Re: [Samba] Request to an old post - Having problem with Samba Internal DNS
On Wed, 2013-02-20 at 10:53 +, Alex Matthews wrote:
> Hiya,
>
> I am also having problems with this. When samba starts I get tsig verify
> failures:
>
> [2013/02/20 10:49:05, 0] ../source4/smbd/server.c:369(binary_smbd_main)
>   samba version 4.0.3 started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2012
> [2013/02/20 10:49:06, 0] ../source4/smbd/server.c:475(binary_smbd_main)
>   samba: using 'standard' process model
> [2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> [2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> [2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> [2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> [2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
>
> log level 3 = http://pastebin.com/ZJQR6hiJ
>
> Running dnsupdate shows it fails on the same records as above and
> dnsupdate --all-names fails on _ALL_ records.
>
> Is this correct behaviour? (I can't see that being the case)
> If not can someone suggest a way forward?

This is a known issue, that produces this cosmetic error.  We have a
patch to fix it, but want to add tests to ensure it does not regress
again in the future.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] is there an equivalent to libjcifs for Python?
On Wed, 2013-02-20 at 14:49 +0100, Jean-Daniel wrote:
> Hi list,
>
> What tools in Python can I use to:
> - connect to a remote share
> - list the files
> - list the ACLS of the files
> - get the content

Samba 4.0 ships with python bindings for our CIFS client, and can do
exactly this.

See source4/scripting/python/samba/netcmd/gpo.py for an example of how
to use it (it does almost exactly this actually, in the context of GPO
manipulation).

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 46ab33d build:autoconf: fix output of syslog-facility check from 3d29bb2 s3:rpc_client fix a crash http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 46ab33dc6753c135effedc204f3028a7e2bc2b1b Author: Björn Jacke b...@sernet.de Date: Wed Feb 20 19:57:24 2013 +0100 build:autoconf: fix output of syslog-facility check thanks to Thomas Bork for reporting! Signed-off-by: Bjoern Jacke b...@sernet.de Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Thu Feb 21 00:00:06 CET 2013 on sn-devel-104 --- Summary of changes: source3/configure.in |5 - 1 files changed, 4 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/configure.in b/source3/configure.in index 594f4b9..56c9190 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -4512,12 +4512,15 @@ AC_ARG_WITH(syslog-facility, if test $withval = no ; then AC_MSG_ERROR([argument to --with-syslog-facility must be a string]) else + AC_MSG_RESULT([$withval]) if test $withval != yes ; then syslog_facility=$withval AC_DEFINE_UNQUOTED(SYSLOG_FACILITY,$syslog_facility, [syslog facility to log to]) fi fi -]) +], +AC_MSG_RESULT(no) +) # # check for experimental disk-quotas support -- Samba Shared Repository
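Review bot: In the AC_ARG_WITH(syslog-facility, ...) hunk, the new `AC_MSG_RESULT([$withval])` is emitted before the `if test $withval != yes` test, so a bare `--with-syslog-facility` (no value) reports "yes" as the check result while SYSLOG_FACILITY is left undefined; consider reporting the facility actually selected, or a distinct message for the bare-"yes" case, so the configure log matches what ends up in config.h. Minor style point: the action-if-not-given branch uses unquoted `AC_MSG_RESULT(no)` while the other result is bracket-quoted; `AC_MSG_RESULT([no])` keeps the two consistent and avoids any m4 expansion surprises.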
Re: [Samba] ldap+kerberos+samba
On Mon, 2013-02-18 at 16:52 -0300, Friedrich Locke wrote:
> Dear list members,
>
> i am trying to get ldap + samba + kerberos working and have tried to
> make the proper configuration. Integrating samba + ldap was pretty easy,
> but getting kerberos to work seems a nightmare.
>
> Here it is what i tried (copy and pasted from my link client):
>
> harley@802-1x:/etc/samba$ kdestroy
> harley@802-1x:/etc/samba$ kinit
> har...@ufv.br's Password:
> harley@802-1x:/etc/samba$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: har...@ufv.br
>
>   Issued                Expires               Principal
> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/ufv...@ufv.br
> harley@802-1x:/etc/samba$ smbclient //802-1x.cpd.ufv.br/printers -k
> session setup failed: NT_STATUS_LOGON_FAILURE
> harley@802-1x:/etc/samba$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: har...@ufv.br
>
>   Issued                Expires               Principal
> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/ufv...@ufv.br
> Feb 18 15:53:44 2013  Feb 18 19:53:33 2013  cifs/802-1x.cpd.ufv...@ufv.br
> harley@802-1x:/etc/samba$
>
> We can realize that smbclient is fetching the ticket to cifs service.
> But why NT_STATUS_LOGON_FAILURE ? Nothing appears on smbd logs.

How is samba connected to the krb5 realm?  What configuration options
have you set to make it use a keytab?

That all said, this kind of frustration is why I worked so hard on Samba
4.0 as an AD DC, because it provides the server-side integration of
LDAP, Kerberos and the Domain protocols that allow Samba and windows
member servers to join it, and for it to 'just work'.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8adbd1c srv_epmapper.c: Fix typo. via 240df6c wb_samba3_cmd.c: Fix typo in comment. via b22b22d brlock_tdb.c: Fix typo in comment. via 75ca814 srv_netlog_nt.c: Fix typo in comment. via 6eb59eb brlock.c: Fix typo in comment. via 38cb141 vfs_gpfs: Fix typos in comments. via 2ed035b fault.c: Fix typo in comment. via 68b2e30 docs: Fix typo. from dcc94f0 s4-nbt: Ensure source4/ nbt client and server honour 'disable netbios' http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8adbd1cf75492869f7fd1935eb211a070ef924cc Author: Karolin Seeger ksee...@samba.org Date: Mon Feb 18 10:25:09 2013 +0100 srv_epmapper.c: Fix typo. priviledge - privilege Signed-off-by: Karolin Seeger ksee...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Mon Feb 18 13:57:40 CET 2013 on sn-devel-104 commit 240df6c7b05e3c5c7be80d7607824147f360d64e Author: Karolin Seeger ksee...@samba.org Date: Mon Feb 18 10:05:23 2013 +0100 wb_samba3_cmd.c: Fix typo in comment. redundent - redundant Signed-off-by: Karolin Seeger ksee...@samba.org commit b22b22dccac6d3bdf7f02d9fe037a472df7956fd Author: Karolin Seeger ksee...@samba.org Date: Mon Feb 18 10:04:42 2013 +0100 brlock_tdb.c: Fix typo in comment. redundent - redundant Signed-off-by: Karolin Seeger ksee...@samba.org commit 75ca814f1efe435da018f7604865fda7ac59f712 Author: Karolin Seeger ksee...@samba.org Date: Mon Feb 18 10:03:51 2013 +0100 srv_netlog_nt.c: Fix typo in comment. redundent - redundant Signed-off-by: Karolin Seeger ksee...@samba.org commit 6eb59eb388ac7b98f7f7812e45ad4c8d333f03e8 Author: Karolin Seeger ksee...@samba.org Date: Mon Feb 18 10:02:51 2013 +0100 brlock.c: Fix typo in comment. redundent - redundant Signed-off-by: Karolin Seeger ksee...@samba.org commit 38cb1410f5107f42ddea9cbf9555adb273b35b18 Author: Karolin Seeger ksee...@samba.org Date: Mon Feb 18 10:01:21 2013 +0100 vfs_gpfs: Fix typos in comments. 
Signed-off-by: Karolin Seeger ksee...@samba.org commit 2ed035b5a064e21f57c89adc9c947ffa7721c600 Author: Karolin Seeger ksee...@samba.org Date: Mon Feb 18 09:59:52 2013 +0100 fault.c: Fix typo in comment. redundent - redundant Signed-off-by: Karolin Seeger ksee...@samba.org commit 68b2e30ae62d8a563cb7ee35e10c45fe0266c612 Author: Karolin Seeger ksee...@samba.org Date: Wed Feb 6 09:08:15 2013 +0100 docs: Fix typo. Signed-off-by: Karolin Seeger ksee...@samba.org --- Summary of changes: .../smbdotconf/printing/showaddprinterwizard.xml |2 +- lib/util/fault.c |2 +- prog_guide4.txt|6 +++--- source3/locking/brlock.c |2 +- source3/modules/vfs_gpfs.c |4 ++-- source3/rpc_server/epmapper/srv_epmapper.c | 10 +- source3/rpc_server/netlogon/srv_netlog_nt.c|2 +- source4/ntvfs/common/brlock_tdb.c |2 +- source4/winbind/wb_samba3_cmd.c|2 +- 9 files changed, 16 insertions(+), 16 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/printing/showaddprinterwizard.xml b/docs-xml/smbdotconf/printing/showaddprinterwizard.xml index f6c1b90..f24bdb5 100644 --- a/docs-xml/smbdotconf/printing/showaddprinterwizard.xml +++ b/docs-xml/smbdotconf/printing/showaddprinterwizard.xml @@ -14,7 +14,7 @@ paraUnder normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges. If the user does not have administrative -access on the print server (i.e is not root or the priviledge +access on the print server (i.e is not root or has granted the SePrintOperatorPrivilege), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level. This should succeed, however the APW diff --git a/lib/util/fault.c b/lib/util/fault.c index 4f8e8db..13d29db 100644 --- a/lib/util/fault.c +++ b/lib/util/fault.c 
@@ -76,7 +76,7 @@ static void fault_report(int sig) smb_panic(internal error); - /* smb_panic() never returns, so this is really redundent */ + /* smb_panic() never returns, so this is really redundant */ exit(1); } diff --git a/prog_guide4.txt b/prog_guide4.txt index c8c91c4..0a33284 100644 --- a/prog_guide4.txt +++ b/prog_guide4.txt @@ -267,7 +267,7 @@ parser where to find the following four variables, but they should In Samba3 there were unwritten rules about which
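Review bot: The showaddprinterwizard.xml hunk trades one slip for another: the new text "(i.e is not root or has granted the SePrintOperatorPrivilege)" should read "has been granted", since the user is the recipient of the privilege, and "i.e" wants its trailing period. The fault.c hunk and the truncated prog_guide4.txt hunk are comment- and documentation-only spelling fixes with no effect on code paths; nothing further to raise there, but note the changeset is cut at 500 lines so the remaining files in the summary (brlock.c, vfs_gpfs.c, srv_epmapper.c, srv_netlog_nt.c, brlock_tdb.c, wb_samba3_cmd.c) are not reviewable from this message.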
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 06780ae samba_upgradeprovision: Remove options to fix FS ACLs from cfebce3 s3:smbd: add debugging to close code (regarding disconnect of a durable) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 06780ae82281fb62a08d0c3604d2e679976756c2 Author: Andrew Bartlett abart...@samba.org Date: Sat Feb 16 08:51:51 2013 +1100 samba_upgradeprovision: Remove options to fix FS ACLs samba-tool ntacl sysvolreset handles this better, and makes this tool much less confusing internally. Andrew Bartlett Reviewed-by: Matthieu Patou m...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Tue Feb 19 06:06:41 CET 2013 on sn-devel-104 --- Summary of changes: source4/scripting/bin/samba_upgradeprovision | 427 +++--- source4/scripting/python/samba/upgradehelpers.py | 49 +--- 2 files changed, 205 insertions(+), 271 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision index e2c57f2..570f783 100755 --- a/source4/scripting/bin/samba_upgradeprovision +++ b/source4/scripting/bin/samba_upgradeprovision @@ -186,12 +186,6 @@ parser.add_option(--debugchangesd, action=store_true, help=Print security descriptor differences) parser.add_option(--debugall, action=store_true, help=Print all available information (very verbose)) -parser.add_option(--resetfileacl, action=store_true, - help=Force a reset on filesystem acls in sysvol / netlogon share) -parser.add_option(--nontaclfix, action=store_true, - help=In full upgrade mode do not try to upgrade sysvol / netlogon acls) -parser.add_option(--fixntacl, action=store_true, - help=Only fix NT ACLs in sysvol / netlogon share) parser.add_option(--db_backup_only, action=store_true, help=Do the backup of the database in the provision, skip the sysvol / netlogon shares) parser.add_option(--full, action=store_true, 
@@ -1726,8 +1720,6 @@ if __name__ == '__main__': global defSDmodified defSDmodified = False -if opts.nontaclfix and opts.fixntacl: -message(SIMPLE, nontaclfix and fixntacl are mutally exclusive) # From here start the big steps of the program # 1) First get files paths paths = get_paths(param, smbconf=smbconf) 
@@ -1787,225 +1779,214 @@ if __name__ == '__main__': adm_session = admin_session(lp, str(names.domainsid)) # So we reget handle on objects # ldbs = get_ldbs(paths, creds, adm_session, lp) -if not opts.fixntacl: -if not sanitychecks(ldbs.sam, names): -message(SIMPLE, Sanity checks for the upgrade have failed. -Check the messages and correct the errors -before rerunning upgradeprovision) -ldbs.groupedRollback() -sys.exit(1) -# Let's see provision parameters -print_provision_key_parameters(names) - -# 5) With all this information let's create a fresh new provision used as -# reference -message(SIMPLE, Creating a reference provision) -provisiondir = tempfile.mkdtemp(dir=paths.private_dir, -prefix=referenceprovision) -result = newprovision(names, creds, session, smbconf, provisiondir, -provision_logger) -result.report_logger(provision_logger) - -# TODO -# 6) and 7) -# We need to get a list of object which SD is directly computed from -# defaultSecurityDescriptor. -# This will allow us to know which object we can rebuild the SD in case -# of change of the parent's SD or of the defaultSD. -# Get file paths of this new provision -newpaths = get_paths(param, targetdir=provisiondir) -new_ldbs = get_ldbs(newpaths, creds, session, lp) -new_ldbs.startTransactions() - -populateNotReplicated(new_ldbs.sam, names.schemadn) -# 8) Populate some associative array to ease the update process -# List of attribute which are link and backlink -populate_links(new_ldbs.sam, names.schemadn) -# List of attribute with ASN DN synthax) -populate_dnsyntax(new_ldbs.sam, names.schemadn) -# 9) -update_privilege(newpaths.private_dir, paths.private_dir) -# 10) -oem = getOEMInfo(ldbs.sam, str(names.rootdn)) -# Do some modification on sam.ldb -ldbs.groupedCommit() -new_ldbs.groupedCommit
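Review bot: The first hunk deletes the `--resetfileacl`, `--nontaclfix` and `--fixntacl` `parser.add_option(...)` entries outright, so any existing invocation of samba_upgradeprovision that passes them will now fail at option parsing with no hint of the replacement; the help text, the man page and the release notes should point users at `samba-tool ntacl sysvolreset`, which the commit message names as the better tool. The second hunk consistently drops the `nontaclfix`/`fixntacl` mutual-exclusion check that no longer has anything to guard. The large hunk at @@ -1787,225 +1779,214 @@ is truncated by the 500-line cut (the message ends mid-statement at `new_ldbs.groupedCommit`), so the sanity-check and reference-provision flow after the `if not opts.fixntacl:` removal cannot be fully reviewed here; please confirm that `sanitychecks(ldbs.sam, names)` is still run unconditionally in the de-indented code.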
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2cf83f7 samba_upgradeprovision: Use tdb_util.tdb_copy not shutil.copy2 via 3c51e18 samba_upgradeprovision: Do not update privileges.ldb any more (unchanged since 2009) via 396df64 scripting: Make tdb_copy a common util function in samba.tdb_util via 2c2759e scripting: Make tdb_copy use the python subprocess module from 06780ae samba_upgradeprovision: Remove options to fix FS ACLs http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2cf83f7c645e4b216cf6f23857fd72ec0e6ca7a6 Author: Andrew Bartlett abart...@samba.org Date: Sun Feb 17 18:15:52 2013 +1100 samba_upgradeprovision: Use tdb_util.tdb_copy not shutil.copy2 This is really important, because copying a file will both ignore locks held by another process and break any locks we hold (due to POSIX brain-damage regarding multiple fds on one file in a process). By leaving this to tdbbackup in a child, both of these issues are avoided. Andrew Bartlett Reviewed-by: Matthieu Patou m...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Tue Feb 19 07:48:18 CET 2013 on sn-devel-104 commit 3c51e18a0cd1cb4b54cd29e312abd7cc2c0fbc98 Author: Andrew Bartlett abart...@samba.org Date: Sun Feb 17 18:41:00 2013 +1100 samba_upgradeprovision: Do not update privileges.ldb any more (unchanged since 2009) This update was only a total oblitoration of the existing database and not a merge, and the shutil.copy would both disregard and break locks on the database that are held at this point. Andrew Bartlett Reviewed-by: Matthieu Patou m...@samba.org commit 396df64ef6f2c66c35989ecda3e564d5578fe9f3 Author: Andrew Bartlett abart...@samba.org Date: Sun Feb 17 18:14:06 2013 +1100 scripting: Make tdb_copy a common util function in samba.tdb_util This will allow samba_upgradeprovision to also call it. 
Andrew Bartlett Reviewed-by: Matthieu Patou m...@samba.org commit 2c2759e408d9c45c2aee0c2578f45edd246afec3 Author: Andrew Bartlett abart...@samba.org Date: Sun Feb 17 17:57:42 2013 +1100 scripting: Make tdb_copy use the python subprocess module This makes the code more robust to spaces in the file names (etc). Andrew Bartlett Reviewed-by: Matthieu Patou m...@samba.org --- Summary of changes: source4/scripting/bin/samba_upgradeprovision | 51 --- .../scripting/python/samba/provision/sambadns.py | 23 + source4/scripting/python/samba/tdb_util.py | 41 3 files changed, 66 insertions(+), 49 deletions(-) create mode 100644 source4/scripting/python/samba/tdb_util.py Changeset truncated at 500 lines: diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision index 570f783..25c3ac2 100755 --- a/source4/scripting/bin/samba_upgradeprovision +++ b/source4/scripting/bin/samba_upgradeprovision @@ -40,6 +40,7 @@ import samba.getopt as options from base64 import b64encode from samba.credentials import DONT_USE_KERBEROS from samba.auth import system_session, admin_session +from samba import tdb_util from ldb import (SCOPE_SUBTREE, SCOPE_BASE, FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE, MessageElement, Message, Dn, LdbError) @@ -1470,7 +1471,7 @@ def simple_update_basesamdb(newpaths, paths, names): :param names: List of key provision parameters message(SIMPLE, Copy samdb) -shutil.copy(newpaths.samdb, paths.samdb) +tdb_util.tdb_copy(newpaths.samdb, paths.samdb) message(SIMPLE, Update partitions filename if needed) schemaldb = os.path.join(paths.private_dir, schema.ldb) 
@@ -1482,31 +1483,19 @@ def simple_update_basesamdb(newpaths, paths, names): os.mkdir(samldbdir) os.chmod(samldbdir, 0700) if os.path.isfile(schemaldb): -shutil.copy(schemaldb, os.path.join(samldbdir, +tdb_util.tdb_copy(schemaldb, os.path.join(samldbdir, %s.ldb%str(names.schemadn).upper())) os.remove(schemaldb) if os.path.isfile(usersldb): -shutil.copy(usersldb, os.path.join(samldbdir, +tdb_util.tdb_copy(usersldb, os.path.join(samldbdir, %s.ldb%str(names.rootdn).upper())) os.remove(usersldb) if os.path.isfile(configldb): -shutil.copy(configldb, os.path.join(samldbdir, +tdb_util.tdb_copy(configldb, os.path.join(samldbdir, %s.ldb%str(names.configdn).upper())) os.remove(configldb) -def update_privilege(ref_private_path, cur_private_path): -Update the privilege
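Review bot: The hunks replacing `shutil.copy(...)` with `tdb_util.tdb_copy(...)` in simple_update_basesamdb call it purely for its side effect and never look at a return value, and each copy is immediately followed by `os.remove(...)` of the source; that means `tdb_copy` must raise (not return a status) when the tdbbackup child exits non-zero, or a failed copy would silently be followed by deletion of the only remaining copy of the database. The new source4/scripting/python/samba/tdb_util.py is outside the visible (truncated) changeset, so please confirm it checks the subprocess exit code and that the commit message's lock-safety argument (copying via a child process rather than a second fd in this process) matches what the helper does. If `shutil` is no longer referenced anywhere in samba_upgradeprovision after these changes, its import can be dropped alongside the new `from samba import tdb_util`.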
[Samba] PROPOSAL: Remove SWAT in Samba 4.1
As most of you would have noticed, we have now had 3 CVE-nominated
security issues for SWAT in the past couple of years.

At the same time, while I know many of our users use SWAT, we just don't
have anybody to maintain it inside the Samba Team.  Kai has made a
valiant effort to at least apply the XSS and CSRF guidelines when folks
make security reports, but by his own admission he isn't a web developer
- none of us are!

There are many other parts of Samba that have not been substantially
maintained in years, but few have the level of security exposure that
SWAT does (most are bits of library and utility code that we apply
elsewhere, but which just quietly does its own job).

The issue isn't that we can't write secure code, but that writing secure
Web code where we can't trust the authenticated actions of our user's
browser is a very different model to writing secure system code.
Frankly it just isn't our area.

Therefore, it was suggested on a private list that we just drop SWAT.

I want to start a public discussion on that point, prompted by
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700729 which reminds us
why we didn't apply the specific CSRF hardening we applied in 4.0.2 to
SWAT in the first place.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] PROPOSAL: Remove SWAT in Samba 4.1
On Sun, 2013-02-17 at 20:52 -0500, Nico Kadel-Garcia wrote:
> On Sun, Feb 17, 2013 at 7:02 PM, Andrew Bartlett abart...@samba.org wrote:
>> As most of you would have noticed, we have now had 3 CVE-nominated
>> security issues for SWAT in the past couple of years.
>
> Has webmin kept up to date with the latest structural changes in
> smb.conf? I'll admit that I've long preferred the webmin module
> structure over the dedicated add-on structures of swat.

It seems webmin has much the same challenges, perhaps because it's a
package of a similar age.  Or web security is just hard...

http://www.webmin.com/security.html

smb.conf hasn't changed structure in a long time, but we do add/remove
options each release.  Neither is likely to do the AD DC stuff very well
right now.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dcc94f0 s4-nbt: Ensure source4/ nbt client and server honour 'disable netbios' from 6dfb35f Fallback to the internal resolver on EAI_FAIL. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dcc94f093317ffa2bbbc776fb82657088eb63305 Author: Andrew Bartlett abart...@samba.org Date: Wed Feb 6 20:58:18 2013 +1100 s4-nbt: Ensure source4/ nbt client and server honour 'disable netbios' Reviewed-by: Stefan Metzmacher me...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Sun Feb 17 11:25:34 CET 2013 on sn-devel-104 --- Summary of changes: source4/libcli/resolve/resolve_lp.c |8 ++-- source4/nbt_server/nbt_server.c |5 + 2 files changed, 11 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/libcli/resolve/resolve_lp.c b/source4/libcli/resolve/resolve_lp.c index 69c05a2..92e11f0 100644 --- a/source4/libcli/resolve/resolve_lp.c +++ b/source4/libcli/resolve/resolve_lp.c @@ -32,9 +32,13 @@ struct resolve_context *lpcfg_resolve_context(struct loadparm_context *lp_ctx) for (i = 0; methods != NULL methods[i] != NULL; i++) { if (!strcmp(methods[i], wins)) { - resolve_context_add_wins_method_lp(ret, lp_ctx); + if (lpcfg_disable_netbios(lp_ctx) == false) { + resolve_context_add_wins_method_lp(ret, lp_ctx); + } } else if (!strcmp(methods[i], bcast)) { - resolve_context_add_bcast_method_lp(ret, lp_ctx); + if (lpcfg_disable_netbios(lp_ctx) == false) { + resolve_context_add_bcast_method_lp(ret, lp_ctx); + } } else if (!strcmp(methods[i], file)) { resolve_context_add_file_method_lp(ret, lp_ctx); } else if (!strcmp(methods[i], host)) { diff --git a/source4/nbt_server/nbt_server.c b/source4/nbt_server/nbt_server.c index 175ad5e..232fb9d 100644 --- a/source4/nbt_server/nbt_server.c +++ b/source4/nbt_server/nbt_server.c 
@@ -48,6 +48,11 @@ static void nbtd_task_init(struct task_server *task) return; } + if (lpcfg_disable_netbios(task-lp_ctx)) { + task_server_terminate(task, nbtd: 'disable netbios = yes' set in smb.conf, shutting down nbt server, false); + return; + } + task_server_set_title(task, task[nbtd]); nbtsrv = talloc(task, struct nbtd_server); -- Samba Shared Repository
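Review bot: In the resolve_lp.c hunk the two `if (lpcfg_disable_netbios(lp_ctx) == false)` guards silently drop the `wins` and `bcast` entries of `name resolve order`; a DEBUG line in the else path would make it much easier to see why names stop resolving when an administrator sets `disable netbios = yes` but leaves wins/bcast in the resolve order, and the two guards could be folded into a single helper to avoid the duplicated test. In the nbt_server.c hunk the early `task_server_terminate(task, "nbtd: 'disable netbios = yes' set in smb.conf, shutting down nbt server", false)` followed by `return` correctly happens before `talloc(task, struct nbtd_server)`, so no server state is allocated for a task that is about to go away; the message could be shortened to fit the usual line length but is otherwise fine.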
Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote:
> On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
>> On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
>>> Thank you, Andrew. Just to be clear, you're saying I can upgrade to
>>> 4.0.3 (but do nothing after make install)? If it will make things
>>> worse in any way, I can stay at 4.0.0.
>>>
>>> Thanks,
>>> Thomas.
>>
>> It's fine to upgrade.  That protects you against the security issue we
>> fixed in 4.0.1, and makes a significant number of other fixes.
>>
>> My current testing shows that:
>>
>> samba_upgradeprovision --full
>> dbcheck --cross-ncs [--fix [--yes]]
>>
>> Will break some ACLs on DNS, and not fix one of the ACLs on the DC's
>> own LDAP object.  The --full is important, without that the result is
>> actually worse (as far as I can tell).
>>
>> I would like to make some progress on this before I recommend it as
>> the final solution.  It is however pretty close, and better than what
>> is in the database right now.
>
> I retract any advice to run this tool.  I hope to have patches soon,
> but for the moment it treats any beta or release version as being
> *before* alpha9.  Essentially we have been caught out by a regex that
> never expected Samba to move beyond endless alphas :-)

Please do not run samba_upgradeprovision under any circumstances, until
I have tested patches to fix this.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6dfb35f Fallback to the internal resolver on EAI_FAIL. from 05235d5 tdb: Fix a typo http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6dfb35f3ff7ad2d2089c0a3e5eab342384e45e4c Author: Landon Fuller land...@bikemonkey.org Date: Sat Feb 16 22:57:40 2013 -0500 Fallback to the internal resolver on EAI_FAIL. On Linux, non-RFC 1034-complaint names (such as gc._msdsc.example.org) will result in the resolver returning the non-POSIX EAI_NODATA. In that case, the case statement here would fall back on the internal resolver, allowing resolution to complete successfully. On FreeBSD, the libc resolver uses the same validation code, but the POSIX result of EAI_FAIL is returned instead of EAI_NODATA. Since there was no case for this error code, no fallback to the internal resolver would occur. This led to replication failing on FreeBSD. Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Sun Feb 17 07:06:36 CET 2013 on sn-devel-104 --- Summary of changes: source4/libcli/resolve/dns_ex.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/libcli/resolve/dns_ex.c b/source4/libcli/resolve/dns_ex.c index bc64e8d..1226ed6 100644 --- a/source4/libcli/resolve/dns_ex.c +++ b/source4/libcli/resolve/dns_ex.c @@ -400,8 +400,10 @@ static void run_child_getaddrinfo(struct dns_ex_state *state, int fd) #ifdef EAI_NODATA case EAI_NODATA: #endif + case EAI_FAIL: + /* Linux returns EAI_NODATA on non-RFC1034-compliant names. FreeBSD returns EAI_FAIL */ case EAI_NONAME: - /* getaddrinfo() doesn't handle CNAME records */ + /* getaddrinfo() doesn't handle CNAME or non-RFC1034 compatible records */ run_child_dns_lookup(state, fd); return; default: -- Samba Shared Repository
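Review bot: Adding `case EAI_FAIL:` above `case EAI_NONAME:` widens the fallback so that every non-recoverable getaddrinfo() failure, not only the non-RFC1034-name case the new comment describes, now goes to `run_child_dns_lookup(state, fd)`; that is probably what is wanted (the internal resolver is the more capable path anyway), but the comment should say so explicitly so a later reader does not narrow it back and reintroduce the FreeBSD replication failure the commit message describes. Style points on the same hunk: the new comment line runs well past 80 columns and should be wrapped, and the two comments say "non-RFC1034-compliant names" and "non-RFC1034 compatible records" for the same thing; pick one wording.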
Re: [Samba] [Samba 4.0] Floating KVNO
On Fri, 2013-02-15 at 10:22 +0100, Kaito Kumashiro wrote:
> On Fri, Feb 15, 2013 at 2:26 AM, Andrew Bartlett abart...@samba.org wrote:
>>> I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in
>>> a while however I have to regenerate a keytab, because for reasons
>>> unknown to me, the KVNO is increased by one. I'm not doing anything
>>> with an account the SPN is bound to. The KVNO seems to change
>>> automagically after few days and service cannot talk to the KDC unless
>>> I create a new keytab.
>>>
>>> What can cause the KVNO (and probably the keys) to change
>>> automagically? Is there a way to disable this?
>>
>> In AD, the KVNO is based on the replication metadata, specifically the
>> version number for the unicodePwd attribute.  It should only change if
>> that attribute is changed.
>>
>> What is the client in this case?
>
> I'm 100% positive the account with SPN has not been changed in any way
> by me or my co-workers. It's a computer account (CN=Computers), so I
> don't see a way any client could reset the password.
>
> On the other side is Postgres 9.2.2 (with GSSAPI). For example,
> yesterday it asked me politely to go away, because KDC returned KVNO 18
> (what was shown in an error message) and keytab had KVNO 17 (what I
> confirmed with ktutil).

Do you have more than one DC?  Are you sure they are replicating
correctly?

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
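Both questions in this thread (is the keytab simply stale, or do the DCs disagree about the account's key version?) come down to comparing key version numbers, so here is an added diagnostic for that, written for this page and not code from Samba or from the posters. It assumes the keytab listing is MIT `klist -k` output and that each DC's KVNO for the account was read from its msDS-KeyVersionNumber attribute; the sample listing and per-DC values below are constructed.

```python
"""Check a service keytab's KVNO against the key version each DC reports.

Added example, not Samba project code. Assumptions (labelled): keytab
listing in MIT `klist -k` format; per-DC numbers are the account's
msDS-KeyVersionNumber as read from each DC. All sample data is constructed.
"""
import re
from dataclasses import dataclass

# One entry line of `klist -k` output: "<kvno> <principal@REALM>".
# The "Keytab name:", "KVNO Principal" and "----" lines do not match.
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_keytab_listing(listing: str) -> dict:
    """Return {principal: sorted list of KVNOs present} from `klist -k` text.

    A keytab may legitimately hold several versions of one principal's key
    (old and new), which is why a list is kept rather than a single number.
    """
    found = {}
    for line in listing.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m is None:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        found.setdefault(principal, set()).add(kvno)
    return {p: sorted(v) for p, v in found.items()}


@dataclass
class Diagnosis:
    principal: str
    keytab_kvnos: list
    dc_kvnos: dict
    verdict: str
    detail: str


def diagnose(principal: str, keytab: dict, dc_kvnos: dict) -> Diagnosis:
    """Classify why the KDC might refuse tickets for `principal`.

    keytab   -- output of parse_keytab_listing()
    dc_kvnos -- {dc_name: msDS-KeyVersionNumber observed on that DC}
    """
    have = keytab.get(principal, [])
    dcs = sorted(set(dc_kvnos.values()))
    if not have:
        verdict, detail = "missing-from-keytab", "principal not present in keytab"
    elif len(dcs) > 1:
        # The DCs disagree: replication of the account's unicodePwd metadata
        # is lagging or broken, so the KVNO appears to "float" depending on
        # which DC answered the TGS request. Fix replication, not the keytab.
        verdict = "replication-inconsistent"
        detail = "DCs report different KVNOs: " + ", ".join(
            f"{dc}={kv}" for dc, kv in sorted(dc_kvnos.items()))
    elif dcs[0] in have:
        verdict, detail = "ok", f"keytab holds KVNO {dcs[0]} reported by all DCs"
    elif dcs[0] > max(have):
        # The account's keys really did change (for example a password
        # reset); the keytab is stale and must be regenerated.
        verdict = "keytab-stale"
        detail = f"DCs report KVNO {dcs[0]}, keytab only has {have}"
    else:
        # Keytab newer than every DC's view: wrong realm/account or a DC
        # that has not yet received the latest password change.
        verdict = "keytab-ahead"
        detail = f"keytab KVNO {max(have)} is newer than the DCs' {dcs[0]}"
    return Diagnosis(principal, have, dict(dc_kvnos), verdict, detail)


# Constructed sample input modelled on the thread: keytab at 17, one DC at 18.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  17 postgres/db.example.org@EXAMPLE.ORG
  17 host/db.example.org@EXAMPLE.ORG
"""
SAMPLE_DC_KVNOS = {"dc1.example.org": 18, "dc2.example.org": 17}


def main():
    keytab = parse_keytab_listing(SAMPLE_KEYTAB_LISTING)
    for principal in keytab:
        d = diagnose(principal, keytab, SAMPLE_DC_KVNOS)
        print(f"{d.principal}: {d.verdict} ({d.detail})")


if __name__ == "__main__":
    main()
```

With the constructed input the verdict is "replication-inconsistent", the case Andrew's last question is probing; with both DCs at 18 it becomes "keytab-stale", the case where regenerating the keytab is the right fix.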
Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
> On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
>> Thank you, Andrew. Just to be clear, you're saying I can upgrade to
>> 4.0.3 (but do nothing after make install)? If it will make things
>> worse in any way, I can stay at 4.0.0.
>>
>> Thanks,
>> Thomas.
>
> It's fine to upgrade.  That protects you against the security issue we
> fixed in 4.0.1, and makes a significant number of other fixes.
>
> My current testing shows that:
>
> samba_upgradeprovision --full
> dbcheck --cross-ncs [--fix [--yes]]
>
> Will break some ACLs on DNS, and not fix one of the ACLs on the DC's
> own LDAP object.  The --full is important, without that the result is
> actually worse (as far as I can tell).
>
> I would like to make some progress on this before I recommend it as
> the final solution.  It is however pretty close, and better than what
> is in the database right now.

These are the ldapcmp results:

Comparing:
'CN=ARES,OU=Domain Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb]
'CN=ARES,OU=Domain Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb]
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb:
        (OA;;SW;Validated-DNS-Host-Name;;DA)
        (OA;;SW;Validated-DNS-Host-Name;;PS)
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb:
        (OA;;SW;DNS-Host-Name-Attributes;;DA)
        (OA;;SW;DNS-Host-Name-Attributes;;PS)
FAILED

* Result for [DOMAIN]: FAILURE

* Comparing [DNSDOMAIN] context...

* Objects to be compared: 39

Comparing:
'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb]
'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb]
    Difference in ACE count:
        = 27
        = 28
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb:
        (A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb:
        (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)
        (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;LA)
FAILED

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Thank-you to Samba developers
On Tue, 2013-02-12 at 08:22 -0500, Adam Tauno Williams wrote:
> On Mon, 2012-04-30 at 15:52 -0500, nicholas geovanis wrote:
>> Here's a short quote from a work-related email I sent earlier today,
>> announcing AD authentication from a linux VM. It expresses my awe at
>> the folks who write and maintain Samba, and it's long overdue from me:
>>
>> It’s been 3 or 4 years since I configured Samba; it’s always a
>> challenge for me, mainly due to my poor understanding of MSoft
>> networking.
>
> +1
>
> Samba I think often gets a bum rap for 'complexity' by virtue of people
> just not understanding how MSoft intends it to work.  Then when it
> works,
>
>> It is crazy amazing how well it works out-of-the-box. I offer a silent
>> prayer for those crazy Australians who originated it. The pain they
>> must have endured in getting it to work boggles my mind. In that
>> respect it may be the most impressive open-source project out there,
>> and they haven’t slowed-down in the least.
>
> +1
>
> BTW, they accept donations http://www.samba.org/samba/donations.html

We do, but what helps even more are patches, wiki contributions and
testing.

BTW, Samba is much more a Global project these days, there are very few
(it depends how you count us) active developers in Australia these days.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] map to guest = bad user ignored in Samba 4?
On Wed, 2013-02-13 at 10:33 +, Sebastian Arcus wrote:
> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using 'map to guest = bad user' with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?

This sounds correct. This isn't currently supported against the AD DC. Guest access to the domain should be based on the 'guest' account being enabled, but this isn't hooked in either.

> Otherwise my Samba 4 domain seems to be working fine - and the Windows XP Pro machines which are joined to it can access the share fine. As a side note, I find it hard to figure out which smb.conf options are still available for Samba 4 and which are not. I've googled around and can't seem to find a wiki page or authoritative page.

You have hit one of the areas where this isn't well documented.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] samba4 binary
On Thu, 2013-02-14 at 00:15 +0100, ask-q-v...@gmx.net wrote:
> Hi,
> Can somebody tell me anything about the schedule for an upcoming samba4 binary, especially for red hat enterprise resp. centos ? Because the alpha release of smb4 was comparatively quickly part of the official repositories.

That would be up to the packagers, so you should ask your distribution for their plans. We hope as the next major release of distributions passes around that this situation will improve, or that others (like SerNet's enterprisesamba.org) will prepare appropriate packages.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] map to guest = bad user ignored in Samba 4?
On Wed, 2013-02-13 at 10:33 +, Sebastian Arcus wrote:
> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of the functionality of the current system is allowing some Windows XP Pro computers, which are not joined to the domain, access to some public shares on the Samba server. I tried using 'map to guest = bad user' with Samba 4 - but it appears to be completely ignored and the Windows XP machine keeps on prompting for username/password when trying to access the server share. Has this option been dropped in Samba 4? Is there another way to accomplish the same?

The 'right' way is meant to be that you enable the guest account, but I'm pretty sure this is all just unimplemented in the AD DC mode right now. Please file a bug, or better still write up a patch :-)

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] [Samba 4.0] Floating KVNO
On Thu, 2013-02-14 at 14:05 +0100, Kaito Kumashiro wrote:
> Hello
> I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a while however I have to regenerate a keytab, because for reasons unknown to me, the KVNO is increased by one. I'm not doing anything with the account the SPN is bound to. The KVNO seems to change automagically after a few days and the service cannot talk to the KDC unless I create a new keytab. What can cause the KVNO (and probably the keys) to change automagically? Is there a way to disable this?

In AD, the KVNO is based on the replication metadata, specifically the version number for the unicodePwd attribute. It should only change if that attribute is changed.

What is the client in this case?

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
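To make the reply concrete, here is an added example (not Samba's code) that decodes a replPropertyMetaData value the way AD derives the KVNO: the version counter of the unicodePwd entry is the key version, and that entry's originating change time and invocationId say when, and on which DC, the password last changed. The attribute id of unicodePwd and the blob layout follow Samba's IDL; the sample blob, invocationId and USNs are constructed.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Attribute id of unicodePwd in replication metadata (DRSUAPI_ATTID_unicodePwd in drsuapi.idl)
ATTID_UNICODE_PWD = 0x0009005A
ATTID_OBJECT_CLASS = 0x00000000
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # NTTIME counts 100ns ticks from here


def nttime_to_datetime(nttime):
    return NT_EPOCH + timedelta(microseconds=nttime // 10)


def datetime_to_nttime(dt):
    return ((dt - NT_EPOCH) // timedelta(seconds=1)) * 10**7


def parse_repl_property_metadata(blob):
    """Decode a replPropertyMetaData value (replPropertyMetaDataBlob version 1 in Samba's
    drsblobs.idl): 8-byte blob header, 8-byte ctr1 header, then 48-byte entries made of
    attid, version, originating change time, originating invocation id, originating USN, local USN."""
    if len(blob) < 16:
        raise ValueError("blob shorter than the replPropertyMetaData headers")
    version, _reserved, count, _reserved2 = struct.unpack_from("<IIII", blob, 0)
    if version != 1:
        raise ValueError("unsupported replPropertyMetaData version %d" % version)
    if len(blob) < 16 + 48 * count:
        raise ValueError("blob truncated: %d entries announced" % count)
    entries = []
    for i in range(count):
        off = 16 + 48 * i
        attid, ver, change_time = struct.unpack_from("<IIQ", blob, off)
        orig_usn, local_usn = struct.unpack_from("<QQ", blob, off + 32)
        entries.append({
            "attid": attid,
            "version": ver,
            "changed": nttime_to_datetime(change_time),
            "invocation_id": uuid.UUID(bytes_le=blob[off + 16:off + 32]),
            "originating_usn": orig_usn,
            "local_usn": local_usn,
        })
    return entries


def key_version_number(blob):
    """The KVNO as AD defines it: the metadata version of unicodePwd (None if the account
    never had a password set). Samba serves the same number as msDS-KeyVersionNumber."""
    for entry in parse_repl_property_metadata(blob):
        if entry["attid"] == ATTID_UNICODE_PWD:
            return entry["version"]
    return None


def password_change_origin(blob):
    """When, and from which DC (invocationId), the password last changed: the answer to
    'why did my KVNO move?'. Returns (datetime, UUID) or None."""
    for entry in parse_repl_property_metadata(blob):
        if entry["attid"] == ATTID_UNICODE_PWD:
            return entry["changed"], entry["invocation_id"]
    return None


def build_repl_property_metadata(entries):
    """Inverse of the parser; used here only to construct an offline sample."""
    out = struct.pack("<IIII", 1, 0, len(entries), 0)
    for attid, ver, changed, inv_id, orig_usn, local_usn in entries:
        out += struct.pack("<IIQ", attid, ver, datetime_to_nttime(changed))
        out += inv_id.bytes_le + struct.pack("<QQ", orig_usn, local_usn)
    return out


# Constructed sample: a service account whose password was set three times, most recently
# on 2013-02-14 by the DC with the made-up invocationId below; USNs are invented too.
SAMPLE_INVOCATION_ID = uuid.UUID("0f7f6d3a-5c1e-4b8a-9d2f-3e4b5a6c7d8e")
SAMPLE_BLOB = build_repl_property_metadata([
    (ATTID_OBJECT_CLASS, 1, datetime(2012, 11, 1, tzinfo=timezone.utc), SAMPLE_INVOCATION_ID, 3601, 3601),
    (ATTID_UNICODE_PWD, 3, datetime(2013, 2, 14, tzinfo=timezone.utc), SAMPLE_INVOCATION_ID, 9127, 9127),
])

if __name__ == "__main__":
    print("kvno:", key_version_number(SAMPLE_BLOB))
    print("password last changed:", password_change_origin(SAMPLE_BLOB))
```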
[Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Thu, 2013-02-14 at 18:51 -0500, Thomas Simmons wrote:
> Hello,
> Is it necessary or recommended to run 'samba-tool dbcheck --cross-ncs --fix' and 'samba-tool ntacl sysvolreset' when upgrading from 4.0.0 to 4.0.3?

We are still trying to work out the safest upgrade path.

In the short term, you don't need to do either, but to get the ACLs fixed, eventually a dbcheck run will be required. We have hesitated to recommend this, as it may make it a little harder for us to have our 'samba_upgradeprovision' tool automatically correct some of the nTSecurityDescriptor values. (We had the wrong values in the provision template).

The issue is that, frankly, the samba_upgradeprovision tool is an incredibly big hammer, is internally complex and finally it isn't working correctly in my tests. When run in --full mode, it does some complex manipulations to tell the difference between what a new provision would do, and what you have in the old one, and merge the difference. This is particularly hard to do for security descriptors.

The alternative I'm leaning to is the simpler approach of a reset tool, that will reset some key security descriptors, and require the administrator to reinstate any specific changes they actually want.

In summary, I don't have a recommended technique yet, but we hope to get one soon.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
> Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3 (but do nothing after make install)? If it will make things worse in any way, I can stay at 4.0.0.
> Thanks,
> Thomas.

It's fine to upgrade. That protects you against the security issue we fixed in 4.0.1, and makes a significant number of other fixes.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] NTLMv2 with win2003 AD question
On Wed, 2013-02-06 at 12:20 +0800, 安静的风 wrote:
> Hi
> Thanks in advance. I know my question below is not really related with samba but I'm really confused, and you guys are experts on windows authentication. I really hope you have the patience to read this and I'll appreciate any of your help.
> I learned a lot from this post http://lists.samba.org/archive/jcifs/2008-October/008227.html. I know that a man in the middle technique, like 'JCIFS NTLM HTTP Authentication Filter', will not work when using NTLMv2 and the only technique is using NetLogon. Am I right? Besides, a 'TargetInfo' field is necessary to calculate the NTLMv2 response.
> However, I'm reading some proxy code these days and did some tests on it. It uses the MITM technique, that is to say, the proxy returns the challenge of the SMB server (win2003 AD) to the browser, just like what 'JCIFS NTLM HTTP Authentication Filter' does. The proxy uses the 'SMB_COM_NEGOTIATE' and 'SMB_COM_SESSION_SETUP_ANDX' commands to communicate with the windows AD. The topology is like this:
>
>     browser---proxy-win2003 AD
>
> NTLMv1 works fine and makes sense indeed. But I find that NTLMv2 works when using win2k3 AD, unexpectedly. This doesn't make sense. Using wireshark, I found that in 'Negotiate Flags', the 'Negotiate Target Info' field is not set, and the NTLMv2 response is like this:
>
>     NTLMv2 Response: D99AF0F6AE2B97...
>         HMAC: D99AF0F6AE2B97...
>         Header: 0x0101
>         Reserved: 0x
>         Time: Feb 3, 2013 15:26:32.56250
>         Unknown: 0x
>         Name: NetBIOS domain name
>             Name type: NetBIOS domain name (2)
>             Name Len: 0
>             Name:
>         Name: End of list
>
> The target info field just has one item with an empty value... This really confuses me. Is it a bug of win2k3 AD, and does this make use of the bug?? When I'm using win2k8 AD, NTLMv2 doesn't work. Win2k8 AD returns an 'Invalid Parameter' message in the 'SMB_COM_SESSION_SETUP_ANDX' response message.
> BTW, the OS is win2k3 R2 Enterprise SP2 and win2k8 R2 Enterprise SP1.

This looks like a reasonable analysis.
If the client does not check the target information then the protections of NTLMv2 are indeed very limited. The same applies to the server.

Samba currently matches Windows 2003 in this regard, and yes, with the new information we have in the AD DC (servicePrincipalName values), we should be able to enforce this properly. I would love a patch to do this in a way that matches windows behaviour, both for the client and server.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
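As an added illustration of the check this reply asks for (not Samba's or Windows' code): a minimal NTLMv2 response builder and a server-side verifier that, besides recomputing NTProofStr, requires the target info echoed by the client to carry this server's NetBIOS name and an MsvAvTargetName matching one of its SPNs, so a response with the empty target info seen in the Wireshark dump above is refused. The NT hash is taken as an input rather than computed with MD4; the hash, challenges, names and SPNs are constructed values, and the SPN check is the stricter behaviour the thread calls for, not what Windows 2003 or Samba did at the time.

```python
import hmac
import hashlib
import struct

# AV_PAIR ids from MS-NLMP 2.2.2.1 (the "Name type" values in the Wireshark dump)
MSV_AV_EOL = 0
MSV_AV_NB_COMPUTER_NAME = 1
MSV_AV_NB_DOMAIN_NAME = 2
MSV_AV_TARGET_NAME = 9


def encode_av_pairs(pairs):
    """Serialise [(av_id, text), ...] as AV_PAIRs (UTF-16LE values) terminated by MsvAvEOL."""
    out = b""
    for av_id, text in pairs:
        data = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(data)) + data
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def decode_av_pairs(blob):
    """Parse AV_PAIRs into {av_id: text}; raises ValueError when the list is malformed."""
    pairs, off = {}, 0
    while True:
        if off + 4 > len(blob):
            raise ValueError("target info not terminated by MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        value = blob[off:off + av_len]
        if len(value) != av_len:
            raise ValueError("AV_PAIR value runs past the end of the target info")
        pairs[av_id] = value.decode("utf-16-le")
        off += av_len


def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC_MD5 keyed by the NT hash over UNICODE(UPPER(user) + domain)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_ntlmv2_response(nt_hash, user, domain, server_challenge,
                          client_challenge, timestamp, target_info):
    """Client side: NtChallengeResponse = NTProofStr || temp, where temp embeds the target info."""
    temp = (b"\x01\x01" + b"\x00" * 6           # RespType, HiRespType, Reserved1, Reserved2
            + struct.pack("<Q", timestamp)       # FILETIME
            + client_challenge                   # 8 bytes ("Unknown" in the dump)
            + b"\x00" * 4                        # Reserved3
            + target_info                        # AV_PAIRs
            + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2_response(response, nt_hash, user, domain, server_challenge,
                           own_netbios_name, accepted_spns):
    """Server side: check the proof, then insist the response is bound to *this* server.
    Returns (ok, reason)."""
    if len(response) < 16 + 28:
        return False, "response too short"
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(proof, expected):
        return False, "NTProofStr mismatch (wrong password or altered response)"
    try:
        av = decode_av_pairs(temp[28:])         # AV_PAIRs start after the 28-byte temp header
    except ValueError as exc:
        return False, "malformed target info: %s" % exc
    # The client echoes the CHALLENGE message's target info; an empty or foreign
    # MsvAvNbComputerName means the challenge the client answered was not ours.
    if av.get(MSV_AV_NB_COMPUTER_NAME, "").upper() != own_netbios_name.upper():
        return False, "target info does not carry this server's MsvAvNbComputerName"
    # MsvAvTargetName is the SPN the client believed it was talking to.
    spn = av.get(MSV_AV_TARGET_NAME, "")
    if spn.lower() not in {s.lower() for s in accepted_spns}:
        return False, "MsvAvTargetName %r is not one of this server's SPNs" % spn
    return True, "ok"
```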
Re: [Samba] Upgrading from 4.0.0 to 4.0.3
On Tue, 2013-02-12 at 06:17 -0500, Thomas Simmons wrote:
> Forwarding this to the technical list for assistance. If it's not possible to upgrade from 4.0.0, is there any idea when an upgrade strategy will be available?

So, what happened was this:

We got 4.0.3 ready, thinking that the upgrade strategy was:

    samba_upgradeprovision
    samba-tool dbcheck [--fix [--yes]]

The problem is, that in https://bugzilla.samba.org/show_bug.cgi?id=9267 this was contra-indicated - the user lost specific ACLs that they had set. We need to work out why that happened, and how to fix that.

Sadly it all happened too late, so we got a bit stuck without an upgrade plan.

Running the new code is fine, but ACLs won't be quite right until we fix the DB. It should even be possible to drop setting 'acl:search=false', but as we don't know for sure I really need to dig into this.

This isn't helped by the fact that the samba_upgradeprovision tool is both amazing in what it does, and amazing in its internal complexity. This is a tool that can work out (pretty well) what parts of the database were created by our provision tool, and what parts were altered later, and fix errors in that initial provisioning, given new defaults.

Additional complexity also comes from the fact that 'samba-tool dbcheck' will alter the DB, and so make it potentially harder for samba_upgradeprovision to run correctly later.

All in all, this is not how we would like it to be, but we hope we can work this all out soon.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Starting S4 in production
On Mon, 2013-02-11 at 09:54 +0100, Hervé Hénoch wrote:
> Hello,
> I would try to migrate S3 to S4 in production but these messages (in bold) block me from doing this. I can authenticate users and computers already ! So what do they mean ?
> Regards
>
>     root@vspdc:~# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/smb3/varlib --dns-backend=BIND9_DLZ --use-xattrs=yes --realm=sc.isc84.org /root/smb3/etc/smb.conf
>     Reading smb.conf
>     Provisioning
>     Exporting account policy
>     Exporting groups
>     *Severe DB error, sambaSamAccount can't miss the samba SID attribute*
>     Ignoring group 'Domain Users' S-1-5-21-1031258178-388409940-3248586695-513 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
>     *Ignoring group 'Administrators' S-1-5-32-544 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>     Ignoring group 'Account Operators' S-1-5-32-548 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>     Ignoring group 'Print Operators' S-1-5-32-550 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>     Ignoring group 'Backup Operators' S-1-5-32-551 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>     Ignoring group 'Replicators' S-1-5-32-552 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)*
>     Exporting users
>     Could not convert S-1-5-21-1031258178-388409940-3248586695-5444 to SID
>     Skipping wellknown rid=500 (for username=root)
>     Ignoring group memberships of 'nobody' S-1-5-21-1031258178-388409940-3248586695-2998: Unable to enumerate group memberships, *(-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)*

None of these errors are fatal - they are just invalid aspects of your passdb database that we were able to skip over harmlessly.
For example, it does not matter that we could not list members of domain users, as users are members of that group via their primary group ID. Similarly, as we already recreate the administrator account, the domain administrators group and the administrators alias, these being incorrect in your passdb is harmless. We skipped importing 'root' as we created a new 'administrator' account instead, and used the 'root' password.

Even the 'missing sambaSID attribute' error can't be too much of a problem, as this cannot have been a working part of your existing domain anyway.

If you have problems with your upgraded DC, diagnose them from what errors are directly produced - as the upgrade appears to have progressed fine!

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] file server
On Mon, 2013-02-11 at 10:53 +0100, Ali Bendriss wrote:
> Hello,
> I am using samba4 as AD DC and file sharing. I would like to setup a dedicated file server cluster on 2 nodes using ctdb to separate the roles (authentication/file sharing), and join the cluster to the domain. I am not clear on which version of samba I should use for the file server cluster : latest samba 3 + krb5 or latest samba 4 (using smbd and winbindd) ? Both accept the clustering option --with-cluster-support.

You may use whichever you feel comfortable with. The Samba 4.0 release is our latest production release of Samba, and all features found in Samba 3.6 are present, except for the very few that we announced as deprecated. This includes CTDB support.

I'm glad to hear you wish to separate your file server from your DC. This is a good choice, and allows you to choose the version of Samba to use on both independently.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] S3 as domain member with S4
On Mon, 2013-02-11 at 11:00 +0100, Hervé Hénoch wrote:
> Hello
> How to set up a S3 file server as a domain member with a S4 PDC server ?

You can join Samba 3.x or Samba 4.0 as a domain member of a Samba 4.0 AD DC in the same way you would join any other AD domain, eg 'net ads join'.

See https://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Strange winbindd messages
On Fri, 2013-02-08 at 11:50 -0500, John Center wrote:
> Hi Andrew,
> Thanks for getting back to me.
> On 02/07/2013 04:52 PM, Andrew Bartlett wrote:
>> On Fri, 2013-02-08 at 08:43 +1100, Andrew Bartlett wrote:
>>> On Wed, 2013-01-23 at 11:59 -0500, John Center wrote:
>>>> Hi,
>>>> We are running samba v3.6.3 on Ubuntu 12.04 server. This is being used with FreeRADIUS for wireless authentication with AD. We just logged a set of messages from winbindd that I don't understand:
>>>>
>>>>     Jan 23 10:35:28 as3 winbindd[25371]: [2013/01/23 10:35:28.056846, 0] rpc_client/cli_netlogon.c:677(rpccli_netlogon_set_trust_password)
>>>>     Jan 23 10:35:28 as3 winbindd[25371]: dcerpc_netr_ServerPasswordSet{2} failed: NT code 0xc2a5
>>>>     Jan 23 10:35:28 as3 winbindd[26636]: [2013/01/23 10:35:28.105143, 0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
>>>>     Jan 23 10:35:28 as3 winbindd[26636]: credentials chain check failed
>>>>     Jan 23 10:35:28 as3 winbindd[25518]: [2013/01/23 10:35:28.310288, 0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
>>>>     Jan 23 10:35:28 as3 winbindd[25518]: credentials chain check failed
>>>>     Jan 23 10:36:28 as3 winbindd[25371]: [2013/01/23 10:36:28.121861, 0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
>>>>     Jan 23 10:36:28 as3 winbindd[25371]: credentials chain check failed
>>>>
>>>> Authentications went through ok at 10:35:23 and again at 10:35:29. We haven't seen them before, and searching, I couldn't find much info. What do these messages mean? What would have caused them? Do we need to be concerned? Any help would be greatly appreciated.
>>> What is happening here is that we are trying and failing to change our machine account password. Can you try Samba 3.6.12 and see if the changes in the meantime have fixed this?
> Can winbindd change the machine account password? This isn't being done by us manually.

Yes, it will do that every now and then. (I don't recall the frequency exactly).

>> Looking into this some more these links suggest a server-side error:
>> http://www.tek-tips.com/viewthread.cfm?qid=1487092
>> http://support.microsoft.com/kb/306091/en-us
> Looking at these links, are you suggesting that the DC database is being locked at this point in time, so when an auth request is being made, it fails?

I don't really know what is going on, but it suggests a plausible reason why this might fail. The issue seems to me to be related to machine account changes, not authentication.

>> Is there anything in the server event log to match this error?
> I'm trying to get access to the DC event logs to look into this.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] NTLM authentication problems
On Fri, 2013-02-08 at 11:30 -0200, Natália Vaz wrote:
> I'm trying to configure Squid ntlm authentication on a Samba4 DC. I followed Squid's and Samba's documentation and I got success when I login with user natalia.silva, but if I log in with natalia.vaz I get the error

We would need much more detail than that.

Do you mean to say that you can only log in as the user's samAccountName, but not as a userPrincipalName?

Currently, for NTLM authentication, we only accept samAccountName values. This may be a bug - if windows behaves differently, I'm very happy to fix it. If so, please file a bug in bugzilla.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba 4 : File server
On Mon, 2013-02-11 at 16:54 +0100, BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI wrote:
> Hi !
> I have installed a DC with the samba-tool command and it works perfectly ! Controlling AD with the 2003 tools is very amazing, thanks for the job !
> So, my next step is to install a file server as a member of the AD and not as a DC. I read carefully this one : https://wiki.samba.org/index.php/Samba4/Domain_Member
>
> Compiling samba :
> * ./configure --with-ads --with-shared-modules=idmap_ad --enable-debug --enable-selftest --prefix=/samba
> First of all why --with-ads ? Is it not the default feature ?

It is, but what this changes is that the compile will fail (prompting you to install some development headers, typically) if the right things are not found. This is very helpful, and long ago I promised to make that the default behaviour. Sadly I never got around to it.

> * make
> * make install
>
> The krb5.conf was filled with that :
>
>     [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
>     [libdefaults]
>     default_realm = DDCS67.INTRA
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>     ticket_lifetime = 24h
>     forwardable = yes
>
>     [appdefaults]
>     pam = {
>         debug = false
>         ticket_lifetime = 36000
>         renew_lifetime = 36000
>         forwardable = true
>         krb4_convert = false
>     }
>
> What is the appdefaults section ? It is not necessary in a DC which is sharing a directory. But why not.
>
> After that, the smb.conf. I was wondering whether the smb.conf must be filled in by hand. For the DC, running the samba-tool command will generate an smb.conf. Before doing this I searched the options of samba-tool and I found this :
>
>     samba-tool domain join DDCS67 --realm=DDCS67.intra -U Administrator
>     Password for [WORKGROUP\Administrator]:
>     Joined domain DDCS67 (S-1-5-21-1814795784-576591386-2449700327)
>
> Fine, the domain is joined !! And the server appears as a Computer in the MMC. Good !
> Let's run /samba/sbin/samba
> The logs are :
>
>     At this time the 'samba' binary should only be used for either:
>     'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint servers = remote'
>     You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks
>
> Is it me, or did I read that ntvfs is deprecated ?
> So I run /samba/sbin/smbd, but with no smb.conf the server does not start. Testparm gives me :
>
>     Load smb config files from /samba/etc/smb.conf
>     rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>     params.c:OpenConfFile() - Unable to open configuration file /samba/etc/smb.conf:
>
> Can I generate a valid smb.conf for a member with samba-tool ?

I do apologise for this not being as integrated as you would expect. I'm very proud of the new level of ease of use found in 'samba-tool' and in the AD DC configuration. Sadly while this command will successfully join you to the domain, it does not currently generate the smb.conf. You don't need much, just set:

    [globals]
    server role = domain member
    workgroup = DDCS67
    realm = DDCS67.intra

BTW, while I've hooked up 'samba-tool' to work, the advertised command for joining a domain member is 'net ads join'. We are working to consolidate the code, but currently it is a different codebase. From my understanding however, it also will not generate the smb.conf.

I hope this helps, and feel free to file a bug as fixing this should not be difficult.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[Samba] [PATCH] Fix classicupgrade error message (was Re: Classicupgrade not work)
On Mon, 2013-02-11 at 10:33 -0200, Jonis Maurin Ceará wrote:
> I'm trying to convert my samba3 domain to samba4 AD with samba-tool, but I'm getting an error and I can't find anything about it on google. I've enabled log level 4 on smb.conf and here's what I got:
>
>     Home server: PANDORA
>     init_sam_from_ldap: Entry found for user: DIRET-ESTAG$
>     Home server: PANDORA
>     init_sam_from_ldap: Entry found for user: dsegato
>     Home server: PANDORA
>     init_sam_from_ldap: Entry found for user: lesley
>     Home server: PANDORA
>     ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'passdb.Samu' object has no attribute 'acct_flags'
>       File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>         return self.run(*args, **kwargs)
>       File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
>         useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>       File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 722, in upgrade_from_samba3
>         % (user.acct_flags, username, [
>
> I've copied my .tdb files to a new test server. Also, I'm using the ldap backend on s3.

I do apologise, there is an error in the classicupgrade script which means that instead of printing an informative error, we print this backtrace.

I also attach another fix I've had in my local tree for a while, to fix the error when we can't find the LDAP secrets.

Please check this improves the error, and then if someone could review and/or push this to master I would appreciate it.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

From bc6e7aaa73f52c449006b061c370e6c759c7620a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Tue, 12 Feb 2013 09:20:03 +1100
Subject: [PATCH] samba-tool domain classicupgrade: Fix typo in error path for multiple account flags

---
 source4/scripting/python/samba/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py index e013d2c..02734cc 100644 --- a/source4/scripting/python/samba/upgrade.py +++ b/source4/scripting/python/samba/upgrade.py @@ -722,7 +722,7 @@ ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_D Please fix this account before attempting to upgrade again -% (user.acct_flags, username, +% (user.acct_ctrl, username, samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST)) userdata[username] = user -- 1.7.11.7 From 3d6aaf2b8c8fe15deb400020e4b084071ea98094 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett abart...@samba.org Date: Tue, 15 Jan 2013 21:53:30 +1100 Subject: [PATCH 1/6] samba-tool domain classicupgrade: Print a better error when the ldap backend PW was not found --- source4/scripting/python/samba/upgrade.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py index d680a7c..e013d2c 100644 --- a/source4/scripting/python/samba/upgrade.py +++ b/source4/scripting/python/samba/upgrade.py @@ -598,7 +598,10 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, if samba3.lp.get(passdb backend).split(:)[0].strip() == ldapsam: base_dn = samba3.lp.get(ldap suffix) ldapuser = samba3.lp.get(ldap admin dn) -ldappass = (secrets_db.get_ldap_bind_pw(ldapuser)).strip('\x00') +ldappass = secrets_db.get_ldap_bind_pw(ldapuser) +if ldappass is None: +raise ProvisioningError(ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation.) +ldappass = ldappass.strip('\x00') ldap = True else: ldapuser = None -- 1.7.11.7 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
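Review bot: in the `+% (user.acct_ctrl, username,` line of the @@ -722 hunk, the tuple order should be confirmed against the start of the format string, which the hunk shows only the tail of (`ACB_NORMAL (N, 0x%08X), ...`); `acct_ctrl` is an integer bitmask and `username` a string, so if the message opens with a `%s` for the account name the two arguments are swapped and this error path will raise a TypeError instead of the intended message. Replacing the non-existent `acct_flags` with `acct_ctrl` does fix the AttributeError in the reported traceback.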
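Review bot: the new `raise ProvisioningError(...)` in the @@ -598 hunk carries a `%s` for the LDAP admin DN but is never interpolated, so the administrator will see a literal `%s` in the message; append `% ldapuser` to the string. Doing the `is None` check before `ldappass.strip('\x00')` is the right order, since the old one-liner called `.strip()` on the None returned when no bind password was stored.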
Re: [Samba] [PATCH] Fix classicupgrade error message (was Re: Classicupgrade not work)
On Tue, 2013-02-12 at 00:01 -0200, Jonis Maurin Ceará wrote:
> Tks Andrew!! Changes that you've made worked for that problem, but now I got a new one and in this one I'm really stuck!

Not even a field name. Sorry for the noise. I've fixed it up in this new patch, I hope. Revert the previous patch, and then apply this one.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

From 22a1661a8312cbad99eb9fe016db4deefc11a9d1 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Tue, 12 Feb 2013 09:20:03 +1100
Subject: [PATCH] samba-tool domain classicupgrade: Fix typo in error path for multiple account flags

---
 source4/scripting/python/samba/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py index e013d2c..8371224 100644 --- a/source4/scripting/python/samba/upgrade.py +++ b/source4/scripting/python/samba/upgrade.py @@ -722,7 +722,7 @@ ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_D Please fix this account before attempting to upgrade again -% (user.acct_flags, username, +% (username, user.acct_ctrl, samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST)) userdata[username] = user -- 1.7.11.7
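Review bot: the @@ -722 hunk now emits `(username, user.acct_ctrl, ...)`, reversing the order from the previous attempt; since the hunk still shows only the tail of the format string, the review should confirm the message's leading conversion is a `%s` for the account name followed by the `0x%08X` for the flags, and the commit message, which still reads only 'Fix typo', should mention that the argument order changed as well.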
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via efd60ae Fix some cut-and-paste and spelling in debug messages from f25debf Fix bug #9642 - vfs_afsacl.c won't build. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit efd60aeff7aac308d85b767cdf394dd866cce078 Author: Guenter Kukkukk ku...@samba.org Date: Tue Feb 12 05:37:09 2013 +0100 Fix some cut-and-paste and spelling in debug messages Signed-off-by: Guenter Kukkukk ku...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Tue Feb 12 07:28:27 CET 2013 on sn-devel-104 --- Summary of changes: source4/auth/gensec/gensec_gssapi.c | 16 1 files changed, 8 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 2b09665..e3bafe2 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -182,7 +182,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_security-settings-lp_ctx, gensec_gssapi_state-smb_krb5_context); if (ret) { - DEBUG(1,(gensec_krb5_start: krb5_init_context failed (%s)\n, + DEBUG(1,(gensec_gssapi_start: smb_krb5_init_context failed (%s)\n, error_message(ret))); talloc_free(gensec_gssapi_state); return NT_STATUS_INTERNAL_ERROR; @@ -211,7 +211,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) if (realm != NULL) { ret = gsskrb5_set_default_realm(realm); if (ret) { - DEBUG(1,(gensec_krb5_start: gsskrb5_set_default_realm failed\n)); + DEBUG(1,(gensec_gssapi_start: gsskrb5_set_default_realm failed\n)); talloc_free(gensec_gssapi_state); return NT_STATUS_INTERNAL_ERROR; } 
@@ -220,7 +220,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) /* don't do DNS lookups of any kind, it might/will fail for a netbios name */ ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security-settings, krb5, set_dns_canonicalize, false)); if (ret) { - DEBUG(1,(gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n)); + DEBUG(1,(gensec_gssapi_start: gsskrb5_set_dns_canonicalize failed\n)); talloc_free(gensec_gssapi_state); return NT_STATUS_INTERNAL_ERROR; } @@ -457,7 +457,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, min_stat = gsskrb5_set_send_to_kdc(send_to_kdc); if (min_stat) { - DEBUG(1,(gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n)); + DEBUG(1,(gensec_gssapi_update: gsskrb5_set_send_to_kdc failed\n)); return NT_STATUS_INTERNAL_ERROR; } #endif @@ -484,7 +484,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, ret = gsskrb5_set_send_to_kdc(send_to_kdc); if (ret) { - DEBUG(1,(gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n)); + DEBUG(1,(gensec_gssapi_update: gsskrb5_set_send_to_kdc failed\n)); return NT_STATUS_INTERNAL_ERROR; } #endif @@ -999,7 +999,7 @@ static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_securi max_input_size); if (GSS_ERROR(maj_stat)) { TALLOC_CTX *mem_ctx = talloc_new(NULL); - DEBUG(1, (gensec_gssapi_max_input_size: determinaing signature size with gss_wrap_size_limit failed: %s\n, + DEBUG(1, (gensec_gssapi_max_input_size: determining signature size with gss_wrap_size_limit failed: %s\n, gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state-gss_oid))); talloc_free(mem_ctx); return 0; 
@@ -1152,7 +1152,7 @@ static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_securit *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, output_token.length); - dump_data_pw(gensec_gssapi_seal_packet: sig\n, sig-data, sig-length); + dump_data_pw(gensec_gssapi_sign_packet: sig\n, sig-data, sig-length); gss_release_buffer(min_stat, output_token
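Review bot: the hunk at @@ -182 repairs the message prefix by hand ("gensec_gssapi_start: smb_krb5_init_context failed"), which is exactly how the stale "gensec_krb5_start:" prefix crept into this file by cut-and-paste, and the same hand-written prefix is repeated in the @@ -211, @@ -220, @@ -457 and @@ -484 hunks. Using the C99 `__func__` identifier instead, e.g. `DEBUG(1, ("%s: smb_krb5_init_context failed (%s)\n", __func__, error_message(ret)));`, would keep the prefix tied to the enclosing function so the next copy of one of these blocks cannot drift again.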
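Review bot: the @@ -1152 hunk relabels the dump_data_pw() call in gensec_gssapi_sign_packet from "seal_packet" to "sign_packet", which matches the enclosing function shown in the hunk header, but since the stale label was presumably copied from the seal path it would be worth confirming in the same commit that gensec_gssapi_seal_packet's own dump_data_pw() label is correct as well; the changeset is truncated at 500 lines here, so the remaining hunks of this file cannot be checked from the notification.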
[Samba] Samba 4 talk from FOSDEM and linux.conf.au
On Thu, 2013-02-07 at 10:14 +0100, Andreas Schneider wrote:
> Hello,
>
> you should watch the entertaining talk about Samba 4 from Jeremy he gave at FOSDEM!
>
> http://video.fosdem.org/2013/maintracks/Janson/Samba4.webm

I also spoke at two miniconfs this year about Samba 4.0.

This talk is a 25 min talk about the features and progress with Samba 4.0:
http://mirror.linux.org.au/linux.conf.au/2013/ogv/Samba_4.0.ogv

This is a talk about autobuild and testing in Samba (50mins):
http://mirror.linux.org.au/linux.conf.au/2013/ogv/Two_years_with_Sambas_autobuild.ogv

These videos really do give a great overview of where we are at with Samba 4.0.

Andrew Bartlett
Re: [Samba] fileserver.conf
On Sun, 2013-02-10 at 21:51 -0500, Fabian von Romberg wrote:
> I just did a samba-tool domain provision as AD DC. I read that if --use-ntvfs is not specified, samba4 will run as s3fs. I read also that a fileserver.conf should be generated, however I don't see that file. Is this important? I'm running samba 4.0.3

We eliminated this file in recent Samba 4.0 versions (I think during the rc series), and instead apply the configuration changes internally.

Andrew Bartlett
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c932b13 Improve the configure tests for aio_suspend to get rid of warnings. Timur provided the wscript method, I added the configure.in correction. from 233b32b s3: Make SMB2_GETINFO multi-volume aware. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c932b139c8d1fc0b6a357623fe4011edabb45422 Author: Richard Sharpe realrichardsha...@gmail.com Date: Fri Feb 8 19:56:56 2013 -0800 Improve the configure tests for aio_suspend to get rid of warnings. Timur provided the wscript method, I added the configure.in correction. Signed-off-by: Timur Bakeyev ti...@freebsd.org Signed-off-by: Richard Sharpe realrichardsha...@gmail.com Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Sat Feb 9 09:24:06 CET 2013 on sn-devel-104 --- Summary of changes: source3/configure.in |2 +- source3/wscript |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/configure.in b/source3/configure.in index 031a33d..1b24ad6 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -5387,7 +5387,7 @@ int main() { struct aiocb a; return aio_cancel(1, a); }])], AC_MSG_CHECKING(for aio_suspend) AC_LINK_IFELSE([AC_LANG_SOURCE([#include aio.h -int main() { struct aiocb a; struct timespec t; return aio_suspend(a, 1, t); }])], +int main() { const struct aiocb * const [a[1]]; struct timespec t; return aio_suspend(a, 1, t); }])], [AC_DEFINE(HAVE_AIO_SUSPEND, 1, [Have aio_suspend]) AC_MSG_RESULT(yes)], [AC_MSG_RESULT(no)]) else diff --git a/source3/wscript b/source3/wscript index 84abf76..7a99dc1 100644 --- a/source3/wscript +++ b/source3/wscript 
@@ -471,7 +471,7 @@ return acl_get_perm_np(permset_d, perm); conf.CHECK_CODE('struct aiocb a; return aio_return(a);', 'HAVE_AIO_RETURN', msg='Checking for aio_return', headers='aio.h', lib='aio rt') conf.CHECK_CODE('struct aiocb a; return aio_error(a);', 'HAVE_AIO_ERROR', msg='Checking for aio_error', headers='aio.h', lib='aio rt') conf.CHECK_CODE('struct aiocb a; return aio_cancel(1, a);', 'HAVE_AIO_CANCEL', msg='Checking for aio_cancel', headers='aio.h', lib='aio rt') -conf.CHECK_CODE('struct aiocb a; struct timespec t; return aio_suspend(a, 1, t);', 'HAVE_AIO_SUSPEND', msg='Checking for aio_suspend', headers='aio.h', lib='aio rt') +conf.CHECK_CODE('const struct aiocb * const a[1]; struct timespec t; return aio_suspend(a, 1, t);', 'HAVE_AIO_SUSPEND', msg='Checking for aio_suspend', headers='aio.h', lib='aio rt') if not conf.CONFIG_SET('HAVE_AIO'): conf.DEFINE('HAVE_NO_AIO', '1') else: -- Samba Shared Repository
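Review bot: in the source3/configure.in hunk the array declaration is written as `[a[1]]` inside the AC_LANG_SOURCE quoting, and since m4 treats square brackets as quote characters, whether `a[1]` reaches the compiler intact depends on exactly how many quoting levels strip it on the way; the documented portable spelling for literal brackets in an autoconf test program is the quadrigraph form `@<:@1@:>@`, which would make the configure.in test read identically to the wscript version (`const struct aiocb * const a[1]; struct timespec t; return aio_suspend(a, 1, t);`). A short note in the commit message that the array is intentionally left uninitialised because this is a link-only test would also help the next reader.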
Re: [Samba] samba4 AD DC manually creating DNS records?
On Thu, 2013-02-07 at 13:49 -0600, Nick Semenkovich wrote:
> I'm trying to use a DNS server independent from Samba (non BIND, on a different machine/system).

Please, please do not do this. It will only cause trouble.

Instead, have your independent DNS server forward the Samba zone to Samba, where you can handle it with either the internal DNS server, or bind9 using the dlz module.

Andrew Bartlett
Re: [Samba] Strange winbindd messages
On Wed, 2013-01-23 at 11:59 -0500, John Center wrote:
> Hi,
>
> We are running samba v3.6.3 on Ubuntu 12.04 server. This is being used with FreeRADIUS for wireless authentication with AD. We just logged a set of messages from winbindd that I don't understand:
>
> Jan 23 10:35:28 as3 winbindd[25371]: [2013/01/23 10:35:28.056846, 0] rpc_client/cli_netlogon.c:677(rpccli_netlogon_set_trust_password)
> Jan 23 10:35:28 as3 winbindd[25371]: dcerpc_netr_ServerPasswordSet{2} failed: NT code 0xc2a5
> Jan 23 10:35:28 as3 winbindd[26636]: [2013/01/23 10:35:28.105143, 0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
> Jan 23 10:35:28 as3 winbindd[26636]: credentials chain check failed
> Jan 23 10:35:28 as3 winbindd[25518]: [2013/01/23 10:35:28.310288, 0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
> Jan 23 10:35:28 as3 winbindd[25518]: credentials chain check failed
> Jan 23 10:36:28 as3 winbindd[25371]: [2013/01/23 10:36:28.121861, 0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
> Jan 23 10:36:28 as3 winbindd[25371]: credentials chain check failed
>
> Authentications went through ok at 10:35:23 and again at 10:35:29. We haven't seen them before; searching, I couldn't find much info. What do these messages mean? What would have caused them? Do we need to be concerned? Any help would be greatly appreciated.

What is happening here is that we are trying and failing to change our machine account password.

Can you try Samba 3.6.12 and see if the changes in the meantime have fixed this?

Andrew Bartlett
Re: [Samba] Strange winbindd messages
On Fri, 2013-02-08 at 08:43 +1100, Andrew Bartlett wrote:
> On Wed, 2013-01-23 at 11:59 -0500, John Center wrote:
>> Hi,
>>
>> We are running samba v3.6.3 on Ubuntu 12.04 server. This is being used with FreeRADIUS for wireless authentication with AD. We just logged a set of messages from winbindd that I don't understand:
>>
>> Jan 23 10:35:28 as3 winbindd[25371]: [2013/01/23 10:35:28.056846, 0] rpc_client/cli_netlogon.c:677(rpccli_netlogon_set_trust_password)
>> Jan 23 10:35:28 as3 winbindd[25371]: dcerpc_netr_ServerPasswordSet{2} failed: NT code 0xc2a5
>> Jan 23 10:35:28 as3 winbindd[26636]: [2013/01/23 10:35:28.105143, 0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
>> Jan 23 10:35:28 as3 winbindd[26636]: credentials chain check failed
>> Jan 23 10:35:28 as3 winbindd[25518]: [2013/01/23 10:35:28.310288, 0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
>> Jan 23 10:35:28 as3 winbindd[25518]: credentials chain check failed
>> Jan 23 10:36:28 as3 winbindd[25371]: [2013/01/23 10:36:28.121861, 0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
>> Jan 23 10:36:28 as3 winbindd[25371]: credentials chain check failed
>>
>> Authentications went through ok at 10:35:23 and again at 10:35:29. We haven't seen them before; searching, I couldn't find much info. What do these messages mean? What would have caused them? Do we need to be concerned? Any help would be greatly appreciated.
>
> What is happening here is that we are trying and failing to change our machine account password.
>
> Can you try Samba 3.6.12 and see if the changes in the meantime have fixed this?

Looking into this some more, these links suggest a server-side error:
http://www.tek-tips.com/viewthread.cfm?qid=1487092
http://support.microsoft.com/kb/306091/en-us

Is there anything in the server event log to match this error?

Andrew Bartlett
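The failures Andrew identifies in the two replies above (winbindd unable to rotate the machine-account password) are worth alerting on, because a member server whose trust password can no longer be changed will eventually fail to authenticate at all. The following Python is an added example, not code from the thread or from Samba: it pairs Samba's two-line syslog DEBUG output (the `[timestamp, level] file:line(function)` header and the message line that follows it from the same pid) and reports every failure logged from rpccli_netlogon_set_trust_password together with any NT status code in the message. The log lines embedded in it are constructed to mirror the ones John quoted; the function and variable names are my own.

```python
"""Detect machine-account (trust) password change failures in winbindd syslog output."""
import re
from collections import Counter

# Constructed sample modelled on the lines John quoted above; the last line
# is extra, to show that a message with no preceding DEBUG header is ignored.
SAMPLE_LOG = """\
Jan 23 10:35:28 as3 winbindd[25371]: [2013/01/23 10:35:28.056846,  0] rpc_client/cli_netlogon.c:677(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[25371]:   dcerpc_netr_ServerPasswordSet{2} failed: NT code 0xc2a5
Jan 23 10:35:28 as3 winbindd[26636]: [2013/01/23 10:35:28.105143,  0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[26636]:   credentials chain check failed
Jan 23 10:35:28 as3 winbindd[25518]: [2013/01/23 10:35:28.310288,  0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
Jan 23 10:35:28 as3 winbindd[25518]:   credentials chain check failed
Jan 23 10:36:28 as3 winbindd[25371]: [2013/01/23 10:36:28.121861,  0] rpc_client/cli_netlogon.c:671(rpccli_netlogon_set_trust_password)
Jan 23 10:36:28 as3 winbindd[25371]:   credentials chain check failed
Jan 23 10:36:29 as3 winbindd[25371]:   unrelated message without a DEBUG header
"""

# syslog prefix as written by winbindd: "Mon DD HH:MM:SS host winbindd[pid]: body"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) winbindd\[(?P<pid>\d+)\]: ?(?P<body>.*)$")
# Samba DEBUG header: "[2013/01/23 10:35:28.056846,  0] file.c:677(function)"
HEADER_RE = re.compile(
    r"^\[(?P<when>[^\],]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)")
NTCODE_RE = re.compile(r"NT code (0x[0-9a-fA-F]+)")


def parse_samba_syslog(text):
    """Pair each DEBUG header with the message line that follows it from the same pid."""
    pending, events = {}, []
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        pid, body = int(m["pid"]), m["body"].strip()
        h = HEADER_RE.match(body)
        if h:
            pending[pid] = (h["when"], int(h["level"]), h["func"])
            continue
        if pid in pending:  # message line completing the header just seen for this pid
            when, level, func = pending.pop(pid)
            events.append({"when": when, "level": level, "pid": pid,
                           "func": func, "msg": body})
    return events


def trust_password_failures(events):
    """Keep only failures raised while winbindd was rotating the machine password."""
    failures = []
    for ev in events:
        if ev["func"] != "rpccli_netlogon_set_trust_password" or "failed" not in ev["msg"]:
            continue
        code = NTCODE_RE.search(ev["msg"])
        failures.append({**ev, "nt_code": code.group(1).lower() if code else None})
    return failures


def summarize(failures):
    """What an alert should carry: how many, from which processes, with which NT codes."""
    return {
        "count": len(failures),
        "pids": sorted({f["pid"] for f in failures}),
        "nt_codes": sorted({f["nt_code"] for f in failures if f["nt_code"]}),
        "messages": Counter(f["msg"] for f in failures),
    }


if __name__ == "__main__":
    print(summarize(trust_password_failures(parse_samba_syslog(SAMPLE_LOG))))
```

Run against a real syslog, a non-zero `count` within a short window is the signal to look at the DC side (event log, trust account status) before the member server's secrets fall out of step with the domain.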
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 554ba5e ldb: Add more data test data for one level test cases via 9206eaa ldb: Add tests for the python api via 2dc9c07 dsdb-operational: rework the loop for attribute removal via 13b4815 ldb: Add more tests related to onelevel search via 057896a ldb: use strncmp instead of strcmp when comparing the val part via 87cbd94 ldb: make test output more readable via 75f422f ldb-tdb: Document ltdb_index_add1 for more clarity via 1e4e51f ldb-tdb: Fix a wrong parameter in ltdb_store via 2470b0f ldb_tdb: raise level of full index scan message so that it starts to be really visible via 1c0d348 dsdb-repl: make message more clearer via 7222ee0 replmetadata: raise msg level for conflict resolution so that we don't polute logs via fdca2f6 dsdb-repl: do not ask to add ref when doing getncchange for an exop via 123954d dsdb-cracknames: Fix potential double free and memory leaks from 64eba0a BUG 9633: Recursive mget should continue on EPERM. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 554ba5ebbf1d2e520883cfad6f8a2ed6eb9b2b0f Author: Matthieu Patou m...@matws.net Date: Tue Jan 8 00:09:32 2013 -0800 ldb: Add more data test data for one level test cases Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Fri Feb 8 06:46:40 CET 2013 on sn-devel-104 commit 9206eaaf5dbacade3ccc79d5900d4b242730b2f3 Author: Matthieu Patou m...@matws.net Date: Tue Jan 8 00:28:03 2013 -0800 ldb: Add tests for the python api Reviewed-by: Andrew Bartlett abart...@samba.org commit 2dc9c072cbb9b857bf52e229573d92c9a70bdcf6 Author: Matthieu Patou m...@matws.net Date: Thu Dec 27 18:29:49 2012 -0800 dsdb-operational: rework the loop for attribute removal Instead of doing ldb_in_list size(operational_remove) * (attrs_user + attr_searched) * number of entries times to get the list of attributes to remove we construct this list before the search and then use it for every 
entries. Reviewed-by: Andrew Bartlett abart...@samba.org commit 13b481594585cdb079dcf9b8cf892f5094f44a16 Author: Matthieu Patou m...@matws.net Date: Sat Dec 29 21:48:46 2012 -0800 ldb: Add more tests related to onelevel search Reviewed-by: Andrew Bartlett abart...@samba.org commit 057896a090870ecec56ad0d2f960e55cef561e9e Author: Matthieu Patou m...@matws.net Date: Thu Dec 13 02:18:34 2012 -0800 ldb: use strncmp instead of strcmp when comparing the val part val part of a DN's component is DATA_BLOB and nothing insure that it will be finished by a '\0' Reviewed-by: Andrew Bartlett abart...@samba.org commit 87cbd9414bab2f0a71d71b2c145c11ee71acd573 Author: Matthieu Patou m...@matws.net Date: Sat Dec 29 16:42:28 2012 -0800 ldb: make test output more readable Reviewed-by: Andrew Bartlett abart...@samba.org commit 75f422fe1df7dd04aa46d5c77cbeb43d101c3ad6 Author: Matthieu Patou m...@matws.net Date: Mon Dec 17 01:45:30 2012 -0800 ldb-tdb: Document ltdb_index_add1 for more clarity Reviewed-by: Andrew Bartlett abart...@samba.org commit 1e4e51f4c913a3821d7ecbd0842280240917ae38 Author: Matthieu Patou m...@matws.net Date: Wed Dec 26 21:41:52 2012 -0800 ldb-tdb: Fix a wrong parameter in ltdb_store Reviewed-by: Andrew Bartlett abart...@samba.org commit 2470b0fe5f3facf7bb41acbdb3028e2d5daaf8da Author: Matthieu Patou m...@matws.net Date: Sun Jan 6 22:17:26 2013 -0800 ldb_tdb: raise level of full index scan message so that it starts to be really visible We don't want to have to set log level to 4 or 5 AND set the environment variable to be able to see those log messages Reviewed-by: Andrew Bartlett abart...@samba.org commit 1c0d3486a485cf01338dd5eff49ce847628d1b83 Author: Matthieu Patou m...@matws.net Date: Wed Jan 23 11:33:30 2013 -0800 dsdb-repl: make message more clearer Reviewed-by: Andrew Bartlett abart...@samba.org commit 7222ee0a245d340b526b8220d53c9ffd8c0c4dfa Author: Matthieu Patou m...@matws.net Date: Sat Jan 26 01:53:41 2013 -0800 replmetadata: raise msg level for conflict 
resolution so that we don't polute logs Reviewed-by: Andrew Bartlett abart...@samba.org commit fdca2f6ff47a389cb6300d3ea8327f8486de3c2a Author: Matthieu Patou m...@matws.net Date: Sat Jan 26 01:53:28 2013 -0800 dsdb-repl: do not ask to add ref when doing getncchange for an exop Reviewed-by: Andrew Bartlett abart...@samba.org commit 123954d94ee783bd241c89fa53fc902312176875 Author: Matthieu Patou m...@matws.net Date: Mon Dec 24 10:01:30 2012 -0800 dsdb-cracknames: Fix potential double free and memory leaks Reviewed-by: Andrew Bartlett
Re: [Samba] Solaris 11 can't join Active Directory Domain
On Wed, 2013-01-30 at 21:49 +0100, İhsan Doğan wrote:
> Hi,
>
> I'm running an Active Directory domain on Samba 4.0.1 and I'm trying to join a Solaris 11 machine to this domain:
>
> # smbadm join -u Administrator DOMAIN
> After joining DOMAIN the smb service will be restarted automatically.
> Would you like to continue? [no]: yes
> Enter domain password:
> Locating DC in DOMAIN ... this may take a minute ...
> Joining DOMAIN ... this may take a minute ...
> failed to join DOMAIN: UNSUCCESSFUL
> Please refer to the system log for more information.
>
> In /var/adm/messages:
>
> Jan 30 21:33:34 host smbd[827]: [ID 232655 daemon.notice] ldap_modify: Insufficient access
> Jan 30 21:33:34 host smbd[827]: [ID 702911 daemon.notice] Workstation trust account update failed
>
> Windows 7 clients are able to join, but Solaris 11 fails. Kerberos seems to be fine:
>
> # kinit oskar
> Password for os...@domain.com:
> Warning: Your password will expire in 41 days on Wed Mar 13 19:44:52 2013
>
> But if I run it for Administrator:
>
> # kinit Administrator
> Password for administra...@domain.com:
> Warning: Your password will expire in 41 days on Wed Mar 13 18:36:46 2013
> kinit: no ktkt_warnd warning possible
>
> Any idea what is going wrong here?

Does this work against a freshly provisioned Samba 4.0.3 domain? We fixed a lot of ACL related things with that release.

Andrew Bartlett
Re: [Samba] Searches under non-schema base DN returns schema objects?
On Wed, 2013-01-30 at 15:33 -0800, C. S. wrote:
> Upgraded to the tip of tree, and it no longer happens on the non-GC port, but still happens on the GC port.

This is expected behaviour for the Global Catalog, but I'm glad to hear it is fixed up for the main port.

What version were you running before you upgraded?

Andrew Bartlett
Re: [Samba] Resetting a User Password From S3 or S4 Member Server
On Tue, 2013-02-05 at 18:45 -0500, Thomas Simmons wrote:
> Is it possible to reset a user's password from a member server without knowing the current password? I was able to do this with S3, though it was not truly a member server - I configured the server in question to have direct access to OpenLDAP in smb.conf.

In this case it would be a co-DC.

> I have a member server joined to my S4 domain and a user can change his or her own password via passwd, kpasswd or smbpasswd, however I would like to have the ability to reset a user's forgotten password from this server myself.

Tools like 'samba-tool' can take -H on commands like 'samba-tool user setpassword -H ldap://foo'. There are also many other tools that can do this over many different protocols, including kpasswd, LDAP and SAMR.

Andrew Bartlett
Re: [Samba] Cannot logon Samba 4 via plaintext password
On Thu, 2013-02-07 at 03:12 +0900, TAKAHASHI Motonobu wrote:
> On Mon, 4 Feb 2013 17:32:29 +, Benjamin Huntsman bhunts...@mail2.cu-portland.edu wrote:
>> There is no samba-tool binary in my build. I built 4.0.2 using the original build system, since the WAF-based one doesn't work on AIX. Can the same effect be achieved through editing smb.conf?
>
> From: Daniel Müller muel...@tropenklinik.de
> Date: Tue, 05 Feb 2013 14:26:09 +0100
>> I do not think so. Why not just download samba4 gzipped from samba.org, unzip it and compile anew. You need this samba tool to administrate samba 4
>
> No, samba-tool appears only when you compile Samba4 without the --without-ad-dc option. Also if you compile Samba4 with the same method as Samba3, then you can not see samba-tool.

In any case, samba-tool does not control if we support plaintext passwords. That is only controlled from the smb.conf, and only makes sense on standalone servers.

With the bug filed in the other branch of this thread, I'll see what went wrong with the code and how we can fix this.

That said, I would be very glad to see the end of this support - plaintext passwords have been a bad idea from both a functional and security perspective for quite some time now.

Andrew Bartlett
[Samba] AD DC LDAP support for the 'password change' extended operation
On Mon, 2013-02-04 at 10:31 +0100, Luis Angel Fernandez Fernandez wrote:
> Hi!
>
> I'm trying to use the internal LDAP provided by Samba4 to store mail domains used by SOGo. I have two sets of users. Those used by Samba and created through samba-tool and those created under some ou I have made up. A few days ago I was able to change the latter users' passwords using ldapadmin (a windows LDAP client) but today I am not. When I try to change a password I get an error message like RPC server unavailable.
>
> And I have another problem with LDAP. I have to use ldapadmin to change users' password because ldappasswd gives me this error:
>
> ldappasswd -d4 -h 192.168.0.137 cn=juan.lapuerta,ou=alisys.net,dc=aliratiun,dc=tic
> ldap_build_search_req ATTRS: supportedSASLMechanisms
> SASL/GSSAPI authentication started
> SASL username: administra...@aliratiun.tic
> SASL SSF: 56
> SASL data security layer installed.
> Result: Protocol error (2)
> Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported
>
> But I think I read somewhere that that extended operation is supported.

I can help on this part of the question:

No, the extended operation is not supported - it remains a wishlist item that one of our developers was working on at some point, but has not progressed beyond that.

Andrew Bartlett
Re: [Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
> I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm able to successfully join the client:

I think this comes down to a fundamental misunderstanding of what an RODC can do. It is indeed 'read only'!

You don't join Samba to a DC, you join Samba to a domain. If the RODC is the most favourable server to use for authentication after that, then we will use it, but we will need to contact a read-write DC from time to time.

> [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
> libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
>     out: struct libnet_JoinCtx
>         account_name : NULL
>         netbios_domain_name : 'DOMAIN'
>         dns_domain_name : 'domain.com'
>         forest_name : 'domain.com'
>         dn : NULL
>         domain_sid : *
>             domain_sid : S-1-5-21-2999212452-478241430-698296220
>         modified_config : 0x00 (0)
>         error_string : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED) '
>         domain_is_ad : 0x01 (1)
>         result : WERR_NOT_SUPPORTED
> Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

You should allow Samba and krb5 to find the closest DC to use, and not force a particular server. This not only improves redundancy, it makes Samba much more likely to 'just work'.

Remove all these configuration lines:

> Configuration files:
>
> [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
> [global]
> workgroup = DOMAIN
> password server = wegsfes19234.domain.com
>
> [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf
> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> EXAMPLE.COM = {
> kdc = kerberos.example.com:88
> admin_server = kerberos.example.com:749
> default_domain = example.com
> }
> domain.com = {
> kdc = wegsfes19234.domain.com
> }
> DOMAIN.COM = {
> kdc = wegsfes19234.domain.com
> kdc = wegsfes19234.domain.com
> }

That is, remove the kdc, dns_lookup_kdc and password server configuration options from the smb.conf and krb5.conf files.

Andrew Bartlett
Re: [Samba] Samba support for RODC
On Fri, 2013-02-01 at 19:19 +, Gautam Balothia wrote:
> HI Samba Team,
>
> Can you please help me understand if I can join a samba3.x or 4.x as a member to Microsoft RODC server. This is a Windows 2008 RODC server. I have many issues while connecting samba to a RODC, looks like a common issue people are facing. I am able to connect 400 RHEL server using samba to Writable server but while connecting to RODC we have issues. Please let me know if you have any document available for this.

You should not force Samba to connect to a specific server, in the smb.conf or krb5.conf. Instead, it is best to let Samba find and work with the best server it can locate for the task. That is, you join Samba to the domain, not a specific server.

I can't rule out that there may still be issues if we naturally contact the RODC, but to debug that you need to get debug logs and a packet capture and work with us to uncover the underlying issue.

https://wiki.samba.org/index.php/Capture_Packets

Andrew Bartlett
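Both of the RODC replies above come down to the same check: nothing in smb.conf or krb5.conf should pin the member server to one DC, because DC discovery through DNS SRV records is what lets Samba and libkrb5 fall back to a writable DC when the RODC cannot serve a request. The Python below is an added example (not from the thread or from Samba) that reads the two files and flags exactly the three settings Andrew says to remove: `password server` in smb.conf, `dns_lookup_kdc = false` in [libdefaults], and `kdc =` lines under [realms]. The sample configurations are constructed to mirror the ones Matt posted in the previous thread, with the hostnames kept as placeholders; the minimal krb5.conf reader is my own and handles only the `[section]` and `NAME = { ... }` forms used there.

```python
"""Flag smb.conf / krb5.conf settings that pin a Samba member server to one DC.

Added example: lets an admin confirm that DC discovery is left to DNS
(SRV records) rather than hard-coded hostnames, as recommended above.
"""
import configparser
import re

# Constructed samples mirroring the configuration quoted in the thread;
# the hostnames are placeholders, not real servers.
SMB_CONF = """\
[global]
workgroup = DOMAIN
password server = wegsfes19234.domain.com
"""

KRB5_CONF = """\
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com:88
        admin_server = kerberos.example.com:749
        default_domain = example.com
    }
    domain.com = {
        kdc = wegsfes19234.domain.com
    }
    DOMAIN.COM = {
        kdc = wegsfes19234.domain.com
        kdc = wegsfes19234.domain.com
    }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader (my own, not MIT/Heimdal's profile parser).

    Returns {section: [(group, key, value), ...]} where group is the enclosing
    'NAME = { ... }' block name, or '' for keys at the top of a section.
    """
    sections, section, groups = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            sections.setdefault(section, [])
            groups = []
            continue
        if line == "}":
            if groups:
                groups.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            groups.append(key)
            continue
        sections[section].append((".".join(groups), key, value))
    return sections


def find_pinned_dc_settings(smb_text, krb5_text):
    """Return (file, location, option, value) for every setting that forces a DC."""
    findings = []

    smb = configparser.ConfigParser(interpolation=None, strict=False)
    smb.read_string(smb_text)
    if smb.has_option("global", "password server"):
        findings.append(("smb.conf", "global", "password server",
                         smb.get("global", "password server")))

    krb5 = parse_krb5_conf(krb5_text)
    for _group, key, value in krb5.get("libdefaults", []):
        # With this false, libkrb5 never consults _kerberos._tcp SRV records.
        if key == "dns_lookup_kdc" and value.lower() in ("false", "no", "0"):
            findings.append(("krb5.conf", "libdefaults", key, value))
    for group, key, value in krb5.get("realms", []):
        # Any explicit kdc line overrides DNS discovery for that realm.
        if key == "kdc":
            findings.append(("krb5.conf", "realms/" + group, key, value))
    return findings


def report(findings):
    """Human-readable summary; an empty list means DC discovery is left to DNS."""
    if not findings:
        return "OK: no pinned DC settings found"
    return "\n".join(f"{f}: [{loc}] {opt} = {val}  (remove)" for f, loc, opt, val in findings)


if __name__ == "__main__":
    print(report(find_pinned_dc_settings(SMB_CONF, KRB5_CONF)))
```

Point the two functions at the real `/etc/samba/smb.conf` and `/etc/krb5.conf` contents to get the same list for a live member; once it reports OK, `net ads join` and `kinit` will locate DCs through the domain's SRV records, and a join that still fails is then a real server-side problem rather than a side effect of the pinned RODC.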
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4c1527b s3:modules remove gpfs_getacl_alloc via 18bfcac s3:modules use vfs_gpfs_getacl in gpfsacl_get_posix_acl via 5388773 s3:modules use vfs_gpfs_getacl in gpfsacl_set_nt_acl_internal via 16940d8 s3:modules use vfs_gpfs_getacl in gpfs_get_nfs4_acl via 940b7ec s3:torture/vfstest add memreport option via 8e571fd s3:torture/vfstest implement sys_acl_blob_get_fd via de67655 s3:torture/vfstest implement sys_acl_blob_get_file via 0621991 s3:vfs_gpfs use non_posix_sys_acl_blob_get_*_helper via f1ff845 s3:vfs_gpfs add a generic vfs_gpfs_getacl function via d9075e1 s3:modules/vfs_gpfs add GPFS_GETACL_NATIVE define via b4be8d5 s3:modules/non_posix_acls: only stat if we do not have it cached via 7cd91ca s3:autoconf add non_posix_acls to NFS4ACL_OBJ via ea6ac28 s3:autoconf introduce NFS4ACL_OBJ via d7ad24a s3-waf:modules add non_posix_acls dependency to vfs_gpfs via 2a2dbf8 vfs: Add helper function for non posix ACL modules via e650a5f idl: Provide a common wrapper for the data to hash for a non-POSIX ACL via a133a98 selftest: add a test that demonstrates how new ACL blob code helps via f0e49b0 vfs_acl_common: Do not fetch the underlying NT ACL unless we need it via 4e8c895 vfs: Whitespace fix only to get_nt_acl_internal indentation via 25526ed vfs: Implement an improved vfs_acl_common that uses the hash of the system ACL via 6a5f65b vfs: Add helper function hash_blob_sha256 to vfs_acl_common.c from 5a8e049 Fix typo in warning message http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4c1527b1ce26759dbb7470b23f9f83a391d99b30 Author: Christian Ambach a...@samba.org Date: Tue Jan 8 17:10:27 2013 +0100 s3:modules remove gpfs_getacl_alloc last caller has gone Signed-off-by: Christian Ambach a...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Mon Feb 4 14:10:08 CET 2013 on sn-devel-104 commit 
18bfcac810bed431d0ca33ad02508fd87df1c626 Author: Christian Ambach a...@samba.org Date: Tue Jan 8 17:10:10 2013 +0100 s3:modules use vfs_gpfs_getacl in gpfsacl_get_posix_acl as preparation to remove gpfs_getacl_alloc() Signed-off-by: Christian Ambach a...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org commit 5388773d4baf902d8dd70d046cacc5a15fa790d7 Author: Christian Ambach a...@samba.org Date: Tue Jan 8 17:07:09 2013 +0100 s3:modules use vfs_gpfs_getacl in gpfsacl_set_nt_acl_internal as preparation to remove gpfs_getacl_alloc() Signed-off-by: Christian Ambach a...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org commit 16940d8a8ecb46a6de9cf5c83da7d2f54030777b Author: Christian Ambach a...@samba.org Date: Tue Jan 8 16:54:16 2013 +0100 s3:modules use vfs_gpfs_getacl in gpfs_get_nfs4_acl as preparation to remove gpfs_getacl_alloc() Signed-off-by: Christian Ambach a...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org commit 940b7ec78c50c41a399bee2775cd008618baf8f8 Author: Christian Ambach a...@samba.org Date: Fri Nov 16 22:58:06 2012 +0100 s3:torture/vfstest add memreport option this will run a talloc_report_full on the talloc stackframe after each command Signed-off-by: Christian Ambach a...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org commit 8e571fd385334bc12ee5c5bdfd32b31ad2c4b4b8 Author: Christian Ambach a...@samba.org Date: Thu Nov 15 15:25:52 2012 +0100 s3:torture/vfstest implement sys_acl_blob_get_fd Signed-off-by: Christian Ambach a...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org commit de676555ab882bd110a2649555645d58abe2bfeb Author: Christian Ambach a...@samba.org Date: Thu Nov 15 15:19:07 2012 +0100 s3:torture/vfstest implement sys_acl_blob_get_file Signed-off-by: Christian Ambach a...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org commit 06219913abc4f1c3912b377b4a9521a11ad45886 Author: Christian Ambach a...@samba.org Date: Tue Oct 30 13:44:40 2012 +0100 s3:vfs_gpfs use 
non_posix_sys_acl_blob_get_*_helper use the helper functions to return the blob based on the raw GPFS ACL blob (if it is a NFSv4 ACL). If not, fall back to the POSIX ACL code Signed-off-by: Christian Ambach a...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org commit f1ff845720604fc32788a59ec9a1a128135efe35 Author: Christian Ambach a...@samba.org Date: Mon Nov 5 19:26:57 2012 +0100 s3:vfs_gpfs add a generic vfs_gpfs_getacl function in contrast to gpfs_getacl_alloc which always puts the ACL on talloc_tos(), this one allows
Re: [Samba] Samba Server Under Microsoft Windows Network
This is because as an AD DC we do not support NetBIOS browsing. This is normal, access the server by name and it will work fine.

Fabian von Romberg fromberg...@hotmail.com wrote:
> Hi All,
>
> I'm running a samba4 server. When I logged onto the server from a XP Machine and then I go to My Network Places - Microsoft Windows Network - Mydomain my samba4 server is not listed. What could be the reason? Should I set up anything on my XP machine?
>
> Your help will be appreciated.
>
> Thanks and regards,
> Fabian

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: [Samba] Samba4 Authentication
On Sun, 2013-02-03 at 00:27 -0500, Fabian von Romberg wrote:
> Hi,
>
> when I logon from windows machine, the username is validated against samdb. How can user be validated against Kerberos5 (principals)?

Clients of a Samba 4.0 AD DC will use kerberos for the domain login when network configurations permit it (such as correct DNS). This is validated by the KDC against the same database (samdb) that NTLM logins work against, to ensure consistent behaviour for the user.

Andrew Bartlett
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On Fri, 2013-02-01 at 10:50 +0200, Michael Wood wrote:
> Hi
>
> On 1 February 2013 04:18, Andrew Bartlett abart...@samba.org wrote:
>> On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote:
>>> [...]
>>> Andrew, I would like to avoid killing processes by not asking for them to start. :)
>>> Regards, Dewayne.
>>
>> Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change.
>
> Well, adding server services = -s3fs, -winbind and commenting out any share definitions seems to stop smbd from starting, but I have no idea whether or not that will break anything.

Michael,

I know you are trying to address Dewayne's requirements, but please do not suggest untested combinations of server services. I say this because users tend to try out these things without understanding them, and only come back later to get us to come back and diagnose the breakage.

I will address Dewayne's specific requirements in another mail.

Andrew Bartlett
Re: [Samba] Samba OpenLDAP Domain issue
On Thu, 2013-01-31 at 09:57 +0400, 25Dollar Tech wrote:
> Hello Team,
>
> I am using samba 3.6.3 in ubuntu as file server and also I have a domain controller in my organization; both are different servers. I am able to register SAMBA as domain controller successfully, and I could see SAMBA Domain with SID populated in my OpenLDAP. But my problem is when I configure samba as file server. SAMBA is pulling the host name and registering to OpenLDAP as domain. Example: My Domain name is test. My file server host name is fileserver01. I could see test and fileserver01 in my openldap with SID. Why is this happening, since this is just configured as file server, and also I do not have winbind configured in my file server. Below are my configuration details.

Your file server should be joined to the domain as a domain member server, and not directly use passdb against the DC. You should then use nss_winbind or nss_ldap to get consistent user and group memberships with the DC.

By connecting your Samba file server to the DC, it is confused as to whether the password store in ldap, which it has full control of, should belong to it or the DC, and the result will not be pretty.

Andrew Bartlett
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote:
> Our plan is to have one AD DC running in Head Office, RODCs at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our current environment is Samba-3.6.9 PDC, BDCs, fileshares; openldap stores samba, posix and acts as heimdal backend for SSO.
>
> My questions are:
>
> AD DC
> Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap and dns functionality remain. How can I produce a minimal AD DC:
>
> 1) Do I need smbd to parse the smb.conf for samba4 to start correctly?

On the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'.

> 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?

You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice.

> For readers new to RODC, this is useful: http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx
>
> DNS
> DNS is required in Samba4 AD DC as explained here http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's article is informative). The internal DNS works like a dream. However the internal DNS doesn't slave to a master DNS, so --dns-backend=BIND9_DLZ is the best option for a complex environment using Windows servers as members or DCs. However:

You can always forward to another DC, or have your complex DNS server point only a particular domain to Samba, say with a bind zone of type 'forward'.

> 3) For Samba4 AD DC to act purely as an authentication engine, within UNIX-only servers where PCs and WinServers are effectively desktops for users; can I use --dns-backend=NONE without loss of DRS or RODC functionality? (Or are these contradictory requirements.)

No, DNS is always required, even for our internal use.

> 4) If we need to redesign our DNS infrastructure, is it sufficient that a dhcp server provide updates to bind9-DLZ (as a component of Samba4 AD DC)?

There is discussion on the list about ways to make DHCP work. I would like to make this 'just work' using the normal TSIG code for both the bind9 and the internal server, but this remains a development task for an interested developer. (Warning, some crypto required).

> Posix
> In a Samba3 world, I rely upon smbldap-tools (http://gna.org/projects/smbldap-tools) to manipulate user/group information, including assignment of uidNumber/gidNumber that is unique to an individual, per IT audit instruction. I would greatly appreciate guidance on how to set/use posix on Samba4. I've spent 4 hours trolling the web and mailing list searches with hints or scripts, so
>
> 5) Do I need to manually add the ldap posixAccount object to each user's ldap record, or is there an option in samba-tool user create that I haven't found? Next issue is how to manage the uidNumber/gidNumber content? {This was being worked: http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html ?}

Yes, samba-tool is tested as being able to manage this. 4.0.3 will be a little easier in this regard, as the posixAccount/posixGroup requirement has been dropped.

> 6) Is there any mechanism that allows me to change the uids being assigned to files that are created by Samba AD DC to be the same as pre-existing uids used by Samba3? For example changing uid 320 to 1046, or gid 319 to 1001?

Set those uid values on the LDAP directory using uidNumber and gidNumber, and set 'idmap_ldb:use rfc2307=yes'.

> Miscellaneous
> 7) Will the list of smb.conf options described in samba4 source folder source4/TODO be updated to reflect what appears in testparm -vss? It's a little confusing as to which takes precedence?

Yes, this is confusing. Even the output of testparm -v and samba-tool testparm -v do not match up, and that TODO list refers mostly to the more limited capabilities of the ntvfs file server, which is available and supported, but is not the default. We essentially need to transform these details into manpage notes.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] unique index violation on objectGUID, CN=Deleted Objects, DC=samdom, DC=domain
On Thu, 2013-01-31 at 10:20 +0800, Ong Yu-Phing wrote:
> Some (unsuccessful) updates, I've tried with both latest git pull () and samba 4.0.2, both still encounter the same problem.
>
> According to MS documentation, seems like I can't really delete objects from the CN=Deleted Objects container, I have to wait for the tombstone garbage collection to get to work, which means I have to wait ~180 days from when the objects were actually deleted.
>
> Does anybody have any idea about how to delete these sooner (NB: the sysadmins thought we could just change tombstone TTL to 1 day, but MS explicitly states this is a bad idea... )

Samba treats having two objects with the same objectGUID as an impossibility, and has been coded with that as a fundamental assumption.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote:
> -----Original Message-----
> From: Michael Wood [mailto:esiot...@gmail.com]
> Sent: Friday, 1 February 2013 12:22 AM
> To: Andrew Bartlett
> Cc: Dewayne; samba@lists.samba.org
> Subject: Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
>
> Hi
>
> On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote:
> > On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote:
> > > Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our current environment is Samba-3.6.9 PDC,BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO.
> > >
> > > My questions are:
> > >
> > > AD DC
> > > Are smbd and winbindd necessary on the AD DC. I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap dns functionality remain. How can I produce a minimal AD DC:
> > >
> > > 1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
> >
> > on the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'.
> >
> > > 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?
> >
> > You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't generally kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice.
>
> I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd.
>
> -- 
> Michael Wood esiot...@gmail.com
>
> Thanks Michael, I am looking for an AD DC (authentication) server, which as I observe doesn't require smbd and winbindd. These will run on a separate (fileserving) server(s).
>
> Andrew, I would like to avoid killing processes by not asking for them to start. :)
> Regards, Dewayne.

Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] How to query posix attributes from Samba 4?
On Tue, 2013-01-29 at 18:03 -0800, C. S. wrote:
> Hi folks,
>
> I'm trying to use sssd under CentOS 6.3 to query user/group information from samba 4.0.1. I have the posix attributes set on my user/group objects, however I don't seem to be able to query them unless I use the administrator account. With anonymous queries enabled, I'm not able to see anything below my basedn, and with acl:read=false set in smb.conf the attributes don't appear either.

Try v4-0-test from GIT, or set 'acl:search=false' (I misspoke earlier) until you can install 4.0.3 due next week.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Ubuntu 12.04 Authentication by Samba4
On Wed, 2013-01-30 at 13:09 +0530, Vijay Thakur wrote:
> All Experts,
>
> I have installed and configured samba4 server in Centos 6.3 successfully. I am able to authenticate all MS Windows OS to join samba domain. Now I want to authenticate my Ubuntu 12.04 Desktop with Samba 4. Anyone in the list who will share their knowledge, so that I can implement it in my organization? With thanks in advance.

Just join it like you would any other AD Domain.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba4 Winbind - is it really not possible to be sensible?
On Sat, 2013-01-26 at 12:46 +, Rob McCorkell wrote:
> > If you provision/run with idmap_ldb:use rfc2307 then you can assign each user/group a uidNumber/gidNumber which then is/can be obeyed by samba/nslcd.
>
> Sorry, I should have made myself more clear. Our current setup uses the nslcd approach to get the UIDs and GIDs as mapped from the RID of each object. We then feed that back into the LDAP database (as uidNumber and gidNumber attributes) along with setting idmap_ldb:use rfc2307 so that Samba4 gets the same UIDs and GIDs as from mapping the RID.
>
> But this is very much a fudge, and it does not make sense that Winbind shouldn't support this form of RID mapping, even though previous versions did support it.

We continue to support this, just not when we are an AD DC. If this bothers you, then do not use your AD DC as a file server, except for the required group policy files. This is one of the many reasons we recommend against combining these roles on sites with complex requirements.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
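The RID-derived mapping Rob describes (written back into the directory as uidNumber/gidNumber so that 'idmap_ldb:use rfc2307' reads it) and Dewayne's question 6 earlier on this page (pinning particular users to the uids their files already carry from Samba3) call for the same tooling, so here is one added Python example covering both. It is not code from the thread or from Samba: it parses objectSid strings, derives an idmap_rid-style id (base + RID, an assumed scheme and an assumed base range), lets individual SIDs be pinned to fixed ids, refuses SIDs from a foreign domain and any duplicate uid or gid, and emits LDIF 'replace' operations. The domain SID, DNs, RIDs, range and pinned value are constructed placeholders.

```python
"""Added example (not from the thread or from Samba): RID -> uidNumber/gidNumber
LDIF generator for use with idmap_ldb:use rfc2307 = yes.  All identifiers below
are constructed placeholders."""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,14}$")


def parse_sid(sid: str):
    """Split a domain account SID into (domain SID, RID); reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = sid.split("-")
    # S-1-5-21-<a>-<b>-<c>-<RID>: exactly eight dash-separated fields
    if len(parts) != 8 or parts[2:4] != ["5", "21"]:
        raise ValueError(f"not an S-1-5-21 account SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def map_id(sid: str, domain_sid: str, base: int, hi: int, overrides: dict) -> int:
    """uid/gid for a SID: the pinned value from overrides if present,
    otherwise base + RID, checked against the configured range (assumed scheme)."""
    dom, rid = parse_sid(sid)
    if dom != domain_sid:
        raise ValueError(f"{sid} belongs to another domain; not mapping it")
    if sid in overrides:
        return overrides[sid]
    xid = base + rid
    if not base <= xid <= hi:
        raise ValueError(f"{sid} maps to {xid}, outside {base}-{hi}")
    return xid


def build_ldif(domain_sid: str, objects, base=10000, hi=19999, overrides=None) -> str:
    """objects: iterable of (dn, objectSid, 'user' | 'group').  Returns LDIF
    modify records.  Raises if two users would share a uidNumber or two
    groups a gidNumber, which is the uniqueness the audit requirement asks for."""
    overrides = overrides or {}
    seen = {"uidNumber": {}, "gidNumber": {}}
    records = []
    for dn, sid, kind in objects:
        if kind not in ("user", "group"):
            raise ValueError(f"unknown object kind {kind!r} for {dn}")
        attr = "uidNumber" if kind == "user" else "gidNumber"
        xid = map_id(sid, domain_sid, base, hi, overrides)
        if xid in seen[attr]:
            raise ValueError(f"{attr} {xid} already assigned to {seen[attr][xid]}")
        seen[attr][xid] = dn
        records.append(f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {xid}\n")
    return "\n".join(records)


# constructed sample directory content: one domain, two users, one group
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_OBJECTS = [
    ("CN=alice,CN=Users,DC=samdom,DC=example", DOMAIN_SID + "-1106", "user"),
    ("CN=bob,CN=Users,DC=samdom,DC=example", DOMAIN_SID + "-1107", "user"),
    ("CN=staff,CN=Users,DC=samdom,DC=example", DOMAIN_SID + "-1108", "group"),
]
# pin bob to the uid his files carried on the old Samba3 server (constructed value)
PINNED = {DOMAIN_SID + "-1107": 1046}


def example() -> str:
    return build_ldif(DOMAIN_SID, SAMPLE_OBJECTS, overrides=PINNED)


if __name__ == "__main__":
    print(example())
```

The output is ordinary LDIF that ldbmodify or ldapmodify can apply against the DC; the collision check matters because once 'idmap_ldb:use rfc2307' is on, a uid shared by two accounts silently gives both the same file ownership.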
Re: [Samba] Samba Authentication With Kerberos
On Sun, 2013-01-27 at 11:48 -0500, Fabian von Romberg wrote:
> Hi All,
>
> I'm trying to setup a server with Samba4 with Kerberos. When I want to list all shares with smbclient with samba authentication, everything works fine. But when I try to authenticate using Kerberos, I get an error.

To be clear, is this Samba 4.0 as an AD DC, or as a member server in another AD domain?

> The command I execute is:
> smbclient -L localhost -k
>
> The error message from Samba is:
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE

smbclient should never do kerberos to localhost because we can never know which localhost that is. If you have somehow registered a 'localhost' as a servicePrincipalName, then this is likely the cause of the issue.

(This error indicates that the key you got from the KDC is not the key that the server has in its secrets database/keytab.)

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] fail-over, redundancy, bdc, multi-dc-domain
On Tue, 2013-01-22 at 10:53 -0800, Gregory Sloop wrote:
> I'm aware of, at least generally, how one would have done a BDC/Redundant server under OpenLDAP Samba3. However, rolling your own multi-domain-controller was fairly daunting [for me] under Samba3 / OpenLDAP. I've been very interested in Samba4 for the more integrated nature of having LDAP/DNS/Samba all under one roof. [i.e. Fewer places where I can screw it up horribly.]

Most of our users find that Samba 4.0 'just works' for them as an AD DC, even replicating to a second DC.

> However I'm also interested in how one can handle fail-over. I don't need something totally seamless and big-iron style. A backup box that would need some manual intervention would be fine.

Just replicating to a second DC should be fine. You will need to manually replicate the sysvol share, but that shouldn't be hard.

> So, something like an rsync'd backup box where the shared files/accounts/etc are perhaps an hour out of date, and that would require 15 minutes to bring up as a primary would be an acceptable solution.

I would not recommend just rsyncing anything, except the sysvol files. The reason is that rsync will not get a consistent snapshot of the databases. Joining a second DC will be much more seamless.

> That's not to say I wouldn't want something better, but that's kind of the low end of the acceptable scale.
>
> I've done some searches on the list and spent a while looking for examples but I don't easily find any. [Using searches with: samba4 bdc, redundant, backup, etc. There are a ton of very old articles on the list, but almost nothing I could find specifically on Samba4.]
>
> Could some kind soul point me either to:
> 1) Search terms more likely to produce results, or some discussion threads or
> 2) wiki/how-to's on how to accomplish something in the neighborhood on this subject?

The main HOWTO contains information on joining to an existing domain. That is what you need to do on your second DC.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  0f8ef5a selftest: Add test of upgradeprovision using the old alpha13 tree
       via  58d6d88 samba_upgradeprovision: detect dns_backend for the reference provision
       via  b855df2 provision: setup names.dns_backend
       via  4752731 samba_upgradeprovision: fix the nTSecurityDescriptor on more containers (bug #9481)
       via  5cf9882 provision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)
       via  a477649 provision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)
       via  1de5c2f provision: fix nTSecurityDescriptor of CN={LostAndFound,System},${DOMAINDN} (bug #9481)
       via  4775f9a provision: setup names.name_map['DnsAdmins']
       via  e0712a7 provision: introduce names.name_map = {}
       via  ebb73f1 provision: add get_dns_{forest,domain}_microsoft_dns_descriptor()
       via  d00fb6a provision: add get_config_ntds_quotas_descriptor()
       via  1207cbd provision: add get_{config,domain}_delete_protected*_descriptor()
       via  8880c2d schema.py: add optional name_map={} to get_schema_descriptor()
       via  27a99c6 provision: add optional name_map={} argument to get_*_descriptor()
       via  d4653e9 provision: import/export get_dns_partition_descriptor()
       via  b54b58e provision: setup names.dns{forest,domain}dn
       via  f512483 samba_upgradeprovision: fix resetting of 'nTSecurityDescriptor' on schema objects
       via  b5cafa3 samba_upgradeprovision: don't reset 'whenCreated' when resetting 'nTSecurityDescriptor'
       via  ec466aa dbckecker: fix nTSecurityDescriptor values from before 4.0.0rc6 (bug #9481)
       via  38655a8 dsdb-descriptor: get_default_group() should always return the DAG sid (bug #9481)
       via  cd5cb84 tests/sec_descriptor: the default owner behavior depends on domainControllerFunctionality (bug #9481)
       via  2413962 libcli/security: calculate INHERIT_ONLY correcty for AUDIT and ALARM aces (bug #9481)
      from  b9f1c88 s4-process_single: Use pid,task_id as cluster_id in process_single just like process_prefork

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 0f8ef5a2c83e0496ef79c3d6f8b1188fdd1943a0
Author: Andrew Bartlett abart...@samba.org
Date:   Tue Jan 22 23:39:15 2013 +1100

    selftest: Add test of upgradeprovision using the old alpha13 tree

    This ensures that upgradeprovision works as expected on a known good old database.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher me...@samba.org

    Autobuild-User(master): Andrew Bartlett abart...@samba.org
    Autobuild-Date(master): Sun Jan 27 11:55:54 CET 2013 on sn-devel-104

commit 58d6d884cf8a8de5a1fa2dfd4a0cbacdff0d2483
Author: Stefan Metzmacher me...@samba.org
Date:   Fri Jan 25 09:36:47 2013 +0100

    samba_upgradeprovision: detect dns_backend for the reference provision

    If we have a DomainDnsZone partition, we use BIND9_DLZ as backend and fix errors in the ForestDnsZone and DomainDnsZone partitions.

    Note: this should work fine also for SAMBA_INTERNAL.

    If the current setup doesn't use dns specific partitions (e.g. alpha13 setups) we pass dns_backend=BIND9_FLATFILE.

    Signed-off-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit b855df254de40d9de0b7f9042564f6d521ab1c5d
Author: Stefan Metzmacher me...@samba.org
Date:   Fri Jan 25 09:36:47 2013 +0100

    provision: setup names.dns_backend

    If we have a DomainDnsZone partition:
    - we use BIND9_DLZ as backend if a dns-netbiosname account is available
    - otherwise, we use SAMBA_INTERNAL
    else:
    - we use BIND9_FLATFILE if a dns or dns-netbiosname account is available
    - otherwise, we use NONE

    Signed-off-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 4752731c2eb4abeb0b5da3e33aa3096786301a19
Author: Stefan Metzmacher me...@samba.org
Date:   Thu Dec 13 12:56:37 2012 +0100

    samba_upgradeprovision: fix the nTSecurityDescriptor on more containers (bug #9481)

    Signed-off-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 5cf98823cc804906833f7ea763f99de0147b0fee
Author: Stefan Metzmacher me...@samba.org
Date:   Wed Jan 23 16:27:17 2013 +0100

    provision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)

    Signed-off-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit a477649e568577875be577c70a6b25cbeea6985a
Author: Stefan Metzmacher me...@samba.org
Date:   Wed Jan 23 16:27:17 2013 +0100

    provision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)

    Signed-off-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit
Re: [Samba] migrating from Samba3 with tdbsam to samba4 AD server?
On Thu, 2013-01-24 at 21:47 -0800, Simon Matthews wrote:
> What's the best path to do this? I currently have a SAMBA3 domain controller using tdbsam and would like to migrate to Samba4 as an AD controller. I assume that this will require loading my existing user database into ldap.

No, you just run 'samba-tool domain classicupgrade' and it does all the right things.

See https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
On Thu, 2013-01-24 at 14:32 +0100, Fred F wrote:
> Thanks for your statement, Andrew. I know about winbind and we've used it in the past, but I remember there were some issues when dealing with POSIX ACLs and winbind. Now while winbind might work in some environments, I think it would be much nicer and cleaner to integrate Linux clients into a Samba AD domain with native Linux tools. The PAM part is very easy and works great already with Samba 4 and Linux clients using Kerberos. The only somewhat troublesome part is the NSS information (passwd/groups/shadow), which would also not really be an issue if Samba 4 properly implemented separation between users and groups in POSIX ACLs (#9521).

This bug is closed as invalid for very good reason. There is no separation between users and groups in windows ACLs, once you have to handle groups owning files and SID History (users essentially becoming groups), and we have no choice but to match.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c5db4eb bug9598: s4-process_single: Use pid,fd as cluster_id in process_single just like process_prefork from da35cd7 Avoid a very small memleak on talloc_tos() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c5db4eb9104f1a95220273ee2b0290d157053922 Author: Andrew Bartlett abart...@samba.org Date: Fri Jan 25 13:15:51 2013 +1100 bug9598: s4-process_single: Use pid,fd as cluster_id in process_single just like process_prefork This avoids two different process single servers (say LDAP and the RPC server) sharing the same server id. Fix-bug: https://bugzilla.samba.org/show_bug.cgi?id=9598 Reported-by: Matthieu Patou m...@matws.net Reviewed-by: Matthieu Patou m...@matws.net Signed-off-by: Andrew Bartlett abartl...@samba.org Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Fri Jan 25 12:00:04 CET 2013 on sn-devel-104 --- Summary of changes: source4/smbd/process_single.c | 11 --- 1 files changed, 8 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/smbd/process_single.c b/source4/smbd/process_single.c index 742eac1..ff67750 100644 --- a/source4/smbd/process_single.c +++ b/source4/smbd/process_single.c @@ -49,6 +49,7 @@ static void single_accept_connection(struct tevent_context *ev, { NTSTATUS status; struct socket_context *connected_socket; + pid_t pid = getpid(); /* accept an incoming connection. */ status = socket_accept(listen_socket, connected_socket); 
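Review bot: the new `pid_t pid = getpid();` local in single_accept_connection() is re-evaluated on every accepted connection even though a process_single server's pid does not change for its lifetime; that is cheap and harmless, but a one-line comment saying it is intentionally fetched here (rather than cached at startup) would stop the next reader from "optimising" it into a static that then goes stale if the model ever forks.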
@@ -71,10 +72,14 @@ static void single_accept_connection(struct tevent_context *ev, talloc_steal(private_data, connected_socket); - /* The cluster_id(0, fd) cannot collide with the incrementing -* task below, as the first component is 0, not 1 */ + /* +* We use the PID so we cannot collide in with cluster ids +* generated in other single mode tasks, and, and won't +* collide with PIDs from process model standard because a the +* combination of pid/fd should be unique system-wide +*/ new_conn(ev, lp_ctx, connected_socket, -cluster_id(0, socket_get_fd(connected_socket)), private_data); +cluster_id(pid, socket_get_fd(connected_socket)), private_data); } /* -- Samba Shared Repository
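Review bot: the replacement comment contains typos ("and, and won't", "because a the combination") and drops the guarantee the removed comment stated, namely that cluster_id(0, fd) could not collide with task ids because the first component differed. After this hunk connections use cluster_id(pid, fd), and the earlier commit listed on this page (b9f1c88, "Use pid,task_id as cluster_id in process_single") gives tasks cluster_id(pid, task_id), so a connection whose fd number equals a task_id in the same process would share a server id. Either explain in the comment why the fd and task_id ranges cannot overlap, or keep them apart (for example by reserving a distinct second-component range for connections), and reword to something like "Using the pid as the first component keeps these ids distinct from cluster ids generated by other single-mode tasks and from process model standard, since the pid/fd pair is unique system-wide".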
Re: [Samba] generate keytab
On Thu, 2013-01-24 at 18:33 +0200, Hleb Valoshka wrote:
> Please! Don't write into private mail. Thanks.
>
> > $ Samba-tool user create http-user --random-password
> > $ Samba-tool spn add HTTP/www.nisled.org http-user
>
> Okay, you've got user http-user with principals http-u...@nisled.org and HTTP/www.nisled@nisled.org.
>
> > $ Samba-tool domain exportkeytab --principal=HTTP/www.nisled.org http.keytab
>
> Here you export _only_ HTTP/www.nisled@nisled.org.
>
> > $ kinit -k -t http.keytab http-user
> > kinit: Key table entry not found while getting initial credentials
>
> Of course, because you didn't export it.
>
> > Can anyone help me?
>
> Export http-u...@nisled.org too.

Exactly. While the Samba KDC is smart, and knows these are the same user, the keytab and krb5 client tools are dumb (very); they work on exact string matches, so you have to export exactly the name you want to kinit as, or kinit as HTTP/www.nisled@nisled.org.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
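The "exact string match" behaviour Andrew describes is a property of the keytab file itself: each entry carries one fully spelled-out principal, and the client tools look the requested name up literally. The following added Python example, not code from the thread or from Samba, builds a minimal version-0x0502 keytab in memory (the format MIT and Heimdal write), parses it back, and shows that a keytab holding only the HTTP/ SPN has no entry for the plain user principal, while one with both names resolves both. The principals follow the thread, the key bytes and kvno are constructed placeholders, and no KDC or real keytab is touched.

```python
"""Added example (not from the thread or from Samba): keytab encode/parse with
exact-principal lookup.  Keys, kvno and timestamps are constructed placeholders."""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"       # file format version 0x0502 (MIT and Heimdal)
KRB5_NT_PRINCIPAL = 1            # name type stored for ordinary principals
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass
class KeytabEntry:
    principal: str      # full "name/component@REALM" string
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0  # constructed; real exports store the write time


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)           # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body  # positive size = live entry


def encode_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data: bytes):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno present after the key block
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, etype, key, ts))
    return entries


def find_key(data: bytes, principal: str):
    """Exact string match on the principal, as the krb5 client tools do:
    no alias resolution, so http-user and its HTTP/ SPN are distinct entries."""
    return [e for e in parse_keytab(data) if e.principal == principal]


def principals(data: bytes):
    return [e.principal for e in parse_keytab(data)]


# constructed keytabs reproducing the thread: first only the SPN was exported,
# then both names (same key material, since the KDC treats them as one account)
SPN = "HTTP/www.nisled.org@NISLED.ORG"
USER = "http-user@NISLED.ORG"
PLACEHOLDER_KEY = b"\x11" * 32
SPN_ONLY = encode_keytab([KeytabEntry(SPN, 1, ETYPE_AES256_CTS_HMAC_SHA1_96, PLACEHOLDER_KEY)])
BOTH = encode_keytab([
    KeytabEntry(SPN, 1, ETYPE_AES256_CTS_HMAC_SHA1_96, PLACEHOLDER_KEY),
    KeytabEntry(USER, 1, ETYPE_AES256_CTS_HMAC_SHA1_96, PLACEHOLDER_KEY),
])
```

Running `find_key(SPN_ONLY, USER)` returns an empty list, which is the structural reason behind "Key table entry not found"; the same parser is a handy way to audit what a keytab actually contains (principals, kvno, enctype) without the key bytes ever leaving the box.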
Re: [Samba] MS AD Tools
On Wed, 2013-01-23 at 18:18 -0600, Michael Ray wrote:
> Hello all,
>
> I'm in the process of trying to get Samba4 up and running as AD for my company. It's been a bumpy, but productive road. However, one thing that I'd like clarification on before we go live (which hopefully isn't too far out), is the use of MS Administrative Tools. The wiki mentioned using 'Users and Computers'. I have used that successfully; however there are several other things I'd like to use that appear to be missing functionality (e.g. 'Administrative Center' can't find the Active Directory Web Service, 'Users and Computers' can't get the Global Catalog). Are these things that have yet to be implemented or perhaps have I botched a configuration script somewhere?

Unless you try really hard, a successful Samba AD DC install will do everything we can do out of the box. Many features remain unimplemented - we don't do web services for example.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
On Wed, 2013-01-23 at 18:29 +0100, Fred F wrote:
> 2013/1/22 Gémes Géza g...@kzsdabas.hu:
> > I don't agree, because users can be members of multiple groups, not just the group identified as their primary group
>
> Well, yes. That is not the point. Users can still be members of multiple groups (e.g. CN=Domain Admins,CN=Users,CN=DOMAIN), through the member attributes of the AD/LDAP nodes, but the actual issue here is that plain users do not show up in (CN=Domain Users,CN=Users,CN=DOMAIN), because Domain Users is set as the primary group directly. Additionally added groups show up on the Linux side as well, just not the primary group (with my approach).
>
> Any other thoughts? Isn't this scenario one of the most common usage scenarios ever? Serving both Windows and Linux? How come so little information is available about Samba4 with Linux clients?

That is because there isn't anything special about Samba 4.0 as an AD DC with Linux clients that hasn't already been done for a Windows AD domain. The Samba Team recommends winbind as the AD client to use on Linux, because it handles these and many other details much better than just nss_ldap.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm
On Mon, 2013-01-21 at 23:25 -0700, Kyle Brantley wrote:
> On 1/21/2013 9:14 PM, Kyle Brantley wrote:
> > On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
> > > On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
> > > > On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
> > > > > On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
> > > > > > Hello --
> > > > > >
> > > > > > I'm trying to run a samba4 server (note: Fedora packaged version, samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD. This is a summation of the config that I'm using (works under samba 3.6):
> > > > > >
> > > > > > security = ADS
> > > > > > passdb backend = tdbsam
> > > > > > restrict anonymous = yes
> > > > > > server signing = auto
> > > > > > client signing = auto
> > > > > > smb encrypt = auto
> > > > > > realm = MYREALM.COM
> > > > > > kerberos method = system keytab
> > > > > >
> > > > > > However, whenever I try to access the samba server, the client fails to connect. I can see that a ticket has been issued for cifs/hostn...@myrealm.com, but in /var/log/messages I get this:
> > > > > >
> > > > > > Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> > > > > > Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> > > > > > Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> > > > > > Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> > > > > > Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> > > > > > Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> > > > > >
> > > > > > Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
> > > > > >
> > > > > > Does anyone know what I need to be doing to get this working again?
> > > > >
> > > > > It is probably a bug in the reworked krb5 code. The code paths to support this are still there, but clearly something doesn't trigger correctly.
> > > > >
> > > > > The first thing to do would be to turn up the log level, to see what the real failure is (the mentioned message shouldn't actually be fatal).
> > > > >
> > > > > Then, once we rule out it being something else, it probably just needs a new test environment to be created in our 'make test' that tells our AD server to not send the PAC. This will allow this code path to be covered, and prevent regressions.
> > > > >
> > > > > Andrew Bartlett
> > > >
> > > > As far as I can tell, prior to accepting a connection:
> > > >
> > > > Full logs:
> > > > http://averageurl.com/samba/samba-log.gz
> > > > http://averageurl.com/samba/samba-strace-log.gz
> > > >
> > > > I've already changed the keys out, so I'm not too worried about what key data is actually in those logs.
> > >
> > > The logs were very helpful. The attached patch should fix it, or at least move the failure to somewhere else :-).
> > >
> > > Please file the bug, so we can get this into 4.0.2
> > >
> > > Andrew Bartlett
> >
> > Thanks. I've filed the bug (https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently rebuilding samba with the patch applied. I'll let you know how it goes...
> >
> > --Kyle
>
> That worked great. I've been able to enumerate the shares and connect to them now. I validated with wireshark that the kerberos authentication was occurring, and it looks like everything functions now thanks to your previously attached patch.

Metze,

Can you get this into master? I'll try and follow-up with a testcase (setting the UF_NO_AUTH_DATA_REQUIRED on an account and doing a kerberos login) soon, but this much needs to get to 4.0.2

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org Date: Tue, 22 Jan 2013 14:45:14 +1100 Subject: [PATCH] gensec: Allow login without a PAC by default The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett --- auth/gensec/gensec_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c index d732213..64952b1 100644 --- a/auth/gensec/gensec_util.c +++ b/auth/gensec/gensec_util.c @@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; if (!pac_blob) { - if (!gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { + if (gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { DEBUG(1, (Unable to find PAC in ticket from %s, failing to allow access\n, principal_string
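Review bot: flipping the condition to `if (gensec_setting_bool(..., "require_pac", false))` changes a security default: with gensec:require_pac unset, a ticket that carries no PAC now continues past this check (the session info flags already include AUTH_SESSION_INFO_DEFAULT_GROUPS a few lines above) instead of returning the ACCESS_DENIED the old code produced, which is the intended fix for the MIT realm case but also applies to every member server that does not set the option. The hunk is otherwise a one-token change and looks correct against the commit message, so before merging please (a) document gensec:require_pac and its default in the smb.conf manpage, since nothing in the patch tells an administrator the knob exists, and (b) land the UF_NO_AUTH_DATA_REQUIRED test mentioned in the cover mail so 'make test' exercises the no-PAC path and this sense cannot be inverted again unnoticed.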
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 9aca528 Tests: Fix the display of test vars in screen --testenv
via b1e2313 libcli-acl: add documentation
via 65396ad drsuapi: Add documentation
via d7bbd18 drepl-notify: change misleading message
from 0a4a4ba devel-script: add options for RODC and partial replica for replicate flags
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 9aca52877a3f6f59887098ebb8e664922c8c7aad
Author: Matthieu Patou m...@matws.net
Date: Thu Jan 3 14:33:45 2013 -0800

Tests: Fix the display of test vars in screen --testenv

The form bash -c echo important stuff blabla bla LD_LIBARY_PATH bash is not working in screen when it's working in xterm, and the in_screen script already wraps all the command within a bash shell, so there is no need to re-force bash as the echo will execute in a bash shell.

Signed-off-by: Matthieu Patou m...@matws.net
Reviewed-by: Andrew Bartlett abart...@samba.org

Autobuild-User(master): Andrew Bartlett abart...@samba.org
Autobuild-Date(master): Tue Jan 22 13:03:52 CET 2013 on sn-devel-104

commit b1e231384a9245a191ef5e004544d7cafe17e036
Author: Matthieu Patou m...@matws.net
Date: Sun Oct 14 01:01:08 2012 -0700

libcli-acl: add documentation

Reviewed-by: Andrew Bartlett abart...@samba.org

commit 65396adaad18821568f727a223c38c36a2b16291
Author: Matthieu Patou m...@matws.net
Date: Sun Oct 14 01:04:51 2012 -0700

drsuapi: Add documentation

Reviewed-by: Andrew Bartlett abart...@samba.org

commit d7bbd182b33441a0a4e91c00a31de29b2b09f59a
Author: Matthieu Patou m...@matws.net
Date: Mon Oct 15 22:15:17 2012 -0700

drepl-notify: change misleading message

Reviewed-by: Andrew Bartlett abart...@samba.org

---

Summary of changes:
libcli/security/access_check.c | 20 +++-
selftest/selftest.pl | 15 ---
source4/dsdb/repl/drepl_notify.c | 2 +-
source4/rpc_server/drsuapi/updaterefs.c | 21 ++---
4 files changed, 46 insertions(+), 12 deletions(-)

Changeset truncated at 500 lines:
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index f0a7b66..936ffca 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -374,7 +374,25 @@ static const struct GUID *get_ace_object_type(struct security_ace *ace) return NULL; } -/* modified access check for the purposes of DS security +/** + * @brief Perform directoryservice (DS) related access checks for a given user + * + * Perform DS access checks for the user represented by its security_token, on + * the provided security descriptor. If an tree associating GUID and access + * required is provided then object access (OA) are checked as well. * + * @param[in] sd The security descritor against which the required + * access are requested + * + * @param[in] token The security_token associated with the user to + * test + * + * @param[in] access_desired A bitfield of rights that must be granted for the + * given user in the specified SD. + * + * If one + * of the entry in the tree grants all the requested rights for the given GUID + * FIXME + * tree can be null if not null it's the * Lots of code duplication, it will ve united in just one * function eventually */ diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 4ac5aeb..639c8a2 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -849,13 +849,7 @@ if ($opt_testenv) { my $envvarstr = exported_envvars_str($testenv_vars); - my @term = (); - if ($ENV{TERMINAL}) { - @term = ($ENV{TERMINAL}); - } else { - @term = (xterm, -e); - } - my @term_args = (bash, -c, echo -e \ + my @term_args = (echo -e \ Welcome to the Samba4 Test environment '$testenv_name' This matches the client environment used in make test @@ -867,6 +861,13 @@ SMB_CONF_PATH=\$SMB_CONF_PATH $envvarstr \ LD_LIBRARY_PATH=$ENV{LD_LIBRARY_PATH} bash); + my @term = (); + if ($ENV{TERMINAL}) { + @term = ($ENV{TERMINAL}); + } else { + @term = (xterm, -e); + unshift(@term_args, (bash, -c)); + } system(@term, @term_args); 
diff --git a/source4/dsdb/repl/drepl_notify.c b/source4/dsdb/repl/drepl_notify.c index cd248d5..905fe5f 100644 --- a/source4/dsdb/repl/drepl_notify.c +++ b/source4/dsdb/repl/drepl_notify.c @@ -195,7 +195,7 @@ static void dreplsrv_notify_op_callback(struct tevent_req *subreq) ldb_dn_get_linearized(op-source_dsa-partition-dn), nt_errstr(status), win_errstr
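Review bot: the new doxygen block in libcli/security/access_check.c is incomplete and should be finished before this merges: the @param list stops at access_desired, the sentence "If one of the entry in the tree grants all the requested rights for the given GUID" runs straight into a literal FIXME, and "tree can be null if not null it's the" is cut off mid-sentence, so the tree argument and the return value are still undocumented. Suggest a proper `@param[in] tree` entry (stating that NULL skips the object-access checks, as the first paragraph implies), an `@return` line, and fixing "descritor" and "ve united" in the same block.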
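Review bot: in the selftest/selftest.pl hunk the `bash -c` wrapper is now only prepended in the xterm fallback branch, so when $ENV{TERMINAL} is set the terminal program receives the raw `echo -e ...` string and the trailing `bash` as separate arguments and must run them through a shell itself. That holds for the in_screen wrapper the commit message describes, but any other TERMINAL value will no longer get a shell; suggest a comment next to `if ($ENV{TERMINAL})` stating that requirement, so nobody points TERMINAL at a plain terminal emulator and wonders why the welcome text is not printed.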
Re: [Samba] Samba 3.5.6 : netlogon_creds_server_check errors in logs
On Mon, 2013-01-21 at 11:17 +0100, Jaymzwise Jaymzwise wrote:

Hi, I have a Samba (v3.5.6) PDC with a LDAP backend. We have Windows XP and 7 workstations, everything seems to run smoothly but the following messages appear in the logs for each Windows 7 joined to the domain :

Jan 21 10:45:13 srvlan smbd[2737]: [2013/01/21 10:45:13.722795, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Jan 21 10:45:13 srvlan smbd[2737]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client HP8540P_13_NG machine account HP8540P_13_NG$

We can access samba shares from 7 workstations and users can authenticate on the domain but I would like to have clean logs. How can I resolve this problem ?

I've looked into a similar error recently, and as far as I know this is all just normal. As far as I could pin it down, the client knows both the current and previous domain join pw, and will sometimes try the old domain join password. That is, as you noticed, no harm seems to come from these messages, despite them normally indicating a breakdown in the trust relationship.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Using samba4 with kerberos outside of an AD realm
On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:

Hello -- I'm trying to run a samba4 server (note: Fedora packaged version, samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD. This is a summation of the config that I'm using (works under samba 3.6):

security = ADS
passdb backend = tdbsam
restrict anonymous = yes
server signing = auto
client signing = auto
smb encrypt = auto
realm = MYREALM.COM
kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to connect. I can see that a ticket has been issued for cifs/hostn...@myrealm.com, but in /var/log/messages I get this:

Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory

Well, no kidding there is no PAC available, it's an MIT kerberos realm! :) Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code. The code paths to support this are still there, but clearly something doesn't trigger correctly. The first thing to do would be to turn up the log level, to see what the real failure is (the mentioned message shouldn't actually be fatal).

Then, once we rule out it being something else, it probably just needs a new test environment to be created in our 'make test' that tells our AD server to not send the PAC. This will allow this code path to be covered, and prevent regressions.

Andrew Bartlett
[Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm
On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:

Hello -- I'm trying to run a samba4 server (note: Fedora packaged version, samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD. This is a summation of the config that I'm using (works under samba 3.6):

security = ADS
passdb backend = tdbsam
restrict anonymous = yes
server signing = auto
client signing = auto
smb encrypt = auto
realm = MYREALM.COM
kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to connect. I can see that a ticket has been issued for cifs/hostn...@myrealm.com, but in /var/log/messages I get this:

Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory

Well, no kidding there is no PAC available, it's an MIT kerberos realm! :) Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code. The code paths to support this are still there, but clearly something doesn't trigger correctly.

The first thing to do would be to turn up the log level, to see what the real failure is (the mentioned message shouldn't actually be fatal).

Then, once we rule out it being something else, it probably just needs a new test environment to be created in our 'make test' that tells our AD server to not send the PAC. This will allow this code path to be covered, and prevent regressions.

Andrew Bartlett

As far as I can tell, prior to accepting a connection:

Full logs:
http://averageurl.com/samba/samba-log.gz
http://averageurl.com/samba/samba-strace-log.gz

I've already changed the keys out, so I'm not too worried about what key data is actually in those logs.

The logs were very helpful. The attached patch should fix it, or at least move the failure to somewhere else :-). Please file the bug, so we can get this into 4.0.2

Andrew Bartlett

From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett abart...@samba.org Date: Tue, 22 Jan 2013 14:45:14 +1100 Subject: [PATCH] gensec: Allow login without a PAC by default The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett --- auth/gensec/gensec_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c index d732213..64952b1 100644 --- a/auth/gensec/gensec_util.c +++ b/auth/gensec/gensec_util.c
@@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; if (!pac_blob) { - if (!gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { + if (gensec_setting_bool(gensec_security-settings, gensec, require_pac, false)) { DEBUG(1, (Unable to find PAC in ticket from %s, failing to allow access\n, principal_string)); return NT_STATUS_ACCESS_DENIED; -- 1.7.11.7 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
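Review bot: with the condition inverted, a Kerberos ticket that carries no PAC is now accepted unless gensec:require_pac=true is set, and the DEBUG(1) "failing to allow access" message only fires in that opt-in case, so the default behaviour of gensec_generate_session_info_pac changes; the commit message should say so explicitly, so that any site which relied on a PAC being mandatory knows it now has to set `gensec:require_pac = true`. The change also lands without a test for the no-PAC branch; the UF_NO_AUTH_DATA_REQUIRED login test mentioned in this thread would exercise both sides of the `if`.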
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 0a4a4ba devel-script: add options for RODC and partial replica for replicate flags
via fa591a6 devel-scripts: ask with WRIT_REP by default
via 0755b83 devel-getncchange: try to find the dest_dsa automatically
via 7822952 security: Add documentation
via c0638da libcli-security: Add documentation for object_tree_modify_access
via 3b79774 dbcheck: look in hasMasterNCs as well for determining the instance type of a NC
from abc0030 dsdb: Fix warning about unused var
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 0a4a4ba3f6b9748e3fccb546b284de565de2c8b5
Author: Matthieu Patou m...@matws.net
Date: Mon Oct 29 22:12:33 2012 -0700

devel-script: add options for RODC and partial replica for replicate flags

Reviewed-by: Andrew Bartlett abart...@samba.org

Autobuild-User(master): Andrew Bartlett abart...@samba.org
Autobuild-Date(master): Tue Jan 22 00:12:17 CET 2013 on sn-devel-104

commit fa591a6d3cf9182b6d49621c83a6c3fbfeab1ee7
Author: Matthieu Patou m...@matws.net
Date: Mon Oct 29 21:43:14 2012 -0700

devel-scripts: ask with WRIT_REP by default

Reviewed-by: Andrew Bartlett abart...@samba.org

commit 0755b835cc4e474f752de1b8cc56a9a6da14a3cd
Author: Matthieu Patou m...@matws.net
Date: Tue Oct 23 22:12:08 2012 -0700

devel-getncchange: try to find the dest_dsa automatically

Reviewed-by: Andrew Bartlett abart...@samba.org

commit 7822952a11707ff8aaa415adef62082c158c2398
Author: Matthieu Patou m...@matws.net
Date: Sat Oct 13 15:02:57 2012 -0700

security: Add documentation

Names seem to be a bit cryptic and misleading (at least for me). So documenting them should remove at least partially this problem.
Reviewed-by: Andrew Bartlett abart...@samba.org commit c0638dae6cbf8915e6a436d575562fc131ba772a Author: Matthieu Patou m...@matws.net Date: Sat Oct 13 15:28:08 2012 -0700 libcli-security: Add documentation for object_tree_modify_access Reviewed-by: Andrew Bartlett abart...@samba.org commit 3b7977419726a8630de828b634d669625ee358dd Author: Matthieu Patou m...@matws.net Date: Tue Oct 23 22:09:20 2012 -0700 dbcheck: look in hasMasterNCs as well for determining the instance type of a NC Forest of level 2000 don't hve the msDS-hasMasterNCs parameter Reviewed-by: Andrew Bartlett abart...@samba.org --- Summary of changes: libcli/security/object_tree.c | 14 +++- libcli/security/security.h |9 + source4/scripting/devel/getncchanges| 45 -- source4/scripting/python/samba/dbchecker.py | 12 ++- 4 files changed, 72 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c index 3e5ee10..fd00068 100644 --- a/libcli/security/object_tree.c +++ b/libcli/security/object_tree.c @@ -104,8 +104,18 @@ struct object_tree *get_object_tree_by_GUID(struct object_tree *root, return result; } -/* Change the granted access per each ACE */ - +/** + * @brief Modify the tree to mark specified access rights as granted + * + * This function will modify the root and the child of the tree pointed by + * root, so that for each tree element the bits set in access_mask are + * marked as granted. + * + * @param[in] rootAn object_tree structure that we want to modify + * + * @param[in] access_mask A bitfield of access right that we want to mark as + * granted in the whole tree. + */ void object_tree_modify_access(struct object_tree *root, uint32_t access_mask) { diff --git a/libcli/security/security.h b/libcli/security/security.h index 659d341..6e4b172 100644 --- a/libcli/security/security.h +++ b/libcli/security/security.h 
@@ -89,6 +89,15 @@ #define SHARE_ALL_ACCESS FILE_GENERIC_ALL #define SHARE_READ_ONLY (FILE_GENERIC_READ|FILE_EXECUTE) +/** + * Remaining access is a bit mask of remaining access rights (bits) that have + * to be granted in order to fulfill the requested access. + * + * The GUID is optional, if specified it restricts this object tree and its + * childs to object/attributes that inherits from this GUID. + * For DS access an object inherits from a GUID if one of its class has this GUID + * in the schemaIDGUID attribute. + */ struct object_tree { uint32_t remaining_access; struct GUID guid; diff --git a/source4/scripting/devel/getncchanges b/source4/scripting/devel/getncchanges index d401c82..37ec18b 100755 --- a/source4/scripting/devel/getncchanges +++ b/source4/scripting/devel/getncchanges @@ -13,6 +13,7 @@ import samba.getopt as options from samba.dcerpc import drsuapi, misc from
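Review bot: the doc comment added for object_tree_modify_access in libcli/security/object_tree.c says the function modifies "the root and the child of the tree", while its @param text says the bits are marked as granted "in the whole tree"; if the walk covers every descendant the first sentence should say so, and if it only touches direct children the @param text is wrong. As it appears in the hunk, the `@param[in] rootAn object_tree structure` line also lacks the separation between the parameter name and its description, and "access right" should read "access rights".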
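Review bot: the new comment on struct object_tree in libcli/security/security.h explains remaining_access and guid well, but the wording needs a pass before merging: "its childs" should be "its children", "object/attributes that inherits" should be "inherit", and "one of its class has this GUID" should be "one of its classes". A `@see object_tree_modify_access` would also help, since that function (documented in the same changeset) is what updates remaining_access during an access check.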
Re: [Samba] Samba4 Integration With Google
On Sat, 2013-01-19 at 19:02 -0300, Ciro Iriarte wrote:
2013/1/16 Varoujan Avanessians vavanessi...@accoes.com

Hello everyone,

In my Company we are going through a network redesign and Planning to retire our Novell eDirectory, and Novell Servers and replace them with Samba4 (Over 150 Servers). We have set up a Samba4 test environment which seems to be working well so far. We are an organization with multiple locations and over 1200 users, we are also very heavy users of google apps. I have a couple of questions that I need help with.

1- Is it possible to Integrate samba4 with Google Apps for Single sign-on, I know google has an application that Integrates Microsoft Active Directory with Google Apps, so I assume it should be possible with Samba4 too. Has anyone tried and used this feature with success?

2- We already have over 1200 accounts on Google. Is there a way to Import these user accounts into samba4?

I would really appreciate any help in this matter and welcome any additional suggestions that you may have for a Project of this magnitude.

-- Varouj (V.J.) Avanessians | Sr. Linux Sys Administrator | ACCO Engineered Systems | 6265 San Fernando Rd | Glendale, California | 91201-2214 | (818)-730-5846 Mobile | (818)-244-6571 Main

Well, having an LDAP directory as your Samba backend could help. GApps has an LDAP sync tool, the only downside is that it needs the password to be hashed with SHA1 or MD5 without salt (less secure).

The two issues with this are: Samba 4.0 as an AD DC does not support an external LDAP backend, only the integrated one we provide. So, syncing would be against the internal LDAP server, which is fine. The bigger issue is that the password hash types just don't match, as far as I know. We would need to modify Samba to store (somewhere, perhaps we can use the userPassword attribute) this hashed password.

Andrew Bartlett
Re: [Samba] Problem joining Samba 4 to an older Samba 4 alpha 17
On Fri, 2013-01-18 at 13:48 +0100, Daniel Hedblom wrote:
2013/1/18 Andrew Bartlett abart...@samba.org
On Fri, 2013-01-18 at 10:11 +0100, Daniel Hedblom wrote:

Hi there,

I'm trying to join a samba 4.0.1 server to an older samba 4 alpha 17 server. Whatever I do the join is interrupted but I don't know what goes wrong. DNS is double checked and correct as is most other stuff. How can I get a better view of what is happening than this? Can it be the source domain that contains erroneous objects? My goal is to move the old server to a new one, maybe there is a better way of doing this? Suggestions?

Honestly, upgrading in place is the best way to do this. Backup the old DC, upgrade in place, and start the 4.0.1 release. The role transfer stuff isn't as reliable as we would like, whereas in-place is.

Thanks for answering so fast. I'm trying to move to new hardware at the same time, and the server is not easily upgraded as it's a Resara Server with their own packages of Samba4. Not so sure I would be successful if I upgrade. I would very much prefer if I could move the machine and user accounts somehow without doing nasty stuff to the original server.

OK, so what I would suggest is setting up a new server, with the data from Resara.

The way I would do it is provision a new Samba4 install, but use the same hostname, SID, domain and realm as your old server. Use the --host-ip parameter to point at your old server's IP.

Then copy all the samba files to the matching locations on the new server (the main purpose of the provision is to help you find all those locations). Files to look for include the private dir (all of it), the sysvol folder and your DNS zone.

Then run the commands suggested in the upgrade code:

samba-tool dbcheck --fix
samba-tool ntacl sysvolreset
source4/scripting/bin/samba_upgradedns

Finally give it the same IP (at the end of the process), and then start it up.

It should work - if it doesn't, then power down the new machine, go back to your old Resara server while you work out what is wrong.

This will configure Samba to use the internal DNS server (the new default) and hopefully will migrate your file-based DNS zone into the AD database.

Andrew Bartlett
Re: [Samba] Problem joining Samba 4 to an older Samba 4 alpha 17
On Fri, 2013-01-18 at 10:11 +0100, Daniel Hedblom wrote:

Hi there,

I'm trying to join a samba 4.0.1 server to an older samba 4 alpha 17 server. Whatever I do the join is interrupted but I don't know what goes wrong. DNS is double checked and correct as is most other stuff. How can I get a better view of what is happening than this? Can it be the source domain that contains erroneous objects? My goal is to move the old server to a new one, maybe there is a better way of doing this? Suggestions?

Honestly, upgrading in place is the best way to do this. Backup the old DC, upgrade in place, and start the 4.0.1 release. The role transfer stuff isn't as reliable as we would like, whereas in-place is.

Andrew Bartlett
Re: [Samba] Samba4 Integration With Google
On Wed, 2013-01-16 at 13:59 -0800, Varoujan Avanessians wrote:

Hello everyone,

In my Company we are going through a network redesign and Planning to retire our Novell eDirectory, and Novell Servers and replace them with Samba4 (Over 150 Servers). We have set up a Samba4 test environment which seems to be working well so far. We are an organization with multiple locations and over 1200 users, we are also very heavy users of google apps. I have a couple of questions that I need help with.

1- Is it possible to Integrate samba4 with Google Apps for Single sign-on, I know google has an application that Integrates Microsoft Active Directory with Google Apps, so I assume it should be possible with Samba4 too. Has anyone tried and used this feature with success?

I think that outputting the password sync would be a custom development task at this point. It will be a very useful feature for others too.

2- We already have over 1200 accounts on Google. Is there a way to Import these user accounts into samba4?

The hard part will be getting the plaintext passwords. Otherwise, it is mostly a matter of just getting the data into AD-like LDIF files, and adding them.

You might be able to instead upgrade your Novell domain into Samba 4.0's AD DC, if it currently backs a Samba 3.x 'classic' domain (or can be made to), or otherwise you should be able to get the plaintext pw from the Novell server with some work.

I would really appreciate any help in this matter and welcome any additional suggestions that you may have for a Project of this magnitude.

This certainly needs a lot of care. What you are proposing would be one of our larger deployments in terms of numbers of users, and is very large in terms of number of servers (almost certainly the largest, if you really want 150 DCs), and will be stretching our replication capabilities. I'll help you however I can, but you may wish to engage some professional support as well. I do wish you all the best.

It is great to see folks taking Samba 4.0 as an AD DC to new and exciting places!

Andrew Bartlett
Re: [Samba] Problems with smbclient send netbios message
On Wed, 2013-01-16 at 13:11 -0200, José Colzani wrote:

Hi. First, sorry for my bad English :)

I had a samba 3.0 and used a script with smbclient to send messages to 30 computers in my laboratory. I upgraded to debian squeeze and samba 3.5 and now I don't use the script command.

root@escort:~# echo Testando | smbclient -NM LAB5-01 -I 192.168.3.200
Type your message, ending it with a Control-D
cli_message returned NT_STATUS_PIPE_BROKEN

I found this in samba bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=7635

When I test with RH 5.9 with samba 3.0 this works, only with samba 3.5 it doesn't work.

[root@delorean ~]# smbclient --version
Version 3.0.33-3.39.el5_8
[root@delorean ~]# echo Teste | smbclient -M LAB5-01 -I 192.168.3.200
Connected. Type your message, ending it with a Control-D
sent 7 bytes

Please, can anyone help me?

Try Samba 4.0. It is actually tested as part of 'make test' in the 4.0 release, so you may have better luck there.

Andrew Bartlett
Re: [Samba] pam_smbpass.so on AIX
On Fri, 2013-01-18 at 19:20 +, Benjamin Huntsman wrote:

Yet another odd one...

I've got it set up now so that swat uses pam_smbpass.so, and once a user logs into swat at least once, it'll update their password in the passdb backend configured for Samba. But, I also need to ensure that when a user changes their password via passwd, it also gets updated. I added the following in /etc/security/login.cfg:

usw:
auth_type = PAM_AUTH

and that makes telnetd, passwd, etc all go through pam. However, when I try to log in via telnet or run passwd, I get this in syslog.log:

Jan 18 10:59:06 systst auth|security:debug login PAM: load_modules: /usr/lib/security/pam_aix
Jan 18 10:59:06 systst auth|security:debug login PAM: load_function: successful load of pam_sm_authenticate
Jan 18 10:59:06 systst auth|security:debug login PAM: load_modules: /opt/samba-4.0.0/lib/security/pam_smbpass.so
Jan 18 10:59:06 systst auth|security:debug login PAM: open_module: /opt/samba-4.0.0/lib/security/pam_smbpass.so failed: A file or directory in the path name does not exist.
Jan 18 10:59:06 systst auth|security:err|error login PAM: load_modules: can not open module /opt/samba-4.0.0/lib/security/pam_smbpass.so

However, if I run swat, it'll load /opt/samba-4.0.0/lib/security/pam_smbpass.so just fine. No, it's not a typo, and yes, the module is present in that path.

I don't know what to do. I need to deploy this tomorrow (Saturday), and the users need to be able to update their Samba passwords when they run passwd, etc. Replacing the system passwd program with a script that calls both from absolute paths is not a workable solution, though technically it would work.

Anyway, any idea why swat can load pam_smbpass.so but not telnetd or passwd?

Run ldd on the binary. It will show the unresolved library references. My guess is that things it relies on aren't in the standard library path for the system. Perhaps edit /etc/ld.so.conf to put /opt/samba-4.0.0/lib in that path?

Normally all that isn't required (we use -rpath when linking), but perhaps that's working for our binaries (eg swat), but not our plugins when loaded by telnet?

Anyway, that's how I would start debugging this.

Andrew Bartlett
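The check suggested in the reply above, as an added example that is not part of this thread or of Samba: run `ldd` over the module, pick out the dependencies it cannot resolve, and see whether every one of them would be satisfied by putting the Samba library directory on the loader path. It assumes glibc-style `ldd` output, where an unresolved dependency is printed as `libfoo.so => not found` (the AIX loader prints a different message, so the pattern would need adapting there); the sample `ldd` output and the `/opt/samba-4.0.0/lib` candidate directory are constructed for the demonstration.

```python
"""Find the shared-library dependencies a PAM module cannot resolve.

Added example (not Samba's code). Assumes glibc-style `ldd` output; the
sample output below is constructed.
"""
from __future__ import annotations

import os
import re
import subprocess
import sys

# Constructed sample of what `ldd .../pam_smbpass.so` might print when the
# Samba libraries sit outside the system library path.
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd3c1f0000)
\tlibsamba-util.so.0 => not found
\tlibtalloc.so.2 => not found
\tlibpam.so.0 => /lib64/libpam.so.0 (0x00007f1a2c200000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f1a2c000000)
"""

# glibc's ldd reports an unresolved dependency as "<name> => not found".
_NOT_FOUND = re.compile(r"^\s*(\S+)\s*=>\s*not found\s*$")


def unresolved_from_ldd(text: str) -> list[str]:
    """Return the dependencies ldd reported as not found, in output order."""
    missing = []
    for line in text.splitlines():
        m = _NOT_FOUND.match(line)
        if m:
            missing.append(m.group(1))
    return missing


def resolvable_in(missing: list[str], libdir: str,
                  exists=os.path.exists) -> dict[str, str | None]:
    """Map each missing library to its path under libdir, or None if it is
    not there either. `exists` is injectable so the lookup can be exercised
    without touching the filesystem."""
    result: dict[str, str | None] = {}
    for name in missing:
        candidate = os.path.join(libdir, name)
        result[name] = candidate if exists(candidate) else None
    return result


def check_module(path: str, libdir: str) -> dict[str, str | None]:
    """Run ldd on a real module and report where its unresolved dependencies
    would be found if libdir were on the loader path."""
    proc = subprocess.run(["ldd", path], capture_output=True, text=True)
    return resolvable_in(unresolved_from_ldd(proc.stdout), libdir)


if __name__ == "__main__":
    # `python check_pam_deps.py <module.so> <libdir>` runs ldd for real;
    # with no arguments it walks the constructed sample instead.
    if len(sys.argv) == 3:
        report = check_module(sys.argv[1], sys.argv[2])
    else:
        report = resolvable_in(unresolved_from_ldd(SAMPLE_LDD_OUTPUT),
                               "/opt/samba-4.0.0/lib")  # constructed
    for name, where in report.items():
        print(f"{name}: {'found at ' + where if where else 'not in candidate dir either'}")
```

If every unresolved library maps to a path under the candidate directory, adding that directory to the loader search path (or relinking with the right -rpath, as the reply notes Samba normally does) is the fix; any entry that stays None points at a different problem than the search path.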
Re: [Samba] Samba4 Domain Account Lockout
On Fri, 2013-01-11 at 22:54 -0500, Chris Stoneburner wrote:

First off, I apologize if this is a duplicate - I had some issues with the first email I tried to join this list with!

I'm currently using samba4 as an AD DC (domain and forest are both configured with the samba-tool command to be at the 2008_R2 functional level) for both Windows and Linux systems. I've got the default password settings set using the samba-tool domain passwordsettings command and I have all the GPOs configured as I need them for clients. However, I would like to configure how the account lockout functions for the domain accounts. I read in the archive for this list that there isn't currently support for server side GPOs, so I'm not certain how to configure this, or if it's even possible.

My question with respect to samba is two fold: is it even POSSIBLE to have samba detect multiple failed login attempts to a domain account (e.g., the default domain administrator) and lock the account once a certain threshold has been reached and if so how is that configured?

No, this is not yet implemented in the AD DC.

Sorry,

Andrew Bartlett
Re: [Samba] samba 4 samba-tool user encrypted password
On Wed, 2013-01-16 at 10:41 +0100, sergio.conrad wrote:

Hello, thanks for the good job with samba 4. I was wondering, is there a possibility to use an already encrypted password like sambaNTPassword or a {SSHA} encrypted password with the samba-tool user command?

We need the plaintext because we need to make not only the arcfour-hmac-md5 key (the unicodePwd, the NT hash), but also AES keys and (if configured) DES keys.

You can set only the unicodePwd if you must, to the NT hash value, but not a {SSHA} value. You cannot currently do this via tools, but see discussions on this list for examples of code that can set the magic flags to allow this.

Andrew Bartlett
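An added example, not Samba's own code, illustrating why the reply above needs the plaintext and why the Google Apps sync thread earlier on this page runs into the same wall: the three credential forms discussed there (the unsalted NT hash that AD stores as unicodePwd and uses directly as the arcfour-hmac-md5 key, an LDAP {SSHA} hash, and a Kerberos AES key) are each derived from the password in a way that cannot be turned into the others. MD4 is implemented in pure Python here because many OpenSSL builds disable it in hashlib; the AES part shows only the PBKDF2 stage of the RFC 3962 string-to-key function (the final DK step is left out, since the salt is the point). The password, realm, principal and {SSHA} salt are constructed sample values.

```python
"""Why an existing {SSHA} or NT hash cannot stand in for the plaintext.

Added example, not Samba's code. MD4 per RFC 1320; NT hash = MD4(UTF-16LE);
{SSHA} = SHA1(pw || salt) || salt; AES shows the PBKDF2 stage of RFC 3962.
All sample inputs below are constructed.
"""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 over arbitrary bytes (pure Python, little-endian words)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, order, shifts, const in rounds:
            for step, k in enumerate(order):
                t = (-step) % 4  # target word rotates a, d, c, b, a, ...
                val = (s[t] + fn(s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4])
                       + x[k] + const) & MASK
                s[t] = _rotl(val, shifts[step % 4])
        state = [(a + b) & MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """unicodePwd / arcfour-hmac-md5 key: MD4 over UTF-16LE, no salt, no
    iteration. Every account with this password has the same value, so the
    stored hash must be guarded like the password itself."""
    return md4(password.encode("utf-16-le"))


def ssha(password: str, salt: bytes) -> bytes:
    """LDAP {SSHA} payload: SHA1(password || salt) || salt. The per-entry
    salt is why nothing about unicodePwd can be recovered from it."""
    return hashlib.sha1(password.encode("utf-8") + salt).digest() + salt


def aes_s2k_pbkdf2_stage(password: str, realm: str, principal: str,
                         iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key with the default
    salt realm || principal (the final DK(..., "kerberos") step is omitted).
    The salt binds the key to one principal, so it cannot be produced from
    an NT hash or an {SSHA} value, only from the plaintext."""
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


if __name__ == "__main__":
    pw = "CorrectHorse1"  # constructed sample password
    print("unicodePwd (NT hash):", nt_hash(pw).hex())
    print("{SSHA}              :", ssha(pw, b"\x01\x02\x03\x04").hex())
    print("AES pbkdf2 stage    :", aes_s2k_pbkdf2_stage(pw, "MYREALM.COM", "alice").hex())
```

Running it shows the practical consequence: the NT hash is reproducible from the password alone, the AES material changes with realm and principal even for the same password, and the {SSHA} value carries its own random salt. A sync tool that wants unsalted SHA1 or MD5, and a provisioning tool that wants AES keys, therefore both need the plaintext at the moment the password is set.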
Re: [Samba] Switching between acl_tdb and acl_xattr
On Tue, 2013-01-15 at 23:14 +, Steve Tice wrote:
Andrew Bartlett abartlet at samba.org writes:

Using Samba 4.0.0, the python bindings or even samba-tool ntacl get/set would be quite a good choice here. We can read directly the NT ACL from the tdb and then set it using the xattr code. I'm very happy to help out if you have any more questions here, as we certainly do have a good range of tools that should be able to help you out.

Andrew, here's a status update on my attempts to accomplish this.

1. Attempted to build the source4 tree provided with the source tarball for the samba-3.5.10-125.el6 package. The build did not complete, failing when it tried to link bin/wbinfo. The pertinent output from make was

Linking bin/wbinfo
bin/mergedobj/cli_auth.o: In function `netlogon_creds_copy':
(.text+0x17e3): undefined reference to `dom_sid_dup'
collect2: ld returned 1 exit status
make: *** [bin/wbinfo] Error 1

2. Successfully built (everything) from a samba-4.0.0beta8 tarball.

Would you expect the source4 tree from the samba-3.5.10-125.el6 tarball to build without error? If it did build cleanly, would it even include the tools you mentioned above?

No, it would not.

Is it reasonable to continue on this path with samba-4.0.0beta8?

Please use the Samba 4.0.1 release tarball. Why are you trying beta8?

Andrew Bartlett
Re: [Samba] Samba4: no --use-ntvfs option on samba-tool ntacl sysvolcheck
On Mon, 2013-01-14 at 13:11 +, Dominic Evans wrote:
> In samba-tool, sysvolreset has options for either --use-ntvfs or --use-s3fs to set the permissions appropriately. However, sysvolcheck does not have the same capability, and always attempts to verify in s3 vfs. Is this a known limitation in Samba 4.0.0 ?

It shouldn't matter. The options are needed for writing, as while the ntvfs server reads and writes version 1, the VFS layer from smbd reads version 1, 2 (never used) as well as the current version 3.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Suggest Forest/Function Level ?
On Sat, 2013-01-12 at 09:09 +0100, Johannes Paechnatz wrote:
> Hello, I set up an ADS with Samba4 plus a W2K8_R2 Server. Should I raise the Forest/Function Level up to W2K8_R2? We want to use it with some Win7 Clients, so what's your suggestion/advice?

It won't affect the clients, but using the default functional level (2008 R2) is a good idea.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Samba4 domain classicupgrade conversion not supported
On Sat, 2013-01-12 at 15:37 +0100, Juan Asensio Sánchez wrote:
> Anyone?
>
>     Error converting string to value for line: CurrentVersion
>     ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
>       File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>         return self.run(*args, **kwargs)
>       File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
>         useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>       File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 841, in upgrade_from_samba3
>         use_ntvfs=use_ntvfs, skip_sysvolacl=True)
>       File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 2012, in provision
>         setup_registry(paths.hklm, session_info, lp=lp)
>       File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 939, in setup_registry
>         reg.diff_apply(provision_reg)
>     The connection to the LDAP server was closed
>
> I think the problem is:
>
>     About to write CurrentVersion with type (null), length 3: 6.1
>     convert_string_talloc: Conversion not supported.
>
> Type null? Is the suffix hive=NONE normal? What is the conversion that generates the error?

In short, your registry TDB has an unexpected string in it, so our conversion code breaks.

We may not actually need this part of the conversion, and you may not need the values in the registry anyway. You could simply not provide that db, and we will skip it. Otherwise, hack the script to skip this step.

If you could supply your actual database, we may be able to make the script more robust in the future.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Server Key [Re-] Generation after Install?
On Tue, 2013-01-15 at 14:44 -0500, Jeffrey Walton wrote:
> Hi All,
>
> I recently stood up a Linux server with Samba and wanted to re-generate any keys the Samba server might be using. I used an Entropy Key (http://www.entropykey.co.uk/), and I believe the PRNG is in good working order now.
>
> Could anyone point out what I should do to re-generate any keys required by the Samba server. (Similar to ssh-keygen for OpenSSH server keys).

There isn't currently a tool to regenerate all the keys.

What role is this server being used in? That will help me give you a suggestion as to what you might want to re-generate (if anything).

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Server Key [Re-] Generation after Install?
On Wed, 2013-01-16 at 07:57 -0500, Jeffrey Walton wrote:
> On Wed, Jan 16, 2013 at 6:41 AM, Andrew Bartlett abart...@samba.org wrote:
> > On Tue, 2013-01-15 at 14:44 -0500, Jeffrey Walton wrote:
> > > Hi All,
> > >
> > > I recently stood up a Linux server with Samba and wanted to re-generate any keys the Samba server might be using. I used an Entropy Key (http://www.entropykey.co.uk/), and I believe the PRNG is in good working order now.
> > >
> > > Could anyone point out what I should do to re-generate any keys required by the Samba server. (Similar to ssh-keygen for OpenSSH server keys).
> >
> > There isn't currently a tool to regenerate all the keys.
> >
> > What role is this server being used in? That will help me give you a suggestion as to what you might want to re-generate (if anything).
>
> Member server. I was concerned about the machine keys for the S-Channel.

Just re-join the domain if you are worried.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Samba 3 classicupgrade to Samba AD
On Wed, 2013-01-16 at 09:23 -0700, Max Olivas wrote:
> Is the workaround something I do or something that is fixed in the newer version?
>
> Thanks,
> Max
>
> Max Olivas moli...@northglenn.org 1/15/2013 6:54 AM
> Version 4.1.0pre1-GIT-94f11e9 on Ubuntu 12.04 LTS.
>
> Thanks,
> Max
>
> Andrew Bartlett abart...@samba.org 1/14/2013 3:01 PM
> On Mon, 2013-01-14 at 14:14 -0700, Max Olivas wrote:
> > Hey All,
> >
> > Thanks for the feedback. I've cleaned up my .tdb files some and have moved farther with the upgrade command but I'm still getting errors. This is what I'm getting now:
> >
> >     idmapping sid_to_xid failed for id[0]=S-1-5-32-544: NT_STATUS_NONE_MAPPED
> >     set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
> >     ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
> >       File

Looking more closely at the error, this is different. Is there more detail to the error than what you pasted?

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] samba-tool dbcheck produces wrong instancetype errors
On Tue, 2013-01-15 at 11:19 +, Chris Lewis wrote:
> On 11/01/13 12:22, Andrew Bartlett wrote:
> > On Thu, 2013-01-10 at 16:50 +, Chris Lewis wrote:
> > > Hi All,
> > >
> > > I have joined a samba4 instance to an existing W2k8 AD domain as an additional domain controller. When I do samba-tool dbcheck I get (example):
> > >
> > >     ERROR: wrong instanceType 4 on CN=INVIEW-DC2,OU=Domain Controllers,DC=inview,DC=local, should be 0
> > >     Not changing instanceType from 4 to 0 on CN=INVIEW-DC2,OU=Domain Controllers,DC=inview,DC=local
> > >
> > > This happens for 644 out of 655 of the objects in the directory. I have attempted to fix one or two less important objects and the error does not appear again. Before I go ahead and fix them all, I want to find out whether doing this would have any unwanted ramifications? Can anyone explain what causes these errors and if fixing them might break something?
> >
> > That's a very interesting question. 0 seems the wrong value, if you are a read-write DC. I suspect we are getting the domain join stuff wrong, so we then trigger this incorrectly in dbcheck.
> >
> > Andrew Bartlett
>
> Hi Andrew,
>
> For info: I did some further comparisons with the test environment and found that the production environment was set to Windows 2000 Domain / Windows 2000 Forest functional levels. I changed the domain functional level to Windows 2003 (which the test environment was on), and re-added the additional domain controller. I then got no errors in the samba-tool dbcheck and this also seemed to fix another problem with replication I was experiencing.

Thanks for the extra information. Can you please file a bug about this for me?

Thanks,

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Samba 3 classicupgrade to Samba AD
On Mon, 2013-01-14 at 14:14 -0700, Max Olivas wrote:
> Hey All,
>
> Thanks for the feedback. I've cleaned up my .tdb files some and have moved farther with the upgrade command but I'm still getting errors. This is what I'm getting now:
>
>     idmapping sid_to_xid failed for id[0]=S-1-5-32-544: NT_STATUS_NONE_MAPPED
>     set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
>     ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
>       File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>         return self.run(*args, **kwargs)
>       File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 1318, in run
>         useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>       File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py", line 926, in upgrade_from_samba3
>         result.names.domaindn, result.lp, use_ntvfs)
>       File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1476, in setsysvolacl
>         setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb)
>       File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 154, in setntacl
>         smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
>
> I see that sid is for the Administrators group but I'm not sure what I need to do to it to complete the upgrade command without errors? Any help is much appreciated.

A workaround for this is in the 4.0.0 release. Are you running Samba 4.0.0?

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] samba-tool dbcheck produces wrong instancetype errors
On Thu, 2013-01-10 at 16:50 +, Chris Lewis wrote:
> Hi All,
>
> I have joined a samba4 instance to an existing W2k8 AD domain as an additional domain controller. When I do samba-tool dbcheck I get (example):
>
>     ERROR: wrong instanceType 4 on CN=INVIEW-DC2,OU=Domain Controllers,DC=inview,DC=local, should be 0
>     Not changing instanceType from 4 to 0 on CN=INVIEW-DC2,OU=Domain Controllers,DC=inview,DC=local
>
> This happens for 644 out of 655 of the objects in the directory. I have attempted to fix one or two less important objects and the error does not appear again. Before I go ahead and fix them all, I want to find out whether doing this would have any unwanted ramifications? Can anyone explain what causes these errors and if fixing them might break something?

That's a very interesting question. 0 seems the wrong value, if you are a read-write DC. I suspect we are getting the domain join stuff wrong, so we then trigger this incorrectly in dbcheck.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Switching between
On Fri, 2013-01-11 at 12:13 -0800, Jeremy Allison wrote:
> On Fri, Jan 11, 2013 at 07:07:26PM +, Steve Tice wrote:
> > My organization is in the position of having to support full Windows ACLs on CIFS shares. We've been successfully utilizing Samba 3.5.10-125 and vfs_acl_tdb to accomplish that. However, the size of the resulting /var/lib/samba/state/file_ntacls.tdb[.unique-extension] file(s) has introduced some new problems for me to solve.
> >
> > In our environment, it seems on average each stored ACL causes file_ntacls.tdb to grow by almost 1000 bytes. That's what I've observed with my customers - YMMV. We have to support millions of files per server, and we've seen TDB files larger than 2 GB.
> >
> > Is there any server change I can make to reduce the storage demands of the acl_tdb module?
> >
> > Separately, we're considering switching from the acl_tdb module to the acl_xattr module. Do you know of any way to migrate or transfer the NTFS ACL data for each file from the TDB to an extended attribute? I'm trying to find a server-side solution to the migration problem. A client-side solution might be to rewrite each file (and resend the ACL data) after switching the Samba server configuration, but that puts a lot on the customers.
>
> There's no code in Samba to do this unless you're doing it via a client. You could write custom code to pull the data out of the tdb and re-store as EA's on the files, but that's outside the scope of the tools we provide.

Using Samba 4.0.0, the python bindings or even samba-tool ntacl get/set would be quite a good choice here. We can read directly the NT ACL from the tdb and then set it using the xattr code.

At a shell level, try something (untested) like:

    samba-tool ntacl get file

then change the smb.conf setting and set it with

    samba-tool ntacl set file

This should be enough, perhaps pointing at two different smb.conf files.

Some other options that you shouldn't need, but I will describe are:

    --xattr-backend=tdb --use-ntvfs

This combination might be handy, allowing you to directly read the NT ACL in the tdb, even when the smb.conf is configured to use the xattr. (Be warned, the comparison with the posix permissions to see which was set last will not be performed in this case).

Also see the python API in samba.ntacls, which may allow you to implement a 'samba-tool ntacl migrate file' command.

I'm very happy to help out if you have any more questions here, as we certainly do have a good range of tools that should be able to help you out.

Jeremy will need to confirm (and your testing will be important) that the resulting database from 4.0.0 will be compatible with Samba 3.5. That said, we haven't deliberately changed anything about the on-disk format here, as far as I'm aware.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
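Andrew's untested shell sketch turned into a script, as an added example (not Samba's own code): read each file's NT ACL as SDDL through an smb.conf that loads acl_tdb, write it back through an smb.conf that loads acl_xattr, and read it again to confirm the round trip. The two smb.conf paths and the share root are assumptions; the samba-tool invocation is injectable so the walk can be exercised without a Samba install.

```python
#!/usr/bin/env python3
"""Migrate NT ACLs from vfs_acl_tdb to vfs_acl_xattr with samba-tool.

Added example, not Samba code.  Assumptions: SRC_CONF is an smb.conf with
'vfs objects = acl_tdb', DST_CONF the same configuration with
'vfs objects = acl_xattr'; both name the same share path.
"""
import os
import subprocess
import sys

SRC_CONF = "/etc/samba/smb.conf.acl_tdb"    # assumed path
DST_CONF = "/etc/samba/smb.conf.acl_xattr"  # assumed path
SAMBA_TOOL = "samba-tool"


def run_samba_tool(argv):
    """Run samba-tool; return (exit code, stdout without trailing newline)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout.rstrip("\n")


def looks_like_sddl(text):
    """Sanity check on 'samba-tool ntacl get --as-sddl' output: a descriptor
    starts with an owner (O:) and, for our purposes, must carry a DACL (D:)."""
    return text.startswith("O:") and "D:" in text


def read_tdb_acl(path, run=run_samba_tool):
    """Return the SDDL stored for path via the acl_tdb configuration, or None
    when there is no stored NT ACL (such files only had POSIX-derived ACLs)."""
    rc, out = run([SAMBA_TOOL, "ntacl", "get", "--as-sddl",
                   "--configfile=" + SRC_CONF, path])
    if rc != 0 or not looks_like_sddl(out):
        return None
    return out


def write_xattr_acl(path, sddl, run=run_samba_tool):
    """Store the SDDL through the acl_xattr configuration."""
    rc, _ = run([SAMBA_TOOL, "ntacl", "set", "--configfile=" + DST_CONF,
                 sddl, path])
    return rc == 0


def read_xattr_acl(path, run=run_samba_tool):
    """Read the SDDL back through the acl_xattr configuration."""
    rc, out = run([SAMBA_TOOL, "ntacl", "get", "--as-sddl",
                   "--configfile=" + DST_CONF, path])
    return out if rc == 0 else None


def migrate_paths(paths, run=run_samba_tool, dry_run=False):
    """Copy the stored NT ACL of every path from the tdb to the xattr backend.
    Returns {'migrated': [...], 'skipped': [...], 'failed': [...]}."""
    report = {"migrated": [], "skipped": [], "failed": []}
    for path in paths:
        sddl = read_tdb_acl(path, run)
        if sddl is None:
            report["skipped"].append(path)
            continue
        if dry_run:
            report["migrated"].append(path)
            continue
        # Write, then read back through the xattr configuration: a mismatch
        # means the ACL did not survive the round trip and needs a look.
        if write_xattr_acl(path, sddl, run) and read_xattr_acl(path, run) == sddl:
            report["migrated"].append(path)
        else:
            report["failed"].append(path)
    return report


def walk_share(root):
    """Yield the share root and every directory and file beneath it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


if __name__ == "__main__":
    share_root = sys.argv[1] if len(sys.argv) > 1 else "/srv/share"  # assumed
    result = migrate_paths(walk_share(share_root),
                           dry_run="--dry-run" in sys.argv[2:])
    for key in ("migrated", "skipped", "failed"):
        print("%s: %d" % (key, len(result[key])))
    sys.exit(1 if result["failed"] else 0)
```

Run it once with --dry-run to count files that actually have a stored NT ACL before switching the live smb.conf over.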
Re: [Samba] Samba 4 Services for UNIX? [SOLVED]
On Wed, 2013-01-09 at 19:50 -0500, Robert Moggach wrote:
> ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAIN.ldb -U administrator 03_smb_maps.ldif

NEVER, EVER DO THIS. You now have a corrupt database. Please wipe the database, and start again, hopefully from a backup.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Samba4 as a RODC
On Wed, 2013-01-09 at 16:32 +0100, Jaymzwise Jaymzwise wrote:
> Hi ! Is it possible to join Samba4 as a RODC in an AD Domain (Windows 2K8 PDC) ?

Yes. You will have to replicate the sysvol share manually however.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Samba4 internal DNS not responding to DNS requests
On Wed, 2013-01-09 at 09:47 -0500, fe...@epepm.cupet.cu wrote:
> > I am not able to get the Samba4 internal DNS server to respond to DNS requests on the network. I am running Samba4 4.1.0pre1-GIT-c1fb37d on my CentOS 6.3 system. I followed the instructions here: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
> >
> > I configured Samba4 to use the internal DNS server. My Samba4 server is 192.168.0.13. Its full hostname is ubuntu-ad.allenlan.net. The realm is ALLENLAN.NET. The DNS testing section of the document passes:
> >
> >     $ host -t SRV _ldap._tcp.allenlan.net.
> >     _ldap._tcp.allenlan.net has SRV record 0 100 389 ubuntu-ad.allenlan.net.
> >     $ host -t SRV _kerberos._udp.allenlan.net.
> >     _kerberos._udp.allenlan.net has SRV record 0 100 88 ubuntu-ad.allenlan.net.
> >     $ host -t A ubuntu-ad.allenlan.net.
> >     ubuntu-ad.allenlan.net has address 192.168.0.13
> >
> > I configured my Windows XP system with a DNS of 192.168.0.13 (Samba4 server). When I perform the Windows command nslookup ubuntu-ad.allenlan.net (or any variation of that) it reports:
> >
> >     DNS request timed out.
> >         timeout was 2 seconds.
> >     *** Can't find server name for address 192.168.0.13: Timed out
> >     (above 3 messages repeat again)
> >     Default servers are not available
> >     Server:  UnKnown
> >     Address:  192.168.0.13
> >
> > The Windows system can ping the Samba4 server by IP address. Any help would be appreciated! More configuration information below.
> >
> > /etc/resolv.conf:
> >
> >     domain allenlan.net
> >     nameserver 192.168.0.13
> >
> > /usr/local/samba/etc/smb.conf:
> >
> >     [global]
> >         workgroup = ALLENLAN
> >         realm = ALLENLAN.NET
> >         netbios name = UBUNTU-AD
> >         server role = active directory domain controller
> >         dns forwarder = 192.168.0.1
> >         interfaces = 192.168.0.13 127.0.0.1
> >         bind interfaces only = yes
> >         log level = 3
> >         server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> >
> > /etc/hosts:
> >
> >     192.168.0.13 ubuntu-ad ubuntu-ad.allenlan.net
> >     127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> >     ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> >
> >     $ hostname
> >     ubuntu-ad.allenlan.net
>
> That was the reason I switched to bind9. The internal dns server used to keep connections open, without closing old ones, until reaching the limit of max files... I don't know whether it's been already fixed or not. But it doesn't happen with bind. This topic has been on the list before.

Yes, we fixed that (with a timeout).

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  3a7c277 s3-lib: Use new strict directory create function in create_pipe_sock().
       via  1aa0503 Use the new directory_create_or_exist_strict() function.
       via  6039388 util: Add a strict directory_create_or_exist function.
       via  5d721de s3:smb2_negprot: set the 'remote_proto' value
       via  4d1fd0b samba_dnsupdate: set KRB5_CONFIG for nsupdate command
       via  8d9a77f s4:lib/messaging: terminate the irpc_servers_byname() result with server_id_set_disconnected() (bug #9540)
      from  2cc6f9c libnet-vampire: reports Exops as they rather than sync on some partitions

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 3a7c2777ee0de37d758fe81d67d6836a8354825e
Author: Andreas Schneider a...@samba.org
Date:   Wed Jan 9 09:02:54 2013 +0100

    s3-lib: Use new strict directory create function in create_pipe_sock().

    Reviewed-by: Andrew Bartlett abart...@samba.org

    Autobuild-User(master): Andrew Bartlett abart...@samba.org
    Autobuild-Date(master): Wed Jan 9 10:55:23 CET 2013 on sn-devel-104

commit 1aa0503401d41fec48d4d4e30d8bbcbd847ff807
Author: Andreas Schneider a...@samba.org
Date:   Tue Jan 8 14:21:23 2013 +0100

    Use the new directory_create_or_exist_strict() function.

    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 6039388fc1f3671bb60db06211814f7edfc62285
Author: Andreas Schneider a...@samba.org
Date:   Tue Jan 8 14:21:00 2013 +0100

    util: Add a strict directory_create_or_exist function.

    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 5d721de7fdc250c6cb423c553134dd687590c1a0
Author: Stefan Metzmacher me...@samba.org
Date:   Thu Dec 13 10:44:07 2012 +0100

    s3:smb2_negprot: set the 'remote_proto' value

    Signed-off-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 4d1fd0b7daa089bd8863f0efcaf258bf30192c29
Author: Björn Baumbach b...@sernet.de
Date:   Thu Dec 20 15:57:43 2012 +0100

    samba_dnsupdate: set KRB5_CONFIG for nsupdate command

    Let nslookup use krb5.conf, which is set in our KRB5_CONFIG.
Signed-off-by: Björn Baumbach b...@sernet.de Reviewed-by: Stefan Metzmacher me...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org commit 8d9a77f8646cd26371dc2ec1d3ed52730ac19eb9 Author: Stefan Metzmacher me...@samba.org Date: Fri Jan 4 13:27:26 2013 +0100 s4:lib/messaging: terminate the irpc_servers_byname() result with server_id_set_disconnected() (bug #9540) Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Andrew Bartlett abart...@samba.org --- Summary of changes: lib/util/samba_util.h |4 ++ lib/util/util.c | 49 +--- source3/lib/util_sock.c | 50 - source3/rpc_server/rpc_server.c |2 +- source3/smbd/server.c |2 +- source3/smbd/smb2_negprot.c |8 + source4/lib/messaging/messaging.c |6 ++-- source4/lib/messaging/pymessaging.c |4 +- source4/ntp_signd/ntp_signd.c |2 +- source4/scripting/bin/samba_dnsupdate |9 +++-- source4/smbd/service_named_pipe.c |2 +- source4/winbind/wb_server.c |9 - 12 files changed, 83 insertions(+), 64 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h index e553ec1..27c2e6e 100644 --- a/lib/util/samba_util.h +++ b/lib/util/samba_util.h @@ -631,6 +631,10 @@ _PUBLIC_ bool directory_exist(const char *dname); _PUBLIC_ bool directory_create_or_exist(const char *dname, uid_t uid, mode_t dir_perms); +_PUBLIC_ bool directory_create_or_exist_strict(const char *dname, + uid_t uid, + mode_t dir_perms); + /** Set a fd into blocking/nonblocking mode. Uses POSIX O_NONBLOCK if available, else diff --git a/lib/util/util.c b/lib/util/util.c index b50d28a..d49e20e 100644 --- a/lib/util/util.c +++ b/lib/util/util.c 
@@ -143,12 +143,13 @@ _PUBLIC_ bool directory_exist(const char *dname) * @retval true if the directory already existed and has the right permissions * or was successfully created. */ -_PUBLIC_ bool directory_create_or_exist(const char *dname, uid_t uid, - mode_t dir_perms) +_PUBLIC_ bool directory_create_or_exist(const char *dname, + uid_t uid, + mode_t dir_perms) { int ret; - struct stat st; - + struct stat st; + ret = lstat(dname, st); if (ret == -1) { mode_t old_umask; @@ -179,6 +180,44
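Review bot: the new directory_create_or_exist_strict() prototype added to lib/util/samba_util.h carries no doc comment, while the function it sits beside is documented in util.c (the @retval block visible in the next hunk); state what "strict" rejects that directory_create_or_exist() accepts, and what is returned in that case, so a caller such as create_pipe_sock() can see why it should prefer the strict variant.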
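Review bot: the lib/util/util.c hunk mixes cosmetic edits into a functional commit: the reflow of the directory_create_or_exist() prototype across three lines and the whitespace-only `- struct stat st;` / `+ struct stat st;` pair change no behaviour, yet they share the diff with the @@ -179,6 +180,44 addition of the new function (truncated here). Keep such cleanups in their own commit so the 44 added lines can be reviewed on their own.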
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  411440d replace: Fix compilation of rep_mkstemp
       via  0615f68 s3: Fix vfs_zfsacl to compile.
       via  1002cc9 selftest: show that Samba honours write list and valid users
       via  fcdd609 Fixup the change_to_user_by_session() case as called from become_user_by_session()
       via  296c0c3 smbd: Remove some ()
       via  38b34cc smbd: Simplify an if-expression
       via  1770882 smbd: Fix a typo
       via  b668c90 Move create_share_access_mask() from smbd/service.c to smbd/uid.c.
       via  86d1e1d Fix bug #9518 - conn->share_access appears not be be reset between users.
       via  1abb5eb Factor code out of check_user_ok() into a call to check_user_share_access().
       via  ea86f4e Initialize stack variables. Prelude to factoring out calls to check_user_share_access().
       via  8475f20 Add check_user_share_access() which factors out the share security and read_only flag setting code.
       via  6d7bffa Correctly setup the conn->share_access based on the current user token.
       via  5e9eebf Change API for create_share_access_mask() - remove conn struct.
       via  926d930 Change API for create_share_access_mask() to pass in the token.
       via  00de188 Fix API for create_share_access_mask().
       via  f7464bb Remove static from create_share_access_mask().
       via  4983d58 Add uint32_t share_access to vuid_cache_entry.
       via  7d90ae1 Clean up struct connection_struct, make struct vuid_cache a pointer not inline.
       via  5e483ab Remove unneeded variable const struct auth_session_info *session_info
       via  2e2f464 Remove dead code now vuser can no longer be NULL.
       via  0a09ffd Remove the second set of {} braces, no longer needed.
       via  45845f5 Remove one set of enclosing {} braces, no longer needed.
       via  390a812 Move the definition of struct vuid_cache_entry *ent outside blocks.
       via  310c4ca Start to tidy-up check_user_ok().
       via  5bffdac torture/vfstest.c: Always use create_conn_struct(). Don't hand create connection structs.
       via  7ba6850 source3/smbd/pysmbd.c: Always use create_conn_struct(). Don't hand create connection structs.
       via  a9730cb smbd/posix_acls.c: Use create_conn_struct(). Don't hand-create connection structs.
       via  b6fe9ec Allow create_conn_struct() to be called with snum == -1.
       via  97eb049 smbd: Rework create_conn_struct to use conn_new()
      from  3d5c534 smbd: Fix bug 9549 -- Memleak in the async echo handler

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 411440d2d9085fe9db0e3c26c025c6b94d02c00f
Author: Jesper Larsen jesper.lar...@ixonos.com
Date:   Fri Jan 4 13:03:58 2013 +0100

    replace: Fix compilation of rep_mkstemp

    Commit 1fbc185 removed the variable 'p'. Use the equivalent variable 'template' instead.

    Reviewed-by: Andrew Bartlett abart...@samba.org

    Autobuild-User(master): Andrew Bartlett abart...@samba.org
    Autobuild-Date(master): Wed Jan 9 07:18:33 CET 2013 on sn-devel-104

commit 0615f68096569d00b1f262529024ad40136d445e
Author: Ira Cooper i...@samba.org
Date:   Thu Dec 27 19:57:14 2012 +

    s3: Fix vfs_zfsacl to compile.

    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 1002cc9a669836d6cddaac350715a2b107bec01e
Author: Andrew Bartlett abart...@samba.org
Date:   Thu Dec 20 23:05:55 2012 +1100

    selftest: show that Samba honours write list and valid users

    Reviewed-by: Jeremy Allison j...@samba.org
    Reviewed-by: Stefan Metzmacher me...@samba.org

commit fcdd6092b10a4b4406af47b989dcf1a9d693580e
Author: Jeremy Allison j...@samba.org
Date:   Tue Jan 8 11:02:16 2013 -0800

    Fixup the change_to_user_by_session() case as called from become_user_by_session()

    Use inside source3/printing/nt_printing.c:get_correct_cversion(). Allow check_user_ok() to be called with vuid==UID_FIELD_INVALID. All this should do is throw away one entry in the vuid cache.

    Signed-off-by: Jeremy Allison j...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 296c0c34f198dfc7a8f13f26e54fbc980f667784
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 6 14:50:33 2013 +0100

    smbd: Remove some ()

    Reviewed-by: Jeremy Allison j...@samba.org
    Reviewed-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 38b34cc3e529e185dd3b3d9f79ae74d1c9fac435
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 6 14:41:24 2013 +0100

    smbd: Simplify an if-expression

    Reviewed-by: Jeremy Allison j...@samba.org
    Reviewed-by: Stefan Metzmacher me...@samba.org
    Reviewed-by: Andrew Bartlett abart...@samba.org

commit 17708821ffc2d0cb771e8c5cb6415b87e20d6a0a
Author: Volker Lendecke v...@samba.org
Date:   Sun Jan 6 14:39:07 2013 +0100

    smbd: Fix a typo

    Reviewed
Re: [Samba] Samba 4 Services for UNIX?
On Mon, 2013-01-07 at 16:21 -0500, Robert Moggach wrote:
> I have a working Samba 4.0.0 AD DC running and am able to manage users etc using the Windows tools. Great. Now I want to as much as possible eliminate the need for an additional directory service (OpenLDAP and/or Open Directory) if not entirely. I need automount working and Posix users. I believe it's possible to set this up but haven't been able to find any solid documentation - Can someone point me in the right direction?
>
> Specifically I'm looking for:
>
> 1) How to install the necessary schema etc for UNIX connectivity
> 2) How to install/manage UNIX friendly users, groups, etc.
> 3) How to successfully add the automount schema (the wiki doesn't seem to work for me)
> 4) How to add automount maps

We already include the SFU schema, and users have reported adding the automount schema. You should be able to make this work, but I'll leave to other users to describe the process in more detail.

See also: https://wiki.samba.org/index.php/Samba4/Schema_extenstions

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] [PATCH] Re: samba-tool domain classicupgrade with LDAP backend
On Fri, 2013-01-04 at 12:53 +0100, Juan Asensio Sánchez wrote:
> Hi Andrew
>
> Unfortunately, after applying the patch, recompile, uninstall and install again, I am getting the same error:
>
>     # cd ~/samba-4.0.0
>     # patch -p1 < ~/0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch
>     # make uninstall
>     rm -Rf /usr/local/samba/
>     make clean
>     make
>     make install
>     # samba-tool domain classicupgrade --dbdir ~/sambav3 --realm SSCC.SACYL.TEST --use-xattrs=yes ~/sambav3/smb.conf -d9
>     ...
>     init_sam_from_ldap: Entry found for user: XXX
>     init_sam_from_ldap: Entry found for user: XXX$
>     Next rid = 12801001
>     Failed to connect to ldap URL 'ldap://XX.X.es' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
>     Failed to connect to 'ldap://XX.X.es' with backend 'ldap': (null)
>     Could not open ldb connection to ldap://XX.X.es, the error message is: (1, None)

Can you set 'log level = 10' in your smb.conf and try again, I'm very much lost as to what the error is if this doesn't fix it.

Can you contact this host using ldbsearch? eg:

    ldbsearch -H ldap://XX.X.es

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] [PATCH] Re: samba-tool domain classicupgrade with LDAP backend
On Tue, 2013-01-08 at 18:42 +1100, Andrew Bartlett wrote:
> On Fri, 2013-01-04 at 12:53 +0100, Juan Asensio Sánchez wrote:
> > Hi Andrew
> >
> > Unfortunately, after applying the patch, recompile, uninstall and install again, I am getting the same error:
> >
> >     # cd ~/samba-4.0.0
> >     # patch -p1 < ~/0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch
> >     # make uninstall
> >     rm -Rf /usr/local/samba/
> >     make clean
> >     make
> >     make install
> >     # samba-tool domain classicupgrade --dbdir ~/sambav3 --realm SSCC.SACYL.TEST --use-xattrs=yes ~/sambav3/smb.conf -d9
> >     ...
> >     init_sam_from_ldap: Entry found for user: XXX
> >     init_sam_from_ldap: Entry found for user: XXX$
> >     Next rid = 12801001
> >     Failed to connect to ldap URL 'ldap://XX.X.es' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
> >     Failed to connect to 'ldap://XX.X.es' with backend 'ldap': (null)
> >     Could not open ldb connection to ldap://XX.X.es, the error message is: (1, None)
>
> Can you set 'log level = 10' in your smb.conf and try again, I'm very much lost as to what the error is if this doesn't fix it.
>
> Can you contact this host using ldbsearch? eg:
>
>     ldbsearch -H ldap://XX.X.es
>
> Andrew Bartlett

Also, can you verify that this patch makes the classicupgrade fail right after the failed connection, rather than hobbling on and failing due to an un-set variable?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org

From 2f9a0fb067471d5dc411b4d77e2ed357c8303201 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett abart...@samba.org
Date: Sat, 5 Jan 2013 15:19:09 +1100
Subject: [PATCH] samba-tool domain classicupgrade: Make failure to connect to the LDAP server fatal

This avoids a different, less clear fatal condition later in the script.

Andrew Bartlett
---
 source4/scripting/python/samba/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index d680a7c..b068d44 100644
--- a/source4/scripting/python/samba/upgrade.py +++ b/source4/scripting/python/samba/upgrade.py @@ -788,7 +788,7 @@ Please fix this account before attempting to upgrade again try: ldb_object = Ldb(url, credentials=creds) except ldb.LdbError, e: -logger.warning(Could not open ldb connection to %s, the error message is: %s, url, e) +raise ProvisioningError(Could not open ldb connection to %s, the error message is: %s, url, e) else: break logger.info(Exporting posix attributes) -- 1.7.11.7 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
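Review bot: the replacement line keeps the logger-style argument list, `raise ProvisioningError(Could not open ldb connection to %s, the error message is: %s, url, e)`, which works for logger.warning() because the logging module applies %-formatting lazily, but an exception constructor only stores the three arguments and the message keeps its literal %s placeholders. Format before raising: `raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))`. Since the except branch now always raises, the try/except/else with `else: break` no longer has a non-fatal path to retry, so the surrounding loop could be flattened in a follow-up.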
Re: [Samba] samba-tool domain classicupgrade with LDAP backend
On Fri, 2013-01-04 at 08:57 +0100, Juan Asensio Sánchez wrote:
> Hi
>
> I forgot to explain my scenario... I have one Samba3 test-production with LDAP backend (it's a test server, but used intensively), so to make the tests I created a new virtual machine in a separated/isolated network. This is a clean CentOS 6.3 machine; I just installed the compile dependencies and then compiled and installed Samba. I didn't modify resolv.conf, nor nscd.conf, so the name resolution is using an official DNS server.
>
> After posting the message, I continued investigating and I found this message https://lists.samba.org/archive/samba-technical/2012-September/086979.html, where the user reports the same problem as me. The solution there is to use the IP address instead of the DNS name, and he says that the problem can be due to his configuration, but I have the same problem... so I could think this is a bug, not a server configuration problem. I can connect perfectly to the LDAP server, use the ldapsearch command, etc. Indeed, the script retrieves the users correctly, but only fails when exporting the Posix attributes.

What is your 'name resolve order' parameter set to?

> The problem with us about ldap group suffix is that our LDAP has multiple organizations, each one with their own users and groups:
>
> dc=myorg,dc=es
> - o=suborg1,dc=myorg,dc=es
> - - ou=People,o=suborg1,dc=myorg,dc=es
> - - ou=Groups,o=suborg1,dc=myorg,dc=es
> - o=suborg2,dc=myorg,dc=es
> - - ou=People,o=suborg2,dc=myorg,dc=es
> - - ou=Groups,o=suborg2,dc=myorg,dc=es
> ...
>
> So, in our Samba3 configuration we have ldap suffix set to dc=myorg,dc=es but ldap group suffix set to ou=Groups,o=suborg1 (for the Samba3 domain controller for suborg1; each suborganization has its own domain under its tree and its own domain controller using that domain). Then, all users (from any suborganization) can log in to any organization/domain/domain controller (we have resolved the problem with SIDs from one domain to another using a plugin in the 389DS LDAP server).

Why is your ldap suffix 'dc=myorg,dc=es' and not 'o=suborg1,dc=myorg,dc=es'?

Either way, the migration script expects a directory layout at least somewhat near the typical one described in our documentation and populated with either the ldapsam:editposix tool or smbldap-tools. As you move beyond that, the ability of a standardised script to cope drastically decreases. I'm very happy for the script to try and cope with more diverse configurations, if you wish to propose patches however. I'm keen for it to import any additional attributes for which we have matching schema, for example (not just the posix attributes).

> Our target is (and here comes my big doubt) to configure Samba4 to host multiple domains under the same forest, replicating our current environment and establishing trust relationships between the domains. Is this possible? How should I do it?

Samba as an AD DC does not support either being or hosting a subdomain, nor the trust relationships needed between those domains. This remains a future development task. A small amount of support exists for inter-realm trusts, trusts with Samba classic domains and kerberos trusts, but what little support exists here is experimental and undocumented, existing mostly because it fell out of other work.

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
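The two messages above revolve around one diagnostic split: `ldapsearch` reaches the server by DNS name, yet Samba's own LDAP client inside `classicupgrade` fails with NT_STATUS_BAD_NETWORK_NAME, which is why Andrew asks for an `ldbsearch -H ldap://host` test and for the 'name resolve order' setting. The pre-flight script below is an added example, not code from this thread or from the Samba project: it resolves the LDAP URL's host with the system resolver, opens the TCP port and performs an anonymous LDAPv3 simple bind encoded by hand (RFC 4511 BindRequest/BindResponse, minimal BER), so the check needs no LDAP library. It assumes Python 3, that the server listens on the port in the URL (389 if none) and that anonymous bind is allowed; the sample response bytes in the comments are constructed. The caveat is the point of the thread: if this script succeeds against the DNS name but `samba-tool domain classicupgrade` still fails with the same URL, the fault is not DNS or the server but the resolver Samba uses internally, so the next thing to check is 'name resolve order' (or use the IP address in the URL as the linked post did).

```python
import socket
import sys
from urllib.parse import urlsplit


def ber_len(n):
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id=1):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest {version 3, name "", simple ""} }.

    For msg_id=1 this is 30 0c 02 01 01 60 07 02 01 03 04 00 80 00.
    """
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)


def parse_tlv(buf, pos=0):
    """Return (tag, value, position-after-element) for the BER element at pos."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf):
    """Decode a BindResponse and return (messageID, resultCode, diagnosticMessage)."""
    tag, body, _ = parse_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = parse_tlv(body, 0)
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError("protocolOp is not a BindResponse (tag 0x%02x)" % op_tag)
    _, result_code, pos = parse_tlv(op, 0)   # ENUMERATED resultCode
    _, _matched_dn, pos = parse_tlv(op, pos)  # LDAPDN matchedDN
    _, diag, _ = parse_tlv(op, pos)           # LDAPString diagnosticMessage
    return (int.from_bytes(msg_id, "big"),
            int.from_bytes(result_code, "big"),
            diag.decode("utf-8", "replace"))


def preflight(url, timeout=5.0):
    """Resolve, connect and anonymously bind to an ldap:// URL; never raises."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 389
    report = {"url": url, "host": host, "port": port,
              "addresses": [], "bind_result": None, "error": None}
    try:  # step 1: does the system resolver know the name at all?
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        report["addresses"] = sorted({i[4][0] for i in infos})
    except socket.gaierror as exc:
        report["error"] = "name resolution failed: %s" % exc
        return report
    try:  # step 2: TCP reachability plus an LDAP-level reply
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request())
            data = sock.recv(4096)
        _, code, diag = parse_bind_response(data)
        report["bind_result"] = code
        if code != 0:
            report["error"] = "bind failed: resultCode %d %s" % (code, diag)
    except (OSError, ValueError) as exc:
        report["error"] = "connect/bind failed: %s" % exc
    return report


if __name__ == "__main__":
    # Usage: python3 ldap_preflight.py ldap://XX.X.es
    result = preflight(sys.argv[1] if len(sys.argv) > 1 else "ldap://localhost")
    for key, value in result.items():
        print("%-12s %s" % (key, value))
    sys.exit(0 if result["error"] is None else 1)
```

A resultCode of 0 means the name resolved, the port answered and the server speaks LDAP; 49 (invalidCredentials) or 53 (unwillingToPerform) still proves reachability and only says anonymous bind is refused. A resolution error here contradicts the claim that the official DNS server knows the host; a clean run here with a failing `classicupgrade` points at Samba's internal name resolution instead.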