not special.  It may well need to be, as the issue
you describe certainly sounds plausible.

Can you file a bug, and work with us to see how we might create a fix
for this?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Problem with Classic-Migration and Sernet Samba4 Packages

2013-10-10 Thread Andrew Bartlett
On Thu, 2013-10-10 at 13:18 +0200, Achim Gottinger wrote:
> Hi,
> 
> I'm testing a classic migration from samba3/openldap to samba4 on 
> debian wheezy. Last time I did this I used a self-compiled samba4 
> installation. I followed the howto and used openldap with a cloned db 
> on my new server. Now I try the same with sernet's samba4 packages. But 
> sernet-samba-ad does already provide ldap and slapd services and also 
> has ldap-server and slapd in "Breaks" so installing slapd is not possible.
> As a quick workaround I edited /var/lib/dpkg/status and removed 
> ldap-server and slap from the sernet-samba-ad "Breaks" definitions and 
> removed ldap and slapd from the line "Provides:" in 
> /etc/init.d/serner-samba-ad. Afterwards slapd installed without errors.
> Thought I'd post this here, since slapd can also be used as an ldap proxy 
> in conjunction with samba4.

Please provide that feedback back to SerNET.  I also don't think the
packages should be described as breaking each other. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




[Samba] Delay in vendor packages for Samba 4.0

2013-10-10 Thread Andrew Bartlett
On Thu, 2013-10-10 at 16:56 +0200, Klaus Hartnegg wrote:
> Hi,
> 
> Standard procedure seems to be to compile it yourself, that wasn't the 
> case with samba 3. How long do you expect will vendors like ubuntu need 
> until they include samba 4? Right now the authors of the ubuntu server 
> manual obviously haven't noticed that samba 4 exists.

The lack of packaging by debian-based vendors of the full Samba 4.0 is a
concern, but is addressed by:
 - the packages in debian experimental, soon to be in debian unstable
 - the packages provided by sernet

Presumably the Debian packages will be picked up by Ubuntu at some
point, but you would need to ask them as to what determines their
priorities here. 

The Samba Team does not control what version distributors choose to
package, but I have personally worked extensively with the Debian Samba
packaging team to assist in their packaging work.

Fedora shipped Samba 4.0 as soon as it was released, but does not ship
the Active Directory domain controller.  

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] samba 3 EOL ?

2013-10-10 Thread Andrew Bartlett
On Thu, 2013-10-10 at 17:00 +0200, Klaus Hartnegg wrote:
> Hi,
> 
> The page
> https://wiki.samba.org/index.php/Samba_Release_Planning
> doesn't really tell the date until which samba 3 will receive security 
> updates. It seems that it could end already in 9 months. I find it 
> unlikely that most users will have switched by that time. The 9 month 
> rule is fine for a switch from 3.x to 3.x+1, but the switch from 3 to 4 
> is special. Please consider a longer support.

The switch from 3 to 4 is not special.  That is why longer support won't
be required.  If you are not interested in the new AD features, then
Samba 4.0 is just the next generation of the same file server code that
you find in Samba 3.6.  Think of it like a 3.7 in that respect. 

Also, Samba 3.6 already has a very, very long support life, because
Samba 4.0 took quite some time to finally release. 

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] samba 4 DC slow users bulk load

2013-10-07 Thread Andrew Bartlett
On Mon, 2013-10-07 at 22:52 +0300, Nikos Mitas wrote:
> Hello again,
> 
> all three samba4 DC's have 16 GB RAM each and 2 sockets with 4 cores each
> (total 8 cores each) the three DC's and the identity manager are in the
> same VLAN.
> 
> but today i noticed that during bulk load only one core is busy 100% and
> the rest are idle. i was unable to run samba under TDB_NO_FSYNC=1 today.
> maybe tomorrow.
> 
> this is the link for the perf.data file:
> http://www.sendspace.com/file/9g46ll
> this is my smb.conf:

The perf.data file isn't any use to me without your full build tree, so
the best way to use it is to run 'perf report -g' yourself and investigate
where the highest CPU users are, and what calls them (it is a
curses-based tool). 

The 100% busy CPU is because the LDAP server is single-threaded, so that
isn't really unexpected.

I hope this helps you make some more progress chasing this down. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Problem with squid+ntlm+samba

2013-10-07 Thread Andrew Bartlett
On Wed, 2013-10-02 at 10:47 -0300, Silvio Aparecido wrote:
> Hello,
> 
> first, sorry for the duplicated email, my last one had writing errors
> 
> I'm having a little problem: after logging into the domain via samba, after a 
> few minutes squid no longer authenticates the users through single 
> sign-on and keeps asking for authentication in the browser without stopping.
> 
> Error logs:
> 
> [2013/10/01 19:39:44,  0] 
> utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
>   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user 
> via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
> 
>   Login for user [SALE]\[wellington.gomes]@[TI-06] failed due to 
> [Access denied]
> 2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user 
> via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
> [2013/10/01 19:37:35,  0] 
> utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
>   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 
> [2013/10/01 19:36:52, 10] utils/ntlm_auth.c:2190(manage_squid_request)
>   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 
> [2013/10/01 10:30:12,  3] utils/ntlm_auth.c:329(check_plaintext_auth)
>   NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)

What does wbinfo -P show?

Are you correctly joined to the domain?  Can you authenticate using
wbinfo as root, and then as squid?

What do the winbind logs show?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Failover

2013-10-07 Thread Andrew Bartlett
On Mon, 2013-10-07 at 15:36 +0200, Sandbox wrote:
> Hi guys,
> 
> 
> I have a domain with Samba 4.0.5 domain controllers and also a failover
> DRBD shared disk, where the "active" DC controlls the access to the disk.
> DOMAINC01 - 10.48.16.150
> DOMAINC02 - 10.48.16.151
> DOMAINCHA - 10.48.16.155 << this would be the failover IP, which works
> perfectly on Windows XP clients.
> I can see the shares, just like on DOMAINC01 or DOMAINC02 and if the user
> has the proper credentials they can write, open etc.
> But when I try to do the same on a Windows 7 client I simply get an error
> message "You don't have the proper rights to open the directory"
> I guess because the DOMAINCHA "virtual" controller is not in the AC, but
> shall I add a computer to the AC so my win7 clients could open the
> available shares?

Please don't use DRBD with Samba as an AD DC.  You don't need it (you
should have two DRS replicating DCs).  The reason I am so strongly
against this is that I had to work very hard to recover a corrupt
database at such a site.  We suspect that barriers were either not
enabled or not passed down to the OS in this case, followed by an
unexpected loss of power.  The corrupt database was then perfectly
mirrored to the DRBD clone, resulting in two corrupt mirrors.  DRS
replication likely would have detected the corruption (because the
database would not have been valid) and failed the replica, saving the
data.

Andrew Bartlett 

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] samba 4 DC slow users bulk load

2013-10-06 Thread Andrew Bartlett
On Sun, 2013-10-06 at 13:48 +0300, Nikos Mitas wrote:
> Hello,
> 
> i have successfully installed samba 4 on three vmware VM's and everything
> works fine (join pc to domain, user login, dns updates, ntp),
> but i am facing some performance problems during users bulk loading.
> my environment:
> 
> 1st DC: RedHat Linux v6.4,samba 4.1rc4,dns 9.9.3P2,ntp
> 2nd DC:RedHat Linux v6.4,samba 4.1rc4,dns 9.9.3P2,ntp
> 3rd DC:RedHat Linux v6.4,samba 4.1rc4,ntp
> 
> 
> to bulk load the users (around 20.000 accounts) i am using IBM Tivoli
> Identity Manager to automatically create the AD accounts into Samba
> but the performance is poor. 120 users per hour at most.
> 
> Any ideas what to check or what needs to be tuned?

We need to work out what specifically is slow, so we can deal with it. 

If you can capture the ldap server task under 'perf record -g -p PID'
that might give some clues.  It shouldn't take 30 seconds to add a user,
but at this size many O(n^2) things blow up badly, and we may need to
re-investigate better approaches in some cases. 

Also, ensure you have plenty of memory, and for the period of the
import, run samba under TDB_NO_FSYNC=1.  This makes samba unsafe against
a poweroff event (equivalent to linking with libeatmydata), so don't use
this in production, but it will make things much, much faster for the
initial import. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] SAMBA + open LDAP + password hashing

2013-10-03 Thread Andrew Bartlett
On Thu, 2013-10-03 at 09:41 +0200, Alberto Aldrigo | Ca' Tron RE wrote:
> Many thanks for the answer, you solved a doubt I had for a long time.
> What do you mean when you say "other than kerberos" ?
> Can you point me to some documentation or how to for setting up samba + 
> kerberos + ldap?
> Thanks

The easiest way to do Samba + kerberos + ldap is to set up Samba as an
AD DC.  

That said, I shouldn't have mentioned Kerberos in the context of your
original query, as it still has the same issues of needing those
password types, which you don't have. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] SAMBA + open LDAP + password hashing

2013-10-02 Thread Andrew Bartlett
On Wed, 2013-10-02 at 11:46 +0200, Alberto Aldrigo | Ca' Tron RE wrote:
> Hi everybody,
> 
> I'm running an Ubuntu server as fileserver for Osx clients using 
> netatalk and now I need to add support to samba for windows clients.
> 
> Every user has an account on  open LDAP user base and every account has 
> a password stored using SSHA hashing.
> I would like to know if I can use the same user base with samba and how 
> to configure it to use ssha instead of NT/LM or if there is an alternative.

No, there is no alternative (other than Kerberos).  The encryption types
are incompatible. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] problem server WIN 2003 R2 - samba HP-UX

2013-10-02 Thread Andrew Bartlett
On Wed, 2013-09-25 at 14:25 +0200, Stefania Rampini wrote:
> Hello all,
>  
> I am running Samba 2.2.8a 

Stop right here.  This version is so long unsupported and out of date
it just isn't even funny.  Please upgrade to a supported release,
preferably Samba 4.0.

Your issue almost certainly relates to the lack of 'smb signing' support
in that release, but so many other things have changed in the past dozen
years that it could really be anything. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba4: where are ACLs stored?

2013-10-01 Thread Andrew Bartlett
On Tue, 2013-10-01 at 13:48 +0530, Partha Sarathi wrote:
> I hope you should use the below parameter under all share sections to
> get the NTACL working.
> 
> 
> vfs objects = acl_xattr,

Indeed, you would expect that to be needed. 

However, we put that in to the smb.conf 'by magic' whenever we see
'server role = active directory domain controller'.  Frankly I think it
should be the default, except for the fact that we didn't want to change
it for upgrading users.  We used the 'new' server role as a chance to at
least make it a default for this important use case. 

Andrew Bartlett


-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] /etc/passwd backend

2013-10-01 Thread Andrew Bartlett
On Tue, 2013-10-01 at 05:42 +0000, Miroslav Kolar wrote:
> Hi Andrew,
> 
> Thanks a lot for your answer!
> 
> I understand your point. This is actually the way I want to go.
> But before doing so, I need to migrate my users from /etc/passwd to LDB. I'd 
> like to do it without letting them know and a need to ask them to change 
> their password.

NO, unless you have an smbpasswd file already.

However see also tools like pam_smbpass, which can be made to work with
ldb, if you want to do a migration over time.  The different encryption
schemes used are sadly just incompatible. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba4: where are ACLs stored?

2013-09-30 Thread Andrew Bartlett
On Thu, 2013-09-26 at 16:12 +0200, Klaus Hartnegg wrote:
> Hi,
> 
> most file access rights sync between ACLs of linux and the security tab 
> of windows file properties, but not all. Where are the other infos stored?
> 
> I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither 
> output changed when using windows to add individual right for a user 
> that already has rights inherited from the parent directory. Windows 
> remembers every detail of these changes, even after a reboot, so it must 
> be stored somewhere.
> 
> I'm concerned that backups might be incomplete when part of the access 
> rights are hidden somewhere else. Will 'cp -a' really copy everything?

Can you show me your smb.conf?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] /etc/passwd backend

2013-09-30 Thread Andrew Bartlett
On Mon, 2013-09-30 at 13:46 +0000, Miroslav Kolar wrote:
> Hello,
> 
> I would like to understand if it's possible to use /etc/passwd and 
> /etc/shadow like backend for LDB.
> If not, would it be possible to use samba-tool or something similar to create 
> the new user with password hash in MD5?
> 
> Is there perhaps an API to Samba4 which can be used for user management, 
> especially creating/modifying users when password is MD5 hash?

You should instead use nss_winbind to have the system query the users
from our ldb for nsswitch.  That way, we do not have two databases to
keep 'in sync'. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Understanding the difference of lock/state/cache directory

2013-09-30 Thread Andrew Bartlett
On Sun, 2013-09-29 at 01:07 +0200, Marc Muehlfeld wrote:
> Hello,
> 
> in Samba 3 I had all TDBs on one place configured through "lock 
> directory". Now I saw that Samba 4 split the location of the database 
> files into lock/state/cache directory.
> 
> 
> *Question 1*: The manpage says "state directory" is for persistent and 
> "cache directory" for non-persistent data. Ok. That's clear. But what is 
> stored in the "lock directory" and what is the reason why its content 
> isn't placed in one of the other two directories?

Locks are for things that can (and should) go away at shutdown.  Cache
is for things that are handy to have, but can be re-generated without
major cost (which makes it fiddly, as you then get to your next
question).

> *Question 2*: Why is the "winbindd_cache.tdb" stored in the state 
> directory? Isn't it just a cache file?

The issue is that if this is treated as cache, and destroyed, then
offline logins fail after a reboot on a system that chooses to purge
such cache files.  I think there may also be some other persistent data
in there as well (others I hope will clarify). 

At least that is how I understand the issue.  See also the FHS:
http://www.pathname.com/fhs/pub/fhs-2.3.html#PURPOSE33

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba4, ZFS and FreeBSD

2013-09-25 Thread Andrew Bartlett
On Thu, 2013-09-26 at 14:55 +1000, Petros wrote:
> Hi all,
> I am in the process of finding the best way to use Samba4 as an AD  
> under FreeBSD and ZFS.
> 
> The following is based on own research, google, mail archives, a bit  
> of source code etc. So please correct me if I am wrong.
> 
> 1. ZFS is using NFSv4 ACLs.
> 2. NFSv4 ACLs are modelled with NTFS (Windows) ACLs in mind.
> 3. Samba4 started with a new ntvfs file server but that was abandoned  
> (or delayed?) to get samba4 released
> 4. Samba4 was released with s3fs as a default (the "old" Samba3 smbd)
> 5. s3fs is relying on POSIX ACLs which are not implemented on ZFS
> 6. There is a libsunacl library, a wrapper around FreeBSD ZFS NFSv4 ACLs
> I can install an experimental module but cannot provision AD with s3fs.
> 7. The provisioning with ntvfs seems to work
> 
> For me, there are two uncertainties:
> a) Will ntvfs be supported in the future? Or will it be the default later?

No, and No.  We support the ntvfs file server with the existing
functionality, but are not developing it.  Essentially we are keeping it
as a technology demonstration, as well as not breaking any existing users. 

> b) Will s3fs gain support for NFSv4 ACLs?

smbd has NFSv4 ACLs

> If a) is the case, I am happy to proceed with using ntvfs.
> 
> If b) is the case, I may try to use ZFS on volume management level  
> (for samba4 jails only, I am running other "stuff" on the FreeBSD  
> boxes with ZFS).
> 
> I may create ZFS volumes and create UFS volumes, with POSIX support.
> 
> Later I may revert them to ZFS, if s3fs provides ZFS NFSv4 ACL support.
> 
> The other option would be to run it with ntvfs for now, switching to  
> s3fs when it is "ZFS ready".
> 
> I do not know who has any plans in any directions. Of course, "Solaris  
> people" (Oracle, illumos) may have interests and plans in this area too.
> 
> I am happy to become a FreeBSD beta tester for any kind of FreeBSD ZFS  
> support. But I am afraid I am not good enough to code it myself. I am  
> a sysadmin who reads C code frequently, it does not make me a good  
> coder.

The issue is essentially that the python-based provision code needs to
detect the use of zfs, load the zfsacl module in the generated smb.conf,
and instead of testing simple posix ACLs, proceed to setting a full NT
ACL when we create the sysvol share.

Thanks,

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] S4-Winbind dumping core on password

2013-09-22 Thread Andrew Bartlett
On Tue, 2013-09-17 at 15:31 -0700, S Murthy Kambhampaty wrote:
> Samba4-winbind (sernet-samba-4.0.9) on RHEL 6.4 dumps core on password 
> authentication for a domain user (su/sudo), and so domain password 
> authentication fails.  The machine is a standalone server in a Windows AD 
> (2008R2) domain.

Are you able to reproduce this with winbindd running under valgrind?
eg:

valgrind --trace-children=yes winbindd

Thanks,

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] samba4 adding an index to sam.ldb

2013-09-21 Thread Andrew Bartlett
On Tue, 2013-09-17 at 17:05 -0500, Bo Kersey wrote:
> Anyone have a clue as to how I set the fINDEXED attrib?   I have an 
> additional attribute in samba4 ldap that I need indexed.
> 

You need to set the additional flag fATTINDEX into searchFlags where
fATTINDEX is value 1:
#define SEARCH_FLAG_ATTINDEX 0x001

So, just add one to the existing value in the schema attribute, and you
will find it indexed.  Let me know if you have more trouble.

> > - Original Message -
> > > From: "Bo Kersey" 
> > > To: "Andrew Bartlett" 
> > > Sent: Sunday, September 15, 2013 7:53:49 AM
> > > Subject: Re: [Samba] samba4 adding an index to sam.ldb
> > > 
> > > Andrew,
> > > I'm not sure where to find that part of the schema...
> > > 
> > > This is what I find for othermailbox
> > > dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,
> > > objectClass: top
> > > objectClass: attributeSchema
> > > cn: Other-Mailbox
> > > instanceType: 4
> > > whenCreated: 20130913000849.0Z
> > > whenChanged: 20130913000849.0Z
> > > uSNCreated: 1011
> > > attributeID: 1.2.840.113556.1.4.651
> > > attributeSyntax: 2.5.5.12
> > > isSingleValued: FALSE
> > > uSNChanged: 1011
> > > showInAdvancedViewOnly: TRUE
> > > adminDisplayName: Other-Mailbox
> > > adminDescription: Other-Mailbox
> > > oMSyntax: 64
> > > searchFlags: 0
> > > lDAPDisplayName: otherMailbox
> > > name: Other-Mailbox
> > > objectGUID: bd150920-231c-437c-a5a4-726c2c136708
> > > schemaIDGUID: 0296c123-40da-11d1-a9c0-0000f80367c1
> > > attributeSecurityGUID: e48d0154-bcf8-11d1-8702-00c04fb96050
> > > systemOnly: FALSE
> > > objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,
> > > distinguishedName: CN=Other-Mailbox,CN=Schema,CN=Configuration,
> > > 
> > > And when I grep through the other objects at this level, I don't find an
> > > fINDEXED attrib or any /index/i attribs that make sense for that matter.
> > > 
> > > Thanks!
> > > Bo
> > > 
> > > 
> > > 
> > > - Original Message -
> > > > From: "Andrew Bartlett" 
> > > > To: "Bo Kersey" 
> > > > Cc: samba@lists.samba.org
> > > > Sent: Saturday, September 14, 2013 5:46:21 PM
> > > > Subject: Re: [Samba] samba4 adding an index to sam.ldb
> > > > 
> > > > On Sat, 2013-09-14 at 09:10 -0500, Bo Kersey wrote:
> > > > > I have a large installation >20k users.  We're using samba4 for AD
> > > > > Authentication, and also email address validation.  I'm trying to edit
> > > > > the
> > > > > @INDEXLIST in sam.ldb to add an index on otherMailbox to speed up
> > > > > searches
> > > > > (0.05 sec for indexed, vs 2.5 sec for non-indexed searches) I'm 
> > > > > finding
> > > > > that when I use ldbedit to do this, it appears to add the additional
> > > > > @IDXATTR.  However, when I go back and check via ldbsearch, the
> > > > > attribute
> > > > > is not there.  Seems to be failing silently...  How do I debug this?
> > > > > 
> > > > 
> > > > We override that list with a list from the fINDEXED attribute in the
> > > > schema.  Just modify that and the new index will be created.
> > > > 
> > > > I'm also keen to hear more about how you have gone with an installation
> > > > that large, as there are not many installations as large as yours, and
> > > > it will help us advise others.
> > > > 
> > > > Thanks!
> > > > 
> > > > Andrew Bartlett
> > > > 
> > > > --
> > > > Andrew Bartlett
> > > > http://samba.org/~abartlet/
> > > > Authentication Developer, Samba Team   http://samba.org
> > > > 
> > > > 
> > > > 
> > > 
> > > --
> > > Bo Kersey
> > > VirCIO - managed network solutions
> > > 4314 Avenue C
> > > Austin, TX 78751
> > > phone: (512)374-0500
> > > 
> > > If it is free, you are the product.
> > > 
> > > 
> > 

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
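As an added example (not Samba's own code, and not from this thread), here is the searchFlags change described in this reply and in Andrew's earlier answer to Bo, computed from an attributeSchema entry and emitted as an LDIF modify. The sample entry is constructed from the otherMailbox object Bo posted, with a placeholder domain DN; it uses a bitwise OR rather than "+ 1" so that running it twice, or against an attribute that is already indexed, cannot flip the bit off again.

```python
"""Enable the fATTINDEX bit on an AD attributeSchema object.

Samba derives the sam.ldb index list from the schema's searchFlags, which is
why editing @INDEXLIST directly appears to fail silently: the index has to be
switched on in the schema instead.  Added example, not Samba's own code.
"""

# fATTINDEX: maintain an index on this attribute (value 1 in searchFlags).
SEARCH_FLAG_ATTINDEX = 0x001

# Constructed sample entry modelled on the otherMailbox object quoted in the
# thread.  DC=example,DC=com is a placeholder for the real domain DN.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: otherMailbox
searchFlags: 0
"""


def parse_ldif_entry(text):
    """Parse one simple LDIF entry into a dict of attr -> list of values.

    Handles the plain 'attr: value' form shown in the thread; it is not a
    general LDIF parser (no base64 ':: ' values, no line folding).
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def is_indexed(flags):
    """True when fATTINDEX is already set in a searchFlags value."""
    return bool(flags & SEARCH_FLAG_ATTINDEX)


def indexed_search_flags(current):
    """Return searchFlags with fATTINDEX set.

    Bitwise OR, not '+ 1': adding 1 to a value that already has bit 0 set
    would clear it and set bit 1 (a different flag) instead.
    """
    return current | SEARCH_FLAG_ATTINDEX


def build_index_modify_ldif(schema_entry_text):
    """Return the LDIF 'modify' that enables the index, or None when the
    attribute is already indexed and there is nothing to change."""
    entry = parse_ldif_entry(schema_entry_text)
    dn = entry["dn"][0]
    current = int(entry.get("searchFlags", ["0"])[0])
    if is_indexed(current):
        return None
    new = indexed_search_flags(current)
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: searchFlags\n"
            f"searchFlags: {new}\n")


if __name__ == "__main__":
    print(build_index_modify_ldif(SAMPLE_SCHEMA_LDIF) or "already indexed")
```

The returned LDIF is what one would feed to ldbmodify against the schema partition, or paste into ldbedit as Bo did.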




Re: [Samba] On Machine Accounts

2013-09-15 Thread Andrew Bartlett
On Sun, 2013-09-15 at 11:53 -0700, Yannick Gingras wrote:
> On 09/14/2013 05:33 PM, Andrew Bartlett wrote:
> > On Fri, 2006-10-06 at 12:32 -0400, Yannick Gingras wrote:
> >> [...]
> > You can't do a domain logon without a machine account.  You could set
> > them up as just standalone workstation however.
> >
> > Andrew Bartlett
> >
> 
> Andrew,
> while I appreciate you taking the time to answer this question, I have 
> to confess that this was a problem that I had 7 years ago and that I am 
> no longer in charge of these machines.

:-)

> Wishing you an excellent day,

Oops.  Folks still seem to be asking the same question, no matter what
decade. :-) 

That shows how far back my samba mailbox goes!  I clearly scrolled to
the wrong year...

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] samba4 upgradeprovision

2013-09-14 Thread Andrew Bartlett
On Fri, 2013-09-13 at 16:28 -0700, Robert Watson wrote:
> I have the latest samba4 4.2 git running on centos6.4 but when I originally
> provisioned it I didn't include the --use-rfc2307 for AD posix attributes.
> I'd like to map certain AD users to unix users so should I do a samba-tool
> upgradeprovision --use-rfc2307 to add this option?

You can set the magic setting 'idmap_ldb:use rfc2307=yes' in the
smb.conf; what you won't get is the NIS server objects that allow ADUC
to display the uidNumber and gidNumber.

I've seen reference to a windows tool to turn on a NIS server, perhaps
it works remotely against Samba.  Otherwise, I asked a user on IRC to
consider plumbing in the code that adds these objects (a python
function) into a new 'samba-tool domain enablerfc2307' (or similar)
command.  I've not heard any progress yet however.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] On Machine Accounts

2013-09-14 Thread Andrew Bartlett
On Fri, 2006-10-06 at 12:32 -0400, Yannick Gingras wrote:
> I have a few (~20) workstations dual booted with GNU/Linux and Windows
> XP.  When configuration changes on these systems (about once a month)
> I deploy a full disk image with UDPcast [1].  Unlike recent versions
> of Norton Ghost, UDPcast has no post-deploy option to change the
> machine name and/or trust account.  Most of the time those systems are
> running on GNU/Linux and only occasionally will two of those be
> running Windows at the same time.
> 
> [1]: http://www.udpcast.linux.lu/
> 
> The file server is a Debian GNU/Linux system running LDAP, NFS and
> Samba.  Since I deploy new images often I would like to avoid any
> manual setup on each system.  On GNU/Linux I can auto-detect the
> hostname early in the boot process and set it transparently.  I
> haven't found a way to do that on Windows though.  Authentication with
> Samba running as a PDC is working fine and pam is set to keep the
> GNU/Linux and Samba passwords in sync.
> 
> The only part that annoys me with this setup is the machine accounts.
> Is it possible to configure Samba to
> completely ignore the machine account?  Would there be major problems
> in doing this?  So far I don't see any advantage in using a machine
> account.  All the user accounts are password protected and the Samba
> server only allows connection from a narrow IP range.

You can't do a domain logon without a machine account.  You could set
them up as just standalone workstation however. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Network Neighbourhood samba 4

2013-09-14 Thread Andrew Bartlett
On Fri, 2013-09-13 at 17:29 +, Eduardo Sotomayor wrote:
> When you say there is no network neighbourhood in Samba 4, do you mean that:
> 
> 1: all the workstations show in the network neighbourhood except the domain 
> controller.
> 
> 
> 2: There is absolutely nothing in the network neighbourhood, no workstations 
> nor DC.

2).  The master browser code in smbd does not collect names because the
netbios server in the AD DC does not have the browsing code in it.  We
would like to add that, but it just is a matter of a developer finding
it to be a personal (or employer) priority.  (Sadly on the AD DC, there
isn't spare developer time just floating around). 

Andrew Bartlett
      
-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] samba4 adding an index to sam.ldb

2013-09-14 Thread Andrew Bartlett
On Sat, 2013-09-14 at 09:10 -0500, Bo Kersey wrote:
> I have a large installation >20k users.  We're using samba4 for AD 
> Authentication, and also email address validation.  I'm trying to edit the 
> @INDEXLIST in sam.ldb to add an index on otherMailbox to speed up searches 
> (0.05 sec for indexed, vs 2.5 sec for non-indexed searches) I'm finding that 
> when I use ldbedit to do this, it appears to add the additional @IDXATTR.  
> However, when I go back and check via ldbsearch, the attribute is not there.  
> Seems to be failing silently...  How do I debug this?
> 

We override that list with a list from the fINDEXED attribute in the
schema.  Just modify that and the new index will be created.

I'm also keen to hear more about how you have gone with an installation
that large, as there are not many installations as large as yours, and
it will help us advise others.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
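
How the advice in this reply translates into an ldbmodify operation, as an added example that is neither the post's nor Samba's own code. Assumptions: the entry text is what an ldbsearch of the attribute's schema object prints (the sample is constructed and the domain DN is a placeholder; the sam.ldb path is the default for a source build), and the bit the reply calls fINDEXED is searchFlags bit 1, which MS-ADTS names fATTINDEX. The script ORs that bit into the existing value instead of overwriting it, so any other searchFlags bits already set on the attribute survive the change, and emits the LDIF to feed to ldbmodify.

```python
# searchFlags bit 1 is the "index this attribute" flag: MS-ADTS calls it
# fATTINDEX; the reply above calls it fINDEXED.
ATTINDEX = 0x1

# Constructed sample of what the following prints for the attribute's schema
# object (domain DN is a placeholder):
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#       -b CN=Schema,CN=Configuration,DC=example,DC=com \
#       '(lDAPDisplayName=otherMailbox)' searchFlags
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,DC=example,DC=com
searchFlags: 0

# returned 1 records
# 1 entries
# 0 referrals
"""


def parse_ldif_entry(text):
    """Minimal reader for one LDIF entry: skips comments and blank lines,
    joins folded continuation lines (leading space), keeps multi-valued
    attributes as lists.  Base64 ('::') values are not needed here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def index_modify_ldif(entry_text):
    """Return the LDIF for 'ldbmodify -H sam.ldb' that turns on the index bit
    for the attribute described by entry_text, or None if it is already set.
    The bit is OR-ed into the current value so other searchFlags bits survive."""
    entry = parse_ldif_entry(entry_text)
    dn = entry["dn"][0]
    flags = int(entry.get("searchFlags", ["0"])[0])
    if flags & ATTINDEX:
        return None
    return ("dn: %s\n"
            "changetype: modify\n"
            "replace: searchFlags\n"
            "searchFlags: %d\n" % (dn, flags | ATTINDEX))


if __name__ == "__main__":
    print(index_modify_ldif(SAMPLE_LDBSEARCH) or "already indexed")
```

Save the printed LDIF to a file and apply it with ldbmodify against the same sam.ldb; as the reply says, Samba derives the index list from the schema, so @INDEXLIST itself is left alone.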



Re: [Samba] Samba4 consumes more CPU

2013-09-02 Thread Andrew Bartlett
On Mon, 2013-08-26 at 22:39 +0530, Prema wrote:
> Dear Andrew,
> 
> As per your suggestion , I have attached the gdb log of the samba and smbd
> process log running in the single server mode.
> Also when I noted in the perf top, libndr.so consumes the maximum cpu.
> I noticed that it happens soon after sometime the samba process is started
> and the CPU is filled up.
> Since the samba process occupies 100% of at least two or more CPUs out of 8,
> the clients are not able to get authenticated to the server.
> Kindly go through the logs and suggest what can be done to lessen the CPU
> consumption.

Digging into the libndr issue some more:

Sadly I can't use the perf.data without your full build tree, so I'm
going to need you to do some more digging on this side of things. 

Can you show me what exact code in libndr is spinning?  (That is, dig
into the perf screen)

Then, can you re-run it under 

'perf record -g -p '?

And then show me the output of perf report -g, expanding the first
function call stacks to find out what is the eventual high-level caller
of the spinning routine.  This may give us the critical clues we need.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Disable password complexity does not work?

2013-09-02 Thread Andrew Bartlett
On Mon, 2013-09-02 at 11:15 -0700, Gregory Sloop wrote:
> IIRC, GPO's can't be used to configure Password CR on an S4 server.
> [Well you can do it, but it isn't enforced properly...]
> 
> I'm not sure what would happen in a mixed S4 and Windows server AD
> domain.
> 
> Again, that's IIRC - but I think that's the case.

That is correct on both counts: we do not honour it currently (a GSoC
project to do this is in progress), but if a Windows DC changes the AD
database to match the GPO, we will honour that.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Odd Samba 4 ("4.2.0pre1-GIT-b505111"; actually only using client) behaviour #2 - "accept: Software caused connection abort".

2013-08-28 Thread Andrew Bartlett
On Sun, 2013-08-25 at 18:50 +0100, Tris Mabbs wrote:
> Probably should have posted this to "samba-technical" in the
> first place, so re-posting in case anyone has any useful ideas .
> 
>  
> 
> From: Tris Mabbs
> 
> Sent: 12 August 2013 23:08
> To: 'samba@lists.samba.org'
> Subject: Odd Samba 4 ("4.2.0pre1-GIT-b505111"; actually only using client)
> behaviour #2 - "accept: Software caused connection abort".
> 
>  
> 
> Good day oh technical ones .
> 
>  
> 
> I was running Samba 4 (client only, not using it as a DC so
> effectively running Samba 3 code from the Samba 4 tree) and, other than a
> little "Gotcha!" regarding decoding Kerberos PACs, it was all working
> perfectly.
> 
> Then recently I had to upgrade, to "4.2.0pre1-GIT-b505111"
> (I had to upgrade the OS on the server running Samba - 'twas "OpenSolaris"
> and is now "Solaris 11.1") so I recompiled it all up and installed afresh
> (so no ".tdb"s from the previous installation or anything).
> 
>  
> 
> But here's a funny thing (#2).  The log file gets absolutely
> ridiculous numbers of messages thus:
> 
>  
> 
> Aug 12 22:45:01 Gateway smbd[16327]: [ID 702911 daemon.error] [2013/08/12
> 22:45:01.731562,  0] ../source3/smbd/server.c:556(smbd_accept_connection)
> 
> Aug 12 22:45:01 Gateway smbd[16327]: [ID 702911 daemon.error]   accept:
> Software caused connection abort
> 
> Aug 12 22:45:03 Gateway smbd[16327]: [ID 702911 daemon.error] [2013/08/12
> 22:45:03.556423,  0] ../source3/smbd/server.c:556(smbd_accept_connection)
> 
> Aug 12 22:45:03 Gateway smbd[16327]: [ID 702911 daemon.error]   accept:
> Software caused connection abort
> 
> Aug 12 22:45:03 Gateway smbd[16327]: [ID 702911 daemon.error] [2013/08/12
> 22:45:03.556688,  0] ../source3/smbd/server.c:556(smbd_accept_connection)
> 
> Aug 12 22:45:03 Gateway smbd[16327]: [ID 702911 daemon.error]   accept:
> Software caused connection abort
> 
>  
> 
> And so on.  These will come in spurts; there won't be any
> such messages for several minutes then a whole load will come along all at
> once.  Rather like busses .

> 
> I will catch "smbd" in the act at some point though, and
> when I do I'll follow-up with a system call trace to show exactly what is
> happening when this message gets triggered.  It will, of course, be
> something bizarrely Solaris specific (you didn't set the
> "SO_DONT_RANDOMLY_ABORT_CONNECTIONS" socket() option, did you?  Tsk tsk tsk
> .).

I think that's probably the right track :-)

The code here is triggered when poll() indicates that the socket is
readable.  This socket should only be readable when a new connection is
being made, and accept() should succeed.

In the source4/smbd/process_single.c code equivalent to this, there is
this helpful hint:
/* accept an incoming connection. */
status = socket_accept(listen_socket, &connected_socket);
if (!NT_STATUS_IS_OK(status)) {
        DEBUG(0,("single_accept_connection: accept: %s\n",
                 nt_errstr(status)));
        /* this looks strange, but is correct.

           We can only be here if woken up from select, due to
           an incoming connection.

           We need to throttle things until the system clears
           enough resources to handle this new socket.

           If we don't then we will spin filling the log and
           causing more problems. We don't panic as this is
           probably a temporary resource constraint */
        sleep(1);
        return;
}

So, my only conclusion is that your box momentarily does not have the
resources to accept the connection, and because there isn't the sleep()
in the source3 code, it prints this in a loop until the resources become
available. 

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz
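
The throttling pattern quoted above from source4/smbd/process_single.c, as an added example that is not part of the original post or of Samba's code; it is written in Python rather than C so that it runs stand-alone. It assumes poll() has already reported the listening socket readable. Which errno values count as "go back to poll()" versus "back off" is the example's own choice, as is the one-second delay: a connection aborted before accept() (the message in the log above) costs nothing to retry, but when the host is out of descriptors or memory the listener stays readable, and retrying at once is exactly the spin that fills the log. A small rate limiter on the warning keeps even the throttled path from logging once per second forever.

```python
import errno
import logging
import select
import socket
import time

log = logging.getLogger("accept-throttle")

# accept() failures meaning the pending connection vanished before we got it
# (or poll() woke us spuriously): nothing to wait for, go straight back to
# poll().  Which errno values land here is this example's own choice.
RETRY_NOW = frozenset({errno.ECONNABORTED, errno.EAGAIN, errno.EWOULDBLOCK,
                       errno.EINTR, errno.EPROTO})
# accept() failures caused by the host running out of resources.  The listening
# socket stays readable, so retrying at once spins at 100% CPU and floods the
# log (the symptom in the thread above); back off instead, as process_single.c does.
THROTTLE = frozenset({errno.EMFILE, errno.ENFILE, errno.ENOBUFS, errno.ENOMEM})


def classify_accept_error(err):
    """Map an errno from accept() to a policy: 'retry', 'throttle' or 'fatal'."""
    if err in RETRY_NOW:
        return "retry"
    if err in THROTTLE:
        return "throttle"
    return "fatal"


class RateLimitedLogger:
    """Emit at most one warning per `window` seconds for a repeating error and
    report how many identical warnings were suppressed in between."""

    def __init__(self, window=5.0, now=time.monotonic):
        self.window, self.now = window, now
        self.last, self.suppressed = None, 0

    def warn(self, msg):
        t = self.now()
        if self.last is not None and t - self.last < self.window:
            self.suppressed += 1
            return False
        if self.suppressed:
            msg = "%s (%d similar messages suppressed)" % (msg, self.suppressed)
        log.warning(msg)
        self.last, self.suppressed = t, 0
        return True


_limiter = RateLimitedLogger()


def accept_one(listener, accept_fn=None, sleep_fn=time.sleep,
               throttle_seconds=1.0, limiter=_limiter):
    """One accept() attempt after poll() reported `listener` readable.
    Returns (conn, addr) on success, None when the caller should simply poll
    again, and re-raises errors that mean the listener itself is broken."""
    accept_fn = accept_fn or listener.accept
    try:
        return accept_fn()
    except OSError as e:
        kind = classify_accept_error(e.errno)
        if kind == "retry":
            return None
        if kind == "throttle":
            limiter.warn("accept: %s; sleeping %.1fs" % (e.strerror, throttle_seconds))
            sleep_fn(throttle_seconds)     # the sleep(1) from process_single.c
            return None
        raise


def demo_loopback_accept(timeout_ms=2000):
    """A real poll()/accept() round trip on the loopback interface."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.setblocking(False)
    poller = select.poll()
    poller.register(listener, select.POLLIN)
    client = socket.create_connection(listener.getsockname())
    try:
        got = accept_one(listener) if poller.poll(timeout_ms) else None
        if got:
            got[0].close()
        return got is not None
    finally:
        client.close()
        listener.close()


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("loopback accept ok:", demo_loopback_accept())
```

accept_one() takes the accept and sleep callables as parameters only so the failure paths can be exercised without actually exhausting the host's file descriptors; in a real loop the defaults are used.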



Re: [Samba] Samba4 Member Server not working

2013-08-28 Thread Andrew Bartlett
On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
> Hi,
> 
> I have one Samba4 server running as Active Directory Domain Controller.
> It's working like a charm.
> 
> So I needed to add another server to be a Member Server (File Server).
> 
> The server is running samba-4.0.9.
> 
> Configured and compiled ok:
> 
> ./configure --prefix=/usr/local/samba --sysconfdir=/etc
> --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
> --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
> --with-shared-modules=idmap_ad,pam
> 
> Installed ok.
> 
> Kerberos OK.
> I can run kinit and klist
> 
> root@MYNETSRV08:/etc/samba# kinit Administrator
> Password for administra...@mynet.net:
> root@MYSRV08:/etc/samba#
> 
> root@MYNETSRV08:/etc/samba# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administra...@mynet.net
> 
> Valid starting       Expires           Service principal
> 28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
> renew until 29/08/2013 19:59
> root@MYNETSRV08:/etc/samba#
> 
> My SMB.CONF is below:
> 
> [global]
> 
>workgroup = MYNET
>security = ADS
>realm = MYNET.NET
>encrypt passwords = yes
> 
>idmap config *:backend = tdb
>idmap config *:range = 70001-8
>idmap config MYNET:backend = ad
>idmap config MYNET:schema_mode = rfc2307
> 
>idmap config MYNET:range = 500-4
> 
>winbind nss info = rfc2307
>winbind trusted domains only = no
>winbind use default domain = yes
>winbind enum users  = yes
>winbind enum groups = yes
> 
> [test]
>path = /mnt/files
>read only = no
> 
> 
> 
> I can add my server to domain:
> 
> root@PCOSRV08:/etc/samba# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- MYNET
> Joined 'MYNETSRV08' to dns domain 'mynet.net'
> root@MYNETSRV08:/etc/samba#
> 
> libnss_winbind.so is in the right place:
> 
> root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
> /lib/libnss_winbind.so  /lib/libnss_winbind.so.2
> 
> The libs are loaded fine:
> 
> root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
> libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> libnss_compat.so.2 -> libnss_compat-2.13.so
> libnss_dns.so.2 -> libnss_dns-2.13.so
> libnss_ldap.so.2 -> libnss_ldap.so.2
> libnss_nis.so.2 -> libnss_nis-2.13.so
> libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> libnss_files.so.2 -> libnss_files-2.13.so
> libnss_wins.so -> libnss_wins.so.2
> libnss_winbind.so -> libnss_winbind.so.2
> libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> libnss_compat.so.2 -> libnss_compat-2.13.so
> libnss_dns.so.2 -> libnss_dns-2.13.so
> libnss_nis.so.2 -> libnss_nis-2.13.so
> libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> libnss_files.so.2 -> libnss_files-2.13.so
> root@MYNETSRV08:/etc/samba#
> 
> I added winbind to my nsswitch.conf
> 
> passwd: compat winbind
> group:  compat winbind
> 
> I can start the daemon without issues:
> 
> smbd
> nmbd
> winbindd
> 
> "wbinfo -u" lists all my domain users
> 
> "wbinfo -g" lists all my domain groups
> 
> 
> Here are the problems:
> 
> When I run "getent passwd", it lists only the local users.

For performance reasons, by default we do not list users in the AD
domain.  See winbind enum users in your smb.conf

> When I run "id Administrator", it returns "No such user".

You need to use 'id MYNET\\administrator'

> If I try to access the share defined in smb.conf, the server does not
> recognize my user/password.

Can you give more detail on this part of the issue, and include logs
etc?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Samba4 consumes more CPU

2013-08-28 Thread Andrew Bartlett
On Mon, 2013-08-26 at 22:39 +0530, Prema wrote:
> 
> 
> Dear Andrew,
> 
> 
> As per your suggestion , I have attached the gdb log of the samba and
> smbd process log running in the single server mode.
> 
> Also when I noted in the perf top, libndr.so consumes the maximum cpu.

> I noticed that it happens soon after sometime the samba process is
> started and the CPU is filled up.
> 
> Since the samba process occupies 100% of at least two or more CPUs out of
> 8, the clients are not able to get authenticated to the server.
> 
> Kindly go through the logs and suggest what can be done to lessen the
> CPU consumption.

Sadly the gdb backtrace does not happen to be from the point that is
consuming the CPU, if that really is in libndr.  It is in both cases in
a poll() loop.

Are you using the internal DNS server?  If so, please change to using
DLZ_BIND9 using the samba_upgradedns script, and see if that helps.  I
have had a more successful investigation with another user that
indicates an issue there, triggered by double-processing of secure DNS
updates from clients in our DNS server.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Add Win2008R2 DC to Samba4 domain

2013-08-20 Thread Andrew Bartlett
On Tue, 2013-08-20 at 10:30 -0500, Kristofer Pettijohn wrote:
> Has anyone successfully added a Win2008R2 DC to a Samba4 domain? 
> 
> The issue I am encountering is the sysvol/netlogon shares are not
> created. I can manually create them and copy files, but as soon as I
> demote/forcefully remove the Samba4 server, the Win2008R2 server
> refuses to serve requests for the domain. I cannot even manage it
> through ADUC. 

Indeed, you will need to replicate the sysvol and netlogon shares
manually, we simply don't support those replication protocols at this
point. 

In terms of the Win2008R2 server not taking over the Samba domain,
perhaps DNS is not configured on that DC, or the DNS configuration for
the domain was stored in the replicated database (the bind9 flat file
solution).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] samba-tool classicupgrade throws uncaught exception

2013-08-20 Thread Andrew Bartlett
On Tue, 2013-08-20 at 11:33 -0700, Scott Goodwin wrote:
> Update:
> Upon further investigation, the group with SID ending in -1057 is my Domain
> Admins group, which is mapped to unix group "smbadmins".  SID ending in
> -1066 (see my original posting) is Domain Users, which I have mapped to
> unix group "users".
> I suspect that if I remove these two mappings, the classic upgrade may
> succeed, at which point I can re-add them.
> 
> Two things:
> 1) Is it a problem that my Domain Admins and Domain Users groups do not
> have the standard NT4 domain suffixes (I think Domain Admins typically ends
> with -512. Can't remember what the suffix for Domain Users is, but it isn't
> -1066).

Yes.

> 2) Is there a way to remove these mappings from the .tdb files I have
> copied over to the new server?  I know I can remove the mapping from my old
> server, then re-copy the tdb files over, then re-add the mapping on my
> samba3 server, but the Domain Users mapping would impact users (I'm pretty
> sure), and I want to avoid that if possible.  So, I'm hoping there is a way
> to manually edit the tdb's in the test environment where my samba4 server
> is, or some tool that can assist in such.

The 'Samba3' tools still work in Samba 4.0, so if you put the files in
the 'expected' locations in the new server, then you should be able
to just edit them there, as if it was the original server.  Then
upgrade.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Is kerberos authentication against AD possible without joining the domain?

2013-08-20 Thread Andrew Bartlett
On Tue, 2013-08-20 at 09:43 -0500, Les Mikesell wrote:
> On Mon, Aug 19, 2013 at 10:29 PM, Andrew Bartlett  wrote:
> >
> > OK.
> >
> >> Most (maybe not all) of the windows boxes are already logged
> >> into the domain as the appropriate user, but I don't care if those
> >> domain credentials are used or not.
> >
> > You need to join the domain to do this reliably.
> 
> Joining the domain isn't going to happen.  The choices are some sort
> of security=server setup or copies of local passwords on a bunch of
> linux servers.

You may have to resort to that, or ask to join the domain just the same
as any laptop, desktop or member server.  Typically in AD every user in
the domain has the right to join a small number of machines without
needing the administrator password. 

I realize that organizational politics are more complex than that, but
this remains my advice. 

> > In the past we would suggest folks use 'security=server' for this
> > situation, where you want to 'pass through' authentication to another
> > server, but it is not only insecure (again total trust), but is now much
> > less reliable with modern clients, due to NTLMv2.  We removed
> > security=server in Samba 4.0.
> 
> I'm using whatever CentOS 6.x ships - currently seems to be 3.6.9.
> Does that mean security=server should work with kerberos?  (It doesn't
> with whatever authconfig puts in the smb.conf file...).

authconfig does not configure Samba, as far as I'm aware.
security=server is still a supported feature in that release, but it is
known that it does not work with many modern clients. 

> > You cannot accept a kerberos ticket without joining the domain, as you
> > can't decrypt it, even if you wanted to just trust it, it is an opaque
> > blob until decrypted.
> 
> All I want is the password check without having to maintain copies of
> the password file. And I'm already accepting it for ssh access, so I
> don't see what I'd lose if samba accepts it too.

I know what you want, and I'm telling you that we dropped this feature
for good reason.  Additionally, because Samba does not accept plain text
passwords, we cannot simply use Kerberos in the same way pam_krb5
does.  

Use of security=server is at your own risk, both in terms of security
and in terms of configuring clients not to send NTLMv2 to the Samba
server.

I hope this clarifies things. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Is kerberos authentication against AD possible without joining the domain?

2013-08-19 Thread Andrew Bartlett
On Mon, 2013-08-19 at 18:22 -0500, Les Mikesell wrote:
> On Mon, Aug 19, 2013 at 5:40 PM, Andrew Bartlett  wrote:
> 
> >> On CentOS (and presumably RHEL), the authconfig tool can set up
> >> kerberos authentication via PAM so that locally added users can be
> >> authenticated at the shell/ssh level if the password they use succeeds
> >> for the matching user name in Active Directory - and this works
> >> without joining the linux box to the domain.   Now I'd like those
> >> linux users to be able to map their home directories from a windows
> >> box using that same password.   Is this possible without joining the
> >> linux host to the active directory domain?  I don't care if they have
> >> to re-enter the password instead of using their domain credentials
> >> directly, I just don't want to have to maintain a local password on
> >> the linux side for people who already exist in AD.   And I don't want
> >> to join the domain.
> >
> > As you have found out, you can do this with pam_krb5 but you have no
> > assurance that the AD DC is indeed the AD DC, as there is no local
> > cryptographic material (the machine account password) with which to
> > verify the ticket.  If 'something' issues a ticket, then the user will
> > be authenticated.  This is not secure.
> 
> All I want is a check that the password  the user gave is correct.  If
> it is good enough for ssh  it should be good enough for samba service.
>  (And it's all on a firewalled private network so not particularly
> exposed).
> 
> > That is why windows workstations and linux workstations should both be
> > joined to the domain.
> 
> You need admin credentials for that - and the people managing the AD
> are all in a different group in a different office.
> 
> > As to, one way or other using this password to map a directory, look
> > into things like pam_mount.  The login will have generated a kerberos
> > credentials cache.  This doesn't change on being part of the domain or
> > not.
> 
> I want to go the other direction - that is to have the samba server on
> the linux box serving the user's home directories to their windows
> desktop boxes using the same credentials as they'd use for shell
> logins.   

OK.

> Most (maybe not all) of the windows boxes are already logged
> into the domain as the appropriate user, but I don't care if those
> domain credentials are used or not.

You need to join the domain to do this reliably. 

In the past we would suggest folks use 'security=server' for this
situation, where you want to 'pass through' authentication to another
server, but it is not only insecure (again total trust), but is now much
less reliable with modern clients, due to NTLMv2.  We removed
security=server in Samba 4.0.

You cannot accept a kerberos ticket without joining the domain, as you
can't decrypt it, even if you wanted to just trust it, it is an opaque
blob until decrypted. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Is kerberos authentication against AD possible without joining the domain?

2013-08-19 Thread Andrew Bartlett
On Mon, 2013-08-19 at 17:17 -0500, Les Mikesell wrote:
> On CentOS (and presumably RHEL), the authconfig tool can set up
> kerberos authentication via PAM so that locally added users can be
> authenticated at the shell/ssh level if the password they use succeeds
> for the matching user name in Active Directory - and this works
> without joining the linux box to the domain.   Now I'd like those
> linux users to be able to map their home directories from a windows
> box using that same password.   Is this possible without joining the
> linux host to the active directory domain?  I don't care if they have
> to re-enter the password instead of using their domain credentials
> directly, I just don't want to have to maintain a local password on
> the linux side for people who already exist in AD.   And I don't want
> to join the domain.

As you have found out, you can do this with pam_krb5 but you have no
assurance that the AD DC is indeed the AD DC, as there is no local
cryptographic material (the machine account password) with which to
verify the ticket.  If 'something' issues a ticket, then the user will
be authenticated.  This is not secure.

That is why windows workstations and linux workstations should both be
joined to the domain. 

As to, one way or other using this password to map a directory, look
into things like pam_mount.  The login will have generated a kerberos
credentials cache.  This doesn't change on being part of the domain or
not. 

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz
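
The point made in this reply, and in the "On Machine Accounts" reply earlier on this page (no domain logon without a machine account), in runnable form. This is an added example, not code from the post or from Samba, and it is a toy model: Kerberos encryption is stood in for by an HMAC tag, the string-to-key step is a plain SHA-256, and all names, passwords and keys are constructed. An unjoined host can check that the AS reply decrypts under the typed password, but that proves nothing about which KDC answered. A joined host additionally asks for a ticket to its own host principal and checks it under the key its join installed in the keytab; only a KDC that holds the machine account key can produce that ticket, which is the "local cryptographic material" the reply refers to.

```python
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # bytes of HMAC-SHA256 tag in front of every sealed blob


def derive_key(secret):
    """Toy string-to-key (real Kerberos uses a salted PBKDF2): a password or
    machine account password becomes a long-term key."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


def seal(key, payload):
    """Stand-in for Kerberos encryption: bind payload to key with an HMAC tag.
    Only a holder of key can produce a blob that unseal() accepts."""
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key, blob):
    """Inverse of seal(); raises ValueError if blob was not sealed under key."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key: an opaque blob to us")
    return json.loads(body.decode("utf-8"))


class ToyKDC:
    """Holds the long-term key of each principal it knows about: user keys
    (from passwords) and host keys (from machine account passwords)."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.sessions = {}

    def as_rep(self, user):
        # AS exchange: a fresh session key sealed under the user's key.
        self.sessions[user] = os.urandom(16).hex()
        return seal(self.keys[user], {"user": user, "session_key": self.sessions[user]})

    def tgs_rep(self, user, service):
        # TGS exchange: a service ticket sealed under the *service's* key.
        return seal(self.keys[service], {"user": user, "session_key": self.sessions[user]})


def domain_login(kdc, user, password, host=None, keytab_key=None):
    """Return 'verified', 'unverified' or 'rejected'.
    Without keytab_key this is the unjoined pam_krb5-style check from the
    thread; with it, the host also verifies a ticket to itself under its key."""
    try:
        as_part = unseal(derive_key(password), kdc.as_rep(user))
    except (ValueError, KeyError):
        return "rejected"            # this KDC holds no key matching the password
    if keytab_key is None:
        return "unverified"          # reply decrypted, but which KDC produced it?
    try:
        ticket = unseal(keytab_key, kdc.tgs_rep(user, host))
    except (ValueError, KeyError):
        return "rejected"            # not sealed under our machine account key
    if ticket["user"] != user or ticket["session_key"] != as_part["session_key"]:
        return "rejected"            # ticket was not issued for this login
    return "verified"


def demo():
    user, host = "alice", "host/ws1.example.com"          # constructed names
    real_host_key = derive_key("machine-account-secret")  # what the join puts in the keytab
    genuine = ToyKDC({user: derive_key("hunter2"), host: real_host_key})
    # A KDC that can answer for the user's password but does not hold the
    # machine account key, i.e. not the domain's KDC.
    other = ToyKDC({user: derive_key("hunter2"), host: derive_key("not-the-machine-secret")})
    return {
        "genuine, no keytab": domain_login(genuine, user, "hunter2"),
        "genuine, keytab": domain_login(genuine, user, "hunter2", host, real_host_key),
        "genuine, wrong password": domain_login(genuine, user, "wrong", host, real_host_key),
        "other, no keytab": domain_login(other, user, "hunter2"),
        "other, keytab": domain_login(other, user, "hunter2", host, real_host_key),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-26s %s" % (case, outcome))
```

The two "other" rows are the whole argument: without a keytab the unjoined host reports the same result for both KDCs, and only the keytab check, which exists because the host was joined, tells them apart.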



Re: [Samba] Samba 4 with LDAP proxy in DMZ

2013-08-11 Thread Andrew Bartlett
On Thu, 2013-08-08 at 17:14 +0100, Julian Pilfold-Bagwell wrote:
> Hi All,
> 
> I'm setting up a Samba AD domain which works perfectly with the WIn 7 
> server tools and so far everything is going fine.  What has me stumped 
> is setting up an LDAP proxy in our DMZ against which I can authenticate 
> our email and web services.
> 
> I've got port 389 open on my main Samba 4 DC and if I use the domain 
> administrator account to bind the proxy, everything works.  In order to 
> give a degree of separation however, I've created a user called 
> ldapbindacc and have used the server remote admin tools to delegate 
> control of the directory server to that user with read only access to 
> user and group details.  When I try to access the directory using this 
> account, I get the following error message (the password is definitely 
> correct):
> 
> # ldapsearch -LLL -H ldap://127.0.0.1 -b 
> 'dc=bordengrammar,dc=kent,dc=sch,dc=uk' -D 
> 'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W 
> '(sAMAccountName=Test.User)'
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>  additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
> 
> As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been 
> patching things together from various howtos.  Has anyone succeeded in 
> this who can give me some tips?

Try just setting the DN as ldapbind...@bordengrammer.kent.sch.uk (AD
allows these kind of DNs for binds).

Otherwise, just turn up the logging on the Samba side and see what it
says. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Upgrade

2013-08-11 Thread Andrew Bartlett
On Fri, 2013-08-09 at 11:49 +0200, Sandbox wrote:
> Hi Guys,
> 
> Well I made a bad decision and installed Samba4 from zentyal repo, I would
> like to upgrade it, is it enough to backup all files from  %installation
> folder%/private directory and then copy into the newly installed version's
> private folder?

Ensure you also move the sysvol tree, the lock, locks and state dirs and
the etc/smb.conf file, and keep the xattrs.  Essentially find the new
location for all the files, and move them to match.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Need support

2013-08-10 Thread Andrew Bartlett
On Sat, 2013-08-10 at 04:37 -0400, Scott Lovenberg wrote:
> On Aug 10, 2013, at 4:22, Andrew Bartlett  wrote:
> 
> > On Sat, 2013-08-10 at 03:19 -0400, Scott Lovenberg wrote:
> >> On Aug 5, 2013, at 0:09, ketut.nur...@dexagroup.com wrote:
> >> 
> >>> dear Samba team,
> >>> 
> >>> Today we have used samba ver. 3 as primary domain controller at my 
> >>> company. To improve the Samba technology and feature to support our 
> >>> business , we want to upgrade to Samba 4. 
> >>> 
> >>> Is there any tools or support to provide upgrade solution from Samba 3 to 
> >>> samba 4 ?
> >>> 
> >>> For the information current Samba version we are used and running on 
> >>> Mandriva :
> >>> samba-common-3.0.23b-7mdv2007.0
> >>> samba-server-3.0.23b-7mdv2007.0
> >>> samba-smbldap-tools-3.0.23b-7mdv2007.0
> >>> samba-client-3.0.23b-7mdv2007.0
> >>> samba-doc-3.0.23b-7mdv2007.0
> >>> 
> >>> Any suggestion or support please contact me.
> >> 
> >> Although no longer technically supported, the upgrade provision script has 
> >> done well for many people. Have you considered trying it in a virtual 
> >> environment?
> > 
> > The upgradeprovision script is not for upgrades from Samba 3.x or
> > classic domains, it is about old (very old) databases from the 4.0 alpha
> > series.  Use of the samba-tool domain classicupgrade command remains and
> > will remain fully supported.
> 
> Sorry, Andrew,  you are correct. I meant classicupgrade instead of 
> upgradeprovision (to be fair,  it's 4:30 AM on this side of the pond :))  
> 
> Although I thought that classic upgrade still had some issues to be worked 
> out, IIRC from the mailing list/IRC discussions. Am I mistaken?

Due to the range of possible source configurations the classicupgrade
code may fail.  Most of these failures are due to what I consider
invalid configuration of the old classic domain, but which were not
detected previously, as we had no validation tool in the past.  

That said, we can and should work around these and the other remaining
issues, and patches are very much welcome.

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] Upgrading Samba 3 DC to a Samba 4.0 AD DC

2013-08-10 Thread Andrew Bartlett
On Mon, 2013-08-05 at 11:09 +0700, ketut.nur...@dexagroup.com wrote:
> dear Samba team,
>  
> Today we have used samba ver. 3 as primary domain controller at my 
> company. To improve the Samba technology and feature to support our 
> business , we want to upgrade to Samba 4. 
>  
> Is there any tools or support to provide upgrade solution from Samba 3 to 
> samba 4 ?

See
https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Need support

2013-08-10 Thread Andrew Bartlett
On Sat, 2013-08-10 at 03:19 -0400, Scott Lovenberg wrote:
> On Aug 5, 2013, at 0:09, ketut.nur...@dexagroup.com wrote:
> 
> > dear Samba team,
> > 
> > Today we have used samba ver. 3 as primary domain controller at my 
> > company. To improve the Samba technology and feature to support our 
> > business , we want to upgrade to Samba 4. 
> > 
> > Is there any tools or support to provide upgrade solution from Samba 3 to 
> > samba 4 ?
> > 
> > For the information current Samba version we are used and running on 
> > Mandriva :
> > samba-common-3.0.23b-7mdv2007.0
> > samba-server-3.0.23b-7mdv2007.0
> > samba-smbldap-tools-3.0.23b-7mdv2007.0
> > samba-client-3.0.23b-7mdv2007.0
> > samba-doc-3.0.23b-7mdv2007.0
> > 
> > Any suggestion or support please contact me.
> > 
> 
> Although no longer technically supported, the upgrade provision script has 
> done well for many people. Have you considered trying it in a virtual 
> environment?

The upgradeprovision script is not for upgrades from Samba 3.x or
classic domains, it is about old (very old) databases from the 4.0 alpha
series.  Use of the samba-tool domain classicupgrade command remains and
will remain fully supported.

Andrew Bartlett



Re: [Samba] security.NTACL Not Being Set Using LXC Containers

2013-08-08 Thread Andrew Bartlett
On Thu, 2013-08-08 at 22:54 +0100, chris.ha...@proporta.com wrote:
> On Thu, 08 Aug 2013 22:28:46 +0100, chris.ha...@proporta.com wrote:
> > Hi,
> >
> > My Samba 3.6.6 file server isn't setting the security.NTACL extended
> > attribute. It can set the user.DOSATTRIB without any issue. This
> > appears to be an LXC container issue, as outside the container I can
> > set this using the setfattr command without issue, whereas I can't do
> > this inside.
> >
> > Despite this not being a Samba issue, I was wondering whether anybody
> > has any encountered problems like this; and whether anyone could 
> > offer
> > me their experience or advice?
> 
> This can be worked around by allowing CAP_SYS_ADMIN; see the 
> lxc.cap.drop declarations in your container configuration. Not 
> necessarily a good idea, though as it appears to decrease the degree of 
> container isolation from the host system.
> 
> I don't believe there's any way to request that Samba use a different 
> namespace, though. The only other option would be to not use the 
> filesystem at all.
> 
> Does anyone know how NTACLs in XATTR compare to using 'vfs objects = 
> xattr_tdb' or any other options that I'm unaware of?

Using the TDB backend is a very poor second choice, because if something
other than Samba adds/deletes files, the inode-related entry may either
be left dangling, or may suddenly apply to a different file.  We
saw this in 'make test' where we have to use this, and it isn't pretty.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
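The diagnostic Chris describes (setfattr works outside the container, fails inside) can be scripted. The following is an added example, not Samba code: it writes the two xattr names Samba uses (user.DOSATTRIB and security.NTACL) to a scratch file and maps the errno onto the explanations given in this thread. The values written are constructed placeholders, not real Samba blobs; it assumes Linux, where security.* (other than security.capability) requires CAP_SYS_ADMIN.

```python
"""Probe which xattr namespaces Samba will be able to write on a share path.

Added diagnostic for the thread above (not Samba code). Samba stores DOS
attributes in user.DOSATTRIB and NT ACLs in security.NTACL. On Linux the
security.* namespace (except security.capability) needs CAP_SYS_ADMIN, which
is what an lxc.cap.drop line takes away, while user.* only needs write access
to the file and a filesystem that supports user xattrs.
"""
import errno
import os
import tempfile

# Names Samba's vfs_acl_xattr / DOS attribute code uses; the values here are
# constructed placeholders, not the NDR blobs Samba really writes.
PROBES = {
    "user.DOSATTRIB": b"0x20",
    "security.NTACL": b"constructed-placeholder",
}


def probe_xattrs(directory=None, probes=PROBES):
    """Create a temp file in `directory` (default: the system temp dir), try
    to set each xattr, and return {name: "ok" | errno-name}.  Expected
    failure modes (EPERM, ENOTSUP, ...) are reported, not raised."""
    if not hasattr(os, "setxattr"):  # non-Linux Python: no xattr API at all
        return {name: "UNSUPPORTED_PLATFORM" for name in probes}
    if directory is None:
        directory = tempfile.gettempdir()
    results = {}
    fd, path = tempfile.mkstemp(prefix="xattr-probe-", dir=directory)
    try:
        os.close(fd)
        for name, value in probes.items():
            try:
                os.setxattr(path, name, value)
                # Read back: a silent no-op would be as bad as a failure.
                results[name] = "ok" if os.getxattr(path, name) == value else "MISMATCH"
            except OSError as e:
                results[name] = errno.errorcode.get(e.errno, str(e.errno))
    finally:
        os.unlink(path)
    return results


def diagnose(results):
    """Map the probe outcome onto the explanations given in the thread."""
    sec = results.get("security.NTACL")
    usr = results.get("user.DOSATTRIB")
    if usr == "ok" and sec == "EPERM":
        return "security.* blocked: process lacks CAP_SYS_ADMIN (check lxc.cap.drop)"
    if "ENOTSUP" in (usr, sec) or "EOPNOTSUPP" in (usr, sec):
        return "filesystem has no xattr support on this path"
    if usr == "ok" and sec == "ok":
        return "xattr-backed NTACL storage usable; xattr_tdb not needed"
    return "unexpected result: %r" % (results,)


if __name__ == "__main__":
    r = probe_xattrs()
    print(r)
    print(diagnose(r))
```

Run it inside the container as the user smbd runs as: user.DOSATTRIB succeeding while security.NTACL returns EPERM is the CAP_SYS_ADMIN case from this thread.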


Re: [Samba] How to use --simple-bind-dn in samba-tool

2013-08-08 Thread Andrew Bartlett
On Fri, 2013-08-09 at 10:43 +0700, Olivier Nicole wrote:
> Thank's Andrew,
> 
> 
> > For the record, for other non-AD servers that don't do SASL and so can't
> > use -U, --simple-bind-dn takes a DN, so cn=admin,dc=example,dc=com might
> > be the admin DN on an OpenLDAP server.
> 
> I tried:
> 
>   samba-tool user setpassword tata --newpassword=Ghij-1919 -d 10 -H
> ldap://fbsd35.cs.ait.ac.th/
> --simple-bind-dn=cs=administrator,dc=cs,dc=ait,dc=ac,dc=th
> 
> But it is still giving me the same error, so I suspect the DN is not correct.
> 
> I could not find any documentation saying what the DN should be.

Perhaps I need to be clearer: 

DO NOT USE --simple-bind-dn against an AD server.  

USE -U administrator

Additionally, your DN above has a typo, cs=administrator rather than
cn=administrator. 

Andrew Bartlett



Re: [Samba] samba4 and squid with NTLM auth

2013-08-07 Thread Andrew Bartlett
On Wed, 2013-08-07 at 15:57 +0600, Eugene M. Zheganin wrote:
> Hi.
> 
> Samba-4.0.7
> FreeBSD 10.0-CURRENT
> 
> Besides serving files I'm using Samba to authenticate users in the
> Windows AD with squid.
> After having issues with samba 3.6.16 I decided to see if samba4 will
> fit me more. I was surprised, but I found that Samba 4 is fully
> functional in my environment and is nearly production-ready.
> 
> After that I tried to setup squid to use samba for NTLM authentication.
> I found something that may be a bug, but may be also a misconfiguration
> of some sort. In short words - it doesn't work.
> To describe what's not working, I should say that in my configuration
> squid is authorizing user in two stages:
> - ntlm_auth is authenticating user
> - external squid helper is authorizing user's access to an URL using a
> supplied by ntlm_auth name and the group membership information from the AD.
> 
> It turns out that for some reason ntlm_auth authenticates user just
> fine, but then it is supplying squid with some sort of corrupted username:
> 
> squid access log:
> 
> 1375868558.129 1957 192.168.7.71 TCP_DENIED/403 2338 GET
> http://www.ru/rus/index.php %a0%92%03\r%08 HI
> ER_NONE/- text/html
> 
> This [...] is actually my username - 'emz', but looks it's
> authenticated by ntlm_auth. Squid also thinks that this username has
> been just authenticated, and tries to look it's group membership
> information.
> 
> Squid cache log:
> 
> support_member.cc(124): pid=12390 :2013/08/07 15:42:38|
> kerberos_ldap_group: INFO: User ═..
> . is not member of group@domain Internet Users - Crystal@NULL
> 
> Considering that everything is fine when using samba 3.5.x, I suppose
> the answer is is samba software.
> Is this some bug or a misconfiguration ?

Certainly this looks like a missing NULL terminator, if it is as you
describe.  Can you operate ntlm_auth manually (operate one ntlm_auth in
client mode, another in squid-2.5-ntlmssp mode and copy the blobs back
and forth), and demonstrate it?  This will avoid all the complexity of
squid, and help isolate the issue.

Andrew Bartlett

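To make the NUL-terminator hypothesis concrete, here is an added Python example (not code from Samba, squid or this thread) that builds a constructed NTLMSSP AUTHENTICATE_MESSAGE and decodes its UserName field two ways: by the length-prefixed security buffer, as the helper must, and by scanning for a terminating NUL as a C string copy would. The field layout follows MS-NLMP; the user name, domain and response bytes are made up.

```python
"""Length-prefixed NTLMSSP fields vs. NUL-terminated C strings.

Constructed example: a minimal AUTHENTICATE_MESSAGE (MS-NLMP message type 3)
whose payload places the NtChallengeResponse directly after the UserName.
A helper that treats the name as a C string keeps reading into the response
bytes, producing the kind of corrupted user name seen in the squid log above.
"""
import struct

# Offsets of the security-buffer (Len, MaxLen, Offset) fields in a type 3
# message; offsets inside the buffers are relative to the message start.
AUTH_FIELDS = {
    "LmChallengeResponse": 12,
    "NtChallengeResponse": 20,
    "DomainName": 28,
    "UserName": 36,
    "Workstation": 44,
    "EncryptedRandomSessionKey": 52,
}
NEGOTIATE_FLAGS_OFFSET = 60
PAYLOAD_START = 64  # 8 signature + 4 type + 6*8 fields + 4 flags
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def build_authenticate(user, domain, workstation, nt_response):
    """Build a constructed (not cryptographically valid) type 3 message."""
    def enc(s):
        return s.encode("utf-16-le")
    # Payload order is the sender's choice; here the binary NT response is
    # deliberately placed right after the user name.
    payload_order = [
        ("DomainName", enc(domain)),
        ("UserName", enc(user)),
        ("NtChallengeResponse", nt_response),
        ("Workstation", enc(workstation)),
        ("LmChallengeResponse", b""),
        ("EncryptedRandomSessionKey", b""),
    ]
    header = bytearray(PAYLOAD_START)
    header[0:8] = b"NTLMSSP\x00"
    struct.pack_into("<I", header, 8, 3)
    struct.pack_into("<I", header, NEGOTIATE_FLAGS_OFFSET, NTLMSSP_NEGOTIATE_UNICODE)
    payload = bytearray()
    for name, data in payload_order:
        off = PAYLOAD_START + len(payload)
        struct.pack_into("<HHI", header, AUTH_FIELDS[name], len(data), len(data), off)
        payload += data
    return bytes(header + payload)


def field(msg, name):
    """Return a security-buffer field's bytes, honouring Len and Offset."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, AUTH_FIELDS[name])
    if offset + length > len(msg):
        raise ValueError("%s buffer runs past end of message" % name)
    return msg[offset:offset + length]


def username_correct(msg):
    """Decode UserName using the field length (what the helper must do)."""
    flags, = struct.unpack_from("<I", msg, NEGOTIATE_FLAGS_OFFSET)
    raw = field(msg, "UserName")
    return raw.decode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii")


def username_buggy(msg):
    """Decode UserName by scanning for a UTF-16 NUL, as C code treating the
    buffer as a NUL-terminated string would: Len is ignored and the scan runs
    on into whatever follows the name in the payload."""
    _len, _maxlen, offset = struct.unpack_from("<HHI", msg, AUTH_FIELDS["UserName"])
    end = offset
    while end + 2 <= len(msg) and msg[end:end + 2] != b"\x00\x00":
        end += 2
    return msg[offset:end].decode("utf-16-le", errors="replace")


def squid_answer(user):
    """Success line of the squid-2.5-ntlmssp helper protocol: 'AF <user>'."""
    return "AF " + user


# Constructed sample: the response bytes are arbitrary, not a real NTLMv2 blob.
SAMPLE = build_authenticate("emz", "DOMAIN", "PC1", b"\xa0\x92\x03\r\x08\x01\x02\x03")

if __name__ == "__main__":
    print(squid_answer(username_correct(SAMPLE)))
    print(repr(squid_answer(username_buggy(SAMPLE))))
```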

Re: [Samba] Samba 4 empty password

2013-08-07 Thread Andrew Bartlett
On Wed, 2013-08-07 at 13:56 +, Fink Oliver wrote:
> Hello,
> 
> We are trying to setup a SAMBA-Server with users that have empty passwords.
> 
> We are using:
> Samba 4.0.8
> Kernel 3.10.5
> Slackware 14.0 x64
> 
> When we set a password the login succeeds!
> 
> That's what we get when trying to login:

>  Kerberos: Looking for ENC-TS pa-data -- media1@BC
> [2013/08/07 13:31:46,  3] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype 
> aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum 
> type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> [2013/08/07 13:31:46,  3] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed to decrypt PA-DATA -- media1@BC

This means the KDC had a different hash to the one the user encrypted the time 
with.  

Aside from the flag 'ACB_NOPWREQ' (which does *not* mean no password
required, it actually means no password requirements, ie no minimum
length), the KDC doesn't know the length (even zero length) of the
password, it just performs calculations based on the stored hash. 

How did you set the 'empty' password in Samba?

Andrew Bartlett



Re: [Samba] Debian Package Updates

2013-08-07 Thread Andrew Bartlett
On Wed, 2013-08-07 at 17:58 +0100, Dominic Evans wrote:
> On 5 August 2013 01:28, Andrew Bartlett  wrote:
> > On Fri, 2013-08-02 at 14:41 +0100, Dominic Evans wrote:
> >> The debian package of samba4 is still sitting at 4.0.3 in
> >> experimental. Please could someone (Andrew?) upload an updated package
> >> now that we are up to 4.0.7?
> >>
> >> http://packages.qa.debian.org/s/samba4.html
> >
> > We have toiled mightily, and have new experimental packages.  They are
> > stuck in the NEW queue, and have been for a month:
> > http://ftp-master.debian.org/new.html
> >
> > (This is because we have additional package names, as part of the merge
> > with the 'samba' package).
> 
> So the new packages have now made it into experimental
> http://packages.qa.debian.org/s/samba/news/20130806T230018Z.html
> 
> However, it isn't obvious what the upgrade step(s) should be from an
> existing `samba4` install to these packages. They don't appear to have
> specified Conflicts/Replaces with the samba4 packages, and it appears
> like a `sudo apt-get install -t experimental samba` would be partially
> installing alongside the existing samba4 binaries?

We do have Conflicts/Replaces set, and when the bulk of the packaging
work was done this was tested upgrading from both.  From here, the best
approach would be to tell us what errors you get, and we can add some
more as required. 

Andrew Bartlett



Re: [Samba] How to use --simple-bind-dn in samba-tool

2013-08-07 Thread Andrew Bartlett
On Wed, 2013-08-07 at 17:16 +0700, Olivier Nicole wrote:
> Hi,
> 
> I understand that using options -H and --simple-bind-dn one could run
> samba-tool remotely.
> 
> But how should I specify the DN to use for simple bind? 
> 
> I tried many syntaxes:
>   cn=Administrator
>   cn=Administrator@domain
>   domain
> all with the Administrator password, but it always fail with:
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -   Failed: NT_STATUS_LOGON_FAILURE> <>
> Failed to connect to 'ldap://fbsd35.cs.ait.ac.th/' with backend 'ldap': (null)
> 
> Can I use the command ldapsearch (from openLdap distribution) to access
> the LDAP directory maintained by Samba?
> 
> If yes, what is the syntax in term of binding?

In general, you shouldn't need --simple-bind-dn, because Samba supports
much more secure ways to authenticate, such as NTLM and Kerberos.  Just
specify -U administrator

For the record, for other non-AD servers that don't do SASL and so can't
use -U, --simple-bind-dn takes a DN, so cn=admin,dc=example,dc=com might
be the admin DN on an OpenLDAP server.  (This applies more to the ldb*
commands than samba-tool, which probably shouldn't show this option
except that it comes from common code.) 

I hope this helps,

Andrew Bartlett



Re: [Samba] Samba 4 and DFS replication

2013-08-05 Thread Andrew Bartlett
On Mon, 2013-08-05 at 17:24 -0500, Kristofer Pettijohn wrote:
> I realize that Samba 4 doesn't yet support DFS replication. But my
> question is if Samba 4 as an AD server supports DFS replication within
> the environment. For example, if all we have are Samba 4 servers for
> AD domain controllers, and we have 2+ Windows servers doing DFS
> between each other (where the Samba 4 file server isn't involved at
> all), is that supported? 

That should be fine, we just don't implement that protocol yet. 

Andrew Bartlett



Re: [Samba] Joining DC

2013-08-05 Thread Andrew Bartlett
On Mon, 2013-08-05 at 16:03 +1200, Andrew Bartlett wrote:
> On Fri, 2013-08-02 at 13:58 +1000, Alex Ferrara wrote:
> > I am having some trouble joining a new samba4 server as a DC. I am pretty 
> > sure this stems from trying to use OpenChange and subsequently removing it. 
> > The new samba4 machine is running 4.0.7 and the existing is running 4.0.1. 
> > I am a little hesitant to do an in-place upgrade of the last working DC, so 
> > I wanted a replica to fall back on in case things go bad.
> 
> > On the existing DC logs
> > 
> > [2013/08/02 13:53:04,  0] 
> > ../source4/rpc_server/drsuapi/getncchanges.c:220(get_nc_changes_build_object)
> >   ../source4/rpc_server/drsuapi/getncchanges.c:220: Failed to find 
> > attribute in schema for attrid 2786216 mentioned in replPropertyMetaData of 
> > CN=Recipient Update Service 
> > (DOMAIN)\0ADEL:cbf078d9-a0ff-4609-a05b-743816af619d,CN=Deleted 
> > Objects,CN=Configuration,DC=domain,DC=local
> 
> This is really interesting.  We are fighting with this in our automated
> testing, but we assumed it was due to runtime schema changes.  Presuming
> you have restarted Samba since the last schema change, this points to a
> more sinister issue.  
> 
> Can you take a clone of this server, and on an isolated network upgrade
> this to git master, and try to join another git master server to it? 
> 
> If that fails in the same way, we may wish to get a dump of this object
> (and potentially the database via a secure route) so we can investigate
> further. 

Can you show me the output of 'dbcheck --cross-ncs' with this patch?  

Please do this on a backup of the domain.

Don't run dbcheck --fix because I know the test and fix is at least
partially bogus, but I'm just curious to see what this shows up. 

Thanks,

Andrew Bartlett


>From 172888cf867739bd69f17789c49a2e1710ffe478 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Mon, 5 Aug 2013 19:13:15 +1200
Subject: [PATCH] dbcheck: FIXME Try and find replication metadata that does
 not match the sent objects

The issue with the test is that if an attribute is deleted, then it needs to be in the metadata, but not have any
values.  The important test should actually be that we can at least translate each metadata entry.

Andrew Bartlett
---
 python/samba/dbchecker.py |   52 +++--
 1 file changed, 46 insertions(+), 6 deletions(-)

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 8b175c2..0317824 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -606,6 +606,19 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
   "Failed to fix metadata for attribute %s" % attr):
 self.report("Fixed metadata for attribute %s" % attr)
 
+def fix_extra_metadata(self, dn, attr):
+'''remove replPropertyMetaData elements for a single attribute for a
+object. This is used to fix extra replPropertyMetaData elements'''
+res = self.samdb.search(base = dn, scope=ldb.SCOPE_BASE, attrs = [attr],
+controls = ["search_options:1:2", "show_recycled:1"])
+msg = res[0]
+nmsg = ldb.Message()
+nmsg.dn = dn
+nmsg[attr] = ldb.MessageElement([], ldb.FLAG_MOD_REPLACE, attr)
+if self.do_modify(nmsg, ["relax:0", "provision:0", "show_recycled:1"],
+  "Failed to remove extra metadata for not-existing attribute %s" % attr):
+self.report("Removed extra metadata for attribute %s" % attr)
+
 def ace_get_effective_inherited_type(self, ace):
 if ace.flags & security.SEC_ACE_FLAG_INHERIT_ONLY:
 return None
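Review bot: in `fix_extra_metadata` the search result is never used: `msg = res[0]` is assigned and then ignored, and `res[0]` raises IndexError if the object is not found, so either drop the search or check `len(res)` and use `msg` in the report. The modify sends an empty `FLAG_MOD_REPLACE` for `attr`, which clears the attribute's values; whether that also drops the matching replPropertyMetaData entry depends on the module stack honouring `relax:0`/`provision:0`, and the docstring ("remove replPropertyMetaData elements") should state that dependency. Minor: "for a object" should read "for an object", and the `base = dn`/`attrs = [attr]` keyword spacing differs from the surrounding code.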
@@ -900,6 +913,12 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
 if attrname == 'dn':
 continue
 
+flag = self.samdb_schema.get_systemFlags_from_lDAPDisplayName(attrname)
+if (not flag & dsdb.DS_FLAG_ATTR_NOT_REPLICATED
+and not flag & dsdb.DS_FLAG_ATTR_IS_CONSTRUCTED
+and not self.samdb_schema.get_linkId_from_lDAPDisplayName(attrname)):
+list_attrs_seen.append(str(attrname).lower())
+
 if str(attrname).lower() == 'replpropertymetadata':
 list_attrs_from_md = self.process_metadata(obj[attrname])
 got_repl_property_meta_data = True
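Review bot: `get_systemFlags_from_lDAPDisplayName(attrname)` at the top of the added block is called for every attribute on the object with no handling for a failed lookup, yet the report this patch is chasing is precisely an attribute that cannot be found in the schema; an attribute name unknown to the local schema will abort dbcheck at this line instead of being reported. Guard that call (and `get_linkId_from_lDAPDisplayName`) and report such attributes explicitly. `list_attrs_seen` is appended to here but its initialisation is not in this hunk; please confirm it is reset per object before the loop so entries from a previous object do not leak into the comparison.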
@@ -956,12 +975,6 @@ newSuperior: %s""&qu

Re: [Samba] Samba4 domain trust

2013-08-04 Thread Andrew Bartlett
On Fri, 2013-08-02 at 13:31 +0200, Peter Beck wrote:
> Hi there,
> 
> I know domain trusts are currently not finished (as far as I know you 
> can trust a Samba4
> domain but not the other way). Is that still correct ?

It is. 

> And my main question: Does it matter if it is a Samba4-Only Domain or 
> Samba4/Windows DC domain ?

Not really - the Samba DC just won't know much about the trust.

> In my case it's Samba4 only with two different domains i would like to 
> trust each other...

The big issue is that we need to change over the winbind to allow this,
once that's done, the rest won't be too hard.

Andrew Bartlett



Re: [Samba] Problem to demote samba4 dc

2013-08-04 Thread Andrew Bartlett
On Fri, 2013-08-02 at 08:34 -0300, Jonis Maurin Ceará wrote:
> But what roles Andrew?
> All 5 roles are already on windows DC. What's those 2 left roles and how 
> can we transfer?

What I'm saying is just follow whatever advice Microsoft gives for using
their GUI tools to remove a dead DC from the AD domain.   It shouldn't
matter that it's a Samba DC.

Andrew Bartlett


[Samba] [PATCH] Allow dbcheck to fix Rid Set records

2013-08-04 Thread Andrew Bartlett
On Sun, 2013-07-28 at 16:14 +0200, Achim Gottinger wrote:
> Hi,
> 
> I updated my two samba DC's from 4.0.3 to serner 4.0.7. Both servers run 
> debian wheezy and the AD was created at the beginning of the year with 
> a classic upgrade to version 4.0.0.
> Recent release notes do not provide information about required upgrade 
> tasks. So I ran
> samba-tool dbcheck --reset-well-known-acls. On the first DC it found a 
> few errors about missing members in computer groups which were fixable 
> with samba-tool dbcheck --reset-well-known-acls --fix.
> On my second DC however one issue remains.
> 
>  >samba-tool dbcheck --reset-well-known-acls
> Checking 336 objects
> Not fixing nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
> Controllers,DC=domain,DC=local
> Please use --fix to fix these errors
> Checked 336 objects (1 errors)
> 
>  >samba-tool dbcheck --reset-well-known-acls --fix
> Checking 336 objects
> Fix nTSecurityDescriptor on CN=RID Set,CN=DC1,OU=Domain 
> Controllers,DC=domain,DC=local? [y/N/all/none] y
> Failed to fix attribute nTSecurityDescriptor : (65, "objectclass_attrs: 
> at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID 
> Set,CN=DC1,OU=Domain Controllers,DC=domain,DC=local' wasn't specified!")
> Checked 336 objects (1 errors)

The attached patch should resolve this issue.  Let me know if it helps.

Thanks,

Andrew Bartlett


>From 9f0c60b6d4b4c4538e05bb1b6ee0247b9f85ccbc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Mon, 5 Aug 2013 16:39:08 +1200
Subject: [PATCH] dsdb: Allow dbcheck to modify objects missing required
 attributes

Signed-off-by: Andrew Bartlett 
---
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |   16 
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 316dcf8..f290afa 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -421,10 +421,18 @@ static int attr_handler2(struct oc_context *ac)
 
 	if (found_must_contain[0] != NULL &&
 	ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE") == 0) {
-		ldb_asprintf_errstring(ldb, "objectclass_attrs: at least one mandatory attribute ('%s') on entry '%s' wasn't specified!",
-   found_must_contain[0],
-   ldb_dn_get_linearized(msg->dn));
-		return LDB_ERR_OBJECT_CLASS_VIOLATION;
+		/* 
+		 * We allow this for dbcheck to fix the rest of this broken
+		 * entry (which may not be broken if the attribute is
+		 * ridNextRid on the Rid Set, which can be legitimatly
+		 * missing)
+		 */
+		if (!ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK)) {
+			ldb_asprintf_errstring(ldb, "objectclass_attrs: at least one mandatory attribute ('%s') on entry '%s' wasn't specified!",
+	   found_must_contain[0],
+	   ldb_dn_get_linearized(msg->dn));
+			return LDB_ERR_OBJECT_CLASS_VIOLATION;
+		}
 	}
 
 	if (isSchemaAttr) {
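Review bot: the new `DSDB_CONTROL_DBCHECK` test skips the mandatory-attribute check for every object and every attribute, not only the rIDNextRID-on-RID-Set case the comment describes as legitimately missing, so a dbcheck --fix can now write objects that violate the schema without any message. Consider narrowing the bypass to the known-legitimate attribute, or at minimum emitting a debug message when the check is skipped so the missing attribute is still visible in the dbcheck output. Typo in the comment: "legitimatly" should be "legitimately".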
-- 
1.7.10.4


Re: [Samba] Need support

2013-08-04 Thread Andrew Bartlett
On Mon, 2013-08-05 at 11:14 +0700, Ketut DXM wrote:
> dear Samba team,
> 
> Today we have used samba ver. 3 as primary domain controller at my company. 
> To improve the Samba technology and feature to support our business , we want 
> to upgrade to Samba 4. 
> 
> Is there any tools or support to provide upgrade solution from Samba 3 to 
> samba 4 ?
> 
> For the information current Samba version we are used and running on Mandriva 
> :
> samba-common-3.0.23b-7mdv2007.0
> samba-server-3.0.23b-7mdv2007.0
> samba-smbldap-tools-3.0.23b-7mdv2007.0
> samba-client-3.0.23b-7mdv2007.0
> samba-doc-3.0.23b-7mdv2007.0

See:
https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

Andrew Bartlett


Re: [Samba] Joining DC

2013-08-04 Thread Andrew Bartlett
On Fri, 2013-08-02 at 13:58 +1000, Alex Ferrara wrote:
> I am having some trouble joining a new samba4 server as a DC. I am pretty 
> sure this stems from trying to use OpenChange and subsequently removing it. 
> The new samba4 machine is running 4.0.7 and the existing is running 4.0.1. I 
> am a little hesitant to do an in-place upgrade of the last working DC, so I 
> wanted a replica to fall back on in case things go bad.

> On the existing DC logs
> 
> [2013/08/02 13:53:04,  0] 
> ../source4/rpc_server/drsuapi/getncchanges.c:220(get_nc_changes_build_object)
>   ../source4/rpc_server/drsuapi/getncchanges.c:220: Failed to find attribute 
> in schema for attrid 2786216 mentioned in replPropertyMetaData of 
> CN=Recipient Update Service 
> (DOMAIN)\0ADEL:cbf078d9-a0ff-4609-a05b-743816af619d,CN=Deleted 
> Objects,CN=Configuration,DC=domain,DC=local

This is really interesting.  We are fighting with this in our automated
testing, but we assumed it was due to runtime schema changes.  Presuming
you have restarted Samba since the last schema change, this points to a
more sinister issue.  

Can you take a clone of this server, and on an isolated network upgrade
this to git master, and try to join another git master server to it? 

If that fails in the same way, we may wish to get a dump of this object
(and potentially the database via a secure route) so we can investigate
further. 

Thanks,

Andrew Bartlett



Re: [Samba] Joining DC

2013-08-04 Thread Andrew Bartlett
On Sun, 2013-08-04 at 16:03 -0500, Mike Ray wrote:
> Alex- 
> 
> A few things: 
> 
> 1) Don't run DCs on the same domain with different versions of Samba. Either 
> add in another 4.0.1 DC and replicate, or use the backup tool to create a 
> copy of the database first. 

While I can understand the advice, this should work, just as we work with 
different versions of AD.  Particularly after the 4.0 release.

Andrew Bartlett



Re: [Samba] Debian Package Updates

2013-08-04 Thread Andrew Bartlett
On Fri, 2013-08-02 at 14:41 +0100, Dominic Evans wrote:
> The debian package of samba4 is still sitting at 4.0.3 in
> experimental. Please could someone (Andrew?) upload an updated package
> now that we are up to 4.0.7?
> 
> http://packages.qa.debian.org/s/samba4.html

We have toiled mightily, and have new experimental packages.  They are
stuck in the NEW queue, and have been for a month:
http://ftp-master.debian.org/new.html 

(This is because we have additional package names, as part of the merge
with the 'samba' package). 

Once that's in, I expect a 4.0.7 will follow shortly.

Andrew Bartlett



[Samba] [PATCH] Re: "./configure" LDAP checks failing on AIX

2013-08-01 Thread Andrew Bartlett
On Thu, 2013-08-01 at 11:10 +0200, Gilles Pion wrote:
> 2013/7/31 Andrew Bartlett 
> >
> > Very interesting!  That we certainly can fix, thanks for the heads-up!
> 
> I've also filed a bug on that issue:
> https://bugzilla.samba.org/show_bug.cgi?id=10047

If I've understood you correctly, the attached patch should resolve the
issue.

If you can confirm, then if I can have a team member review and/or push
this for me, that would be great.  We can then backport it to 4.0 and
4.1 for the next releases of those branches. 

Andrew Bartlett


>From de14f0f120ae04190d46e554511b4939b7938508 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Fri, 2 Aug 2013 15:28:51 +1200
Subject: [PATCH] build: Add ldap.h and lber.h to checks for configure
 functions

Based on the suggestion by Gilles Pion , this apparently fixes detection of
LDAP on some AIX configurations.

Andrew Bartlett

Signed-off-by: Andrew Bartlett 
---
 source3/wscript |6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source3/wscript b/source3/wscript
index 3c0145b..10e4fa0 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -627,8 +627,10 @@ msg.msg_acctrightslen = sizeof(fd);
 conf.CHECK_VARIABLE('LBER_OPT_LOG_PRINT_FN',
 define='HAVE_LBER_LOG_PRINT_FN', headers='lber.h')
 
-conf.CHECK_FUNCS_IN('ldap_init ldap_init_fd ldap_initialize ldap_set_rebind_proc', 'ldap')
-conf.CHECK_FUNCS_IN('ldap_add_result_entry', 'ldap')
+conf.CHECK_FUNCS_IN('ldap_init ldap_init_fd ldap_initialize ldap_set_rebind_proc', 'ldap',
+headers='ldap.h lber.h')
+conf.CHECK_FUNCS_IN('ldap_add_result_entry', 'ldap',
+headers='ldap.h')
 
 # Check if ldap_set_rebind_proc() takes three arguments
 if conf.CHECK_CODE('ldap_set_rebind_proc(0, 0, 0)',
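Review bot: the two CHECK_FUNCS_IN calls get different header lists: 'ldap.h lber.h' for the ldap_init group but 'ldap.h' alone for ldap_add_result_entry. Since the commit message says both headers are needed for detection on the affected AIX configurations, passing headers='ldap.h lber.h' to both calls avoids the second check failing for the same reason on a platform whose ldap.h does not itself include lber.h.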
-- 
1.7.10.4


Re: [Samba] Turnkey Samba 4 Solutions?

2013-08-01 Thread Andrew Bartlett
On Wed, 2013-07-31 at 09:42 -0400, Steve Ligett wrote:
> H - I'm a Resara Server user - Resara Server was a turnkey Samba 4 system.
> I have been lurking on this list, trying to decide what way to go for the
> future. I've seen some post regarding moving from Resara, but I'm not sure
> if I want to "get my hands dirty" - I've enjoyed the simplicity of Resara.
> Are there any other turnkey Samba solutions? Or simple cookbook solutions?

The HOWTO is our standard 'cookbook'.  While it has grown, we do intend
it to be a 'turnkey' solution - once you run provision, you should have
a working domain. 

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

Andrew Bartlett



Re: [Samba] Problem to demote samba4 dc

2013-08-01 Thread Andrew Bartlett
On Wed, 2013-07-31 at 15:10 +0200, Davy HUBERT wrote:
> Hi all,
> 
> I recently migrated our samba 3 domain to an AD domain using Samba 4 
> classic upgrade tool. Well, every seems to work fine since i'm still 
> alive ;) .
> 
> 
> I promoted a Windows 2k8 box as a new DC of this domain and I transfer 
> the 5 FSMO roles to it.
> 
> Now I would like to demote the Samba4 DC but when I tried I got this 
> message :
> 
> # samba-tool domain demote
> ERROR: Current DC is still the owner of 2 role(s), use the role command 
> to transfer roles to another DC
> 
> When check the fsmo roles status via "samba-tool fsmo show" it confirms 
> that the Samba 4 DC doesn't own anything.
> 
> How can I manage to demote the Samba 4 box ?

The best option would be to turn off the Samba DC, and then use ADUC on
Windows and tell it that the Samba DC is permanently off-line.  The
roles can be seized from there.

Andrew Bartlett



Re: [Samba] Slow FIND_FIRST2 response

2013-08-01 Thread Andrew Bartlett
On Tue, 2013-07-30 at 12:56 -0400, Ryan Bair wrote:
> I'm running Samba 4.0.7 on CentOS 6.4 running double duty as DC and file
> server.
> 
> OS X clients are taking a _long_ time to list long directories. One
> directory with 10K entries is taking 3-4 minutes to display the entries in
> Finder.
> 
> I captured a few seconds worth of packets and noticed that it's doing three
> requests per file:
> 1. NTCreateAndX - just opens the file
> 2. Close
> 3. FIND_FIRST2 - to look for the resource fork
> 
> The first two happen extremely fast, the 3rd one is the kicker. Samba is
> taking about 0.025 seconds to return a response to the client (usually no
> such file status). Multiply that by 10K requests and you have a few minutes
> on your hands.
> 
> I'm guessing the problem is that Samba must honor case-insensitivity for
> the lookup which is likely an expensive operation. Is there any way to speed
> this up?

Do you use resource forks on your share at all?

If not, if the client can use streams for the xattrs (I think it can)
then using xattrs to back these not-actually-used resource forks may
well be much faster, as this is based on the file handle.

Try:

vfs objects = streams_xattr

(if you use resource forks, then they may not fit, in which case perhaps
try vfs objects = streams_depot, which uses a magic directory, but is
less tidy and less efficient).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] samba4 - classicupgrade - problem - passdb.error uncaught exception - Cannot load backend methods for 'ldapsam:ldap://localhost' backend NT_STATUS_CANT_ACCESS_DOMAIN_INFO

2013-07-31 Thread Andrew Bartlett
On Wed, 2013-07-31 at 15:41 +0530, itsaheb wrote:
> Thanks Andrew for your reply.
> 
> 
> This time i have setup Samba4 on new test server but im still getting
> the same error message:
> 
> 
> # /usr/local/samba/bin/samba-tool domain classicupgrade
> --dbdir=/samba3/  --use-xattrs=yes
> --realm=mydomain.com /samba3/smb.conf  --dns-backend=BIND9_DLZ

This is clearly your issue:

> smbldap_search_domain_info: Problem during LDAPsearch: Timed out

If your LDAP server is timing out, there is no hope Samba can upgrade
this domain.

You need to work out why this happens. 

Andrew Bartlett


-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] "./configure" LDAP checks failing on AIX

2013-07-31 Thread Andrew Bartlett
On Tue, 2013-07-30 at 11:47 +0200, Gilles Pion wrote:

> Note that with the following fix to ".source3/wscript" the check is
> successful,
> 
> replaced
> conf.CHECK_FUNCS_IN('ldap_init ldap_init_fd ldap_initialize
>  ldap_set_rebind_proc', 'ldap')
> conf.CHECK_FUNCS_IN('ldap_add_result_entry', 'ldap')
> 
> by
> conf.CHECK_FUNCS_IN('ldap_init ldap_init_fd ldap_initialize
> ldap_set_rebind_proc', 'ldap',
>  headers='ldap.h lber.h')
> conf.CHECK_FUNCS_IN('ldap_add_result_entry', 'ldap',
>      headers='ldap.h')

Very interesting!  That we certainly can fix, thanks for the heads-up!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz





Re: [Samba] Samba 4 Slow Performance

2013-07-30 Thread Andrew Bartlett
On Wed, 2013-07-31 at 10:07 +0800, Kinglok, Fong wrote:
> On 29 Jul, 2013, at 1:13 PM, Andrew Bartlett  wrote:
> 
> > On Sat, 2013-07-27 at 23:20 +0800, Kinglok, Fong wrote:
> >> Dear all,
> >> 
> >> After using samba 3 for two years, I have just spent totally one week
> >> finishing setting up a samba 4 file system in my working school.
> >> There are about 200 computers, 80+ staff, 1000 students and 10
> >> printers.  The AD was properly setup, mandatory profile and one GPO
> >> policy (which is printer download trust) is effective for all users.
> >> Logon script is for mapping four shares and 10 printers from the file
> >> server.   Also, I have setup two additional DCs (with AD replication
> >> and DHCP server) for two other subnets in the hope to speed up the
> >> logon process.
> >> 
> >> The benefits of Samba 4 are clear: more robust file serving
> >> (supporting the windows ACL), speedy printing (with the help of point
> >> and printer driver) and administration of AD through with windows
> >> remote admin tool.  However, logon speed is just far from good.
> >> 
> >> In the days of Samba 3.6, users can logon the system within 20
> >> seconds, even with more than 80 users logon in the same time (two
> >> classes students login during computer lesson).  Now, with only one
> >> user logging in (who is me), it takes nearly 60 seconds to do the
> >> logon.  I have tried disabling drive and printer mapping in logon
> >> script and applying a registry hack (note 1) shorten the profile
> >> waiting time in windows 7 client side but it makes no difference in
> >> logon speed.
> >> 
> >> I have taken a look on the document in sambaXP 2013:
> >> http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf
> >> 
> >> and two thread in samba-technical mailing list:
> >> https://lists.samba.org/archive/samba-technical/2013-January/089755.html
> >> https://lists.samba.org/archive/samba-technical/2013-May/092332.html
> >> 
> >> It seems that samba team is doing some great work in spotting the
> >> unindexed search in LDB as one of block in performance. 
> > 
> > It is one block, but it is the one we expect to really hit at around
> > 1, not 1000-2000.  As Richard has indicated, what we need from you
> > is an indication of what operation is slow.  Timeouts of this order
> > indicate something different to a slow database - they indicate things
> > like DNS timing out. 
> > 
> > Once you work out which specific operation is blocking, we can
> > investigate more - be it in regards to your network, or our code, we
> > don't mind either way, but we need to work out which to look into.
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett
> > http://samba.org/~abartlet/
> > Authentication Developer, Samba Team   http://samba.org
> > Samba Developer, Catalyst IT   http://catalyst.net.nz
> > 
> > 
> 
> 
> Thank you all for responding.
> 
> In these days, I am trying hard to understand the reason of the delay in 
> logon.
> 
> Following your advice, I've done some test on
> 1. Profile deploying
> 2. GPO
> 
> For the first one, I try using roaming profile for one testing user, it turns 
> out 7 seconds to logon the system.  It seems that the culprit of the delay is 
> in the my old mandatory profile.
> For the second one, I try disable all GPO (I only enable point and printer 
> driver trust and folder redirection), turning it on / off does not change the 
> logon time significantly.
> 
> So, I try digging into how to create mandatory profile properly once again.  
> Here I found:
> http://oakdome.com/k5/tutorials/windows-7-mandatory-roaming-profile.php
> 
> By following the link's instruction, I found it needs 20 seconds in logon.  I 
> hope I can further decrease the logon time (anyone got a hint?)
> 
> I will keep updating the list if I found something worth sharing.

Thanks for getting back to us.  It sounds like this is mostly a
client-side delay rather than a Samba issue. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] NT4 clients

2013-07-30 Thread Andrew Bartlett
On Tue, 2013-07-30 at 21:25 -0400, Ryan Bair wrote:
> Understood. The machine I'm trying to connect is just a member, not a
> DC. This is something which was well supported in earlier versions of
> Windows with AD (NT4 didn't die overnight), and reportedly still works
> in 2012.  I'm not expecting any Kerberos to come out of NT4, nor do I
> see any. 
> 
> The issue is that the Samba DC is fulfilling a TGS request when it
> really should not. I spelled this out in a bit more detail a few
> messages back.

What I need you to do is show how this is different with Windows 2008,
rather than Samba 4.0 as an AD DC.  Then I might be able to assist,
otherwise, the only 'buggy' part of this would seem to be the new
security behavior of Windows 7, which you may be able to disable. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] NT4 clients

2013-07-30 Thread Andrew Bartlett
On Tue, 2013-07-30 at 05:33 -0400, Ryan Bair wrote:
> Hi Andrew,
> 
> 
> To clarify, it is the Win7 client sending the TGS request to the DC
> and the DC responds positively. I now have a more complete
> understanding of what's going on:
> 
> 
> 1. Win7 initiates a session with NT4. Nothing interesting.
> 
> 2. Win7 sends the negotiate protocol response. Of note, we state that
> we support extended security.
> 
> 3. NT4 responds that it does not support extended security. More
> precisely, when NT4 dinosaurs roamed the earth, that bit was likely
> still reserved. 
> 
> 4. Win7 issues a TGS request to the _DC_ to see if the host with that
> name really doesn't support extended security, or if the NT4 machine
> is trying to subject it to some sort of elaborate ruse. (i)
> 
> 5. DC responds positively to the TGS req. (!!!)
> 
> 6. Win7 closes the connection, and displays the error to the user. 
> 
> 
> i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx
> state:
> <94> Section 3.2.5.2: When the server completes negotiation and
> returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB
> clients query the Key Distribution Center (KDC) to verify whether a
> service ticket is registered for the given security principal name
> (SPN). If the query indicates that the SPN is registered with the KDC,
> then the SMB client terminates the connection and returns an
> implementation-specific security downgrade error to the caller.
> 
> 
> Since the Samba DC replies that the SPN is available (by fulfilling
> the request), I'm assuming we're triggering this documented behavior
> in the Win7 client. 

Indeed.

> Also of note, `klist` on the client has an entry for cifs/nt4test
> which `setspn -Q cifs/nt4test` confirms does not exist. I can't
> confirm the behavior in #5 is a bug, but it certainly seems suspect.

The cifs/nt4test SPN is implicit, from the implicit host/nt4test SPN
that comes from nt4test being the machine's name.

The issue for us as a KDC is that there is no flag that I know of that
can be set to say that this domain member should not be issued a ticket,
and the downgrade protection is an important part of the security of the
network.  (that protection isn't useful if the member server can still
negotiate for only NTLM without protection, but waiting for that is for
another day). 

Have you tested and shown that Windows behaves any differently?

Finally, as a workaround try connecting to the machine by IP or by a
name the KDC doesn't know. 

Andrew Bartlett


-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz
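The downgrade check discussed in this exchange, as an added example that is not Samba or Windows code: a toy KDC resolves cifs/<host> through the implicit host/<host> SPN of the machine account, exactly as described above, and a Windows-7-style client refuses to continue when the server negotiated without CAP_EXTENDED_SECURITY but the KDC still knows the name. The HOST_ALIASES set is a constructed subset standing in for the domain's sPNMappings, and the machine names and SPNs are constructed test data; the IP-address case models the workaround of connecting by a name the KDC does not know.

```python
"""Model of the SMB1 downgrade check from the thread above.

Constructed example, not Samba or Windows code.  A toy KDC resolves a
service principal name the way the reply describes (cifs/<host> is implied
by the machine account's host/<host> SPN), and a Windows-7-style client
decides what to do when a server negotiates without extended security.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# SMB1 negotiate capability bit (MS-CIFS: CAP_EXTENDED_SECURITY).
CAP_EXTENDED_SECURITY = 0x80000000

# Service classes that AD maps onto the implicit host/ SPN.  Assumption:
# a short constructed subset; the real list is the domain's sPNMappings.
HOST_ALIASES = {"cifs", "http", "www"}


@dataclass
class ToyKDC:
    """Machine accounts and the SPNs registered on them (constructed data)."""
    accounts: dict[str, set[str]]

    def resolve_spn(self, spn: str) -> Optional[str]:
        """Return the account owning `spn`, or None if the KDC does not know it."""
        spn = spn.lower()
        for name, spns in self.accounts.items():
            if spn in spns:
                return name
        service, _, host = spn.partition("/")
        if service in HOST_ALIASES:
            # cifs/nt4test resolves through the implicit host/nt4test SPN,
            # which every domain member has by virtue of its account name.
            implicit = f"host/{host}"
            for name, spns in self.accounts.items():
                if implicit in spns:
                    return name
        return None

    def tgs_request(self, spn: str) -> bool:
        """True if a service ticket would be issued for `spn`."""
        return self.resolve_spn(spn) is not None


def smb_client_connect(target: str, server_caps: int, kdc: ToyKDC) -> str:
    """Outcome of a client negotiate against `target`, which answered with `server_caps`.

    Follows the MS-CIFS note quoted in the thread: when the server does not
    set CAP_EXTENDED_SECURITY, ask the KDC whether cifs/<target> is a known
    principal; if it is, treat the missing capability as a downgrade and stop.
    """
    if server_caps & CAP_EXTENDED_SECURITY:
        return "extended-security"      # SPNEGO (Kerberos or NTLMSSP) as usual
    if kdc.tgs_request(f"cifs/{target}"):
        return "downgrade-detected"     # KDC knows this host: refuse to fall back
    return "legacy-ntlm"                # unknown to the KDC: old-style auth proceeds


# Constructed domain: an NT4 member (only the implicit host/ SPN) and an AD
# member that registered cifs/ explicitly.
EXAMPLE_KDC = ToyKDC(accounts={
    "nt4test": {"host/nt4test"},
    "fileserver": {"host/fileserver", "cifs/fileserver"},
})

if __name__ == "__main__":
    cases = [("nt4test", 0), ("192.0.2.10", 0), ("fileserver", CAP_EXTENDED_SECURITY)]
    for target, caps in cases:
        outcome = smb_client_connect(target, caps, EXAMPLE_KDC)
        print(f"{target:12s} caps=0x{caps:08x} -> {outcome}")
```

Connecting to the NT4 box by its registered name fails the check because the KDC would issue a ticket for cifs/nt4test; connecting by IP address (or any name without a machine account) passes, which is why that workaround helps. The check only protects names the KDC can vouch for, so a member that can still negotiate plain NTLM is, as noted above, not covered by it.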




Re: [Samba] Error on classic upgrade - valid group

2013-07-30 Thread Andrew Bartlett
On Tue, 2013-07-23 at 20:41 -0300, Jonis Maurin Ceará wrote:
> Hi.
> 
> I'm trying to convert from s3 to s4 using classic upgrade. I have LDAP
> backend and i'm getting this error:
> 
> Ignoring group 'pgrd' S-1-5-21-511255529-1355219746-1726288727-3007 listed
> but then not found: Unable to enumerate group members,
> (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
> 
> 
> The problem is that this group is valid and almost all our users are in
> this group, so i can't just ignore. Brownsing my ldap i can find and see
> this group and this SID. What could be wrong?

How are they members of this group?  

The thing that Samba's classicupgrade code does that the operational
Samba 3.x DC didn't do by default is set 'ldapsam:trusted = yes'.  This
means that if you were using groupOfNames based groups, we might not
read that correctly in our internal handler, but nss_ldap would have, if
configured.

It's just a guess, but somewhere to start.  Otherwise, perhaps look at
this group and see if there is anything different about it?  Can you
show me the LDIF?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz



Re: [Samba] Does anyone think a mini-Samba server would be useful?

2013-07-30 Thread Andrew Bartlett
On Wed, 2013-07-24 at 11:19 -0700, Paul D. DeRocco wrote:
> I'm working on a couple of Yocto Project based embedded projects, one using
> a Gumstix Overo board and the other using an Intel Atom motherboard. Both
> need a simple Samba server, which isn't included in the standard build. The
> only existing Yocto-compatible recipe for Samba is an OpenEmbedded one for
> version 3.6.8. I was quite surprised to find that adding Samba almost
> tripled the size of my Atom build. I understand that version 4 is quite a
> bit smaller, but we're still talking many tens of megabytes of stuff.
> 
> I would think there would be lots of people in my boat, who are doing
> embedded systems and who would like to include a really simple SMB file
> server. For instance, a data acquisition system needs to record large
> amounts of data to a local disk, and then provide access to it over a
> network so people can bring it into Matlab or other tools. A CNC machine
> tool system needs a way to have Gerber or other files loaded into them. A
> media server needs to be able to serve up video or audio files. Any embedded
> device needs to have a way of being fed configuration data, or having its
> firmware upgraded.
> 
> The requirements for such a system are much smaller than what Samba
> provides:
> 
> * It only needs to serve files, not printers or other resources.

> I wonder if there's a way to build such a mini-Samba out of the existing
> Samba code base. It's certainly way above my abilities, but it may be
> something that someone on the Samba team could do without mounting a major
> development effort. How many other people would find such a system useful?

One thing we have found when developing Samba is that very quickly we
find that one thing depends on another.  It isn't easy to 'just do the
basics'.  Indeed, the AD DC isn't actually that large, compared with so
much else that we need.

That isn't to say that for example printing comes free - and I think
there even is an option to disable that code - but a 'cut down samba'
isn't free either.  Much of the bulk comes from library code we have
come to depend on across the whole server.

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] AD DC and the Guest account

2013-07-29 Thread Andrew Bartlett
On Thu, 2013-07-25 at 17:07 +0200, i...@bugblatterbeast.de wrote:
> I'm using samba4.0.1 and it works very well in general. Unfortunately  
> I'm missing something like "map to guest = bad user" and I can't get  
> the Guest account to work. Is there any way to set up some public  
> shares on an AD DC ?
> 
> [global]
>  workgroup = DOMAIN
>  realm = DOMAIN.LOCAL
>  netbios name = HOST
>  server role = active directory domain controller
>  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,  
> drepl, winbind, ntp_signd, kcc, dnsupdate
> 
>  logon path = \\%L\profiles\%U
>  logon home = \\%L\%U\.9xprofile
>  logon drive = U:
> 
>  printcap name = /dev/null
>  load printers = no
>  printing = bsd
> 
>  interfaces = eth0
>  guest ok = yes
>  security = user
>  map to guest = bad user

In general they are a bad idea on the DC, and I can't recall right now
if we just talked about the patch to have it based on enabling the Guest
account in the sam, or did the work.  Certainly when matching windows
(which I would like to do for this, but understand the desire to also
have the smb.conf option work) the correct way is to see if Guest is
enabled.

Otherwise, it is a known issue, so at least don't feel bad about hitting
it.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] "./configure" LDAP checks failing on AIX

2013-07-29 Thread Andrew Bartlett
On Thu, 2013-07-25 at 14:40 +, Gilles Pion wrote:
> Samba version 4.0.7
> Aix 6.1
> Compiler: IBM xlc
> 
> Last lines of "./configure" output:
> Checking for ldap_init : not found 
> Checking for ldap_init_fd : not found 
> Checking for ldap_initialize : not found 
> Checking for ldap_set_rebind_proc : not found 
> Checking for ldap_add_result_entry : ok 
> Checking whether ldap_set_rebind_proc takes 3 arguments : ok 
> Active Directory support not available: LDAP support ist not available.
> /wscript:760: error: Active Directory support not found. 
> Use --without-ads for building without Active Directory support.
> 
> 
> Reason (verified)
> the generated "test.c" file user in configure checks doesn't have the 
> required 
> ldap include:
> #include 
> 
> 
> I've not found a "clean" way to patch configure to fix this
> 
> Anyone able to help?

Where is ldap.h on your system?  It may be enough to just specify
CFLAGS="-I/usr/local/openldap/include" ./configure

(if that is where ldap.h is).

If we have found ldap.h, it will be added to those tests.

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] samba4 - classicupgrade - problem - passdb.error uncaught exception - Cannot load backend methods for 'ldapsam:ldap://localhost' backend NT_STATUS_CANT_ACCESS_DOMAIN_INFO

2013-07-29 Thread Andrew Bartlett
On Tue, 2013-07-30 at 10:27 +0530, itsaheb wrote:
> Even after cleaning etc and private directories im still getting the same 
> error:
> 
> 
> Provisioning
> convert_string_talloc: Conversion not supported.*pdb_init_ldapsam:
> WARNING: Could not get domain info, nor add one to the
> domain. We cannot work reliably without it.*
> pdb backend ldapsam:ldap://localhost did not correctly init (error was
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
> ERROR(): uncaught exception - Cannot load backend
> methods for 'ldapsam:ldap://localhost' backend
> (-1073741606,NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
> 

I think you may have cleaned too much, or not have the right settings -
this means that the ldap server listening on port 389 localhost does not
have a copy of your Samba3 domain.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] NT4 clients

2013-07-29 Thread Andrew Bartlett
On Mon, 2013-07-29 at 19:29 -0400, Ryan Bair wrote:
> Yes, AD has explicit support for pre-2000 clients.
> 
> WINS is alive and well and name resolution is working.
> 
> I really think the bogus TGS reply is messing things up,  but I'd like to
> have someone more knowledgeable confirm the behavior is incorrect.

NT4 doesn't know about Kerberos, I think any TGS traffic is highly
likely a red herring.  Are you really sure the client is issuing it, and
you have no additional software installed on the NT4 machine?

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Samba 4 Slow Performance

2013-07-28 Thread Andrew Bartlett
On Sat, 2013-07-27 at 23:20 +0800, Kinglok, Fong wrote:
> Dear all,
> 
> After using samba 3 for two years, I have just spent totally one week
> finishing setting up a samba 4 file system in my working school.
> There are about 200 computers, 80+ staff, 1000 students and 10
> printers.  The AD was properly setup, mandatory profile and one GPO
> policy (which is printer download trust) is effective for all users.
> Logon script is for mapping four shares and 10 printers from the file
> server.   Also, I have setup two additional DCs (with AD replication
> and DHCP server) for two other subnets in the hope to speed up the
> logon process.
> 
> The benefits of Samba 4 are clear: more robust file serving
> (supporting the windows ACL), speedy printing (with the help of point
> and printer driver) and administration of AD through with windows
> remote admin tool.  However, logon speed is just far from good.
> 
> In the days of Samba 3.6, users can logon the system within 20
> seconds, even with more than 80 users logon in the same time (two
> classes students login during computer lesson).  Now, with only one
> user logging in (who is me), it takes nearly 60 seconds to do the
> logon.  I have tried disabling drive and printer mapping in logon
> script and applying a registry hack (note 1) shorten the profile
> waiting time in windows 7 client side but it makes no difference in
> logon speed.
> 
> I have taken a look on the document in sambaXP 2013:
> http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf
> 
> and two thread in samba-technical mailing list:
> https://lists.samba.org/archive/samba-technical/2013-January/089755.html
> https://lists.samba.org/archive/samba-technical/2013-May/092332.html
> 
> It seems that samba team is doing some great work in spotting the
> unindexed search in LDB as one of block in performance. 

It is one block, but it is the one we expect to really hit at around
1, not 1000-2000.  As Richard has indicated, what we need from you
is an indication of what operation is slow.  Timeouts of this order
indicate something different to a slow database - they indicate things
like DNS timing out. 

Once you work out which specific operation is blocking, we can
investigate more - be it in regards to your network, or our code, we
don't mind either way, but we need to work out which to look into.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Upgrading samba3 to samba4 on a new server, and running them both at the same time

2013-07-23 Thread Andrew Bartlett
On Tue, 2013-07-23 at 09:46 -0700, Scott Goodwin wrote:

> What I'm trying to avoid is having to physically set up a test network that
> is completely isolated from our live samba3 network, in order to test
> everything out.  If I can run them both on the same network, it would be so
> much easier for me. (Our server closet is pretty small, and the thought of
> physically wiring up a different switch with test workstations, etc, is not
> something I want to do if at all possible).

Use a test network.  

Once clients see an AD DC, they won't like the old server, particularly
for NT System Policies, or if they change their machine account
passwords.  Additionally, the DCs will fight over the PDC role netbios
name. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set

2013-07-23 Thread Andrew Bartlett
On Tue, 2013-07-23 at 20:38 +0100, Jonathan Hunter wrote:
> Hi,
> 
> In time honoured fashion I am replying to my own post, as I think I have
> figured out a workaround to my issue. Hopefully this will help others -
> here's what I did.
> 
> On 22 July 2013 22:01, Jonathan Hunter  wrote:
> 
> > Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7
> > from source), but I get the following:
> >
> [...]
> 
> >  ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM
> > -  <2035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set
> > DN - Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain
> > Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is
> > system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain
> > Controllers,DC=mydomain,DC=org'!> <>
> >
> 
> >
> After some careful googling, and trying to figure out what the heck a RID
> Set was, and why it couldn't be added, I discovered it was a property of a
> domain controller, and I think I should really have one against my existing
> DC - but I didn't.
> 
> First step was ADSI Edit, to create it - but then I discovered that whilst
> ADSI Edit can create many things, a RID Set is not one of them.
> 
> Second step was LDIFDE, I exported the RID Set from my other DC (in the
> other site), edited the LDIF to make a new RID Set for my existing DC - but
> couldn't import it ("The server is unwilling to process the request")
> 
> Finally I hit upon the plan of transferring the RIDAllocationMaster FSMO
> role across between the DCs:
> 
> second-existing-dc# samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
> message must have elements/attributes!
> 
> The transfer was successful, but some kind of error occurred.. (!)

The error is a red herring, resolved in current versions.  There wasn't
actually an error :-)

> But, I was able to transfer the role back to the first DC - and this time,
> a RID Set finally appeared in AD! I did, however, get exactly the same
> error. This happened however many times I transfer the role, and for any
> role (I tried all of them :-))
> 
> existing-dc# samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
> message must have elements/attributes!
> 
> Still.. I have now been able to successfully join my domain - which does
> solve my initial problem, so I'm happy there at least.
> 
> (Interestingly, my shiny new DC does not have a RID Set.. I'm not yet sure
> if this is good, or bad! :))

A DC should ask for a RID set to be created shortly after starting up,
and certainly when an attempt to create users is made.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Win 2003 DC Demotion

2013-07-23 Thread Andrew Bartlett
On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:
> All,
> 
> I've posted a few times about this but without response so it seems that 
> not many folks are trying to do this. So, before I spend many more hours 
> on this trying to make it work, a simple yes or no question:
> 
> Has anyone successfully demoted a Win 2003 PDC without error after 
> joining a Samba 4.x DC to it?
> 
> That's it. I'm primarily interested in "yes" responses but I'll take 
> what I can get.

It would help if you can describe the errors you get when this fails for
you.

It certainly is meant to work.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Building with debug symbols and different optimisation levels

2013-07-23 Thread Andrew Bartlett
On Thu, 2013-07-18 at 11:54 +0100, Edward Robbins wrote:
> Hello,
> I would like to build samba at different optimisation levels with debug
> symbols, in order to test a static analysis tool I have developed. I have
> found the configure option "--enable-developer", which I presume enables
> debug symbols and sets optimisation to O0, and "--enable-debug" (is the
> difference between these two options just the warning levels?), however I
> would also like to be able to enable debug symbols and set the optimisation
> level to O2.
> 
> I've been searching but cannot find a way to do this in the build system, I
> can't even find where the optimisation level is set, however, I am
> unfamiliar with waf. Is there a (even hacky) way to do this?

Just pass whatever CFLAGS you desire to the ./configure wrapper, and
they will be used.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] samba4 - error during classicupgrade

2013-07-15 Thread Andrew Bartlett
On Mon, 2013-07-15 at 10:01 +0200, Stéphane PURNELLE wrote:
> My main Administrator account is "Administrateur" because my
> workstations language is french. 
> 
> "Administrator" account is for server (Windows 2003 and Windows 2008) 
> 
> I have two administrator accounts for according to profile and
> language. 
> 
> If you log a french profile on a english workstation, profile will be
> modify for add english menu (Accessoires <-> accessories)... and this
> is not good. 
> 
> I already tried to modify python script for ignore "-500" test but
> when script read my "administrator" account, script hang because
> administrator alread exist (created by full provision I suppose) 

Just rename 'Administrator' to 'English Administrator' and then after
the upgrade, rename 'administrator' to "Administrateur".

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] samba4 - error during classicupgrade

2013-07-14 Thread Andrew Bartlett
On Tue, 2013-07-09 at 14:49 +0200, Stéphane PURNELLE wrote:
> Hi all, 
> 
> I found the problem, unsupported character in displayName prjLeudi+,
> samba don't like the charecter + in displayName. 

The bug here is that we should have escaped this value before we put it
into the DN. 

> Next problem: SID on user Administrator. 
> 
> samba-tool classicupgrade don't terminate correctly because I saw that 
> Administrator user don't have the correct SID (ending -500).
> 
> We have 2 administrator user (in french and in english) : 
> 
> Administrateur 
> Administrator 
> 
> SID S-1-5-21-4023731279-819928261-1073345436-500 is on user 
> Administrateur.
> 
> How can I force samba to by pass this test ? 

What is happening here is that we simply ignore the -500 user from your
import, and then re-add the administrator.  The issue is that we add it
in english, so if you have a second administrator (a bad idea in my
view) it will collide.  Just remove that from the import source before
you start.

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
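The reply above says the fix is to escape the value before it is placed in the DN. The following is an added example, not Samba's own upgrade code, showing why an unescaped "+" breaks a DN (it is the separator between attribute-value assertions of a multi-valued RDN) and what RFC 4514 escaping of the value looks like. The CN=Users container and the base DN are constructed for illustration:

```python
# RFC 4514 escaping for attribute values placed in an LDAP DN.  Added
# example, not Samba's code; the container (CN=Users) and the base DN used
# in user_dn() are assumptions for illustration.
SPECIAL_CHARS = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in an RDN.

    '+' separates attribute-value assertions within one RDN and ','
    separates RDNs, so both must be escaped, along with the other RFC 4514
    special characters.  A leading '#' and leading/trailing spaces are
    escaped too, and a NUL byte becomes the hex pair \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL_CHARS:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def split_avas(rdn_text: str) -> list:
    """Split one RDN into its attribute-value assertions on unescaped '+',
    which is how a DN parser sees the string.  A backslash escapes the
    character that follows it."""
    parts, cur, i = [], [], 0
    while i < len(rdn_text):
        ch = rdn_text[i]
        if ch == '\\' and i + 1 < len(rdn_text):
            cur.append(rdn_text[i:i + 2])
            i += 2
            continue
        if ch == '+':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def user_dn(name: str, base_dn: str, escape: bool = True) -> str:
    """Build a user DN from a raw name; escape=False reproduces the bug."""
    value = escape_dn_value(name) if escape else name
    return f"CN={value},CN=Users,{base_dn}"


if __name__ == "__main__":
    base = "DC=example,DC=com"          # constructed sample base DN
    bad = user_dn("prjLeudi+", base, escape=False)
    good = user_dn("prjLeudi+", base)
    # the naive split on ',' is only to pull out the first RDN for the demo
    print(bad, split_avas(bad.split(',')[0]))    # two AVAs, the second empty
    print(good, split_avas(good.split(',')[0]))  # a single AVA
```

Running it shows the unescaped form parsing as an RDN with an empty second assertion, which is exactly the kind of value an LDAP server will reject, while the escaped form parses as one assertion whose value is the original display name.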


Re: [Samba] WARNING to those running Samba on OpenIndiana or other Illumos based systems with > 16 groups

2013-07-14 Thread Andrew Bartlett
On Wed, 2013-04-24 at 10:31 +1000, Andrew Bartlett wrote:
> Just a heads-up, because this bug took me absolutely ages to chase down,
> and I want to save others the same pain.
> 
> Samba is perhaps the most prominent reason why you might find a user in
> more than 16 groups on a Unix system, and so this bug may at first
> appear to be a 'Samba issue' (that certainly is why it found its way to
> my attention :-)
> 
> https://www.illumos.org/issues/3691
> 
> In short, unless the group list we supply to setgroups() is sorted, if
> there are more than 16 groups, the Illumos kernel fails to honour some
> of the groups.  Presumably there is a bisection search being done. 
> 
> The symptom for Samba users is that as a user is added to more groups,
> they lose access to folders they previously had access to. 
> 
> Attached is a total hack that appears to resolve the issue, but the real
> fix needs to be in glibc or the kernel. 

Just as a follow-up, if you experience this please also see 
https://www.illumos.org/issues/3577 and
https://bugzilla.samba.org/show_bug.cgi?id=7588 for WORKAROUNDS if you
cannot fix/change your host OS.  There is a patch for nss_winbind and
smbd attached to that bug, both of which are required to ensure both
Samba and other unix applications see all the windows groups. 

As we have now had success getting this fixed upstream I've not had time
to get back to applying these to Samba when we run on Solaris, but the
view was that for the small cost of a qsort we probably should.  If a
DENY ACL is involved, this may also be a SECURITY issue, which is how we
finally got the root cause addressed upstream.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
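The message above guesses that the kernel does a bisection search over the supplementary group list, which only works when that list is sorted, and suggests that a qsort before setgroups() is the cheap fix on the Samba side. The following is an added example, not the patch attached to the Samba bug, that models that failure in Python: a membership check done by binary search misses real groups when the list is unsorted, and a small wrapper dedupes and sorts the list before handing it to os.setgroups(). The GID list is constructed sample data; the bisection model is the message's own assumption about the kernel, not a description of the Illumos implementation:

```python
import bisect
import os

# Constructed sample: 20 supplementary GIDs in the unsorted order a directory
# lookup might return them, more than the 16 the report gives as the threshold.
SAMPLE_GIDS = [10513, 1001, 20045, 513, 3000, 1500, 10001, 512, 4000, 2500,
               6000, 519, 7000, 8000, 518, 9000, 1100, 1200, 1300, 1400]


def groupmember_bisect(gid, groups):
    """Membership test the way a kernel using a binary search over the
    supplementary-group list would do it.  Only correct if `groups` is sorted
    (this models the message's assumption, not real kernel code)."""
    i = bisect.bisect_left(groups, gid)
    return i < len(groups) and groups[i] == gid


def missed_groups(groups):
    """GIDs that are present in the list but that the bisection lookup fails
    to find, i.e. groups the process would silently not be a member of."""
    return [g for g in groups if not groupmember_bisect(g, groups)]


def sorted_unique_gids(gids):
    """The order-independent fix: dedupe and sort before calling setgroups()."""
    return sorted(set(int(g) for g in gids))


def set_supplementary_groups(gids):
    """Apply the sorted list.  Needs root/CAP_SETGID; raises PermissionError
    otherwise, so callers without privilege can still use the helper above."""
    ordered = sorted_unique_gids(gids)
    os.setgroups(ordered)
    return ordered


if __name__ == "__main__":
    print("unsorted list, groups missed by bisection:", missed_groups(SAMPLE_GIDS))
    print("sorted list, groups missed by bisection:",
          missed_groups(sorted_unique_gids(SAMPLE_GIDS)))
    try:
        print("applied:", set_supplementary_groups(SAMPLE_GIDS))
    except PermissionError:
        print("not privileged; skipping os.setgroups()")
```

The security angle from the message is visible in the model: a DENY ACE on a group the lookup misses does not apply, so sorting is not only about restoring access but about making sure denials are honoured.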



Re: [Samba] About NAS versus Samba

2013-07-14 Thread Andrew Bartlett
On Fri, 2013-07-12 at 11:55 -0300, Fernando Lozano wrote:
> Hi Andrew,
> 
> > I work on a NAS product myself, and at this vendor and my previous 
> > vendor Samba 4.0 as an AD DC was all I ever needed to use to test the 
> > AD integration features of the NAS. Thanks, Andrew Bartlett 
> Please tell me which product this is, so I can contact the local 
> reseller. :-) You can send it to me in private if you think it would not be 
> ethical to advertise your employer on the list.

> If someone tells me "this product works" I can buy knowing that if something 
> bad happens it's something I can solve. Sometimes the management 
> interface for a product won't let you do things the embedded software 
> could do, so I don't want to risk a product without someone telling me 
> "this one worked for me".

My point was more that Samba 4.0 as an AD DC really is AD, certainly for
as much as a NAS cares about.  As discussed, most of these devices are
Samba based anyway, and Samba talks very well to our Samba AD DC.

The difference is with Samba's 'classic' domain mode (Samba 3.x),
because we use a different config option for that.  Some vendors do not
expose this functionality. 

That said, it isn't a secret that I work on the NETGEAR ReadyNAS.  

Previously I worked on the now discontinued Cisco Small Business NAS
product.

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Samba 4.0.6 update - login issues

2013-07-13 Thread Andrew Bartlett
On Sat, 2013-07-13 at 14:23 -0500, Kristofer Pettijohn wrote:
> Is it possible that this may be related to and fixed by the patch in
> this bug: https://bugzilla.samba.org/show_bug.cgi?id=9820

I really need you to tell me that, not the other way around. 

It seems unlikely however, but you are of course free to test.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba4 KCC

2013-07-11 Thread Andrew Bartlett
On Thu, 2013-07-11 at 03:42 -0500, Kristofer wrote:
> Is the KCC in Samba4 set up to honor site links?
> 
> I set up a few site links between sites (hub-spoke model), but Samba still 
> appears to be replicating everything everywhere from each domain controller.
> 
> Am I missing something?

One of our outstanding tasks is to replace our KCC with a new prototype
developed in python.  I don't know if it understands sites, but it was
designed rather than what we have now, which was just put in place as a
stop-gap. 

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

