Re: [Samba] ldbedit syntax problem
On 2013-09-22 21:09, steve wrote:
> On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
> > On 22/09/13 13:04, steve wrote:
> > > Hi
> > > How do I ldbedit this dn?
> > > CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
> > > It's the * that I can't get.
> > > Cheers,
> > > Steve
> > Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the results for '*'
> > Rowland
> Hi Rowland, hi everyone
> Yes, that works fine, thanks. The problem is that it loads the whole of the db into the editor.
> Cheers,
> Steve

Hi,

I haven't tried it but with ldbsearch it works:
-b OU=auto.users,ou=automount,DC=bar,DC=foo CN=*

Regards
Geza Gemes
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
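Why 'CN=*' pulls the whole database into the editor, and how to ask for the automount key that is literally '*': in an LDAP search filter '*' is a wildcard (presence or substring match), so the literal character has to be escaped as '\2a' per RFC 4515 (inside a DN, per RFC 4514, it needs no escaping). The Python below is an added example, not code from this thread; the automount entries and the small filter evaluator are constructed for illustration and only understand presence and exact-equality filters.

```python
import re
from typing import Dict, List

# Constructed sample of an automount OU: one map entry whose key is literally "*"
# (the autofs wildcard key) next to ordinary entries.
AUTOMOUNT_ENTRIES: List[Dict[str, str]] = [
    {"dn": "CN=*,OU=auto.users,OU=automount,DC=bar,DC=foo", "cn": "*"},
    {"dn": "CN=alice,OU=auto.users,OU=automount,DC=bar,DC=foo", "cn": "alice"},
    {"dn": "CN=/-,OU=auto.master,OU=automount,DC=bar,DC=foo", "cn": "/-"},
]


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\' and NUL become \\xx hex escapes, so "*" -> "\\2a" and
    the filter matches the literal character instead of acting as a wildcard.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def ldap_filter_unescape(value: str) -> str:
    """Reverse of ldap_filter_escape (turns \\2a back into '*')."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def equality_filter(attr: str, value: str) -> str:
    """Build "(attr=value)" with the value escaped, e.g. (cn=\\2a) for the "*" key."""
    return "(%s=%s)" % (attr, ldap_filter_escape(value))


def matches(entry: Dict[str, str], filter_str: str) -> bool:
    """Evaluate a single "(attr=value)" filter against one entry.

    Only the two shapes relevant here are implemented: "(attr=*)" is a
    presence test, anything else is an exact comparison after unescaping.
    The surrounding parentheses are optional, as ldbsearch also accepts.
    """
    body = filter_str.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    attr, sep, raw = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr = attr.strip().lower()
    if raw == "*":
        return attr in entry            # presence: every entry with a cn
    if "*" in raw:
        raise ValueError("substring filters are not handled by this example")
    return entry.get(attr) == ldap_filter_unescape(raw)


def search(entries: List[Dict[str, str]], filter_str: str) -> List[str]:
    """Return the DNs of the entries a filter selects, in directory order."""
    return [e["dn"] for e in entries if matches(e, filter_str)]
```

So 'CN=*' at the default base returns everything, scoping with -b narrows it to the subtree, and '(cn=\2a)' returns only the wildcard map entry.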
Re: [Samba] moodle + samba4 authentication
On 2013-08-14 20:50, Darek Frączkiewicz wrote:
> hello,
> has anyone tried to log in from Moodle to samba4 AD users? I can't config LDAP authentication. Through MS ActiveDirectory doesn't work.
> Regards
> --
> Darek Frączkiewicz
> daf...@gmail.com

It is working for us. What isn't working for you? What moodle version (we use 2.x)

Regards
Geza Gemes
Re: [Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.
On 2013-08-15 18:45, Andres Tello Abrego wrote:
> I'm lost in documentation.
> I setup a samba4 AD, and configured winbind so I can have local authentication using pam, I can now login to AD users via ssh.
> I want to achieve the Holy Grail of 1 source of users and password, for both, linux and windows machines, but I'm lost in documentation.
> So far I know:
> samba4 can't use openldap as backend.
> samba4 ldap isn't really a full ldap.
> samba4 provides uid/gid mapping using winbind or nslcd
> So far, I'm using winbind and I can see the samba ad users added to the password database executing:
> getent passwd
> But, after that, I'm lost.
> Can I implement remote winbind at remote linux client machines?
> Do I need to setup an openldap proxy?
> If I setup an openldap proxy, should I use winbind or nslcd?
> openldap now uses automatic configuration, any clue to implement the openldap proxy with this type?
> Thanks...

We use winbind from samba 3.6.x on the non DC linux boxes for this. Winbind from samba 4.0.x under testing.

Our config (the relevant part of):

/etc/krb5.conf:
[libdefaults]
default_realm = YOURREALM

/etc/samba/smb.conf:
[global]
workgroup = YOURDOMAIN
realm = YOURREALM
kerberos method = system keytab
security = ads
winbind enum groups = yes
winbind enum users = yes
idmap config *:backend = tdb
idmap config *:range = 11-30
idmap config YOURDOMAIN:default = yes
idmap config YOURDOMAIN:backend = ad
idmap config YOURDOMAIN:range = 0-10
idmap config YOURDOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 5
winbind nested groups = yes
winbind use default domain = yes

Of course the ranges depend on the uids/gids you've allocated.

Regards
Geza Gemes
Re: [Samba] Samba4 Using AD/UNIX attributes for home directory and shell not possible?
Hi,

> Hi,
> I would like to use the attributes in AD for home directory (homeDirectory) and the login shell (loginShell) for users logging in via ssh to a linux box.

Samba 4.x has (from the point of view of domain membership) two modes:
1. Active directory domain controller
2. Standalone, domain member or classic (NT4-like) domain controller
In the first case only the samba binary should run, which takes care of the winbind task (mapping user attributes) too. Unfortunately it can't retrieve homedir and shell attributes from the directory. In the second case a separate winbind instance is/should be running which is able to use those mappings from the directory, so if you are not running an AD DC on the box in question, please send your whole config to be able to help debugging it.

> I added the following parameters in the global-Section of /etc/samba/smb.conf:
> winbind nss info = rfc2307
> idmap_ldb:use rfc2307 = yes
> Also I set the attributes for a test-user (called tim) with some values.
> But when calling getent passwd I got the following result:
> ...
> SHADOW\tim:*:317:100:Tim Testinger:/home/SHADOW/tim:/bin/false
> So it seems that winbind is ignoring AD attributes.
> Is this a bug or did I misconfigure my samba installation?
> Best Regards
> Markus

Regards
Geza Gemes
Re: [Samba] Debian Package Updates
On 2013-08-08 02:11, Andrew Bartlett wrote:
> On Wed, 2013-08-07 at 17:58 +0100, Dominic Evans wrote:
> > On 5 August 2013 01:28, Andrew Bartlett abart...@samba.org wrote:
> > > On Fri, 2013-08-02 at 14:41 +0100, Dominic Evans wrote:
> > > > The debian package of samba4 is still sitting at 4.0.3 in experimental. Please could someone (Andrew?) upload an updated package now that we are up to 4.0.7?
> > > > http://packages.qa.debian.org/s/samba4.html
> > > We have toiled mightily, and have new experimental packages. They are stuck in the NEW queue, and have been for a month:
> > > http://ftp-master.debian.org/new.html
> > > (This is because we have additional package names, as part of the merge with the 'samba' package).
> > So the new packages have now made it into experimental
> > http://packages.qa.debian.org/s/samba/news/20130806T230018Z.html
> > However, it isn't obvious what the upgrade step(s) should be from an existing `samba4` install to these packages. They don't appear to have specified Conflicts/Replaces with the samba4 packages, and it appears like a `sudo apt-get install -t experimental samba` would be partially installing alongside the existing samba4 binaries?
> We do have conflicts/Replaces set, and when the bulk of the packaging work was done this was tested upgrading from both.
> From here, the best approach would be to tell us what errors you get, and we can add some more as required.
> Andrew Bartlett

Unfortunately http://packages.debian.org/search?keywords=sambasearchon=sourcenamessuite=experimentalsection=all still shows samba4 (4.0.3+dfsg1-0.1).

Regards
Geza Gemes
Re: [Samba] Logon scripts, home directories, and Samba4 AD
> Hi,
> This could do the job
> Identify the home share on your samba3 fileserver (certain it is member of your samba4 domain?!) as dfs root
> Ex: msdfs root= yes
> On samba4 ads
> [home]
> msdfs proxy= \your-samba3-server\homes
> read only = No
> with rsat point to \your-samba3-server\homes
> Good luck
> ---
> EDV Daniel Müller
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---

Even easier: specify \\your-samba3-server\%USERNAME% as the home folder setting under ADUC for all the users you want (you can even select them and set this once); if you also specify home drive H: it will get mounted at that drive letter.

> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Lee Allen
> Sent: Wednesday, 3 July 2013 00:20
> To: samba@lists.samba.org; samba-techni...@lists.samba.org
> Subject: [Samba] Logon scripts, home directories, and Samba4 AD
>
> I apologize if this appears twice: I posted it several hours ago and it has not appeared on the list, so I am tweaking the email address and trying again.
> I have two separate (virtual) servers: one running Samba4 functioning as an AD controller, and one running Samba 3.6.1 functioning as a file print server. On the Samba3 side I am using security=ads and winbind and authenticating against the Samba4 ADC. Everything is working great.
> Where things get a little messy is with the [homes] shares. Here is what I am doing now:
> My Samba3 smb.conf has a typical [homes] section. I create a subdirectory for each user, and set ownership permissions.
> I create a logon script on the Samba4 system -- one for each user, because the username is embedded in it:
> net use H: \\samba3\username
> And then I use RSAT to set the logon script to the correct value for each user.
> It's just a lot of steps that need to be performed (perfectly) for each user. Is there a better way?
> I see RSAT allows me to specify a Home folder. Could this be a folder on the Samba3 server -- ie, \\samba3\username ? (I tried that and it did not work)
> I can imagine some scripts that would create the logon script on the Samba4 system, and create the necessary directories on the Samba3 system. I could probably manage that, but I hate to re-invent the wheel -- If there is a clean, orthodox way to do this, I would like to know what it is.
> Thank you.
> Lee Allen

Regards
Geza Gemes
Re: [Samba] samba4 pdc: Import sudoers active directory schema to ldb
On 2013-06-29 11:00, george Nopicture wrote:
> Hi guys and congrats for bringing a fantastic project to the open source world.
> I've setup a samba4 pdc successfully and I am able to do domain logins. I was also able to add the automount schema into the ldb. But when it comes to the sudoers schema I can't import it in.
> Further system details: Debian wheezy 7, samba 4.0.6 compiled from source, sudo-ldap standard binary package from repos.
> I have split the sudoers active directory schema that came with sudo into 2 ldifs (classSchema apart from attributeSchema) and tried to import them in but I had no luck. I googled around but came up with nothing about it.
> This is the error I get:
> ERR: (Invalid attribute syntax) LDAP error 21 LDAP_INVALID_ATTRIBUTE_SYNTAX - 200B: objectclass_attrs: attribute 'mayContain' on entry 'CN=sudoRole,CN=Schema,CN=Configuration,DC=example,DC=com' contains at least one invalid value! on DN CN=sudoRole,CN=Schema,CN=Configuration,DC=example,DC=com at block before line 31.

First: I've cc-ed samba-technical as extending the schema is still an experimental feature.
Second: it would be helpful to be able to look at the ldif files you try to load (messages like "block before line 31" don't make too much sense without it)

Regards
Geza Gemes
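One thing that produces exactly this complaint about 'mayContain' is a classSchema entry whose mayContain/mustContain values name an attribute the schema does not know yet, which is easy to hit when the attributeSchema and classSchema halves are loaded as separate files in the wrong order. The pre-flight check below is an added example, not code from the thread or from the sudo project: it parses schema LDIF, reports every referenced attribute that is defined neither in the files nor in the target schema, and orders the entries so attributes load before classes. The LDIF and OIDs are constructed placeholders, not sudo's real schema file.

```python
import base64
from typing import Dict, Iterable, List, Set

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries (attribute names lowercased, values as lists).

    Handles folded continuation lines (leading space), '#' comments and base64
    'attr:: ...' values; enough for schema LDIF, not a complete LDIF reader.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def has_class(entry: Entry, object_class: str) -> bool:
    return object_class.lower() in (v.lower() for v in entry.get("objectclass", []))


# classSchema attributes whose values must be lDAPDisplayNames the schema knows.
REFERENCE_ATTRS = ("maycontain", "mustcontain", "systemmaycontain", "systemmustcontain")


def unresolved_references(ldif_texts: Iterable[str], base_attrs: Iterable[str]) -> Dict[str, List[str]]:
    """Map each classSchema lDAPDisplayName to the attribute names it references
    that are defined neither in the LDIF files nor in base_attrs (the names
    already present in the target schema)."""
    entries = [e for t in ldif_texts for e in parse_ldif(t)]
    known: Set[str] = {a.lower() for a in base_attrs}
    for e in entries:
        if has_class(e, "attributeSchema"):
            known.update(v.lower() for v in e.get("ldapdisplayname", []))
    problems: Dict[str, List[str]] = {}
    for e in entries:
        if not has_class(e, "classSchema"):
            continue
        missing = sorted({v for k in REFERENCE_ATTRS for v in e.get(k, []) if v.lower() not in known})
        if missing:
            problems[e["ldapdisplayname"][0]] = missing
    return problems


def load_order(ldif_texts: Iterable[str]) -> List[str]:
    """DNs in load order: every attributeSchema entry before any classSchema entry,
    so the names in mayContain exist by the time the class is validated."""
    entries = [e for t in ldif_texts for e in parse_ldif(t)]
    return [e["dn"][0] for e in sorted(entries, key=lambda e: 0 if has_class(e, "attributeSchema") else 1)]


# Constructed sample (placeholder OIDs): the class names four attributes but the
# attribute file only defines three of them, so sudoOption is reported.
SCHEMA_BASE = "CN=Schema,CN=Configuration,DC=example,DC=com"
SAMPLE_CLASS_LDIF = """\
dn: CN=sudoRole,%s
objectClass: top
objectClass: classSchema
cn: sudoRole
lDAPDisplayName: sudoRole
governsID: 1.3.6.1.4.1.99999.1.1
objectClassCategory: 1
subClassOf: top
mayContain: sudoCommand
mayContain: sudoHost
mayContain: sudoUser
mayContain: sudoOption
""" % SCHEMA_BASE


def attr_entry(name: str, oid: str) -> str:
    """One constructed attributeSchema entry (string syntax, multi-valued)."""
    return ("dn: CN=%s,%s\nobjectClass: top\nobjectClass: attributeSchema\ncn: %s\n"
            "lDAPDisplayName: %s\nattributeID: %s\nattributeSyntax: 2.5.5.12\noMSyntax: 64\n"
            "isSingleValued: FALSE\n") % (name, SCHEMA_BASE, name, name, oid)


SAMPLE_ATTR_LDIF = "\n".join(attr_entry(n, "1.3.6.1.4.1.99999.2.%d" % i)
                             for i, n in enumerate(("sudoCommand", "sudoHost", "sudoUser"), 1))
```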
Re: [Samba] SAMBA4 vs Windows 2008 AD
On 2013-06-05 09:29, Mario Almeida wrote:
> Thanks Geza,
> We only need for centralist authentication and for deploying group policies.
> Using windows XP I create group policy and keep in sysvol folder and sync the sysvol folder on BDC (samba) everything should work fine?
> Regards,
> Remy

Basically yes, but please test your setup before deployment (preferably on a separate lan)

Regards
Geza Gemes
Re: [Samba] SAMBA4 vs Windows 2008 AD
On 2013-05-26 10:46, Mario Almeida wrote:
> Hi All,
> Is there any answer?
> On Sat, May 25, 2013 at 7:43 PM, Mario Almeida malme...@isa.ae wrote:
> > Hi All,
> > I am planning to convert our company's AD server to Samba4, need to know if Samba4 is a complete replacement for Windows 2008 AD.
> > Is there a link to show features comparison, showing what is compatible and what is not?
> > Regards,
> > Remy

Yes, but your mail arrived today; probably nobody else on the list has seen it before. Please check your outgoing mail route.

Basically Samba 4.0.x lacks the following features:
1. Domain DFS
2. DFSR (needed to replicate sysvol between DCs)
3. Trust (it can be trusted, it cannot trust)
4. Forest (multidomain) support
5. Group policy modeling wizard support

You should check which of the aforementioned features, if any, are important for your company, and could run a few test migrations.

Regards
Geza Gemes
Re: [Samba] Winbind strip domain from username?
On 2013-04-16 12:33, Luc Lalonde wrote:
> Hello Geza,
> Here's my 'smb.conf':
> [global]
> workgroup = FOO
> realm = foo.example.com
> netbios name = ROQUEFORT
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap config * : range = 16777216-33554431
> template shell = /bin/bash
> winbind offline logon = false
> winbind enum users = yes
> winbind enum groups = yes
> obey pam restrictions = yes
> template homedir = /usagers/%U
> winbind use default domain = yes
> map untrusted to domain = no
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/foo.example.com/scripts
> read only = No
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> Thanks for your help!
> Cheers!
> On 2013-04-16, at 12:09 AM, Gémes Géza g...@kzsdabas.hu wrote:
> > On 2013-04-15 23:12, Luc Lalonde wrote:
> > > Hello Folks,
> > > This directive works with Samba3 but does not seem to work with Samba-4.0.5:
> > > winbind use default domain = Yes
> > > I want to get a username that does not contain the domain (GIGL). Instead here's what I get:
> > > [root@roquefort ~]# getent passwd | grep GIGL
> > > GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
> > > GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
> > > GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
> > > GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
> > > GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
> > > GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
> > > How do I remove the 'GIGL\' from the username? This is causing me problems mounting the user's home directory at logon with 'PAM_MOUNT'
> > > What am I missing?
> > > Thank You!
> > Please attach your smb.conf.
> > Regards
> > Geza Gemes

So it is your AD DC then (server role = active directory domain controller); unfortunately in that role samba uses the winbind bundled into the samba binary which has many deficiencies compared to the standalone winbind binary (but which cannot be run on a DC)

Regards
Geza Gemes
Re: [Samba] file share necessary?
On 2013-04-15 06:21, Geoff Crompton wrote:
> On 15/04/13 14:07, Marc Muehlfeld wrote:
> > On 15.04.2013 04:23, Geoff Crompton wrote:
> > > On https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Setup_a_basic_File_Share the instructions say "For the server to be useful you, will need to update it to have at least one share"
> > > What do you need a file share for the server to be useful? Isn't a domain controller 'useful' to authenticate machines and users even if it doesn't have a file share? I would have thought that this step would be optional, like the NTP step just above it.
> > The DC needs at least a sysvol and netlogon share.
> > Regards,
> > Marc
> That makes sense. If you've followed the HOWTO (as I just have) you probably already have sysvol and netlogon shares. Does anyone mind if I mark the 'Setup a basic File Share' as optional, and add some notes that the sysvol and netlogon shares are needed for a domain controller, but users should feel free to add their own if they desire?
> Cheers,
> Geoff

+1 from me

Regards
Geza Gemes
Re: [Samba] samba4 rfc2307 practice and confuse
On 2013-04-15 11:51, d tbsky wrote:
> 2013/4/15 steve st...@steve-ss.com
> > Yes. To get the rfc2307 info out from the directory you can use winbind, nslcd or sssd on the client. If you want to get all of the rfc2307 attributes on the DC, your choice is narrowed down to the latter two. As Geza posted earlier, winbind can only manage uidNumber and gidNumber.
> > I've put our nslcd method here:
> > http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
> > Will post the sssd solution sometime today.
> > HTH
> > Steve
> I remember that samba team suggest to use winbind instead of ldap to work with samba server, although I don't know why or is it still true for samba 4 DC. so what's the benefit of winbind? since RHEL 6 comes with sssd, I think maybe I will use that instead of winbind.
> and thanks a lot for your information!!
> Regards,
> tbskyd

Winbind strengths:
1. Caching (lot better than nscd)
2. Can get group membership (the SIDs) from PAC (less lookups on the DC)
3. No need for storing plaintext passwords in config files, or create other user accounts than the machine account (created at join) and storing their keytab.
Probably there are others too (as well as weaknesses)

Regards
Geza Gemes
Re: [Samba] Winbind strip domain from username?
On 2013-04-15 23:12, Luc Lalonde wrote:
> Hello Folks,
> This directive works with Samba3 but does not seem to work with Samba-4.0.5:
> winbind use default domain = Yes
> I want to get a username that does not contain the domain (GIGL). Instead here's what I get:
> [root@roquefort ~]# getent passwd | grep GIGL
> GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
> GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
> GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
> GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
> GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
> GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
> How do I remove the 'GIGL\' from the username? This is causing me problems mounting the user's home directory at logon with 'PAM_MOUNT'
> What am I missing?
> Thank You!

Please attach your smb.conf.

Regards
Geza Gemes
Re: [Samba] python scripting samba
On 2013-04-16 01:30, Geoff Crompton wrote:
> Can someone point me to some documentation on scripting samba user and group management from python? I'd much rather not do this via calls out to samba-tool, and if I could do this remotely (via LDAP like calls) I'd be even happier.
> Cheers,
> Geoff

Have a look at the samba-tool code at:
/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/
and
/usr/local/samba/lib/python2.7/site-packages/samba/provision/
There are really good examples of using SAMDb, even remote ones.

Regards
Geza Gemes
Re: [Samba] file share necessary?
On 2013-04-15 04:23, Geoff Crompton wrote:
> On https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Setup_a_basic_File_Share the instructions say "For the server to be useful you, will need to update it to have at least one share"
> What do you need a file share for the server to be useful? Isn't a domain controller 'useful' to authenticate machines and users even if it doesn't have a file share? I would have thought that this step would be optional, like the NTP step just above it.
> Cheers,
> Geoff

I agree, the step is completely optional, but the NTP config is highly recommended.

Regards
Geza Gemes
Re: [Samba] samba4 rfc2307 practice and confuse
On 2013-04-13 18:49, d tbsky wrote:
> hi:
> I setup a small samba 4.0.5 AD DC server. my client is windows 7 and linux. and I use windows 7 with remote management tools to manage rfc2307 account settings of samba4 DC. I hope my users can use the same account to use windows and linux.
> samba4 DC provision command as below:
> samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive
> and smb.conf global section for samba4 DC below:
> workgroup = DOM
> realm = AD.DOM.COM.TW
> netbios name = DC
> server role = active directory domain controller
> dns forwarder = 10.11.1.254
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> winbind nss info = rfc2307
> under samba4 DC, with getent passwd command, the situation is below:
> 1. the uid and gid are correct. getent group works.
> 2. the shell and homedir is not correct. winbind nss info = rfc2307 is useless, samba4 always use template for shell and homedir. and even worse, if I set template homedir = /home/%U, the %U macro is ignored, so everyone's homedir is just /home/%U. however the default /home/%D/%U is working if you didn't set any template homedir. so not setting any template homedir is the only way you can get under samba4 DC.

Unfortunately the winbind implementation samba as an AD DC uses (the one in the samba binary) is not able to read other posix information from AD other than the uidNumber and gidNumber.

> under other scientific linux 6.4 workstation (comes with samba 3.6.9. I also tried 3.6.13.):
> the global section of smb.conf below:
> workgroup = DOM
> password server = DC.AD.DOM.COM.TW
> realm = AD.DOM.COM.TW
> security = ads
> idmap config *:backend = tdb
> idmap config *:range = 2001-3000
> idmap config DOM:backend = ad
> idmap config DOM:default = yes
> idmap config DOM:range = 1000-2000
> idmap config DOM:schema_mode = rfc2307
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> situation below:
> 1. uid, shell, home are correct from rfc2307. but gid is not. and getent group never works.
> 2. the gid comes from domain account's primary group. so to make my linux client work, I need to set a special domain group, set the group's rfc2307 gid number (I set it to number 1000). and change every user's primary group from domain users to the special domain group, then I can get the correct getent passwd.
> I search sambawiki and email-list, there is very little information about rfc2307 (but many questions and confusion without reply in the email list). so I post my experience here. and I wonder the strange behavior is bug or feature. I wonder what is the original design idea to use rfc2307 under samba 4 domain?
> thanks for advice.

I have read many times complaints like this; it seems that some distributions/releases bundle a version of samba that has some bugs. A similar setup (just the ranges are different) works for me using ubuntu 12.04.

Regards
Geza Gemes

> Regards,
> tbskyd
Re: [Samba] Samba4 member of another « Samba4 » domain
On 2013-04-11 01:14, François Lafont wrote:
> On 10/04/2013 06:59, Gémes Géza wrote:
> > You should check rfc2307 on the samba AD, if your users do not have uidNumber gidNumber attributes they are going to be ignored by the winbind daemon if you specify rfc2307 schema mode on the domain member.
> If I have understood, when I don't use rfc2307 in the dc server (this is the default) and if I don't use rfc2307 in the member server with this config:
> ---
> # No refer to rfc2307.
> [global]
> workgroup = CHEZMOI
> security = ADS
> realm = CHEZMOI.PRIV
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> ---
> It seems to work well, but the uid and the gid of the domain accounts are different between the dc and the member. And if I use the rfc2307, then it's possible to have the same uid and gid on the dc and the member. Is it correct?
> For the moment, I don't succeed in using rfc2307 with a dc and a member.
> Without rfc2307, I think it works well with:
> 1. For the dc:
> ---
> [global]
> workgroup = CHEZMOI
> realm = CHEZMOI.PRIV
> netbios name = WHEEZY-SERVER
> server role = active directory domain controller
> dns forwarder = 212.27.40.241
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
> read only = No
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> ---
> 2. And for the member:
> ---
> [global]
> workgroup = CHEZMOI
> security = ADS
> realm = CHEZMOI.PRIV
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> ---
> It works well (imho), but, for each account, the uid/gid are different between the dc and the member, and I don't like it.
> When I try to use rfc2307, it doesn't work for me (but I should make mistakes). For example, I have tried this:
> 1. On the dc server:
> # samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' --use-rfc2307
> that creates this smb.conf:
> ---
> [global]
> workgroup = CHEZMOI
> realm = CHEZMOI.PRIV
> netbios name = WHEEZY-SERVER
> server role = active directory domain controller
> dns forwarder = 212.27.40.241
> idmap_ldb:use rfc2307 = yes
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
> read only = No
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> ---
> Next, I use winbind in nsswitch.conf in order to resolve the uid/gid -- names.
> 2. On the member, I edit this smb.conf file (found here https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf):
> ---
> [global]
> workgroup = CHEZMOI
> security = ADS
> realm = CHEZMOI.PRIV
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> idmap config CHEZMOI:backend = ad
> idmap config CHEZMOI:schema_mode = rfc2307
> idmap config CHEZMOI:range = 500-4
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> ---
> and I join the server with net ads join (next I use winbind too in nsswitch.conf).
> Next, I create an account in the dc (samba-tool user add test1 --random-password) and, under a Windows station, I edit this account with dsa.msc and I set:
> - the UID attribute in the Unix attributes tab
> - the GID attribute in the Unix attributes tab
> But, the dc and the member seem to ignore this value and, for example, with getent passwd the uid/gid are different for each user between the dc and the member.
> If you have advice or links to install dc and member so that the uid/gid are the same between the dc and the member, it interests me very much. :-)
> Thanks in advance.
> PS: and very sorry for my poor English.

The easiest way to test out rfc2307 would be to provision a new domain with samba-tool domain provision --use-rfc2307
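Two things go wrong silently with the member-server idmap fragments quoted in this thread and in the earlier ones (the 'idmap config DOMAIN:backend = ad' configs posted by tbsky and by Andres Tello): an account whose uidNumber or gidNumber is missing or falls outside the domain's range is simply not mapped, as Geza notes above, and two idmap ranges that overlap can hand the same uid to two different SIDs. The checker below is an added example, not code from the thread; the smb.conf text is modelled on tbsky's member config and the user records are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

IdRange = Tuple[int, int]


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: {section: {key: value}}. Keys are lowercased with
    internal whitespace collapsed, since smb.conf keys are case/space-insensitive."""
    conf: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf


IDMAP_KEY = re.compile(r"^idmap config\s*(\S+?)\s*:\s*(\w+)$")


def idmap_settings(conf: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN:option = value' lines as {DOMAIN: {option: value}}
    (domain names upper-cased; '*' is the default domain)."""
    settings: Dict[str, Dict[str, str]] = {}
    for key, value in conf.get("global", {}).items():
        m = IDMAP_KEY.match(key)
        if m:
            settings.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return settings


def idmap_ranges(settings: Dict[str, Dict[str, str]]) -> Dict[str, IdRange]:
    """Parse each domain's 'range = low-high' into integers."""
    ranges: Dict[str, IdRange] = {}
    for domain, opts in settings.items():
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-", 1))
            ranges[domain] = (low, high)
    return ranges


def overlapping_ranges(ranges: Dict[str, IdRange]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges intersect; they must be disjoint, or the
    same uid/gid can be allocated to two different SIDs."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


# Constructed directory records: (sAMAccountName, uidNumber, gidNumber); None = attribute absent.
User = Tuple[str, Optional[int], Optional[int]]


def ignored_users(settings: Dict[str, Dict[str, str]], users: List[User], domain: str) -> Dict[str, str]:
    """For an 'idmap config DOMAIN:backend = ad' domain, report the accounts winbind
    would not map: uidNumber/gidNumber missing, or a value outside DOMAIN's range."""
    opts = settings.get(domain.upper(), {})
    if opts.get("backend", "").lower() != "ad":
        return {}                      # tdb/rid style backends allocate ids themselves
    ranges = idmap_ranges(settings)
    if domain.upper() not in ranges:
        raise ValueError("no idmap range configured for %s" % domain)
    low, high = ranges[domain.upper()]
    reasons: Dict[str, str] = {}
    for name, uid, gid in users:
        for attr, val in (("uidNumber", uid), ("gidNumber", gid)):
            if val is None:
                reasons[name] = "no %s attribute" % attr
                break
            if not low <= val <= high:
                reasons[name] = "%s %d outside range %d-%d" % (attr, val, low, high)
                break
    return reasons


# Constructed member-server smb.conf, modelled on the fragment quoted in the thread.
MEMBER_SMB_CONF = """\
[global]
workgroup = DOM
realm = AD.DOM.COM.TW
security = ads
idmap config *:backend = tdb
idmap config *:range = 2001-3000
idmap config DOM:backend = ad
idmap config DOM:default = yes
idmap config DOM:range = 1000-2000
idmap config DOM:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
"""

SAMPLE_USERS: List[User] = [("alice", 1500, 1000), ("bob", 2500, 1000), ("carol", None, 1000)]
```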
Re: [Samba] LDAP (Schemas,Users) to Samba4 migration
On 2013-04-09 14:56, alxgrb wrote:
> Thank you for support.
> OK. If one has 10 users, it goes by hand, but we have ca. 110 users. Maybe there is an automatic solution for it?
> --
> View this message in context: http://samba.2283325.n4.nabble.com/LDAP-Schemas-Users-to-Samba4-migration-tp4646168p4646470.html
> Sent from the Samba - General mailing list archive at Nabble.com.

The problem is: if you have users with only posixAccount (or similar) objectClasses (without samba 3.x aka classic attributes) you could add them by an ldapsearch ldbadd based script, but you won't be able to transfer the passwords, as OpenLDAP (with posixAccount and similar objectClasses) uses a differently encrypted userPassword attribute than Samba as an AD controller (kerberos keys) can use. As the passwords are one way encrypted, without having an NTPassword attribute (which corresponds to an arcfour-hmac-md5 enctype) you will lose the password during migration.

Regards
Geza Gemes
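To make the one-way problem concrete: an OpenLDAP {SSHA} userPassword can be checked against a candidate but never transformed into anything else, while the arcfour-hmac-md5 key AD keeps is MD4 over the UTF-16LE cleartext (the NT hash), so the only ways to carry an account over with its password are to have the cleartext (for example captured by a password-change hook run before the cut-over) or to issue new passwords. The Python below is an added example, not code from the thread; the sample entry, its salt and password are constructed, and MD4 is spelled out because OpenSSL 3 often ships it only as a legacy algorithm.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in plain Python, used because hashlib.new('md4') is
    frequently unavailable with OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                  # round 1: words in order
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                  # round 2: words 0,4,8,12,1,5,9,13,...
            a = rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                  # round 3: words 0,8,4,12,2,10,6,14,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4_hmac_key(password: str) -> bytes:
    """The arcfour-hmac-md5 Kerberos key AD stores for a user: MD4 over the
    UTF-16LE cleartext, i.e. the NT hash. Only derivable from the cleartext."""
    return md4(password.encode("utf-16-le"))


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate against an {SSHA} value. This is all the stored hash
    permits: it can confirm a password, never be converted into another hash of it."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def migrate_account(entry: Dict[str, str], cleartext: Optional[str]) -> Dict[str, str]:
    """Outcome of moving one posixAccount entry to AD. Without the cleartext the
    password is lost and the user has to be issued a new one."""
    if cleartext is None:
        return {"uid": entry["uid"], "status": "password lost",
                "reason": "userPassword is one-way; no arcfour-hmac-md5 key can be derived from it"}
    if not verify_ssha(entry["userPassword"], cleartext):
        return {"uid": entry["uid"], "status": "rejected",
                "reason": "cleartext does not match userPassword"}
    return {"uid": entry["uid"], "status": "migrated",
            "rc4_hmac_key": rc4_hmac_key(cleartext).hex()}


# Constructed sample entry (fixed salt so the value is reproducible).
SAMPLE_ENTRY = {"uid": "alice", "userPassword": make_ssha("Tr0ub4dor&3", b"\x00\x01\x02\x03")}
```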
Re: [Samba] Samba4 member of another « Samba4 » domain
On 2013-04-10 01:32, François Lafont wrote:
> On 09/04/2013 09:34, Matthieu Patou wrote:
> > On 08/04/2013 01:37, Matthieu Patou wrote:
> > > Then, in the DC server, I have done:
> > > ---
> > > samba-tool domain provision # I keep the default answers each time, seems to work fine
> > > # 192.168.0.21 = IP of DC server which are DNS server (internal DNS)
> > > echo nameserver 192.168.0.21 > /etc/resolv.conf
> > > ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> > > ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> > > vi /etc/nsswitch.conf # add winbind for passwd and group
> > > ldconfig
> > > samba
> > > ---
> > > [...]
> > > ---
> > > echo nameserver 192.168.0.21 > /etc/resolv.conf
> > > samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
> > > ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> > > ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> > > vi /etc/nsswitch.conf # add winbind for passwd and group
> > > ldconfig
> > > vi /usr/local/samba/etc/smb.conf # see below
> > > smbd
> > > nmbd
> > > winbindd -i -d 10
> > > ---
> > > And boom! I have the same error which I have described in my previous message. The winbindd command is stopped.
> > > [...]
> > Are you sure that the two hosts have a different name as you are creating everything from the same base?
> Yes I'm absolutely sure because the names of the 2 servers have been set *during* the installation with a netinstall CD:
> - hostname == wheezy-server for the DC server
> - hostname == wheezy-2 for the MEMBER server
> > Also could you do a net join -d 10 and attach the secrets.tdb after the first join?
> Yes, no problem. But, you suggest I use this command:
> net ads join -d 10 -U administrator
> I would like to understand. For joining a member server in a domain (with a Samba4 DC), which command should I use:
> 1. net ads join -U administrator
> or
> 2. samba-tool domain join chezmoi.priv member -U administrator
> ?
> So, if I understand well, you ask me to try the first command (net ads join) with the -d 10 option.
> Here: http://sisco.laf.free.fr/codes/samba4.zip
> you'll find the output of the join command in debug mode and the secrets.*db files (before and after the join, in the member server and in the dc server):
> - with the net ads join -U administrator -d 10 command
> - and with the samba-tool domain join chezmoi.priv MEMBER -U administrator command
> > if so for the new user did you set the needed attributes?
> I have just run:
> samba-tool user add test12 --random-password
> That's all. Which are the needed attributes?
> > When you specify rfc2307 winbindd expects to use uidNumber and gidNumber in order to convert the SID to uid/gid, hence the error message.
> But is the rfc2307 option in smb.conf really mandatory?
> 1. For example, when I install a simple Samba4 DC like this:
> ---
> samba-tool domain provision # I keep the default answers each time
> echo nameserver 192.168.0.21 > /etc/resolv.conf # The DNS is the DC itself
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind for passwd and group
> ldconfig
> samba
> ---
> It seems to work fine. getent passwd, wbinfo -u, wbinfo -i user1, wbinfo -n=user1 are OK, yet there is no rfc2307 string in the default smb.conf file.
> 2. Another example. I have installed a member server like this (member of a Samba4 DC, I have no Windows server):
> ---
> vi /usr/local/samba/etc/smb.conf # see below for the smb.conf file
> vi /usr/local/samba/etc/smb.conf # The DC is the DNS server
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind
> ldconfig
> net ads join -U administrator
> smbd
> nmbd
> winbindd
> ---
> with this smb.conf file:
> ---
> # No refer to rfc2307.
> [global]
> workgroup = CHEZMOI
> security = ADS
> realm = CHEZMOI.PRIV
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> ---
> and the member server seems to work fine. If I create a user toto on the DC:
> samba-tool user add toto --random-password
> In the member, I have:
> root@member:~# wbinfo -i toto
> toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false
> root@member:~# wbinfo -n=toto
> S-1-5-21-1430849794-1775759099-2616264933-1112 SID_USER (1)
> The only problem that I see,
Re: [Samba] ClassicUpgrade = EpicFail
On 2013-04-05 21:47, Jon Detert wrote:

ClassicUpgrade of my samba3 data to samba4 fails, with this error:
ERROR(<class 'passdb.error'>): uncaught exception - Unable to get id for sid

Full log of the classicupgrade is at the end of this email. Project member on this list, Andrew Bartlett, wrote that the issue is probably that my Samba 3 passdb was passable in an NT 4 DC mode, but is actually 'invalid':

The big issue here is that passdb has never had a 'fsck', and Samba operates quite well as a 'classic' DC with an almost totally invalid database! As to what has happened in your particular instance, could you please post me the output of ldbdump private/idmap.ldb?

I did post that, and will do so again, at the end of this email. Assuming that the problem is my samba3 passdb.tdb data, what can I do to get on with the upgrade? My passdb is small-ish: 927 keys, according to this command, using samba3 binaries:
tdbtool passdb.db keys | wc -l

Is it feasible for me to manually 'fsck' my passdb.db? Just looking at the output of tdbtool, it appears that there are 3 different kinds of keys:
1) RID_<8 character hex code>; e.g. RID_0c54
2) USER_<machine name>; e.g. USER_mailserver$
3) USER_<username>; e.g. USER_jdoe
There are 463 RID_ keys, and 463 USER_ keys. That makes me think that there's supposed to be a RID_ key for each USER_ key.
On that assumption, I did this to compare:

1) get sorted list of names appearing to be associated to RID_ keys:
tdbtool passdb.tdb dump | perl -ne 'if (/^(RID_\S+)/) { $rid = $1; $count = 0; } else { $count++; if ($count == 2 && /^\[\w+\]\s+(\w\w\s\s*)+(\w{3,}.*)$/) { $name = $2; $name =~ s/\s//g; print "$name\n"; } }' | sort > RID-names

2) get sorted list of names from USER_ keys:
tdbtool passdb.tdb keys | grep USER | sed 's/USER_//' | sort > USER-names

3) compare the 2 lists:
diff USER-names RID-names
6c6
< a758b$
---
> a758$
147d146
< foo-0m1onzr8h2a$
175,176d173
< is-conference$
< is-contractor$
244a242
> kstachowiak$
270d267
< lwilcott$
421a419
> termservbill$
424a423
> termservdev$
450d448
< tthomas

There are diffs. I.e. there is a USER_ key for machine a758b, but no associated RID_ key. There are RID_ keys for 4 machine accounts (a758$, kstachowiak$, termservbill$, termservdev$) that have no USER_ keys. Etc. Are these diffs indicative of problems that would cause the Classic Upgrade to fail? If so, can I use pdbedit to remove these problems from my samba3 passdb.tdb?

Thanks, Jon

p.s.
The full classic upgrade log, with log level set to 3:

classicUpgradeLog
Reading smb.conf
Processing section [netlogon]
Processing section [homes]
Processing section [hr]
Processing section [is]
Processing section [billing]
Processing section [names]
Processing section [changed]
Processing section [to]
Processing section [protect]
Processing section [the]
Processing section [innocent]
Processing section [is_helpdesk]
Processing section [ISContractsAndLicenses]
Processing section [unsecure]
Processing section [names]
Processing section [changed]
Processing section [spaceplan]
Processing section [dr]
Processing section [to]
Processing section [hr_scan]
Processing section [ar]
Processing section [minutes]
Processing section [meeting_08_05]
Processing section [meeting_08_18]
Processing section [hr_analyst]
Processing section [hr_payroll]
Processing section [protect]
Processing section [financial_systems]
Processing section [is_files]
Processing section [valuation_model]
Processing section [the]
Processing section [innocent]
Processing section [bla]
Processing section [is_technical_services]
Processing section [bla bla]
Processing section [bla bla bla]
Processing section [bla bla bla bla]
Processing section [is_billing_files]
Processing section [lawson_project]
Processing section [jklsdfjklsdf]
Processing section [sdfsdfa]
Processing section [fax]
Processing section [werwer]
Processing section [anesth_coding]
Processing section [is_crystal_reports]
Processing section [7iiio]
Processing section [uiui]
Processing section [asdasdasd]
Provisioning
Exporting account policy
Exporting groups
Exporting users
<snip>
I omitted a whole bunch of lines from this output like the following, in order to remove sensitive names.
</snip>
Ignoring group memberships of 'helpstar-phone$' S-1-5-21-4219228698-1431711829-1578001372-2776: Unable to enumerate group memberships, (-1073741724,No such user)
Demoting BDC account trust for mobius, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Ignoring group memberships of 'mrad$' S-1-5-21-4219228698-1431711829-1578001372-2952: Unable to enumerate group memberships, (-1073741724,No such user)
Next rid = 3689
Exporting posix attributes
Reading WINS database
Cannot open wins database, Ignoring: [Errno 2] No such file or directory: '/usr/local/mobius/var/wins.dat'
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file /usr/local/samba/etc/smb.conf
Re: [Samba] SAMBA4: pdbedit not changing SID
On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:

Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:
/usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' --server-role=dc \
    --dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID. Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.

Hi,

Trying to add users one by one (preserving SID) is IMHO a lot harder to do (you would probably need to ldbmodify the user record of each one) than fixing your samba3 install to have it classicupgraded.

Regards Geza Gemes
Re: [Samba] SAMBA4: pdbedit not changing SID
On 2013-04-02 05:35, simon+sa...@matthews.eu wrote:
On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:
On Tue, 2 Apr 2013, Andrew Bartlett wrote:
On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:

Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:
/usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' --server-role=dc \
    --dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID. Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.

Hi, Trying to add users one by one (preserving SID) is IMHO a lot harder to do (you would probably need to ldbmodify the user record of each one) than fixing your samba3 install to have it classicupgraded.

Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'.

Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again.

I went back to trying to get the classicupgrade to work:
/usr/local/samba/bin/samba-tool domain classicupgrade \
    --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b \
    /etc/samba/smb.conf --use-xattrs=yes

For the realm, I used a subdomain of one of the two existing dns domains in the LAN.

It appears to be processing the information from the old domain tdb files, although I see some errors:
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Importing groups
Could not add group name=Remote Desktop Users ((68, samldb: Account name (sAMAccountName) 'Remote Desktop Users' already in use!))
Could not modify AD idmap entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

However, after this, all I get from pdbedit -L is:
# pdbedit -L
RAIDSERVER$:4294967295:
Administrator:4294967295:
[root@samba ~]# pdbedit -L
RAIDSERVER$:4294967295:
Administrator:4294967295:
krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b /etc/samba/smb.conf
nobody:99:Nobody

Any ideas? What information might help debug this?

Simon

Could this happen because pdbedit is from the samba3 install? I recommend doing the upgrade on a new box/virtual machine where no samba3 is installed, and copying the tdb files to the new box.

Regards Geza Gemes
Re: [Samba] Samba4 Dc Winbind and uidNumbers
Hi,

On Wed, Mar 27, 2013 at 6:14 AM, Jim Potter <jimchuf...@googlemail.com> wrote:

Hi all, I'm trying to get the unix extensions working in AD. I'm obviously missing something, but I can't see what... I've just created user Jim (using ADUC) and added a uidnumber (using ADSIEdit). From this and what I have below, user Jim should have a uidNumber of 12345 (from AD) and not be prefixed with the domain name. This isn't happening. Does anyone have any idea why not?
cheers, Jim

Excerpt from getent passwd:
saned:x:110:117::/home/saned:/bin/false
FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false
FASTFOOD\Guest:*:311:312::/home/FASTFOOD/Guest:/bin/false
FASTFOOD\krbtgt:*:316:100::/home/FASTFOOD/krbtgt:/bin/false
FASTFOOD\jim:*:319:100:Jim Chu:/home/FASTFOOD/jim:/bin/false

smb.conf:
[global]
workgroup = FASTFOOD
realm = FASTFOOD.LAN
netbios name = CHIPSHOP
server role = active directory domain controller
dns forwarder = 62.24.199.13
log level = 3
algorithmic rid base = 1
idmap config * : range = 50001-6
idmap config * : backend = ad
idmap config FASTFOOD : range = 1-5
idmap config FASTFOOD : backend = ad

Hello Jim, Try adding these lines. If this doesn't work, I think you're being bitten by a known bug specific to this setup on an S4 DC. Andrew wrote a patch back in Nov-Dec, but it may not have made it into the codebase. Let me know if that doesn't work and I'll try to find that thread. I'm pretty sure someone came up with a work around.

idmap config FASTFOOD : schema_mode = rfc2307
idmap config FASTFOOD : default = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
winbind use default domain = yes

[netlogon]
path = /var/lib/samba/sysvol/fastfood.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No

My user from AD:
dn: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jim Chu
sn: Chu
givenName: Jim
instanceType: 4
whenCreated: 20130317212551.0Z
displayName: Jim Chu
uSNCreated: 3873
name: Jim Chu
objectGUID:: hXvFCY0pTUeIgltTLbnOcQ==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAUVbDu04eltc/ij6yQSUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: jim
sAMAccountType: 805306368
userPrincipalName: j...@fastfood.lan
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fastfood,DC=lan
pwdLastSet: 13008029152000
userAccountControl: 66048
uidNumber: 12345
whenChanged: 20130317212824.0Z
uSNChanged: 3877
distinguishedName: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan

If you are running samba 4 as an AD DC (that is, if you specify: server role = active directory domain controller) you will need to configure winbind inside the samba binary. The settings you have are obeyed by the winbind binary, which should be run e.g. on a member server, so you need to replace them with:
idmap_ldb:use rfc2307 = yes
That is the only setting (it defaults to no) which can affect winbind behavior on an AD DC.

Regards Geza Gemes
Re: [Samba] Samba4 home share problem
Hi,

Hi, I have installed Samba4 and the home share functionality is not working.
Samba version: 4.0.1
OS: Debian Squeeze
Kernel: 2.6.32-5-amd64

The smb.conf:
[global]
workgroup = TESZT
realm = TESZT.HU
netbios name = FILESERVER
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes
log level = 3
syslog = 3
syslog only = yes
logon path =
# logon home = \\fileserver\homes\%U
logon drive = H:
logon script = %U.cmd
[netlogon]
path = /opt/samba4/var/lib/samba/sysvol/fileserver.teszt.hu/scripts
read only = No
[sysvol]
path = /opt/samba4/var/lib/samba/sysvol
read only = No
[homes]
path = /home
read only = no

After a net use h: /home command on the client I get this: System error 53 has occurred. The network path was not found. The user I try: Administrator and the client OS is Windows XP Pro. I think the rights on the server are ok. When I try to set the home for Administrator in AD I get the answer: The system could not create the startfolder (\\fileserver\homes\Administrator), because it can't find the path. Is there anybody who can use this functionality? Please help.

Thanks for the replies.
Chris

Samba 4.0.x has two operation modes:
1. Active directory domain controller
2. Member or standalone server (or classic (NT4 style) domain controller)

2. behaves the same way (regarding shares) as Samba 3.x.y. 1. has some limitations in this regard, for example the missing home metashare (in 3.x.y you shouldn't specify a path as it would be deduced based on the connected user's home directory). You could emulate a behavior similar to the 3.x.y one with the AD mode if you specify hide unreadable = yes and set the folder rights for each home directory accordingly.

As a sidenote: 4.0.1 is quite old, especially if you want to run your AD DC as a fileserver; at least 4.0.4 is recommended.

Regards Geza Gemes
Re: [Samba] Fwd: kerberos
On 2013-03-09 15:49, Saad Benateigha wrote:

Sorry

- Forwarded Message -
From: Saad Benateigha <sbenatei...@geomega.com>
To: Andrew Bartlett <abart...@samba.org>
Sent: Friday, March 8, 2013 4:09:36 PM
Subject: Re: [Samba] kerberos

Andrew: I have found some information in the Samba and beyond, and this is what I did:
# samba-tool user create postgres-servername
# samba-tool spn add postgres/servername.domain_name@REALM postgres-servername

The following command:
# samba-tool domain exportkeytab /root/krb5.keytab --principal=postgres/servername.domain_name@REALM
generates the following exception:
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 103, in run
    net.export_keytab(keytab=keytab, principal=principal)

What did I do?
Saad

- Forwarded Message -
From: Saad Benateigha <sbenatei...@geomega.com>
To: Ricky Nance <ricky.na...@weaubleau.k12.mo.us>
Sent: Friday, March 8, 2013 1:08:34 PM
Subject: Re: [Samba] kerberos

Thank you for that. I was wondering if anyone has created a service principal for postgresql?
S.

- Forwarded Message -
From: Ricky Nance <ricky.na...@weaubleau.k12.mo.us>
To: Andrew Bartlett <abart...@samba.org>
Cc: Saad Benateigha <sbenatei...@geomega.com>, samba@lists.samba.org
Sent: Friday, March 8, 2013 5:37:36 AM
Subject: Re: [Samba] kerberos

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO_TEMP#Samba_AD_management may be of help.
Ricky

On Fri, Mar 8, 2013 at 12:53 AM, Andrew Bartlett <abart...@samba.org> wrote:
On Wed, 2013-03-06 at 14:18 -0700, Saad Benateigha wrote:
I am having a problem using kerberos. I have installed samba4, and it appears to work correctly. However I want to create a service principal and every time I try to use kadmin -p admin I get this error:
Database error! Required KADM5 principal missing while initializing kadmin interface
What am I doing wrong? Is there another command since Samba4 has its own kerberos? Please shed some light on my dilemma.

Correct, you cannot use kadmin against a Samba AD DC. We do not provide this interface. See samba-tool to manage your AD users.
Andrew Bartlett

Hi,

Just out of memory: Have you tried:
samba-tool domain exportkeytab /root/krb5.keytab --principal=postgres/servername.domain_name
without the @REALM part?

Regards Geza Gemes
Re: [Samba] Samba4: Extending the Schema
On 2013-02-14 06:42, Fabian von Romberg wrote:

Hi Bob, could you please share the link where you found in google how to enable it.
Regards, Fabian

Hi,

You are probably looking for: http://technet.microsoft.com/en-us/library/cc737499%28v=ws.10%29.aspx

Regards Geza Gemes
Re: [Samba] Extend Samba4 Schema Scope
On 2013-02-13 06:20, Vijay Thakur wrote:

Hi All Experts, I am about to extend our production Samba4 schema to add a few intra-organizational attributes (Employee ID, Passport No., Date of Joining, Date of Leaving). How can I make the change in my samba4 schema? I have already made a post in the forum, but got no reply. Sorry for posting again. But precautions should be taken to prevent the server from any damage. Kindly help.
With Warm Regards, Vijay Thakur

Hi,

First of all I suggest setting up a test domain (preferably holding the same data as the production one, but on a physically separated network), then trying to load the schema mods on that test system. If everything goes fine then apply it to the prod network; if not, come back with the errors. As a starting point I suggest the thread starting with https://lists.samba.org/archive/samba/2013-February/171523.html

Regards Geza Gemes
Re: [Samba] Samba4: Extending the Schema
On 2013-02-11 20:04, Varoujan Avanessians wrote:

Hi, We are thinking of developing a corporate directory application that would pull user information from Samba4 AD. However for our needs we need some additional user attributes that don't seem to be available as part of the AD schema, such as Hire Date or Emergency contact information, so it seems to me that I would need to extend the schema to make these user attributes available. My question is: Can this be done? And if so, has anyone done something similar and can direct me to the right place for information? Any help is greatly appreciated.

Hi,

As a jump-start: https://wiki.samba.org/index.php/Samba4/Schema_extenstions

Regards Geza Gemes
Re: [Samba] generate keytab
Hi,

Hi, does not http.keytab. exported thus:
$ samba-tool domain exportkeytab http.keytab --principal=HTTP/ejbca.nisled@nisled.org

output line:
# klist -ke http.keytab
Keytab name: WRFILE:http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/ejbca.nisled@nisled.org (des-cbc-crc)
   2 HTTP/ejbca.nisled@nisled.org (des-cbc-md5)
   2 HTTP/ejbca.nisled@nisled.org (arcfour-hmac)

kinit:
# kinit -k -e http.keytab http-ejbca
kinit: Key table entry not found while getting initial credentials

Prof. Msc. Clodonil H. Trigo
www.nisled.org
E-mail: clodo...@nisled.org
Classification: ( ) Confidential (X) Internal
The information contained in this message and its attachments is intended solely for those to whom it is addressed and may be confidential; its retention, distribution, disclosure, reproduction or use is therefore prohibited under penalty of law. If you have received this message in error, please inform its author and delete it from your inbox, records or control system.

Your kinit line is invalid. If you've exported HTTP/ejbca.nisled@nisled.org, you should kinit (using the keytab) as it:
kinit -k -e http.keytab HTTP/ejbca.nisled.org
(supposing that NISLED.ORG is your default domain), as there were no keytab entries for http-ejbca (even if they are the same on the KDC, being only an SPN for each other).

Regards Geza Gemes
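The failure in the exchange above, as an added example that is not part of the original thread and not Samba or MIT code: a small parser for the output of klist -ke that checks whether the principal handed to kinit actually exists in the keytab before kinit is run. The klist text is the sample posted in this thread, embedded as constructed input; the default-realm values passed to the functions are assumptions for illustration. Two caveats a practitioner would want here: principal matching is exact and case-sensitive, realm included (HTTP/ejbca.nisled@nisled.org and HTTP/ejbca.nisled@NISLED.ORG are different principals), and in both MIT and Heimdal kinit the keytab file is given with -t while -e selects encryption types, so the keytab login for this entry is kinit -k -t http.keytab HTTP/ejbca.nisled@nisled.org. Also, the two single-DES keys listed are refused by default by MIT Kerberos unless allow_weak_crypto is enabled, which the check below reports separately from a missing principal.

```python
"""Added example (not from the thread): check a principal against a keytab
listing from 'klist -ke', the way kinit -k will look it up."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the 'klist -ke http.keytab' output posted above.
SAMPLE_KLIST = """\
Keytab name: WRFILE:http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/ejbca.nisled@nisled.org (des-cbc-crc)
   2 HTTP/ejbca.nisled@nisled.org (des-cbc-md5)
   2 HTTP/ejbca.nisled@nisled.org (arcfour-hmac)
"""

# Single-DES enctypes are disabled by default in MIT Kerberos
# (allow_weak_crypto = false); a keytab holding only these keys fails even
# when the principal name matches.
WEAK_ENCTYPES = frozenset({"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"})

# One entry line: KVNO, principal, enctype in parentheses. Newer klist prints
# labels such as "(DEPRECATED:arcfour-hmac)"; the label is kept and stripped
# later when the enctype is classified.
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str


def parse_klist(text: str) -> list[KeytabEntry]:
    """Extract (kvno, principal, enctype) rows; header lines do not match."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def canonical_principal(name: str, default_realm: str) -> str:
    """Append the default realm when the name has none, as kinit does.
    Nothing is lower- or upper-cased: realm comparison is case-sensitive."""
    return name if "@" in name else f"{name}@{default_realm}"


def find_keys(entries: list[KeytabEntry], principal: str, default_realm: str) -> list[KeytabEntry]:
    """All keytab entries whose principal equals the requested one exactly."""
    want = canonical_principal(principal, default_realm)
    return [e for e in entries if e.principal == want]


def usable_keys(entries: list[KeytabEntry], principal: str, default_realm: str) -> list[KeytabEntry]:
    """Matching entries minus those with enctypes a default MIT client refuses."""
    return [e for e in find_keys(entries, principal, default_realm)
            if e.enctype.split(":")[-1] not in WEAK_ENCTYPES]


def diagnose(entries: list[KeytabEntry], principal: str, default_realm: str) -> str:
    """Explain, before running kinit, why 'kinit -k -t' would fail or succeed."""
    want = canonical_principal(principal, default_realm)
    if not find_keys(entries, principal, default_realm):
        return f"no entry for {want} (kinit: Key table entry not found)"
    if not usable_keys(entries, principal, default_realm):
        return f"{want} has only weak enctypes; enable allow_weak_crypto or re-export"
    return f"ok: {want}"


if __name__ == "__main__":
    keys = parse_klist(SAMPLE_KLIST)
    # The thread's kinit asked for the user name, not the SPN in the keytab.
    print(diagnose(keys, "http-ejbca", "nisled.org"))
    print(diagnose(keys, "HTTP/ejbca.nisled", "nisled.org"))
    print(diagnose(keys, "HTTP/ejbca.nisled", "NISLED.ORG"))
```

Run against a live keytab with `klist -ke http.keytab | python3 keytab_check.py` after replacing SAMPLE_KLIST with sys.stdin.read(); the script name is an assumption. The third diagnose call shows why Géza's hint only works if the default realm in krb5.conf is spelled exactly as in the keytab entry.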
Re: [Samba] Samba4 Winbind - is it really not possible to be sensible?
On 2013-01-25 20:43, Rob McCorkell wrote:

Samba3 allowed for the setting of idmaps and passdb backends to configure how users were pulled in. This made integrating with existing LDAP databases, or other forms of authentication, easy, since Samba could be configured to present the same UID and GID as directly from the [insert other auth method here] system. All was good.

Unfortunately Samba4 seems to have removed much of that functionality. I understand that in an AD context, passdb backend doesn't really make very much sense, so removing that was fair. What I do not understand is why Winbind cannot be configured to use certain idmaps, more specifically the RID mapping. This would make it significantly easier to integrate LDAP authenticating clients into Samba4, for example using nslcd to map the UIDs and GIDs. The current implementation is forced into using allocated *IDs, which are not consistent across machines. But all in all this is not a big problem, since although machines get different *IDs, they use the CIFS protocol which uses usernames instead, so each machine knows who a user is.

The problem is when a server that runs Samba4 as a file server uses LDAP to get user information. When a client connects, Samba4 the user UID which is allocated. Samba4 then finds the home share, but since the UID on the home share (dutifully mapped by nslcd from the RID on the end of the objectSid) doesn't match the allocated one, it refuses access.

All that nslcd does in this case is map a UID to the RID from the objectSid in LDAP. This is a very simple mapping - just get the end of the string, where the first bit is the domain SID. Samba3 supported RID mapping in this fashion, but I do not understand why this was not ported across to Samba4. It would only change the UIDs and GIDs as seen by Samba, which as far as I know are used very little within Samba, where the objectSid is used instead.

Of course, it could be that I have a massive misunderstanding of the internals of Samba4, and there is a reason why this functionality wasn't brought across.

Rob

If you provision/run with idmap_ldb:use rfc2307 then you can assign each user/group a uidNumber/gidNumber which then is/can be obeyed by samba/nslcd.

Regards Geza Gemes
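The objectSid-to-RID step that Rob describes nslcd doing (and that a RID-based idmap does), as an added example that is not code from the thread or from Samba or nslcd. It converts between the binary layout AD stores in objectSid (the base64 value shown by ldbsearch earlier on this page) and the S-1-5-21-... string, takes the last sub-authority as the RID, and maps it to an id as base + RID. The sample SID is the one wbinfo -n printed for user toto earlier on this page; the DOMAIN_SID and ID_BASE values, and the base64 constant derived from that SID, are assumptions of this example. The domain check in rid_to_id is the caveat worth keeping: a RID is only unique within one domain, so a mapping that ignores the domain part would give a foreign-domain or well-known SID with the same RID the same uid as a local user.

```python
"""Added example (not from the thread): objectSid <-> SID string, RID
extraction, and a RID-based uid mapping scoped to one domain."""
from __future__ import annotations

import base64
import struct

# Sample taken from the thread: the SID that 'wbinfo -n toto' printed.
SAMPLE_SID = "S-1-5-21-1430849794-1775759099-2616264933-1112"
# The same SID in the base64 form ldbsearch shows for objectSid:: (constructed
# from SAMPLE_SID for this example, not copied from the thread).
SAMPLE_OBJECTSID_B64 = "AQUAAAAAAAUVAAAAAglJVfvu12nlCPGbWAQAAA=="
# Assumed: the only domain this mapping serves, and the uid offset for its RIDs.
DOMAIN_SID = "S-1-5-21-1430849794-1775759099-2616264933"
ID_BASE = 70000


def sid_to_bytes(sid: str) -> bytes:
    """Encode S-R-A-s1-...-sn as AD stores it: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority,
    then each sub-authority as a 32-bit little-endian integer."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 < len(subs) <= 15:
        raise ValueError(f"unsupported SID: {sid!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_from_bytes(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with the length checks a parser of
    directory data must make before trusting the sub-authority count."""
    if len(raw) < 8:
        raise ValueError("SID blob too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_from_ldif(b64: str) -> str:
    """The value after 'objectSid::' in ldbsearch output -> string form."""
    return sid_from_bytes(base64.b64decode(b64))


def split_rid(sid: str) -> tuple[str, int]:
    """(domain SID, RID): the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rid_to_id(sid: str, domain_sid: str = DOMAIN_SID, base: int = ID_BASE) -> int:
    """RID-based mapping: id = base + RID, only for SIDs of the expected domain.
    Refusing other domains is what keeps e.g. S-1-5-32-544 (BUILTIN\\Administrators)
    or a trusted domain's RID 1112 from colliding with a local user's id."""
    domain, rid = split_rid(sid)
    if domain != domain_sid:
        raise ValueError(f"{sid} is not in domain {domain_sid}")
    return base + rid


if __name__ == "__main__":
    blob = sid_to_bytes(SAMPLE_SID)
    print(base64.b64encode(blob).decode())
    print(sid_from_ldif(SAMPLE_OBJECTSID_B64), "->", rid_to_id(SAMPLE_SID))
```

With ID_BASE = 70000 the sample maps to 71112, whereas the tdb allocator in the member-server smb.conf earlier on this page handed out 70011: the two schemes agree only if every machine uses the same RID-based rule, which is the consistency Rob is asking for.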
Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
On 2013-01-22 15:52, Fred F wrote:

Hi, I am still experimenting with Samba 4 and I'd like to serve both Windows and Linux clients with Samba (standalone AD server). The Windows side is already working well. For serving Linux clients I need to store the users' uidNumber and gidNumber in the Active Directory. This is how I do that:
1. Create a user test with samba-tool
2. Get the internal UID which was assigned to this user by Samba through wbinfo
3. Add the UID to CN=test,CN=Users,CN=DOMAIN as uidNumber
4. Add gidNumber=100 (Domain Users) to CN=test,CN=Users,CN=DOMAIN

With the correct nss_ldap setup (mainly attribute mappings) the Linux boxes can now get their passwd/shadow/group information directly from AD. The Linux user now has the exact same attributes and groups as the Windows user. Now the issue is that Samba needs a group with the same gidNumber as the uidNumber for each user to work correctly in this setup (see why in #9521 [1]). The only logical way of doing that is storing this gidNumber as the user's primary group in the AD. This way the user loses the membership in the group Domain Users (gidNumber 100), though - at least on the Linux side. Are there any thoughts on how to solve this? Is this maybe a Samba issue or is my setup just wrong?

Regards, Frederik
[1] https://bugzilla.samba.org/show_bug.cgi?id=9521

I don't agree, because users can be members of multiple groups, not just the group identified as their primary group.

Regards Geza Gemes
Re: [Samba] Samba4 Key Management Server; DNS Failure To Register
On 2013-01-04 21:18, Adam Tauno Williams wrote:

I have Microsoft Key Management server on a Windows 2003 server - joined to my new Samba4 AD domain. But the KMS is not available. In the event log it says:
Event Type: Error
Event Source: Software Licensing Service
Event Category: None
Event ID: 12293
Date: 1/4/2013
Time: 3:05:38 PM
User: N/A
Computer: IPECACA
Description: Publishing the Key Management Service (KMS) to DNS in the 'micore.us' domain failed. Info: hr=0x80072338
Our Samba4 DC is using the Internal DNS.

As a workaround I would suggest adding the DNS entries manually or disabling DNS autoregistration of the kms service as described in: http://technet.microsoft.com/en-us/library/ff793405.aspx

Regards Geza Gemes
Re: [Samba] Samba4 - Bind Config with DHCP
First: please keep discussion on list.

On 2012-12-03 02:24, Jorell wrote:
On 12/2/2012 7:32 AM, Hleb Valoshka wrote:
On 11/23/12, Joubert, Dawie <dawie.joub...@rhdhv.com> wrote:
My question is thus: How can I make Samba4 update the DNS entries and allow DHCP to update the entries?
Somebody should add this link to howto :) http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
Secondly, is this even necessary with the AD type domain?
dunno
I don't see how updating a M$ DNS server applies here.
M$ DNS server (if AD integrated) uses the same RPC management protocol which is implemented by the dnsserver dcerpc endpoint server running by default inside the samba binary.
I haven't used a recent build of Samba 4.0 but samba used to create a bind.conf file on creating the domain. If you merge the two you should be able to get everything working.
Regards Geza Gemes
That is very useful to know, but he said BIND. Would that still apply?

Yes, it applies regardless of the DNS server (the program listening on port 53) because it manipulates the data underneath. So it should apply to both the samba internal DNS server and bind (with the dlz plugin) as well.

Regards Geza Gemes
Re: [Samba] Samba4 Classicupgrade Failed
On 2012-12-04 05:46, Mario Codeniera wrote:

Upgrading on a New Server (Running on Centos 6.3, OpenLDAP 2.4.23, migrated the data from the existing server). I don't know where to fix it; could someone give some idea of how it works?

[root@gaara samba]# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/home/ambot/Downloads/var/lib/samba --use-xattrs=yes --realm=ewanko.local /etc/samba/smb.conf
Reading smb.conf
WARNING: Ignoring invalid value 'cups' for parameter 'printing'
Provisioning
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'NoneType' object has no attribute 'strip'
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 600, in upgrade_from_samba3
    ldappass = (secrets_db.get_ldap_bind_pw(ldapuser)).strip('\x00')

On Tue, Dec 4, 2012 at 3:21 PM, Mario Codeniera <mario.codeni...@gmail.com> wrote:

Hi, I am stuck on upgrading the current Samba3 to Samba4; currently I use Samba 3.3.10 and upgraded to Samba 3.4.17, still the same problems below. I also tried to upgrade Python 2.4.3 to Python 2.7, still the same problems, with OpenLDAP 2.3.43.

[root@ewanko]# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/var/lib/samba/ --use-xattrs=yes --realm=ewanko.local /etc/samba/smb.conf
ERROR(exceptions.TypeError): uncaught exception - __init__() got an unexpected keyword argument 'epilog'
  File "/usr/local/samba/bin/samba-tool", line 44, in ?
    retval = cmd._run("samba-tool", subcommand, *args)
  File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/__init__.py", line 201, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/__init__.py", line 201, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/__init__.py", line 142, in _run
    parser, optiongroups = self._create_parser(argv[0])
  File "/usr/local/samba/lib/python2.4/site-packages/samba/netcmd/__init__.py", line 130, in _create_parser
    prog=prog,epilog=epilog)

Are there any links for those who successfully upgraded their samba 3 to samba 4?

Regards, Mario

It seems that it couldn't find secrets.tdb to read the password to bind to ldap with.

Regards Geza Gemes
Re: [Samba] NIS to SAMBA4 Migration
Hi, I am also struggling to find up to date information on using Samba 4 with linux clients. I have managed to get the RFC 2307 fields by installing the 'NIS tools' feature on a W2k8 DC, and creating a 'NIS domain'. Previously I could see the fields, but could not select a NIS domain in the ADUC tool to make the RFC 2307 fields enabled. I was successful in using Samba4 AD with Ubuntu 12.04 (precise) clients using winbind (in nsswitch and pam) and kerberos (pam-krb5) the relevant changes (to the default config are): /etc/krb5.conf proxiable = false /etc/samba/smb.conf workgroup = YOUR_WORKGROUP realm = YOUR_REALM kerberos method = system keytab security = ads winbind enum groups = yes winbind enum users = yes idmap config *:backend = tdb idmap config *:range = 201-300 idmap config YOUR_WORKGROUP:default = yes idmap config YOUR_WORKGROUP:backend = ad idmap config YOUR_WORKGROUP:range = 0-200 idmap config YOUR_WORKGROUP:schema_mode = rfc2307 winbind nss info = rfc2307 winbind expand groups = 2 winbind nested groups = yes winbind use default domain = yes /etc/nsswitch.conf passwd: files winbind group: files winbind pam-auth-update took care of pam configuration (I had to do only afs homedirs related changes, irrelevant if you don't use afs) winbind pulls correctly all the information for the users and group which have been posixified. However with the same config on debian squeeze or wheezy I receive only a part of the group memberships, and other nastiness (e.g. getent group and id for a group member give different results) I'm also trying to find out the correct way to add the autohome nis map. I have tried: ldbmodify -H /usr/local/samba/private/sam.ldb automount_template.ldif You shouldn't modify the sam.ldb directly while samba is running instead would suggest to use ldbmodify -H ldap://your-ad.server --option=dsdb:schema update allowed=true But this seemed to fail. I have thought I might need to use the Microsoft schema management tool to add the automount schema. 
Regards

Geza Gemes
Re: [Samba] NIS to SAMBA4 Migration
Hi,

> Hello Steve,
>
> The only way I have found to enable those options is to provision with --use-rfc2307. We are performing an upgrade from Samba3 and I noticed that the options were not grayed out after performing a classicupgrade, but were grayed out after a clean provision. I finally figured out that the classicupgrade always uses the --use-rfc2307 flag. This flag will add the option idmap_ldb:use rfc2307 = yes to your smb.conf; however, it has been my experience that adding that to smb.conf post-provision does not enable the UNIX Attributes options, so the provision option must do something else. I would like to know if there is a way to enable this after the fact, but I've not come up with anything yet.
>
> I need to complete further testing on the actual authentication of Linux clients, Apache, RADIUS and OpenVPN, but have run into a show-stopper with DNS replication and have moved all my efforts to this for the time being. I was able to get Linux clients authenticating via winbind, but this was before I found out about the --use-rfc2307 option and winbind was using auto-generated UIDs and GIDs.
>
> Any notes you come up with would be greatly appreciated.
>
> Thanks,
> Thomas.

Provisioning with --use-rfc2307 also loads the NIS schema into AD and thus allows you to set those attributes via ADUC. To do the same after provision you would need to import the schema after provision. The skeleton of it is in /usr/local/samba/share/setup/ypServ30.ldif on a default install.

Regards

Geza Gemes

> On Fri, Nov 23, 2012 at 10:38 AM, Steve van Maanen <st...@starsphere.jp> wrote:
>
> Hello everyone,
>
> I am trying to figure out a way to migrate NIS maps to SAMBA4 (I want to replace NIS with SAMBA4 for a Linux domain). I have researched a fair bit on the web but have not found any solutions and was hoping I could find some help here. What I have found so far pertains to Windows implementations of Active Directory. Here are my questions.
>
> 1) Is it possible with a default install of SAMBA4 or do I need to extend the schema?
> 2) I notice there is a Unix attributes tab for users, when using Active Directory users and groups to administer the Samba4 AD, but I am unable to change the properties. Is there any way I can enable this?
> 3) Has anyone done this and if so, can you offer me some pointers?
>
> Many thanks!
> Steve
Re: [Samba] Samba4 logon server against windows server 2003
On 2012-11-21 23:47, Innocent Yevide wrote:
> Hello,
>
> does anyone know how I can force samba4 to be the logon server against windows server 2003? I have the below in my smb.conf but it doesn't help:
>
>     domain logons = Yes
>     domain master = Yes
>     preferred master = Yes
>     os level = 255
>
> Best Regards,
> Innocent.

IMHO you can't. Active Directory was designed to provide a round robin type failover, and thus each AD controller (in a site) is equally likely to be chosen by clients.

Regards

Geza Gemes
Re: [Samba] Samba4 logon server against windows server 2003
Hi,

I would recommend checking that the samba4 server has all the DNS records that the Win2k3 has, especially under _msdcs, except the PDC entry, which should be unique to the AD controller which owns the PDC fsmo role.

Regards

Geza Gemes

> Thanks Gémes, the point here is that whenever the clients login, I see that they have only the windows server as logon server and not the samba4 server:
>
> I always have this:
>
>     LOGONSERVER=\\WINSERVER
>
> My expectation is to have:
>
>     LOGONSERVER=\\SAMBA4SERVER
>
> but when I switch off the Win Server, I could log into the samba4 server. I even tried adjusting the Weight and Priority for DNS SRV Records in the Registry on the Windows server so that the samba4 will be prioritized... but it doesn't help.
>
> Best Regards,
> Innocent.
>
> From: Gémes Géza <g...@kzsdabas.hu>
> To: samba@lists.samba.org
> Sent: Thursday 22 November 2012 19:41
> Subject: Re: [Samba] Samba4 logon server against windows server 2003
>
> On 2012-11-21 23:47, Innocent Yevide wrote:
>
> Hello,
>
> does anyone know how I can force samba4 to be the logon server against windows server 2003? I have the below in my smb.conf but it doesn't help:
>
>     domain logons = Yes
>     domain master = Yes
>     preferred master = Yes
>     os level = 255
>
> Best Regards,
> Innocent.
>
> IMHO you can't. Active Directory was designed to provide a round robin type failover, and thus each AD controller (in a site) is equally likely to be chosen by clients.
>
> Regards
>
> Geza Gemes
Re: [Samba] Migrating from windows server 2003 to SAMBA4
On 2012-11-02 15:30, Innocent Yevide wrote:
> Hello,
>
> I have an existing basic DC configured on windows server 2003, and would like to move/migrate it to Samba4. Is that possible, and if so, could anyone tell me the way to do it?
>
> Thanks beforehand.
> Inno.

1. Join samba4 with samba-tool domain join ...
2. Ensure that the directory is replicated
3. Copy the sysvol share from win2k3 to samba4
4. Run samba-tool ntacl sysvolreset on the samba4 box
5.-1000. Test test test
1001. If you are satisfied with how samba4 is working you can launch dcpromo on win2k3 in order to demote it.

Regards

Geza Gemes
Re: [Samba] cant find provision
On 2012-10-31 22:35, samba.to.anomal...@xoxy.net wrote:
> The wiki and most of the how-to web sites reference this command to set up a new AD domain, but I can't find this command anywhere in the file system, only a directory with .py commands. samba_upgradeprovision does not seem to support the same arguments. Installed with git clone, configure, make, make quicktest, make install. What do I need to do to create a new Active Directory domain?

samba-tool --help in general and samba-tool domain --help in this case are your friends.

Regards

Geza Gemes
Re: [Samba] PDC and BDCs : net rpc testjoin
On 2012-10-23 23:52, Michael Wood wrote:
> Hi Marcio
>
> On 23 October 2012 21:01, Marcio Oli <marcio.oli...@gmail.com> wrote:
>
> Ok Michael, thanks. But it is not clear to me yet. The samba PDCs and BDCs have obligation to be joined to domain? In other words, I need to type a manual linux command within Samba Domain Controllers (like: # net rpc join [DOMAIN] -U AdminUserofDomain).
>
> I think Geza was saying that you do (for Samba 3), but I have not run a Samba 3 PDC/BDC before, so I am not the one to answer that question.

OK

First: Thanks Michael for correcting my typo.

Second: For Samba3 PDC/BDC there is no need to be joined to the domain, if you do not plan to use winbind on them (e.g. for trusted domains, or ldapsam:editposix stuff).

Hope that is clearer now.

> Regards,
> Marcio.
>
> 2012/10/23 Michael Wood <esiot...@gmail.com>
>
> Hi
>
> On 23 October 2012 16:48, Marcio Oli <marcio.oli...@gmail.com> wrote:
>
> Thanks Gémes! I'm sorry about my ignorance, but what is an "aka classic domain"?
>
> "aka classic domain now" (I think Geza meant to say "now" instead of "not") means that the type of domain that Samba3 implements is now also known as a classic domain. I hope my explanation helps :)
>
> My samba version is 3.5.10-116.el6_2. OS: Red Hat Enterprise Linux Server release 6.2 / Linux 2.6.32-131.6.1.el6.x86_64
>
> Best regards,
> Marcio Oliveira.
>
> 2012/10/23 Gémes Géza <g...@kzsdabas.hu>
>
> On 2012-10-22 20:10, Marcio Oli wrote:
>
> I think the question is simple, so anybody could help me with this? The questions are: 1. The samba PDCs and BDCs have obligation to be joined to domain?
>
> In a samba3 (aka classic domain not)
>
> [...]
>
> --
> Michael Wood <esiot...@gmail.com>
>
> --
> Marcio Oliveira.
> All things work together for the good of those who love God. (Rom 8,28)

Regards

Geza Gemes
Re: [Samba] PDC and BDCs : net rpc testjoin
On 2012-10-22 20:10, Marcio Oli wrote:
> I think the question is simple, so anybody could help me with this? The questions are:
>
> 1. The samba PDCs and BDCs have obligation to be joined to domain?

In a samba3 (aka classic domain not)

> 2. The net rpc testjoin command must return OK in this case?

IF joined yes

> Thanks,
> Marcio Oliveira
>
> 2012/10/19 Marcio Oli <marcio.oli...@gmail.com>
>
> People,
>
> I have one PDC and a BDC on the matrix side and two BDCs on the branch office. I don't know if it is a problem. Anybody could help me?
>
> PDC
>
>     # net rpc testjoin
>     get_schannel_session_key: could not fetch trust account password for domain 'DOMAIN_NAME'
>     net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>     Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> BDCs
>
>     # net rpc testjoin
>     net_rpc_join_ok: failed to get schannel session key from server PDC for domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
>     Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED
>
> What should I do to solve these problems?
>
> Thanks,
> --
> Marcio Oliveira.
> All things work together for the good of those who love God. (Rom 8,28)
Re: [Samba] DNS Domain Name vs Samba4 Domain Name vs NT4 Domain Name
Hi,

See inline:

> I am unclear on the relationship between the hostname, DNS domain, server's FQDN, NT4 domain name, etc.
>
> Quoting the HOWTO:
>
>     For the rest of the HOWTO we will assume that your DNS domain name is samdom.example.com, your short (also known as NT4) domain name is samdom, your Samba server's hostname is samba and the IP Address of your Samba server is 192.168.1.2.
>
> What is the standard when it comes to these? Using the example from the howto:
>
>     Samba server's name is: samba
>     Samba server's FQDN is: samba.samdom.example.com
>     DNS Domain is: samdom.example.com
>     Samba4 domain is: samdom.example.com
>     NT4 Domain is: samdom
>
> Therefore, for my setup:
>
>     My samba server's name is: tainan
>     My samba server's FQDN is: tainan.internal.stmaryscollege.co.uk
>     My DNS domain is: internal.stmaryscollege.co.uk
>     Samba4 Domain is: ??? internal.stmaryscollege.co.uk ???
>     My NT4 Domain is: ??? internal ???

Samba4 domain (in smb.conf the realm) has to be INTERNAL.STMARYSCOLLEGE.CO.UK

The NT4 domain name (in smb.conf the workgroup) can be anything you wish (with some restrictions (I think max 14 characters, and it cannot contain a dot)).

> I currently have a s3 domain set up called SMC (I am _NOT_ going to attempt to migrate it to a samba4 domain). Does my NT4 domain have to be the first part of my Samba4 domain? Can I make the NT4 domain name SMC also?

As I wrote before you can have any workgroup name.

> Thanks,
> Alex

Regards

Geza Gemes
Re: [Samba] How can I switch from internal dns server to bind9
On 2012-10-12 14:34, fe...@epepm.cupet.cu wrote:
> On Tue, 2012-10-09 at 17:18 -0400, fe...@epepm.cupet.cu wrote:
>
> On 10/9/12, fe...@epepm.cupet.cu <fe...@epepm.cupet.cu> wrote:
>
> How can I switch from internal dns server to bind9???
>
> Add into [global] section of smb.conf server services = -dns. Configure Bind (see named.* files which come with samba) to use dlz plugin or good old plain files (requires basic zone definition).
> --
>
> I guess it's not that easy. First, I added by hand the file named.conf to /usr/local/samba/private. Second the dlz complains:
>
>     Failed to connect to /usr/local/samba/private/dns/sam.ldb
>
> and there is no such directory; instead sam.ldb is directly under /usr/local/samba/private/
>
> Run samba_upgradedns to create the extra files and the account.
>
> Andrew Bartlett
>
> Now that I'm using bind9 I have two sam.ldb and sam.ldb.d. One pair directly under /usr/local/samba/private/ and the other pair under /usr/local/samba/private/dns/ The last pair was created when I switched to bind9. Can I delete the pair directly under /private ???
>
> Cheers,
> Felix.

NO! You will lose your samba domain. The sam.ldb in the private directory is the master part of the domain and the one under dns is just a replica which is created so as not to give bind access to the whole domain.

Regards

Geza Gemes
Re: [Samba] [PATCH] allow to create Unix-UID/SID mapping in samba-tool user create
On 2012-09-25 11:58, Alexander Wuerstlein wrote:
> On Tue, 25 Sep 2012 15:49:11 +1000 Andrew Bartlett <abart...@samba.org> wrote:
>
> On Tue, 2012-09-25 at 00:19 +0200, Alexander Wuerstlein wrote:
>
> From: Alexander Wuerstlein <a...@arw.name>
>
> Reads Unix UID from NSS or commandline and creates a UID/SID mapping when creating a new user.
>
> As Gémes Géza mentions this really needs to honour idmap_ldb:use rfc2307 = yes and set it in the sam.ldb if that is set, and while useful in the general case, for the case you are targeting, the classicupgrade will work better.
>
> Classicupgrade would only handle the initial import, not later addition of users, which is the more frequent case here. But idmap_ldb:use rfc2307 = yes seems to work fine, and it seems to be a lot less ugly than fiddling with idmap.ldb. I'll try to get samba-tool to create the RFC2307 attributes and send a patch if it's not too ugly.
>
> Ciao,
> Alexander Wuerstlein.

Hi,

Just a suggestion:

In my homemade (I hadn't time to develop a proper patch with tests) bash scripts I look for the RID part of the newly created user's SID and search for the uidNumber and gidNumber attributes with that value. If none is found, assign it as uidNumber or gidNumber depending on whether a user or a group is going to be created. If the given RID has already been assigned as a uidNumber or gidNumber, increment it and then try again, until it isn't in use.

Cheers

Geza Gemes
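The allocation rule Geza sketches above (RID as the candidate id, checked against both uidNumber and gidNumber, incremented until free), written out as an added example that is not code from the thread or from Samba. The directory is a constructed in-memory list standing in for the LDAP searches his scripts do, and the MIN_POSIX_ID floor is an added assumption: ids that collide with local system accounts such as root cannot be detected by searching the directory alone, so they are skipped here.

```python
"""RID-based uidNumber/gidNumber allocation for new AD users and groups.

Added example (not from the Samba list thread or from Samba itself). It
models the rule described in the post: use the RID of the new object's SID
as its uidNumber (user) or gidNumber (group); if that number is already used
by either attribute anywhere in the directory, increment until a free one is
found. The directory below is a constructed stand-in for an LDAP search.
"""
from typing import Dict, List, Union

Entry = Dict[str, Union[str, int]]

# Assumption (not from the post): never hand out ids that collide with local
# system accounts (root is 0, distribution service users sit below 1000),
# which a search of the directory alone cannot see.
MIN_POSIX_ID = 1000


def rid_from_sid(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of a SID like S-1-5-21-x-y-z-1105."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


class FakeDirectory:
    """Minimal stand-in for the LDAP searches the post describes."""

    def __init__(self, entries: List[Entry]) -> None:
        self.entries = list(entries)

    def id_in_use(self, number: int) -> bool:
        # Mirrors searching both attributes: uids and gids share one number
        # space in this scheme, so a value is taken if either attribute has it.
        return any(e.get("uidNumber") == number or e.get("gidNumber") == number
                   for e in self.entries)

    def add(self, entry: Entry) -> None:
        self.entries.append(entry)


def allocate_posix_id(directory: FakeDirectory, sid: str, max_tries: int = 10000) -> int:
    """Smallest unused number >= max(RID, MIN_POSIX_ID), found by increment-and-retry."""
    candidate = max(rid_from_sid(sid), MIN_POSIX_ID)
    for _ in range(max_tries):
        if not directory.id_in_use(candidate):
            return candidate
        candidate += 1
    raise RuntimeError(f"no free posix id within {max_tries} of the RID of {sid}")


def create_posix_entry(directory: FakeDirectory, name: str, sid: str, kind: str) -> Entry:
    """Create a user or group entry carrying its allocated uidNumber/gidNumber."""
    if kind not in ("user", "group"):
        raise ValueError("kind must be 'user' or 'group'")
    attr = "uidNumber" if kind == "user" else "gidNumber"
    entry: Entry = {"sAMAccountName": name, "objectSid": sid,
                    attr: allocate_posix_id(directory, sid)}
    directory.add(entry)
    return entry


if __name__ == "__main__":
    # Constructed sample: alice and the staff group were posixified by hand
    # (say, with ids carried over from NIS), so their ids differ from their RIDs.
    d = FakeDirectory([
        {"sAMAccountName": "alice", "objectSid": "S-1-5-21-1-2-3-1001", "uidNumber": 1105},
        {"sAMAccountName": "staff", "objectSid": "S-1-5-21-1-2-3-1002", "gidNumber": 1106},
    ])
    # bob's RID 1105 collides with alice's uidNumber and 1106 with the group's
    # gidNumber, so he ends up with 1107.
    print(create_posix_entry(d, "bob", "S-1-5-21-1-2-3-1105", "user"))
```

Because the check and the write are separate LDAP operations, two administrators creating accounts at the same moment can still both pick the same free number; the post's scripts have the same window, so serialise account creation or re-check after the write.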
Re: [Samba] samba4: samba-tool and (unix) uids
On 2012-09-24 22:52, Thomas Karmann wrote:
> Hello,
>
> at my university's CS computer pools we're trying to migrate our samba3 based NT domain to AD with samba4-rc1. In the past we had a little script which our users could run on their own from their linux account which created a samba user with their own uid/gid and set their password (via smbpasswd). We're trying to recreate this behaviour with samba-tool user create but we couldn't find a parameter to set the mapping SID - uid. Without the correct mapping we can't get the users' profile/home permissions right. Will we have to manually correct the private/idmap.ldb each time we add a user or are we missing something? Is it safe to edit the idmap on the fly?
>
> With kind regards,
> Thomas

Hi,

If you migrate via samba-tool classicupgrade it takes care of migrating existing uids, gids, shells and home directories to samba4. At the same time it sets idmap_ldb:use rfc2307 = yes in the global section of the Samba4 smb.conf. That means that Samba4 winbind retrieves uids and gids from the directory. Because of that you don't need to fiddle with idmap.ldb. So until samba-tool gets support for manipulating posix attributes I would recommend setting up those attributes by ldbmodify against the directory (or if you prefer a gui, via ADUC (if you install RSAT on Windows Vista/7)).

Regards

Geza Gemes
Re: [Samba] Samba4, DHCP, BIND DLZ
On 2012-09-21 01:55, Jeff wrote:
> Hello,
>
> I have recently compiled, installed and configured samba4 to run on a FreeBSD server. samba -V reports the version to be Version 4.1.0pre1-GIT-57990cb. The server has working BIND 9.9 and ISC-DHCP services running on it. I have provisioned samba 4 to use the BIND_DLZ DNS backend. On the whole things seem to be working. Local names are being resolved. phpLDAPAdmin shows the new AD.
>
> I need to resolve a couple of things though.
>
> (1) log.samba has a lot of
>
>     [2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>     [2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>     [2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>     [2012/09/20 15:41:08, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>     [2012/09/20 15:41:09, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>     [2012/09/20 15:41:09, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
>
> What does it mean and how do I fix it??
>
> (2) I need to ensure that DHCP is playing nicely with samba4. How are DNS updates from the DHCP server propagated to samba4?? I've changed my BIND so that it no longer uses zone files for the local domain. Instead it uses the bind9 dlz driver that came with samba4. If I understand correctly, this means that bind will now pass queries about the local domain off to samba. So samba must be updated whenever a new DHCP lease is granted by the dhcp server.
>
> Does the DLZ driver handle this, or does the DHCP server need to be configured to cause these updates to go directly to samba??
>
> Thanks,
> Jeff

Hi,

The windows clients try to update their dns records themselves without the help of the dhcp server; for *nix clients I've seen some description of how to configure isc-dhcp to update records on a Windows AD, which should apply to Samba as well. Unfortunately I have no pointer to that document, but Google should find it. I have no personal experience with such a setup, because I've decided to go with statically assigned addresses (based on MAC addresses).

Regards

Geza Gemes
Re: [Samba] Sysvol Replication in Samba4
On 2012-08-29 02:31, Matthieu Patou wrote:
> On 08/26/2012 10:24 PM, Gémes Géza wrote:
>
> Hi Matthieu!
>
> Thank you for the script. Could you also attach /usr/local/etc/ecv/list_dcs which is sourced?
>
> Well no :-(
>
> But this is defining the variable LIST_DC a bit like this:
>
>     LIST_DC="dc1name namedc2"
>
> It's a space separated list of dc names.
>
> Matthieu.

Thank you!

Of course I didn't want you to share confidential information. I was just thinking about a clever script to query the actual DCs from AD.

Cheers

Geza Gemes
Re: [Samba] Support for Linux Authentication with Samba4's Internal LDAP Server
On 2012-08-28 10:32, Andrew Bartlett wrote:
> On Mon, 2012-08-27 at 16:42 -0500, Andrew Martin wrote:
>
> Hello,
>
> This topic has been touched on in the past, but I'd like to ask for additional clarification on the structure of the internal LDAP server that Samba4 provides. I currently am using OpenLDAP for authenticating Linux servers and a number of web-based services. I also use Samba 3 for presenting shares to Windows users, but it maintains a separate password database. I would like to migrate to a single sign-on, ideally using Samba4. I use the inetOrgPerson schema for users (http://www.andrew.cmu.edu/user/dd26/ldap.akbkhome.com/objectclass/inetOrgPerson.html) and the posixGroup schema for groups (http://www.andrew.cmu.edu/user/dd26/ldap.akbkhome.com/objectclass/posixGroup.html). Does the internal LDAP server in Samba4 support these schemas? I don't mind writing some scripts to manually populate/update additional fields as needed, but need to know that services which expect a regular LDAP server would be able to utilize the Samba4 one.
>
> You should be able to use both of those, and do a simple bind against Samba4 for password validation. You can even avoid using a DN for the simple bind; we also accept user@realm and domain\user as the 'DN'.
>
> Andrew Bartlett

Hi,

I can confirm this, I just switched the moodle installation from authenticating against OpenLDAP to Samba4. The only caveat was figuring out that I couldn't bind anonymously.

Regards

Geza Gemes
Re: [Samba] Sysvol Replication in Samba4
Hi Matthieu!

Thank you for the script. Could you also attach /usr/local/etc/ecv/list_dcs which is sourced?

Thank you in advance!

Cheers

Geza Gemes
Re: [Samba] XP Administrator has no access to shares
On 2012-08-21 10:32, steve wrote:
> On 20/08/12 21:17, Gémes Géza wrote:
>
> On 2012-08-20 11:09, steve wrote:
>
> On 20/08/12 10:45, steve wrote:
>
> On 20/08/12 09:42, Gémes Géza wrote:
>
>     setfacl -R -m u:Administrator:rwx,d:u:Administrator:rwx /home2/home
>
> Hi Géza
>
> Sorry to be a pain but there is a slight problem with the acl. All folders under /home2/home now have e.g.:
>
>     drwxrwxr-w+ 20 steve2 domain users
>
> and files have:
>
>     -rw-rwx---+ steve2 domain users
>
> which means somehow, group rw has been set for everything:
>
>     steve@hh32:/home2 getfacl home
>     # file: home
>     # owner: root
>     # group: root
>     user::rwx
>     user:administrator:rwx
>     group::r-x
>     mask::rwx
>     other::r-x
>     default:user::rwx
>     default:user:administrator:rwx
>     default:group::r-x
>     default:mask::rwx
>     default:other::r-x
>
> Is there a way to correct this?
>
> Cheers,
> Steve
>
> Hi
>
> If I understand your problem you didn't like the fact that the group domain users have write and read rights, isn't it? You can change those rights with setfacl for example.
>
> Regards
>
> Geza Gemes
>
> Hi Géza
>
> Actually this works. It denies group rw access _even though_ in a file listing with ls -l files show as:
>
> Set the acl like you suggested:
>
>     setfacl -R -m u:Administrator:rwx,d:u:Administrator:rwx /home2/home
>
> Files now appear like this:
>
>     -rwxrwx--x+
>
> It looks as though they are group rw but in actual fact, they behave like this:
>
>     -rwxr-x--x
>
> Conclusion: Don't believe what the file listing shows. It doesn't seem to be wysiwyg. The only way you can really see access rights is to do a getfacl.
>
> Does that seem OK? Does anyone else observe this?
>
> Cheers,
> Steve

Yes, this is expected behavior.

Regards

Geza Gemes
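What Steve observes and Geza confirms as expected is the POSIX.1e ACL mask: once a file has an extended ACL, the group column of the mode bits that ls -l prints holds the mask, while the rights actually enforced for the owning group and for named users are their own entries cut down by that mask. The following is an added example, not code from the thread: it parses getfacl output, computes the effective rights the way the kernel does, and rebuilds the ls mode string. The first sample is the getfacl listing quoted above; the second is constructed to show a mask narrower than a named entry.

```python
"""Effective POSIX ACL rights versus what ls -l shows.

Added example, not code from the Samba list thread. It parses `getfacl`
output and applies the ACL mask as the kernel does on an access check
(POSIX.1e: the mask bounds named users, the owning group and named groups,
but not the owner or "other"), and it rebuilds the mode string ls -l prints,
whose group column is the mask whenever one exists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PERM_ORDER = "rwx"


@dataclass(frozen=True)
class AclEntry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # "" for owner / owning group / mask / other, else a name
    perms: str      # always three chars in rwx order, e.g. "r-x"
    default: bool   # True for a default: entry (inherited by new children)

    @property
    def key(self) -> str:
        return ("default:" if self.default else "") + f"{self.tag}:{self.qualifier}"


def _normalise(perms: str) -> str:
    return "".join(c if c in perms else "-" for c in PERM_ORDER)


def _and_perms(a: str, b: str) -> str:
    return "".join(c if (c in a and c in b) else "-" for c in PERM_ORDER)


def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse getfacl text; header comments and '#effective:' hints are skipped."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if not line or line.startswith("#"):
            continue  # "# file:", "# owner:", "# group:" header lines
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        tag, qualifier, perms = parts
        entries.append(AclEntry(tag, qualifier, _normalise(perms), default))
    return entries


def effective_rights(entries: List[AclEntry], default: bool = False) -> Dict[str, str]:
    """Rights each entry actually grants after the mask is applied."""
    acl = [e for e in entries if e.default == default]
    mask: Optional[str] = next((e.perms for e in acl if e.tag == "mask"), None)
    out: Dict[str, str] = {}
    for e in acl:
        bounded = (e.tag == "user" and e.qualifier != "") or e.tag == "group"
        out[e.key] = _and_perms(e.perms, mask) if (mask is not None and bounded) else e.perms
    return out


def ls_mode_string(entries: List[AclEntry]) -> str:
    """The nine permission characters ls -l prints, plus '+' for an extended ACL."""
    acl = [e for e in entries if not e.default]
    by = {(e.tag, e.qualifier): e.perms for e in acl}
    owner, other = by[("user", "")], by[("other", "")]
    # With a mask present, the group column of the mode bits *is* the mask.
    group_col = by.get(("mask", ""), by[("group", "")])
    extended = ("mask", "") in by or any(e.default for e in entries)
    return owner + group_col + other + ("+" if extended else "")


# getfacl output quoted in the thread (copied into a string here).
THREAD_SAMPLE = """\
# file: home
# owner: root
# group: root
user::rwx
user:administrator:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:administrator:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# Constructed sample: the mask is narrower than the named user's entry.
NARROW_MASK_SAMPLE = """\
# file: report.txt
# owner: steve2
# group: domain users
user::rw-
user:administrator:rwx
group::r--
mask::r-x
other::---
"""

if __name__ == "__main__":
    for sample in (THREAD_SAMPLE, NARROW_MASK_SAMPLE):
        entries = parse_getfacl(sample)
        print(ls_mode_string(entries), effective_rights(entries))
```

For the thread's directory this yields an ls column of rwxrwxr-x+ while group:: is still enforced as r-x, which is exactly the listing-versus-behaviour difference Steve saw; in the second sample the administrator's rwx entry is cut to r-x by the mask, which is what `getfacl` flags with its `#effective:` column.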
Re: [Samba] XP Administrator has no access to shares
Hi Steve,

Answers below

> Hi Géza
>
> Thanks for your patience. Let's take this share:
>
>     [home]
>     path = /home2/home
>     read only = No
>
> 1. Could you tell me what I need to add to enable Administrator to have full control over it?

The most probable cause of not having access is that Administrator has no access to the underlying filesystem, so I would do a

    setfacl -R -m u:Administrator:rwx,d:u:Administrator:rwx /home2/home

It could have two results: 1. everything starts working, 2. it complains that it couldn't find user Administrator, which indicates that you should review your winbind and nsswitch config.

> 2. Is there a user in the Domain (like root in Linux) who has control over everything? Shares, users, network, the lot?

NO

> 3. Is there a global way of enabling Administrator to be allowed write access and be able to change permissions and acl's from the security tab? Or must this be done on a per share basis.

Write access and ability to change ACLs (at least using s3fs or samba3 smbd) comes from the posix access rights and ACLs, so you need to set them.

> I made one change to the [global] section:
>
>     winbind use default domain = Yes
>
> This drops the ALTEA\ part of the name. Otherwise users cannot authenticate via Kerberos because PAM passes the name as ALTEAuser rather than ALTEA\user to the KDC. With the default domain line it passes the name correctly as just name and krb5 auth works again.
>
> Cheers,
> Steve

Regards

Geza Gemes
Re: [Samba] XP Administrator has no access to shares
On 2012-08-20 11:09, steve wrote:
> On 20/08/12 10:45, steve wrote:
>
> On 20/08/12 09:42, Gémes Géza wrote:
>
>     setfacl -R -m u:Administrator:rwx,d:u:Administrator:rwx /home2/home
>
> Hi Géza
>
> Sorry to be a pain but there is a slight problem with the acl. All folders under /home2/home now have e.g.:
>
>     drwxrwxr-w+ 20 steve2 domain users
>
> and files have:
>
>     -rw-rwx---+ steve2 domain users
>
> which means somehow, group rw has been set for everything:
>
>     steve@hh32:/home2 getfacl home
>     # file: home
>     # owner: root
>     # group: root
>     user::rwx
>     user:administrator:rwx
>     group::r-x
>     mask::rwx
>     other::r-x
>     default:user::rwx
>     default:user:administrator:rwx
>     default:group::r-x
>     default:mask::rwx
>     default:other::r-x
>
> Is there a way to correct this?
>
> Cheers,
> Steve

Hi

If I understand your problem you didn't like the fact that the group domain users have write and read rights, isn't it? You can change those rights with setfacl for example.

Regards

Geza Gemes
Re: [Samba] XP Administrator has no access to shares
On 2012-08-18 08:48, steve wrote:
> On 17/08/12 13:17, Gémes Géza wrote:
>
> On 2012-08-17 11:44, steve wrote:
>
> Hi
>
> S4 DC with S3 fileserver. smb.conf on the fileserver:
>
>     [global]
>     workgroup = ALTEA
>     realm = HH3.SITE
>     security = ADS
>     kerberos method = secrets and keytab
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     idmap config *:backend = tdb
>     idmap config *:range = 3000-4000
>     idmap config ALTEA:backend = ad
>     idmap config ALTEA:range = 2-4000
>     idmap config ALTEA:schema_mode = rfc2307
>     winbind nss info = rfc2307
>     winbind expand groups = 2
>     winbind nested groups = yes
>     usershare allow guests = No
>     winbind refresh tickets = yes
>
>     [home]
>     path = /home2/home
>     read only = No
>
>     [staff]
>     path = /home2/staff
>     read only = No
>
>     [profiles]
>     path = /home2/profiles
>     read only = No
>     store dos attributes = Yes
>     create mask = 0600
>     directory mask = 0700
>
>     [dropbox]
>     path = /home2/dropbox
>     force create mode = 0660
>     force directory mode = 0770
>     read only = No
>
> wbinfo -u lists Administrator but getent passwd lists only those users with a uidNumber and gidNumber. The latter users can login to xp and enter the shares fine. Administrator can login but gets a password prompt each time he hits a share. Giving the correct password results in XP stating that he has no permission to access the share. How do I get Administrator to enter and manipulate the shares? I thought that that was his purpose.
>
> Cheers,
> Steve
>
> First: in the Windows security model Administrator is not the equivalent of root from the Unix world; it is just a predefined account, member of the Administrators group, or in a domain of the Domain Admins group, and that is what gives access, so you could do all the management operations from any other user account that is a member of the Domain Admins group.
>
> Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be wrong) needs that the connected user has a valid uidNumber/gidNumber in order to be able to check the posix acl permissions, so if you want to connect to a Samba3 box with Administrator, first give it all the posix attributes you've given to the other user accounts (however it doesn't need a unixHomeDirectory or loginShell if you won't login e.g. via ssh as Administrator).
>
> Regards
>
> Geza Gemes
>
> Hi Geza
>
> OK. Domain Admins and Domain Users have posixGroup and gidNumber. They show on getent passwd name of group. I login to XP as Administrator. I can do stuff like unjoin the domain and change the DNS address but I cannot access the shares. Is there a user in m$ that is like the root user in Linux? Should domain admins have a gidNumber of 0 (zero)? Should domain admins also have a posixAccount with a uidNumber of 0 (zero)? What am I missing?
>
> Cheers,
> Steve

Hi Steve,

First check if the user has permissions on the box running samba3.

Second check if you have in the share definition any of the valid users, write list, read list, readable, writable parameters.

Regards

Geza Gemes
Re: [Samba] XP Administrator has no access to shares
On 2012-08-17 11:44, steve wrote:
> Hi
>
> S4 DC with S3 fileserver. smb.conf on the fileserver:
>
>     [global]
>     workgroup = ALTEA
>     realm = HH3.SITE
>     security = ADS
>     kerberos method = secrets and keytab
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     idmap config *:backend = tdb
>     idmap config *:range = 3000-4000
>     idmap config ALTEA:backend = ad
>     idmap config ALTEA:range = 2-4000
>     idmap config ALTEA:schema_mode = rfc2307
>     winbind nss info = rfc2307
>     winbind expand groups = 2
>     winbind nested groups = yes
>     usershare allow guests = No
>     winbind refresh tickets = yes
>
>     [home]
>     path = /home2/home
>     read only = No
>
>     [staff]
>     path = /home2/staff
>     read only = No
>
>     [profiles]
>     path = /home2/profiles
>     read only = No
>     store dos attributes = Yes
>     create mask = 0600
>     directory mask = 0700
>
>     [dropbox]
>     path = /home2/dropbox
>     force create mode = 0660
>     force directory mode = 0770
>     read only = No
>
> wbinfo -u lists Administrator but getent passwd lists only those users with a uidNumber and gidNumber. The latter users can login to xp and enter the shares fine. Administrator can login but gets a password prompt each time he hits a share. Giving the correct password results in XP stating that he has no permission to access the share. How do I get Administrator to enter and manipulate the shares? I thought that that was his purpose.
>
> Cheers,
> Steve

First: in the Windows security model Administrator is not the equivalent of root from the Unix world; it is just a predefined account, member of the Administrators group, or in a domain of the Domain Admins group, and that is what gives access, so you could do all the management operations from any other user account that is a member of the Domain Admins group.

Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be wrong) needs that the connected user has a valid uidNumber/gidNumber in order to be able to check the posix acl permissions, so if you want to connect to a Samba3 box with Administrator, first give it all the posix attributes you've given to the other user accounts (however it doesn't need a unixHomeDirectory or loginShell if you won't login e.g. via ssh as Administrator).

Regards

Geza Gemes
Re: [Samba] About s3fs in samba4
On 2012-08-17 17:31, fe...@epepm.cupet.cu wrote:
Reading Whatsnew.txt in samba I understand that if I use s3fs, as it is set by default in the provision step, I won't be able to modify GPOs later, right? So I have a couple of questions:
- What's the advantage of using s3fs over ntvfs in new installations?
- If I'm planning to deploy a new Domain, probably needing to change GPOs later, should I select ntvfs???
Best regards,
Felix

If you use s3fs, the only thing you may need to do (first test if it is still necessary; it was with the git version a week ago) is to give the group Domain Admins full access to the sysvol share (and recursively all subfolders) from a Windows domain member computer (logged in, of course, as a member of the Domain Admins group). The major problem with ntvfs is that it isn't actively developed anymore and hasn't received those protocol dialect updates (smb2-3) which were introduced in Vista and 7, and thus it may have compatibility problems later (no known problem exists so far).
Regards
Geza Gemes
Re: [Samba] Domain Admin cannot access files
On 2012-08-16 13:48, steve wrote:
On 15/08/12 23:51, Rowland Penny wrote:
On 15/08/12 22:10, Gémes Géza wrote:
On 2012-08-15 18:59, steve wrote:
Hi
I just joined a Samba 3.6.3 machine as a file server for a Samba4 domain. Normal users can login and reach the shares apart from the domain Administrator. After Administrator has logged in, any attempt to reach the file server results in a username and password prompt. Supplying the correct information still will not allow share access for Administrator. Using s3fs under Samba4, Administrator is allowed full access without being asked for a password. What am I missing?
Cheers,
Steve

[global]
  workgroup = MARINA
  realm = hh3.site
  security = ADS
[home]
  path = /home2/MARINA
  read only = No
[staff]
  path = /home2/staff
  read only = No

IF this is a Samba3 config file, you DO NOT need to specify a path for a [homes] share. That way (a correctly configured Samba3 box (HERE COMES winbind into PLAY!)) will give each user its own home share. I've pasted a default [homes] section from an ubuntu 12.04 box (I'm using it only for running winbind on it to allow login of domain users, no samba running on that box); as you can see it is still commented out:

;[homes]
;   comment = Home Directories
;   browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only username can connect to \\server\username
# The following parameter makes sure that only username can connect
#
# This might need tweaking when using external authentication schemes
;   valid users = %S

Regards
Geza Gemes

He is not exporting the samba homes share, he is exporting a share called [home], that is why he needs the path statement. Administrator on my samba4 server is a member of: Group Policy Creator Owners, Enterprise Admins, Schema Admins, Domain Admins. So unless your shares are owned by Administrator or one of his groups or are set xx7, I do not think he should be able to get into the shares.
Rowland

Hi Geza, Rowland, everyone
openSUSE 12.1 Samba 4.0.0beta7-GIT 9566786 DC
Samba 3.6.3 file server on Vbox
[homes] is not the same as [home]. I do not want the restriction of [homes] with all home directories having to be in the same folder.

With homes you don't need to have all the shares in the same folder; instead samba (only 3 so far) does an nss lookup to find the home directory for the user, e.g. you have two users: steve1 and steve2, with home directories /home/users/first-type/steve1 and /usr/local/testprojects/homfolders/steve2, and the [homes] share transforms them into \\servername\steve1 for the user steve1 and \\servername\steve2 for the user steve2 respectively. The key element here is being able to look up the home directories for the users (preferably from the unixHomeDirectory attribute) and here comes a correctly configured winbind into play.

With s3fs, Administrator has full control over all the shares. What I'm trying to do is convert this on S4 s3fs (which works perfectly):

[global]
  server role = domain controller
  workgroup = ALTEA
  realm = hh3.site
  netbios name = HH1
  passdb backend = samba4
  idmap_ldb:use rfc2307 = yes
[netlogon]
  path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
  read only = No
[sysvol]
  path = /usr/local/samba/var/locks/sysvol
  read only = No
[home]
  path = /home2
  read only = No
[profiles]
  path = /home2/profiles
  read only = No

To something equivalent on S3 smbd. This is what I have so far:

[global]
  workgroup = ALTEA
  realm = HH3.SITE
  security = ADS
  kerberos method = secrets and keytab
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind expand groups = 2
  winbind nss info = rfc2307
  winbind refresh tickets = Yes
  idmap config ALTEA:schema_mode = rfc2307
  idmap config ALTEA:range = 2-4000
  idmap config ALTEA:backend = ad
  idmap config * : backend = tdb
[home]
  path = /home2/home
  read only = No
[profiles]
  path = /home2/profiles
  read only = No
  create mask = 0600
  directory mask = 0700
  store dos attributes = Yes

It works, but it's slow and roaming profiles sometimes work, sometimes not. And Administrator has no control over permissions. No one on m$ has control over
Re: [Samba] S4 DC S3 file server: samba-tool and net ads user problems
On 2012-08-16 18:53, steve wrote:
Hi everyone
I have a S4 DC with a S3 fileserver. I want to create users and their unixHomeDirectory on the fileserver. I can do this with a script which uses ldapmodify. Fine so far. The user shows in getent passwd on the DC and in wbinfo -u on the S3 box but does not show in getent passwd on the fileserver. The user has been created with all his rfc2307 attributes but is invisible to winbind on the S3 box. I have tried restarting winbind on the S3 box but still no luck. Is there a cache I must clear somewhere? How can I get new users to show on the S3 box?
Cheers,
Steve

Hi,
I'm not sure I've understood your situation, so please correct me if I'm wrong. You have 3 computers:
1. Samba4 (everything works to the extent permitted by its winbind implementation)
2. Samba3 (everything works, including having homedirs and shells obtained via winbind from AD)
3. Samba3 (where you intend to have home directories, and could not list users)
If that is the situation you could simply copy the config from the second box to the third one, add a [homes] share, and everything should work. If not, in a previous e-mail you've already written the samba config needed for having a working winbind with idmap_ad. One thing I've learned the hard way: if any of the gidNumbers of a group a user belongs to is out of the range you've specified in your smb.conf for your domain, that user is going to be invisible (I've avoided it with a range = 0-1000). If you have winbind installed by package I would try to delete /var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it.
Regards
Geza Gemes
Re: [Samba] S4 DC S3 file server: samba-tool and net ads user problems
On 2012-08-16 20:07, steve wrote:
On 16/08/12 19:32, Gémes Géza wrote:
On 2012-08-16 18:53, steve wrote:
Hi everyone
I have a S4 DC with a S3 fileserver. I want to create users and their unixHomeDirectory on the fileserver. I can do this with a script which uses ldapmodify. Fine so far. The user shows in getent passwd on the DC and in wbinfo -u on the S3 box but does not show in getent passwd on the fileserver. The user has been created with all his rfc2307 attributes but is invisible to winbind on the S3 box. I have tried restarting winbind on the S3 box but still no luck. Is there a cache I must clear somewhere? How can I get new users to show on the S3 box?
Cheers,
Steve

Hi,
I'm not sure I've understood your situation, so please correct me if I'm wrong. You have 3 computers:
1. Samba4 (everything works to the extent permitted by its winbind implementation)

Does winbindd have to be running on this DC? I thought it didn't matter whether it was or it wasn't. I use nss-ldapd for mapping on this box as the S4 winbindd seems to be broken for groups.

It is running inside the samba binary, you don't have to/can't start it independently.

2. Samba3 (everything works, including having homedirs and shells obtained via winbind from AD)

Yes. The home directory shares are all on this box.

3. Samba3 (where you intend to have home directories, and could not list users)

No. I have no box 3. Just 2 boxes. S4 DC and S3 fileserver. Here is the conf which works on box2:

[global]
  realm = hh3.site
  workgroup = ALTEA
  security = ADS
  winbind enum users = Yes
  winbind enum groups = Yes
  idmap config *:backend = tdb
  idmap config *:range = 3000-4000
  idmap config ALTEA:backend = ad
  idmap config ALTEA:range = 2-4000
  idmap config ALTEA:schema_mode = rfc2307
  winbind nss info = rfc2307
  winbind expand groups = 2
  winbind nested groups = yes
[home]
  path = /home2/home
  read only = No
[profiles]
  path = /home2/profiles
  read only = No

However, m$ machines cannot write to the shares even though they are correctly listed as having the correct permissions and ownership.

The following are for the Samba3 box:
Does net ads testjoin report join ok?
wbinfo -u lists all the users?
wbinfo -g lists all the groups?
wbinfo -i some_username is able to list all user info?
Have you changed your /etc/nsswitch.conf to have
passwd: files winbind
group: files winbind
(others don't really matter)?
Do id some_username and getent passwd some_username give meaningless results?
If all the above yes, have you checked that the shared folder permits write access for the above some_username (from linux shell first)?

If that is the situation you could simply copy the config from the second box to the third one, add a [homes] share, and everything should work. If not, in a previous e-mail you've already written the samba config needed for having a working winbind with idmap_ad. One thing I've learned the hard way: if any of the gidNumbers of a group a user belongs to is out of the range you've specified in your smb.conf for your domain, that user is going to be invisible (I've avoided it with a range = 0-1000). If you have winbind installed by package I would try to delete /var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it.
Regards
Geza Gemes

Hope that the above order of checks helps to find out the problem.
Regards
Geza Gemes
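Geza's warning in this thread (a single group gidNumber outside the domain's idmap range makes the user disappear from getent passwd) and the idmap ranges in the member-server configs quoted above are worth checking offline before deleting winbind's tdb files. The script below is an added example, not code from this list or from the Samba project. It parses the idmap config ranges out of an smb.conf fragment and reports ranges that overlap (in the quoted config the * range 3000-4000 lies inside the ALTEA range 2-4000; idmap ranges must be disjoint, and later Samba releases refuse to start winbindd with overlapping ranges), then walks a constructed LDIF extract of the RFC2307 attributes, of the kind ldapsearch against the DC would return, and lists every user that idmap_ad cannot map completely: missing uidNumber (the Administrator case), primary gid out of range, or membership in a group whose gidNumber is out of range. The LDIF names and numbers are made up, and the transitive group resolution assumes winbind nested groups = yes as in the quoted config.

```python
"""Offline idmap_ad check: ranges must be disjoint, and every uidNumber/gidNumber a user
depends on must lie in the domain's range, or winbind will not expose that user via NSS."""
import re

# Constructed smb.conf fragment modelled on this thread's member-server config (* inside ALTEA).
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-4000
   idmap config ALTEA : backend = ad
   idmap config ALTEA : range = 2-4000
   winbind nested groups = yes
"""

# Constructed LDIF extract (what ldapsearch against the DC might return); made-up names/numbers.
LDIF = """\
dn: CN=nfsusers,CN=Users,DC=hh3,DC=site
objectClass: group
gidNumber: 5000

dn: CN=steve1,CN=Users,DC=hh3,DC=site
objectClass: user
sAMAccountName: steve1
uidNumber: 301
gidNumber: 513

dn: CN=steve2,CN=Users,DC=hh3,DC=site
objectClass: user
sAMAccountName: steve2
uidNumber: 327
gidNumber: 513
memberOf: CN=nfsusers,CN=Users,DC=hh3,DC=site

dn: CN=Administrator,CN=Users,DC=hh3,DC=site
objectClass: user
sAMAccountName: Administrator
"""

RANGE_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$", re.I)

def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} from 'idmap config DOM : range = a-b' lines."""
    ranges = {}
    for line in (l.strip() for l in conf.splitlines()):
        m = None if line.startswith(("#", ";")) else RANGE_RE.match(line)  # skip comments
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of domains whose ranges intersect; idmap ranges must be disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if max(ranges[a][0], ranges[b][0]) <= min(ranges[a][1], ranges[b][1])]

def parse_ldif(text):
    """Split LDIF into users {sAMAccountName: {...}} and groups {dn: {...}}."""
    users, groups = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entry = {"gid": int(attrs["gidNumber"][0]) if "gidNumber" in attrs else None,
                 "memberOf": attrs.get("memberOf", [])}
        if "group" in attrs.get("objectClass", []):
            groups[attrs["dn"][0]] = entry
        else:
            entry["uid"] = int(attrs["uidNumber"][0]) if "uidNumber" in attrs else None
            users[attrs["sAMAccountName"][0]] = entry
    return users, groups

def all_groups(entry, groups):
    """Transitive group membership (winbind nested groups = yes makes all of it count)."""
    seen, todo = set(), list(entry["memberOf"])
    while todo:
        dn = todo.pop()
        if dn not in seen:
            seen.add(dn)
            todo.extend(groups.get(dn, {}).get("memberOf", []))
    return seen

def unmappable_users(users, groups, rng):
    """Map user -> reason for every user idmap_ad cannot map completely."""
    low, high = rng
    inside = lambda n: n is not None and low <= n <= high
    reasons = {}
    for name, u in users.items():
        if not inside(u["uid"]):
            reasons[name] = f"uidNumber {u['uid']} missing or outside {low}-{high}"
        elif not inside(u["gid"]):
            reasons[name] = f"primary gidNumber {u['gid']} missing or outside {low}-{high}"
        else:
            for dn in all_groups(u, groups):
                gid = groups.get(dn, {}).get("gid")
                if not inside(gid):
                    reasons[name] = f"member of {dn} (gidNumber {gid}) outside {low}-{high}"
                    break
    return reasons
```

Run it as `r = parse_idmap_ranges(SMB_CONF); print(overlapping_ranges(r)); print(unmappable_users(*parse_ldif(LDIF), r["ALTEA"]))`: the sample reports the `*`/ALTEA overlap, flags steve2 because of the nfsusers gidNumber 5000 and Administrator because it has no uidNumber at all, and leaves steve1 alone. Against a real domain, feed it the output of `ldapsearch -x -LLL ... '(|(objectClass=user)(objectClass=group))' sAMAccountName uidNumber gidNumber memberOf objectClass` instead of the constructed LDIF.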
Re: [Samba] Samba4 DC with Samba3 file-server howto
On 2012-08-15 13:02, steve wrote:
Hi
I have a Samba4 DC (hh30.hh3.site, 192.168.1.30) and a Samba3 VM on the same box (hh33.hh3.site, 192.168.1.33). How do I tell XP and 7 clients to look at the S4 DC for authentication and the S3 fileserver for files? It already does the authentication bit OK. It's mainly the second part of the question as to how to instruct the m$ boxes to look at the file-server rather than the DC for files.
Cheers,
Steve

Hi,
It depends on what you mean by having to look at. One way is to write some logon scripts, by which they would map the shares as drives (of course that supposes having the Samba3 boxes joined to the AD of Samba4). If you intend to share some home directories, then create the home share on Samba3 and specify the homepath for each user as \\samba3servershostname\%USERNAME% and a homedrive according to your taste (I had chosen U: (about 10 years ago (Samba 2.2.something))). If you want to redirect some folders (e.g. Documents, Desktop, etc.) you can do that by firing up the group policy editor and specifying the redirects there.
Regards
Geza
Re: [Samba] Domain Admin cannot access files
On 2012-08-15 18:59, steve wrote:
Hi
I just joined a Samba 3.6.3 machine as a file server for a Samba4 domain. Normal users can login and reach the shares apart from the domain Administrator. After Administrator has logged in, any attempt to reach the file server results in a username and password prompt. Supplying the correct information still will not allow share access for Administrator. Using s3fs under Samba4, Administrator is allowed full access without being asked for a password. What am I missing?
Cheers,
Steve

[global]
  workgroup = MARINA
  realm = hh3.site
  security = ADS
[home]
  path = /home2/MARINA
  read only = No
[staff]
  path = /home2/staff
  read only = No

IF this is a Samba3 config file, you DO NOT need to specify a path for a [homes] share. That way (a correctly configured Samba3 box (HERE COMES winbind into PLAY!)) will give each user its own home share. I've pasted a default [homes] section from an ubuntu 12.04 box (I'm using it only for running winbind on it to allow login of domain users, no samba running on that box); as you can see it is still commented out:

;[homes]
;   comment = Home Directories
;   browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only username can connect to \\server\username
# The following parameter makes sure that only username can connect
#
# This might need tweaking when using external authentication schemes
;   valid users = %S

Regards
Geza Gemes
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 2012-08-14 23:15, steve wrote:
On 12/08/12 17:45, Gémes Géza wrote:
On 2012-08-12 16:26, steve wrote:
On 12/08/12 15:28, Gémes Géza wrote:
On 2012-08-12 09:31, steve wrote:
On 08/11/2012 01:10 PM, Andrew Bartlett wrote:
On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote:
Hi Geza, hi everyone
OK, conclusion. I have a single box with s4 DC. The same box with a Vbox guest running S3.6, and NFS. The S4 DC becomes a NFS client when I mount the shares from the Vbox guest on it. I create users and their home directories on the DC. Files are served from the S3 Vbox guest. The DC has no shares apart from [global], [netlogon] and [sysvol]. The s3 guest carries all the shares I would normally add after the 3 default DC shares. Instead of using the hostname of the DC when I mount shares on remote clients, I use the hostname of the S3 Guest. How am I doing so far?
Cheers,
Steve

Hi,
IMHO what you've written could be a short HOWTO for using Samba4 in a network (maybe just without the virtualbox part ;-) ). If this is more than a test setup I would recommend using Xen or KVM for virtualisation (My production boxes run on top of Xen for about 6 years, and at home I use KVM (for running test setups) (was easier to set up on a Desktop machine), (used Virtualbox before (didn't have hardware support for KVM))).

Hi,

Hi Geza, hi everyone
Thanks. Praise indeed coming from a dev of your status :)

Please do not overestimate the occasional patches I've submitted.

I'd still like to see s3fs cope with file serving on the DC itself, as it's sooo much easier to setup. What is wrong with Vbox? Is Xen any smaller or faster?

Both smaller and faster (http://www.phoronix.com/scan.php?page=articleitem=ubuntu_1110_xenkvmnum=1), and unlike vbox both kvm and xen provide a way to boot your virtual machine at the boot of the host.

Our DC has only 2GB RAM. Running a VM on top of it is already asking a lot of it. Also we have rpm's for host and guest out of the box on openSUSE. Can you take snapshots on Xen like on Vbox and roll back when you screw up?

On the NFS side of affairs I see it is impossible to create a group rw NFS4 share from a 0022 umask. The NFS devs seem unwilling or unable to do anything about it. Meanwhile the NFS3 Kerberos backport works well enough. Any ideas?

A separate partition with a 0002 umask.

Can I do that on the same disk?
Cheers,
Steve
Re: [Samba] RFC2307, AD, and Samba 3.6
Hi,

Hi all,
I'm still struggling with getting samba 3.6 to use the uids and gids from my Active Directory 2008 R2 setup. I can see the users, I just can't get their UIDs mapped onto my linux machine. I've configured AD to use its services for unix feature, and through that, I got a Unix Attributes tab where I could enter fields like uid, home dir, shell, and primary GID. My few questions:
1. Am I supposed to configure Samba to use rfc2307, or sfu?
2. As you can see in my config, below, I've configured an idmap range for the AD domain. It seems to be ignored, and instead, my users get placed in the wildcard domain's idmap range.
3. I found some advice (don't remember where) to try to delete these files when I change this part of my config: /var/run/samba/gencache* /var/cache/samba/winbindd_cache.tdb /var/lib/samba/winbindd_idmap.tdb Any thoughts about the need/value to delete these temp files is appreciated.
4. Finally, does anyone have suggestions of other things I can try?
thanks very much.
best,
-Nick

According to man idmap_ad you should have a generic idmap backend line as well, like:
idmap backend = tdb
idmap uid range = some uninteresting range
idmap gid range = some uninteresting range
I've written uninteresting range, because you should specify a range where you haven't placed your users via ADUC.

[global] (from my smb.conf)
  workgroup = CORP
  server string = %h server (Samba, Ubuntu)
  security = ADS
  realm = CORP.xxx.COM
  allow trusted domains = yes
  winbind use default domain = yes
  winbind nested groups = YES
  winbind nested groups = YES
  winbind enum groups = yes
  winbind enum users = yes
  winbind nss info = rfc2307
  winbind refresh tickets = yes
  idmap config CORP : backend = ad
  idmap config CORP : schema_mode = rfc2307
  #idmap config CORP : range = 1000 - 9
  idmap config * : default = yes
  #idmap config * : backend = tdb
  #idmap config * : range = 10 - 19
  idmap config * : range = 900 - 1999
  encrypt passwords = true
  obey pam restrictions = yes
  client use spnego = yes
  client ntlmv2 auth = yes
  encrypt passwords = true
  restrict anonymous = 2

When I perform an ldapsearch against my server, I see these attributes, among others:
msSFU30Name: nick
msSFU30NisDomain: corp
uidNumber: 1001
gidNumber: 1000
unixHomeDirectory: /home/nick
loginShell: /bin/bash

Regards
Geza
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 2012-08-12 09:31, steve wrote:
On 08/11/2012 01:10 PM, Andrew Bartlett wrote:
On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote:
Hello Andrew, you wrote on 11.08.12:
In Samba3, I have full rfc2307 compliance via winbind where all attributes can be obtained from AD. In Samba4 I only have partial rfc2307 compatibility with: idmap_ldb:use rfc2307 = yes. uidNumber and gidNumber can be obtained from AD but unixHomeDirectory and loginShell are missing. [...]
At this stage, we still don't recommend combining file server and DC functions. By separating these functions onto different (virtual) servers, you can avoid this issue.
Sorry - that sounds ugly. I prefer using samba as a combined system for SOHO (especially for schools). And working with several servers (especially virtual servers) is not attractive for someone who looks after the server as a second or third job, beneath his/her main job.
I would rather advertise a narrower, known to work set of functionality than promise broader features than we know work well in production experience. In particular, we know about the limitations that Steve mentions, and we know the workaround: don't mix the file server and AD DC.
Andrew Bartlett

Hi
Does this mean having one Samba4 machine as the DC and another Samba4 (e.g. Vbox) machine joined to it as a member to act as fileserver?
Cheers,
Steve

If you don't want to use the second box interactively, yes; if you intend to login there, or have home directories served from there, better install Samba3.6 on it.
Regards
Geza
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 2012-08-12 16:26, steve wrote:
On 12/08/12 15:28, Gémes Géza wrote:
On 2012-08-12 09:31, steve wrote:
On 08/11/2012 01:10 PM, Andrew Bartlett wrote:
On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote:
Hello Andrew, you wrote on 11.08.12:
In Samba3, I have full rfc2307 compliance via winbind where all attributes can be obtained from AD. In Samba4 I only have partial rfc2307 compatibility with: idmap_ldb:use rfc2307 = yes. uidNumber and gidNumber can be obtained from AD but unixHomeDirectory and loginShell are missing. [...]
At this stage, we still don't recommend combining file server and DC functions. By separating these functions onto different (virtual) servers, you can avoid this issue.
Sorry - that sounds ugly. I prefer using samba as a combined system for SOHO (especially for schools). And working with several servers (especially virtual servers) is not attractive for someone who looks after the server as a second or third job, beneath his/her main job.
I would rather advertise a narrower, known to work set of functionality than promise broader features than we know work well in production experience. In particular, we know about the limitations that Steve mentions, and we know the workaround: don't mix the file server and AD DC.
Andrew Bartlett

Hi
Does this mean having one Samba4 machine as the DC and another Samba4 (e.g. Vbox) machine joined to it as a member to act as fileserver?
Cheers,
Steve

If you don't want to use the second box interactively, yes; if you intend to login there, or have home directories served from there, better install Samba3.6 on it.
Regards
Geza

Hi Geza, hi everyone
OK, conclusion. I have a single box with s4 DC. The same box with a Vbox guest running S3.6, and NFS. The S4 DC becomes a NFS client when I mount the shares from the Vbox guest on it. I create users and their home directories on the DC. Files are served from the S3 Vbox guest. The DC has no shares apart from [global], [netlogon] and [sysvol]. The s3 guest carries all the shares I would normally add after the 3 default DC shares. Instead of using the hostname of the DC when I mount shares on remote clients, I use the hostname of the S3 Guest. How am I doing so far?
Cheers,
Steve

Hi,
IMHO what you've written could be a short HOWTO for using Samba4 in a network (maybe just without the virtualbox part ;-) ). If this is more than a test setup I would recommend using Xen or KVM for virtualisation (My production boxes run on top of Xen for about 6 years, and at home I use KVM (for running test setups) (was easier to set up on a Desktop machine), (used Virtualbox before (didn't have hardware support for KVM))).
Regards
Geza
P.S. Sorry for the off-topic about virtualisation.
Re: [Samba] idmap confusion
On 2012-08-04 12:07, steve wrote:
On 03/08/12 21:54, Gémes Géza wrote:
On 2012-08-03 18:46, steve wrote:
On 03/08/12 13:39, Gémes Géza wrote:
On 2012-08-03 13:07, steve wrote:
Three unfathomable questions:
1. What's the difference between:
idmap_ldb : use rfc2307 = Yes

It is a samba4 winbind setting, so you need it on the Samba4 AD controller only

and
idmap config * : backend = ad

the correct form is:
idmap config SOMEDOMAINNAME : backend = ad
and instructs the winbind from the samba3 suite to look up the uids/gids from AD for accounts in SOMEDOMAINNAME

2. Do the terms in (1) above apply equally to Samba4 beta6 and Samba 3.6.3?
3. If I specify either in (1) then idmap config : range = abc-xyz becomes meaningless.

No. With idmap_ad you map all not specifically configured domains using:
idmap backend = tdb
idmap uid = some uninteresting range
idmap gid = some uninteresting range
then for each DOMAIN you want to get the idmap information from the AD, you specify:
idmap config INTERESTINGDOMAIN1 : backend = ad
idmap config INTERESTINGDOMAIN1 : range = first range
idmap config INTERESTINGDOMAIN2 : backend = ad
idmap config INTERESTINGDOMAIN2 : range = second range
and so on.

Cheers,
Steve

Regards
Geza

Hi Geza
On the Samba4 DC: Despite having:
idmap config INTERESTINGDOMAIN1 : backend = ad
idmap config INTERESTINGDOMAIN1 : range = first range

No! You have misunderstood how things work currently. On Samba4 those settings have NO meaning. The only smb.conf setting which is meaningful for the samba4 winbind is that with rfc2307. All the idmap_ad options have to be written in the samba3 clients' smb.conf.

Hi Geza
Thanks. Got it.
Samba4 DC:
idmap_ldb use : rfc2307 = Yes
Samba3.6 client:
idmap config INTERESTINGDOMAIN1 : backend = ad
idmap config INTERESTINGDOMAIN1 : range = abitlessthanlowestnumberIhaveforUID/GID - abitbiggerthanthebiggestnumberforUID/GID
How does that look?
Cheers,
Steve

Looking good, but please don't forget about the uninteresting part with the tdb backend on samba3.
Regards
Geza
Re: [Samba] winbind: uid range is ignored
On 2012-08-03 10:22, steve wrote:
On 03/08/12 09:01, NdK wrote:
On 03/08/2012 08:01, steve wrote:
getent passwd/group works fine. I get the names and corresponding uid:gid numbers within the range specified in smb.conf but all I get when I list files on the nfs share are numerical uid:gid values. I want those values to be DOMAIN\username DOMAIN\group rather than numerical values. How do I do that?

Use *the same* range on both server and clients.

Hi Diego
Thanks for your patience in helping me sort this. It doesn't seem to matter. I can have the same id range on both server and client. What is uid 327 on the server becomes uid 302 on the client. The uid:gid values are not in the range set in smb.conf. They are the uid:gid values in idmap _on the server_. It's as if nsswitch is ignoring winbind.

Obvious. NFS passes *numeric* IDs, so if a file is owned by userid 123456 on the server, then the client will see the same 123456 uid. That, if not correctly mapped, would give another user access to it (negating access to the original one).

That's exactly my point. My 327 maps correctly to DOMAIN\steve2 on the server but getent passwd on the client gives DOMAIN\steve2 as 302. If steve2 logs in and creates a file it becomes uid 327 and _not_ 302. If winbind is doing the mapping correctly it should map 327 to 302 and when I list a file that I have made it should give me back a uid of DOMAIN\steve2. It doesn't. The file created has uid 327 which works _but_ I want to see uid's as names, not numbers. I've also tried adding posixAccount, uidNumber and gidNumber to pull the uid:gid directly from AD with:
idmap config * : backend = ad
but then, getent passwd gives me no list of users. Really stuck on this one. . . The client is Ubuntu 12.04 with samba 3.6.3. Maybe 3.6.3 has bugs?
Cheers,
steve

Please try with
idmap backend = tdb
idmap uid = some uninteresting range
idmap gid = some uninteresting range
idmap config YOURDOMAINNAMEHERE : backend = ad
idmap config YOURDOMAINNAMEHERE : range = the range you want your uids/gids to be
Like in http://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
Regards
Geza Gemes
Re: [Samba] idmap confusion
On 2012-08-03 13:07, steve wrote:
Three unfathomable questions:
1. What's the difference between:
idmap_ldb : use rfc2307 = Yes

It is a samba4 winbind setting, so you need it on the Samba4 AD controller only

and
idmap config * : backend = ad

the correct form is:
idmap config SOMEDOMAINNAME : backend = ad
and instructs the winbind from the samba3 suite to look up the uids/gids from AD for accounts in SOMEDOMAINNAME

2. Do the terms in (1) above apply equally to Samba4 beta6 and Samba 3.6.3?
3. If I specify either in (1) then idmap config : range = abc-xyz becomes meaningless.

No. With idmap_ad you map all not specifically configured domains using:
idmap backend = tdb
idmap uid = some uninteresting range
idmap gid = some uninteresting range
then for each DOMAIN you want to get the idmap information from the AD, you specify:
idmap config INTERESTINGDOMAIN1 : backend = ad
idmap config INTERESTINGDOMAIN1 : range = first range
idmap config INTERESTINGDOMAIN2 : backend = ad
idmap config INTERESTINGDOMAIN2 : range = second range
and so on.

Cheers,
Steve

Regards
Geza
Re: [Samba] idmap confusion
On 2012-08-03 18:46, steve wrote:
On 03/08/12 13:39, Gémes Géza wrote:
On 2012-08-03 13:07, steve wrote:
Three unfathomable questions:
1. What's the difference between:
idmap_ldb : use rfc2307 = Yes

It is a samba4 winbind setting, so you need it on the Samba4 AD controller only

and
idmap config * : backend = ad

the correct form is:
idmap config SOMEDOMAINNAME : backend = ad
and instructs the winbind from the samba3 suite to look up the uids/gids from AD for accounts in SOMEDOMAINNAME

2. Do the terms in (1) above apply equally to Samba4 beta6 and Samba 3.6.3?
3. If I specify either in (1) then idmap config : range = abc-xyz becomes meaningless.

No. With idmap_ad you map all not specifically configured domains using:
idmap backend = tdb
idmap uid = some uninteresting range
idmap gid = some uninteresting range
then for each DOMAIN you want to get the idmap information from the AD, you specify:
idmap config INTERESTINGDOMAIN1 : backend = ad
idmap config INTERESTINGDOMAIN1 : range = first range
idmap config INTERESTINGDOMAIN2 : backend = ad
idmap config INTERESTINGDOMAIN2 : range = second range
and so on.

Cheers,
Steve

Regards
Geza

Hi Geza
On the Samba4 DC: Despite having:
idmap config INTERESTINGDOMAIN1 : backend = ad
idmap config INTERESTINGDOMAIN1 : range = first range

No! You have misunderstood how things work currently. On Samba4 those settings have NO meaning. The only smb.conf setting which is meaningful for the samba4 winbind is that with rfc2307. All the idmap_ad options have to be written in the samba3 clients' smb.conf.

and with /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
getent passwd/group return _all_ objects with or without posixAccount uidNumber or posixGroup gidNumber. I expected that with those settings, getent passwd would return only e.g. users with a uidNumber. Maybe I have a tdb to clear somewhere?
Cheers,
Steve

Regards
Geza
Re: [Samba] Samba4: net ads join fails: Host is not configured as a member server.
On 2012-08-02 09:01, steve wrote:
> Hi everyone
> I'm trying to join an Ubuntu 12.04 client to a 12.04 Samba4 DC. xp and win7 clients can join fine.
> Here is my minimal smb.conf
> realm = POLOP.SITE
> workgroup = POLOP
> security = ADS
>
> Kerberos is working:
> kinit Administrator
> Password for administra...@polop.site:
>
> But then it tells me that the DC is _not_ a DC:
> net ads join -UAdministrator
> Host is not configured as a member server.
> Invalid configuration. Exiting
> Failed to join domain: This operation is only allowed for the PDC of the domain.
>
> and:
> net ads testjoin
> Failed to open /usr/local/samba/private/secrets.tdb
> Join to domain is not valid: Access denied
>
> Can anyone help me tell the Ubuntu client that it really _is_ a DC? Or WHY.
> Cheers,
> Steve

Hi,
The most probable reason is having different versions of samba binaries installed. Using net ads ... suggests the use of samba3 client tools installed from packages; the path /usr/local/samba/private/secrets.tdb suggests a Samba built from source via ./configure; make; make install (which corresponds to a Samba4 install).
Regards
Geza Gemes
Re: [Samba] winbind: uid range is ignored
On 2012-08-02 17:45, steve wrote:
> On 02/08/12 17:14, Bjoern Baumbach wrote:
>> Hi Steve,
>> please use idmap config * : range = ... instead of idmap uid/gid.
>
> Thanks Jonathan and Bjoern
> I have that now. I chose:
> idmap config * : range = 3-4
> I have deleted the winbind files from /var/lib/samba and /var/cache/samba and restarted smbd and winbind but the idmap ranges are still at the old values. In fact they are the same numerical values as on the DC e.g.
> -rw-r--r-- 1 337 20513 0 Aug 2 17:34 file1
> Back on the DC/fileserver that is correctly mapped as:
> -rw-r--r-- 1 POLOP\steve2 Domain Users 0 Aug 2 17:34 file1
> Is there a cache somewhere else? I have even totally purged the whole of samba and reinstalled from nothing but still the old values reappear. How do I lose the old values so it accepts my new range and maps the files correctly as humanly readable uid:gid pairs rather than numbers? nscd is not active.
> cheers
> Steve
>
> /etc/samba/smb.conf
> [global]
> realm = polop.site
> workgroup = POLOP
> security = ADS
> wide links = Yes
> unix extensions = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config * : backend = tdb
> idmap config * : range = 3-4

I would suggest using idmap_ad: http://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
Regards
Geza Gemes
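The idmap threads above ("idmap confusion" and this one) turn on two things that are easy to get wrong in smb.conf: the per-domain "idmap config DOMAIN : range" lines must not overlap each other or the "*" catch-all, and the old "idmap uid/gid" settings should be gone. The following script is an added example for checking that, not anything posted in the thread; the smb.conf it writes is constructed, and YOURDOMAIN, TRUSTED and the ranges are placeholders.

```shell
#!/bin/sh
# Added example, not from the list thread: sanity checks on the idmap lines of an
# smb.conf. The sample file below is constructed; domain names and ranges are placeholders.

# Write a constructed smb.conf so the checks can run offline. $1: output path.
write_sample_smbconf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = YOURDOMAIN
   realm = YOURREALM
   security = ads
   # old-style setting; superseded by "idmap config * : range"
   idmap uid = 3000-7999
   # catch-all for domains that have no explicit idmap config
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # the domain whose uids/gids come from the rfc2307 attributes in AD
   idmap config YOURDOMAIN : backend = ad
   idmap config YOURDOMAIN : range = 10000-19999
   idmap config YOURDOMAIN : schema_mode = rfc2307
   # a trusted domain whose range was chosen carelessly
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 15000-24999
EOF
}

# Print "DOMAIN LOW HIGH" for every "idmap config DOMAIN : range = LOW-HIGH" line.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*[^: ]\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$1"
}

# Print "DOMAIN_A DOMAIN_B" for every pair of domains whose ranges overlap.
# Overlapping ranges let one numeric uid/gid stand for two different SIDs.
idmap_overlaps() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        print dom[i], dom[j]
        }'
}

# Print ranges whose low bound is not below the high bound (winbind rejects them).
idmap_inverted() {
    idmap_ranges "$1" | awk '$2 >= $3 { print $1, $2 "-" $3 }'
}

# Print deprecated "idmap uid" / "idmap gid" lines, which the thread advises replacing
# with "idmap config * : range".
idmap_legacy_lines() {
    grep -E '^[[:space:]]*idmap (uid|gid)[[:space:]]*=' "$1"
}

# Stand-alone use: sh idmap_check.sh /etc/samba/smb.conf
if [ $# -gt 0 ]; then
    echo "overlapping ranges:"; idmap_overlaps "$1"
    echo "inverted ranges:";    idmap_inverted "$1"
    echo "legacy idmap lines:"; idmap_legacy_lines "$1"
fi
```

On the constructed file the overlap check reports YOURDOMAIN against TRUSTED (15000-19999 is claimed by both) and the legacy check reports the "idmap uid" line; testparm will also warn about overlapping ranges, but this runs without a Samba install and can be dropped into a config review.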
Re: [Samba] Fwd: Fwd: Fwd: Fwd: Re: Fwd: Re: Samba 4 Smart card logon
On 2012-07-12 10:47, Charalampos Anargyrou wrote:
> I have finally found out that my problems had to do with wrong certificates. The commands I used to generate the certificates were taken from http://k5wiki.kerberos.org/wiki/Pkinit_configuration
> I downloaded and built heimdal 1.5.2 (I couldn't find hxtool in samba 4, that's why I used the instructions for OpenSSL in the MIT Kerberos Wiki for the certificates in the first place). Using the hxtool I created new certificates and ... Success!
> Now that Heimdal has been configured to accept PKINIT, it's time to configure Samba4 to know about the certificate. Can anyone point me where to look for Samba 4 configuration options for PKINIT?
> Kind Regards,
> Charalampos
>
> -------- Original Message --------
> Subject: Fwd: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
> Date: Thu, 05 Jul 2012 13:04:21 +0300
> From: Charalampos Anargyrou charalampos.anargy...@gmail.com
> To: samba@lists.samba.org
>
> Ok, I managed to solve some of my problems
> I had typographic errors in my /etc/krb5.conf
> Specifically I had
> [kdc]
> enable_pkinit = yes
> pkinit_identify = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
> Changed to
> [kdc]
> enable-pkinit = yes
> pkinit_identity = FILE:/home/virusakos/Downloads/kdc.pem,/home/virusakos/Downloads/kdckey.pem
> I have also enabled debugging by stopping the samba service and starting samba with:
> samba -i -M single -d3
> Tried again to test samba4kinit with certificate with:
> /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
> which again produces
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
> but I can at least see in the console this:
> Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
> Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
> Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
> Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
> Kerberos: PKINIT: Couldn't find signers certificate
> Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
> Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
> Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
> Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
> Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
> Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
> Kerberos: PKINIT: Couldn't find signers certificate
> Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
> Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
>
> -------- Original Message --------
> Subject: Fwd: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
> Date: Thu, 05 Jul 2012 12:01:13 +0300
> From: Charalampos Anargyrou charalampos.anargy...@gmail.com
> To: samba@lists.samba.org
>
> I've checked the source code and found out the enctypes I can test
> /opt/samba-master/bin/samba4kinit -e arcfour-hmac-md5 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
> produces
> samba4kinit: krb5_get_init_creds: Already tried pkinit, looping
> For the rest of the enctypes
> /opt/samba-master/bin/samba4kinit -e aes256-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
> /opt/samba-master/bin/samba4kinit -e aes128-cts-hmac-sha1-96 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
> /opt/samba-master/bin/samba4kinit -e des3-cbc-sha1 --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
> /opt/samba-master/bin/samba4kinit -e des3-cbc-none --request-pac --renewable --pk-user=FILE:/home/virusakos/Downloads/client.pem virusakos@SERVER.CENTOSDOMAIN
> I get
> samba4kinit: krb5_get_init_creds: KDC has no support for encryption type
> Looking on the Internet, I found a suggestion to write
> allow_weak_crypto = true
> under [libdefaults] in /etc/krb5.conf, which I did, but I still get the same messages back
> Can anyone understand what could be my problem?
>
> -------- Original Message --------
> Subject: Fwd: Re: [Samba] Fwd: Re: Samba 4 Smart card logon
> Date: Wed, 04 Jul 2012 20:22:12 +0300
> From: Charalampos Anargyrou charalampos.anargy...@gmail.com
> To: samba@lists.samba.org
>
> I have followed the instructions on http://k5wiki.kerberos.org/wiki/Pkinit_configuration and created CA and certificates with
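The KDC debug output in the thread is the kind of thing worth summarising rather than reading line by line: a PREAUTH-REQUIRED answer to a first AS-REQ is the normal start of an exchange, while repeated "PKINIT: failed to verify signature" for the same principal means the KDC does not trust the client certificate (the root cause the poster eventually found). The script below is an added example and not something from the thread; its log is constructed in the shape of the thread's "Kerberos:" lines, and the second principal (alice) and its address are invented.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise PKINIT pre-authentication outcomes
# per client principal from Heimdal/Samba4 KDC debug output (the "Kerberos:" lines the
# thread shows). The log below is constructed in the same shape as the thread's lines;
# the second principal and its address are invented.

sample_kdc_log() {
    cat <<'EOF'
Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:49289 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: AS-REQ virusakos@SERVER.CENTOSDOMAIN from ipv4:172.16.9.134:44976 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: PK-INIT(win2k), 132, 128
Kerberos: Looking for PKINIT pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: PKINIT: failed to verify signature: No signers where found: 569890
Kerberos: PKINIT: Couldn't find signers certificate
Kerberos: Failed to decode PKINIT PA-DATA -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: Looking for ENC-TS pa-data -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- virusakos@SERVER.CENTOSDOMAIN
Kerberos: AS-REQ alice@SERVER.CENTOSDOMAIN from ipv4:172.16.9.77:50001 for krbtgt/SERVER.CENTOSDOMAIN@SERVER.CENTOSDOMAIN
Kerberos: Client sent patypes: 128
Kerberos: Looking for ENC-TS pa-data -- alice@SERVER.CENTOSDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- alice@SERVER.CENTOSDOMAIN
EOF
}

# Read KDC log lines on stdin; print one line per client principal, sorted:
#   principal asreq=N pkinit_fail=N preauth_required=N sources=N
# A PREAUTH-REQUIRED answer to a first AS-REQ is normal; repeated PKINIT signature
# failures from one principal point at a certificate the KDC does not trust.
kdc_pkinit_summary() {
    awk '
        /^Kerberos: AS-REQ / {
            cur = $3; asreq[cur]++
            split($5, a, ":"); src[cur SUBSEP a[2]] = 1   # $5 is ipv4:ADDR:PORT
        }
        /PKINIT: failed to verify signature/ { if (cur != "") pkfail[cur]++ }
        /returning PREAUTH-REQUIRED -- / { pre[$NF]++ }
        END {
            for (p in asreq) {
                n = 0
                for (k in src) { split(k, kk, SUBSEP); if (kk[1] == p) n++ }
                printf "%s asreq=%d pkinit_fail=%d preauth_required=%d sources=%d\n",
                       p, asreq[p], pkfail[p] + 0, pre[p] + 0, n
            }
        }' | sort
}

# Principals with at least $1 PKINIT signature failures (default 2), for alerting.
kdc_pkinit_offenders() {
    kdc_pkinit_summary | awk -v min="${1:-2}" '{ split($3, f, "="); if (f[2] + 0 >= min) print $1 }'
}

# Stand-alone use: samba -i -M single -d3 2>&1 | tee kdc.log; sh kdc_triage.sh --stdin < kdc.log
if [ "${1:-}" = "--stdin" ]; then
    kdc_pkinit_summary
fi
```

The "sources" count is there because a legitimate smart-card user with a broken certificate fails from one address; the same failure count spread over many addresses is a different conversation.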
Re: [Samba] splitting services in samba4
Hi Quinn,

> Thanks for the quick response. So I guess if you wanted high availability, you would either have to implement a PDC/BDC solution with samba4 or use samba4 on top of a corosync/pacemaker cluster. Is this correct?
> br,
> Quinn
>
> On Wed, Jul 11, 2012 at 10:43 AM, Gémes Géza g...@kzsdabas.hu wrote:
>> On 2012-07-11 10:27, Quinn Plattel wrote:
>>> Question: Right now samba4 is great as an all-in-one solution (samba, kerberos, ldap, dns) in one service. Is it possible to split it up so that, for example, I run openldap on one server, kerberos on another server, and then dns/samba on a third server?
>>> br,
>>> Quinn
>> Short answer: NO
>> Longer: Windows clients expect kerberos, ldap and samba rpc+filesharing services on the same host, so if you need AD functionality you couldn't separate them. They also expect a schema (the AD schema) which is incompatible with OpenLDAP.
>> Regards
>> Geza

The multiple AD DC setup (in Active Directory every (non read-only) DC is a sort of PDC) is the tried and recommended method (even by M$).
Regards
Geza
Re: [Samba] Samba help?
Hi Miklós,

> Hello everyone,
> I have just joined this group (discussion board) and would like to know how it works. Can I just put questions out there about my Samba difficulties and hope someone can help me? Sorry to sound naïve, but I do need help with my Samba config and I have spent months, yes months, trying to get what I am told is a simple thing to work, to work for me and I just can't get it. I would love it if I could get some help because I sure do need it.
> Respectfully waiting for the kindness of strangers..
> Miklos

First of all please do not hijack other threads!
Second tell us your questions/problems!
Third if you need help in Hungarian you can contact me (I wouldn't say I'm the source of knowledge, but if I can help I won't refuse)
Regards
Geza
Re: [Samba] Samba help?
Hi Miklos,

> Hello Geza,
> I stand chastised and apologize. I didn't mean to hijack someone's thread. I also didn't plan to ask for help in Hungarian, and this is just a coincidence. However, if you can help me I'll take whatever I can get, so thank you.
> My question/problem is that I have no windows background at all and am trying to configure Samba with Active Directory. I also have no access to any windows machines to test my configuration so I don't know if it works. I believe I'm almost there but how do I know if it's really working?
> SWAT works fine, but Winbindd won't start.
>
> infadmnq:/ lssrc -g samba
> Subsystem         Group            PID          Status
>  smbd             samba            14221530     active
>  nmbd             samba            13893726     active
>  winbindd         samba                         inoperative
>
> I ran testparm and it comes back clean.
>
> infadmnq:/ testparm
> Load smb config files from /usr/lib/smb.conf
> Processing section "[samba_infaQ]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
> workgroup = HUMC
> security = DOMAIN
> auth methods = winbind
> password server = dchumc01, dchumc02
> client NTLMv2 auth = Yes
> syslog = 3
> log file = /var/log/samba
> ldap ssl = no
> idmap uid = 1-2
> idmap gid = 1-2
> winbind enum users = Yes
> winbind enum groups = Yes
>
> [samba_infaQ]
> comment = Share for DBA SAs
> path = /samba_infaQ
>
> I run:
> smbclient -L '\\fileserver1\DECN_Shared\' -U INFAservice
> and I get two pages of output starting like this:
>
>     Sharename       Type      Comment
>     ---------       ----      -------
>     CHRT_Shared     Disk      CHRT Departmental Shared Files
>     HEDU_Shared     Disk      HEDU Departmental Shared Files
>     MREC_Shared     Disk      MREC Departmental Shared Files
>     PHBL_Shared     Disk      PHBL Departmental Shared Files
>     PHRM_Shared     Disk      PHRM Departmental Shared Files
>     SLAB_Shared     Disk      SLAB Departmental Shared Files
>     SPAS_Shared     Disk      SPAS Departmental Shared Files
>     SPTY_Shared     Disk      SPTY Departmental Shared Files
>     WomenChild      Disk
>
> Thanks for all your help!!
> Miklos

First question: What do wbinfo -p, wbinfo -u and wbinfo -g return?
You wrote that you have to authenticate your users against an AD. Have you joined it (e.g. net ads join -U username_of_an_AD_user_with_the_privilege_of_joining (for example an administrator))?
Regards
Geza
Re: [Samba] Samba4 Multi-Master replication
On 2012-06-13 17:10, steve wrote:
> On 12/06/12 19:19, Gémes Géza wrote:
>> On 2012-06-12 12:16, Morten Kramer wrote:
>>> Hi guys,
>>> I'm trying to get the Samba4 multi-master replication to work.
>> With your setup DNS is the single point of failure, because with the (default) DLZ setup bind9 is able to serve DNS records only when samba4 is running on that box. My recommendation would be to try to set up DNS on the second DC too.
>
> Hi
> Would both DC's and every client have both IP's in their resolv.conf (or whatever windoze calls it)?
> Cheers,
> Steve

Short answer: Yes
Longer answer: The easiest is to do that via dhcp
Regards
Geza
Re: [Samba] Samba4 Multi-Master replication
On 2012-06-12 12:16, Morten Kramer wrote:
> Hi guys,
> I'm trying to get the Samba4 multi-master replication to work.
> I set up the primary domain controller using this howto (under CentOS 6.2 x64): http://wiki.samba.org/index.php/Samba4/HOWTO
> I installed bind 9.8.3 and enabled encrypted dns updates.
> I set up another VM with the same CentOS version and oriented myself on this howto: http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC to join the second DC into the domain. I edited /etc/resolv.conf and set the nameserver to the IP of the primary DC (bind dns server).
> Basic replication seems to work (not doing the rsync for sysvol yet). However, when I take the primary DC offline (bind keeps running), I can't use any of the .msc domain admin tools anymore. I always get an error message, telling me that there is no RPC server available. When I run gpmc.msc I can choose the DC I want to work on and I can see the secondary one, but it will come back with the RPC error.
> I had Wireshark running on one of the Windows7 clients. It seems like it tries to talk to the 2nd DC (DCERPC packets). But I'm not an expert in packet analysis, could somebody give me a hint what to look for here?
> User authentication does still work and Kerberos tickets are generated by the 2nd DC.
> I can find this in the log:
> ../source4/dsdb/kcc/kcc_topology.c:1402: failed to find nCName attribute of object CN=ac7bf69c-9458-4205-acba-6fe172412d1b,CN=Partitions,CN=Configuration,DC=aeriatest2,DC=dc,DC=loc
> ../source4/dsdb/kcc/kcc_topology.c:3158: failed to color vertices: NT_STATUS_INTERNAL_DB_CORRUPTION
> ../source4/dsdb/kcc/kcc_topology.c:3415: failed to create connections: NT_STATUS_INTERNAL_DB_CORRUPTION
> ...
> Warning: 60 extra bytes in incoming RPC request
> ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with system_session
> Do I need to configure something extra, so the secondary DC will be able to act as an RPC server?
> Thanks,
> freezer

Hi,
With your setup DNS is the single point of failure, because with the (default) DLZ setup bind9 is able to serve DNS records only when samba4 is running on that box. My recommendation would be to try to set up DNS on the second DC too.
Regards.
Geza
Re: [Samba] Samba4 for AD using existing LDAP, Kerberos, and Bind Setup.
Hi,
I don't have personal experience with it, but in case of suspecting a missing functionality IMHO you should ask at the samba-technical mailing list.
Cheers
Geza

> Geza,
> Have you actually set up a cross domain trust in Samba4 yet? My impression was that this was NOT working yet. I know you can configure the S3 server to join the S4 domain, but I don't think that's what you are talking about. I've been waiting to be able to set up a domain trust for some time now (with a WS2008 DC trusting a Samba4 based domain), and would love to know if you've found a way to do it!
>
> On Wed, May 16, 2012 at 1:26 AM, Gémes Géza g...@kzsdabas.hu wrote:
>> On 2012-05-16 04:28, David Minard wrote:
>>> We run Apple's OD to support our Linux, Mac, and Windows clients and servers. We are under pressure to use AD because more and more software coming out for Windows requires it. We don't want to use AD, so Samba4 looks good. However, we don't want to pull apart our directory to implement samba4. Is there a way to get Samba 4 running so that it is able to use the existing LDAP and Kerberos set up for user info and user auth look up, still support Windows clients with AD, and still use our existing bind for general host look ups, but use samba4's own internal DNS for AD stuff?
>>> Cheers, David.
>> If Apple's solution is based on Samba3 (I have no personal experience with it), you would probably need two domains: the existing one and a new Samba4 one. Then set up a cross-domain trust between them. Then join your windows boxes to the Samba4 domain.
>> Regards
>> Geza
>
> --
> Charles Tryon
> "Risks are not to be evaluated in terms of the probability of success, but in terms of the value of the goal." - Ralph D. Winter
Re: [Samba] Samba4 for AD using existing LDAP, Kerberos, and Bind Setup.
On 2012-05-16 04:28, David Minard wrote:
> We run Apple's OD to support our Linux, Mac, and Windows clients and servers. We are under pressure to use AD because more and more software coming out for Windows requires it. We don't want to use AD, so Samba4 looks good. However, we don't want to pull apart our directory to implement samba4. Is there a way to get Samba 4 running so that it is able to use the existing LDAP and Kerberos set up for user info and user auth look up, still support Windows clients with AD, and still use our existing bind for general host look ups, but use samba4's own internal DNS for AD stuff?
> Cheers, David.

If Apple's solution is based on Samba3 (I have no personal experience with it), you would probably need two domains: the existing one and a new Samba4 one. Then set up a cross-domain trust between them. Then join your windows boxes to the Samba4 domain.
Regards
Geza
Re: [Samba] Samba4 Localization
On 2012-04-10 17:28, German Molano wrote:
> Hi there, is there any way to add self localization names to the default groups and users created by provision at the initial setting up of samba4? If so let me know how to go about it. I want to add spanish localization to the default setup.
> German Molano

I would suggest sending this (development related) question to samba-technical instead.
Geza
Re: [Samba] windows and nfs4 acls
On 2012-02-28 08:27, steve wrote:
> Hi everyone
> We're really struggling with nfs4 -- windows acls.
> Scenario
> Samba4 share -- cifs -- win7. No problem
> Samba4 share -- nfs4 -- Linux. acls not inherited
> Neither is there inheritance vice versa. e.g. It is not possible to create files with group rw on a umask 0022 nfs4 share. nfs4_setfacl cannot override umask. Using POSIX or windows acls this works fine. I've approached the nfs4 devs and they've said that they'll look into it, but so far. Exporting nfs4 with -o noacl (in the hope that the windows acl would take effect) has no effect.
> 1. Is it possible to get Samba to override the nfs4 acl and use whatever I've set on windows security acl instead?
> 2. Is there a way to export a single directory with a umask of my choice?
> 3. Would it be reasonable to ask my distro (openSUSE) to consider this problem as a feature request? Perhaps as a patch over nfs4_setfacl?
> Thanks,
> L S at lcb

IMHO Samba4 sets the windows (non posix) acls as extended attributes. In order to get them applied on the Linux (or NFS4) side there should be a Linux kernel security module (LSM) which would override the posix acls.
Regards
Geza
Re: [Samba] Samba4 xidNumber and idmap.ldb
On 2012-02-26 10:28, steve wrote:
> Hi everyone
> The s4 Domain Users group has xidNumber: 100 and the Linux users group has gidNumber=100. I've been mapping xidNumber -- gidNumber for s4 posix groups I've added myself, but this causes a name collision for Domain Users. This also has implications on Linux as local users have access to the group owned stuff of Domain users. I've changed the xidNumber in idmap.ldb to 2000 and posix-ified my Domain Users correspondingly. Everything still works, well, it works for one test user at least.
> 1. Does xidNumber: 100 have any special meaning to windows?
> 2. To help readability, would it be possible to add a label to common entries in idmap to help us identify them?
> Cheers,
> Steve

1. idmap.ldb is private to the Samba4 box so windows sees nothing from xids
2. xids are there as (I hope) a temporary solution for storing uids, gids in a unified manner; if those attributes would be visible windows would still ignore them
Regards
Geza
Re: [Samba] Samba4 gid-to-sid question
On 2012-02-16 11:39, steve wrote:
> On 02/16/2012 06:58 AM, Gémes Géza wrote:
>> On 2012-02-16 02:01, steve wrote:
>>> Hi.
>>> We used info from a SID created using samba-tool group add to posix-ify it and then add a posix-ified domain user to it. The AD doco defines two sorts of SID. Ones that change, and ones that don't. Here is a search on our posix-ified group:
>>> ldbsearch --url=/usr/local/samba/private/idmap.ldb 'xidnumber=312'
>>> objectSid: S-1-5-21-980186919-4150830324-975011627-1121
>>> We set the primaryGroupID of the user to 1121, his gidNumber to 312 and his uidNumber from wbinfo. He becomes visible to Linux via nss-ldapd, whilst retaining his Domain User status on the windows side:-)
>>> My question is, to which category of SID does S-1-5-21-980186919-4150830324-975011627-1121 belong? Can we assume that this is fixed for the life of the domain? Under what circumstances could s4 change it, and if it did, would we be given warning?
>>> Thanks,
>>> Steve
>> Hi
>> SIDs over S-1-5-21-.-1000 are ordinary SIDs used by windows for users and groups. The M$ docs describe modifying the SID as a very dangerous, unsupported operation with unpredictable consequences, so yes SIDs can be considered as something carved in stone.
>> Regards
>> Geza
>
> Hi Geza
> Thanks for the confirmation. Will s4 follow the carved in stone m$ guidelines? So far, the schema has allowed my addition of POSIX objects and attributes to the ldb's. Indeed, some of them such as posixAccount are already there, just waiting to be pulled in. Will there be any changes made which will negate this? e.g. I have a user with primaryGroupID: 1121, uidnumber: 300, unixhomedirectory: /home/workgroup/user. Will the user always have those attributes? Now? After the next git? After a s4 release? Maybe the question should be, will there be any changes made to the schema which would disallow rfc2307 attributes to be included? It's almost Friday.
> Cheers,
> Steve

Hi,
As I understand it the plan is to support rfc2307 attributes in the samba4 winbind implementation, so I would be very surprised+annoyed if they would get unsupported on Samba4
Regards
Geza
Re: [Samba] Samba4 gid-to-sid question
On 2012-02-16 02:01, steve wrote:
> Hi.
> We used info from a SID created using samba-tool group add to posix-ify it and then add a posix-ified domain user to it. The AD doco defines two sorts of SID. Ones that change, and ones that don't. Here is a search on our posix-ified group:
> ldbsearch --url=/usr/local/samba/private/idmap.ldb 'xidnumber=312'
> objectSid: S-1-5-21-980186919-4150830324-975011627-1121
> We set the primaryGroupID of the user to 1121, his gidNumber to 312 and his uidNumber from wbinfo. He becomes visible to Linux via nss-ldapd, whilst retaining his Domain User status on the windows side:-)
> My question is, to which category of SID does S-1-5-21-980186919-4150830324-975011627-1121 belong? Can we assume that this is fixed for the life of the domain? Under what circumstances could s4 change it, and if it did, would we be given warning?
> Thanks,
> Steve

Hi
SIDs over S-1-5-21-.-1000 are ordinary SIDs used by windows for users and groups. The M$ docs describe modifying the SID as a very dangerous, unsupported operation with unpredictable consequences, so yes SIDs can be considered as something carved in stone.
Regards
Geza
Re: [Samba] Samba 4, where is wbinfo 'info' stored?
Hi,
See comments/questions below:

> Hi
> When I type this:
> getent passwd steve6
> steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
> I can see that the info is coming from LDAP by looking at the ldif for cn=steve6

What is your /etc/nsswitch.conf file like?

> When I type this:
> wbinfo -i steve6
> CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false

Is this on the samba4 box? Is wbinfo the samba4 wbinfo or a samba3 one?

> Where is the info coming from now?
> Thanks,
> Steve

Regards
Geza
Re: [Samba] Samba 4, where is wbinfo 'info' stored?
Hi

On 02/13/2012 07:53 PM, Gémes Géza wrote:
> Hi,
> See comments/questions below:
>> Hi
>> When I type this:
>> getent passwd steve6
>> steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
>> I can see that the info is coming from LDAP by looking at the ldif for cn=steve6
> What is your /etc/nsswitch.conf file like?

passwd files ldap
group files ldap

>> When I type this:
>> wbinfo -i steve6
>> CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false
> Is this on the samba4 box? Is wbinfo the samba4 wbinfo or a samba3 one?

samba4 box
wbinfo = samba4
No s3 installed on this box.

>> Where is the info coming from now?
>> Thanks,
>> Steve

Samba4 stores idmap information under an idmap.ldb named ldb file which is NOT exported to AD. So you could modify things by ldbediting it directly.
Regards
Geza

Everything is OK. Login and uid:gid mapping are fine on both Linux and win7 clients. I'm just trying to script all this from the Linux side without having to tie up a win7 box to do it. The other thread explains why I know there must be a difference between wbinfo and getent:
Re: [Samba] samba-tool set default group
Cheers,
Steve

Regards
Geza
Re: [Samba] samba-tool set default group
On 2012-02-10 12:11, steve wrote:
> On 02/10/2012 12:08 PM, steve wrote:
>> On 02/09/2012 07:17 PM, Gémes Géza wrote:
>>> On 2012-02-09 14:21, steve wrote:
>>>> Hi
>>>> How do I set the default group for a user? e.g.
>>>> samba-tool group add opensuse
>>>> samba-tool group addusers opensuse steve
>>>> But steve's default group is still Users. I'm looking for something like this:
>>>> 'samba-tool group setdefaultgroup steve opensuse'
>>>> But there isn't that command. I have to do it in Windows. Is there a command I'm missing?
>>>> Cheers,
>>>> Steve
>>> IMHO currently your best bet is ldbmodify.
>>> Regards
>>> Geza
>> I tried using phpldapadmin:
>> http://4.bp.blogspot.com/-oeTty-Y6HFo/TzT49_mZe3I/ALE/zGb00l_WMC4/s320/ldapadmin.png
>> Same. I can add the user to the group but I can't find where the default group attribute or object is in ldap. What should I be looking for?
>> Thanks,
>> Steve
> Sorry:
> http://4.bp.blogspot.com/-oeTty-Y6HFo/TzT49_mZe3I/ALE/zGb00l_WMC4/s1600/ldapadmin.png

Hi,
You need to modify the user, not the group. The attribute you are looking for is: primaryGroupID
Regards
Geza
Re: [Samba] latest Samba 4 does not look in keytab
On 2012-02-10 17:58, steve wrote:
> Hi
> After upgrading to Version 4.0.0alpha18-GIT-24ed8c5 on Ubuntu 11.10, Samba 4 no longer looks in the keytab for my nfs server entry:
> mount -t nfs4 foo bar --o sec=krb5
> Kerberos: AS-REQ nfs/hh3.hh3.s...@hh3.site from ipv4:192.168.1.3:53213 for krbtgt/hh3.s...@hh3.site
> Kerberos: UNKNOWN -- nfs/hh3.hh3.s...@hh3.site: no such entry found in hdb
> The nfs entry is in the keytab:
> klist -ke /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 nfs/hh3.hh3.s...@hh3.site (des-cbc-crc)
>    1 nfs/hh3.hh3.s...@hh3.site (des-cbc-md5)
>    1 nfs/hh3.hh3.s...@hh3.site (arcfour-hmac)
> How do I tell this new version to look in the keytab? or, How do I add the nfs internally?
> Thanks,
> Steve

Hi,
First some basics, sorry if it is boring ;-)
/etc/krb5.keytab is the password file your nfs service is using in order to be able to authenticate itself with samba4's kerberos service; it could be on a completely different machine and would work in the same way. Samba4 stores the same password in its internal database (ldb) and when connected it looks it up there.
Now back to your situation: Have you re-provisioned after upgrade? If yes you need to recreate the principal and the spn for nfs, and reexport the keytab for it. If not you may need to do an upgradeprovision in order to apply the expected directory changes.
Good Luck!
Geza
Re: [Samba] Samba 4 and new Kerberos version
On 2012-02-08 09:29, steve wrote:
> On 07/02/12 20:52, Gémes Géza wrote:
>> On 2012-02-07 16:07, steve wrote:
>>> On 07/02/12 12:01, Andrew Bartlett wrote:
>>>> On Tue, 2012-02-07 at 10:24 +0100, steve wrote:
>>>>> I just got this from the mit list:
>>>>> quote
>>>>> DES transition
>>>>> ==
>>>>> The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting
>>>>> allow_weak_crypto = true
>>>>> to communicate with existing Kerberos infrastructures if they do not support stronger ciphers.
>>>>> /quote
>>>>> Does/will this apply to us?
>>>> Heimdal did this a long time ago, so yes. If you wish to use DES, you have to set that in your krb5.conf.
>>>> Andrew Bartlett
>>> Hi
>>> I'm using S4 out of the box on openSUSE 12.1. All the Kerberos transactions seem to choose arcfour. Does the des stuff apply to me?
>>> Thanks,
>>> Steve
>> Hi,
>> You need to enable weak crypto if you want to use kerberos with apps which depend on des (e.g nfs, openafs).
>> Regards
>> Geza
>
> Mmm. That's what I thought. I added that line to krb5.conf before using nfs. I commented it and it still works. The s4 nfs transactions seem to choose arcfour, not des. I can't find this documented anywhere but noises on the nfs kernel list suggest that the weak crypto is not now necessary. Will leave the line commented until nfs explodes at some stage.
> Cheers,
> Steve

Could have been fixed. I've used nfs with gss/krb a few years ago when it was working with des-cbc-crc only; have migrated to openafs since then.
Cheers
Geza
Re: [Samba] samba-tool set default group
On 2012-02-09 14:21, steve wrote:
> Hi
> How do I set the default group for a user? e.g.
> samba-tool group add opensuse
> samba-tool group addusers opensuse steve
> But steve's default group is still Users. I'm looking for something like this:
> 'samba-tool group setdefaultgroup steve opensuse'
> But there isn't that command. I have to do it in Windows. Is there a command I'm missing?
> Cheers,
> Steve

IMHO currently your best bet is ldbmodify.
Regards
Geza
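Two threads above meet here: the "gid-to-sid" thread establishes that a group's objectSid ends in a RID (1121 in the example) and that RIDs from 1000 up are ordinary, domain-created objects, and the "set default group" thread says the user's primaryGroupID attribute, set via ldbmodify, is what makes a group the default. The script below is an added example for both, not the thread's own commands: it splits a SID into domain part and RID, classifies it, and emits the LDIF an ldbmodify run would take. The domain SID is the one quoted in the thread; the user RID 1105, the DNs and the sam.ldb path in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's own commands: pick apart a SID the way the thread does
# (domain part vs. RID), classify it, and emit the LDIF that ldbmodify would take to set
# a user's primaryGroupID from a group's objectSid. The SIDs and DNs below are
# constructed placeholders (the domain SID is the one quoted in the thread).

# Print the trailing RID of a SID, e.g. S-1-5-21-...-1121 -> 1121.
sid_rid() { printf '%s\n' "${1##*-}"; }

# Print the domain part of a SID (everything before the RID).
sid_domain() { printf '%s\n' "${1%-*}"; }

# Classify a SID: "domain-object" (RID >= 1000, created by the domain), "well-known"
# (RID < 1000, fixed meaning such as 513 = Domain Users), "non-domain" (not S-1-5-21-...)
# or "invalid" when it does not parse.
sid_class() {
    case "$1" in
        S-1-5-21-*) ;;
        S-1-*) echo non-domain; return 0 ;;
        *) echo invalid; return 1 ;;
    esac
    rid=$(sid_rid "$1")
    case "$rid" in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$rid" -ge 1000 ]; then echo domain-object; else echo well-known; fi
}

# Emit an LDIF modify for ldbmodify that sets primaryGroupID on the user to the
# group's RID. Refuses if the two SIDs do not belong to the same domain, because
# primaryGroupID is a bare RID and only makes sense within the user's own domain.
#   $1 user DN   $2 user objectSid   $3 group objectSid
primary_group_ldif() {
    [ "$(sid_domain "$2")" = "$(sid_domain "$3")" ] || {
        echo "primary_group_ldif: $2 and $3 are in different domains" >&2
        return 1
    }
    [ "$(sid_class "$3")" != invalid ] || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: primaryGroupID\nprimaryGroupID: %s\n' \
        "$1" "$(sid_rid "$3")"
}

# Stand-alone use (placeholders, not a real domain):
#   sh sid_tools.sh --demo | ldbmodify --url=/usr/local/samba/private/sam.ldb
if [ "${1:-}" = "--demo" ]; then
    primary_group_ldif 'CN=steve,CN=Users,DC=example,DC=test' \
        S-1-5-21-980186919-4150830324-975011627-1105 \
        S-1-5-21-980186919-4150830324-975011627-1121
fi
```

The same-domain check is the point of the helper: primaryGroupID carries no domain part, so a RID copied from a group in another domain would silently point at whatever object happens to hold that RID locally.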
Re: [Samba] Samba 4 and new Kerberos version
On 2012-02-07 16:07, steve wrote:
> On 07/02/12 12:01, Andrew Bartlett wrote:
>> On Tue, 2012-02-07 at 10:24 +0100, steve wrote:
>>> I just got this from the mit list:
>>>
>>> quote
>>> DES transition
>>> ==
>>> The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting
>>>
>>>     allow_weak_crypto = true
>>>
>>> to communicate with existing Kerberos infrastructures if they do not support stronger ciphers.
>>> /quote
>>>
>>> Does/will this apply to us?
>>
>> Heimdal did this a long time ago, so yes. If you wish to use DES, you have to set that in your krb5.conf.
>>
>> Andrew Bartlett
>
> Hi
> I'm using S4 out of the box on openSUSE 12.1. All the Kerberos transactions seem to choose arcfour. Does the des stuff apply to me?
> Thanks,
> Steve

Hi,
You need to enable weak crypto if you want to use kerberos with apps which depend on des (e.g. nfs, openafs).

Regards
Geza
Re: [Samba] Samba 4 posixGroup mapping
On 2012-02-06 09:29, steve wrote:
> On 02/06/2012 07:19 AM, Gémes Géza wrote:
>> On 2012-02-06 01:27, steve wrote:
>>> Hi
>>> I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis. It works, e.g. when I added an existing user to the group:
>>>
>>> getent group suseusers
>>> suseusers:*:2000:
>>>
>>> and
>>>
>>> getent passwd steve4
>>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>>
>>> and id
>>> uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)
>>>
>>> but there seems to be something wrong with getent group. A local group gives this:
>>>
>>> getent group users
>>> users:x:100:machine
>>>
>>> x not *
>>>
>>> This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends:)
>>> But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
>>> Thanks,
>>> Steve
>>
>> For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files
>>
>> Regards
>> Geza
>
> Hi
> /etc/nsswitch.conf
>
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files dns
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
>
> Ah, maybe this has something to do with it.
> For the user ldapmodify I have:
>
> dn: cn=steve4,cn=Users,dc=hh3,dc=site
> changetype: modify
> add: objectclass
> objectclass: posixaccount
> -
> add: objectclass
> objectclass: shadowaccount
> -
> add: uidnumber
> uidnumber: 321
> -
> add: gidnumber
> gidnumber: 2000
> -
> add: unixhomedirectory
> unixhomedirectory: /home/CACTUS/steve2
> -
> add: loginshell
> loginshell: /bin/bash
>
> and for the group I have:
>
> dn: cn=suseusers,cn=Users,dc=hh3,dc=site
> changetype: modify
> add: objectclass
> objectclass: posixGroup
> -
> add: gidnumber
> gidnumber: 2000
>
> /etc/nslcd.conf:
>
> uid nslcd-user
> gid nslcd-user
> uri ldap://192.168.1.3
> base dc=hh3,dc=site
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map shadow uid sAMAccountName
> #map passwd gidNumber gidNumber
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> krb5_ccname /tmp/krb5cc_0
>
> Then:
>
> samba-tool group addmembers suseusers steve4
> getent group suseusers
> suseusers:*:2000:
>
> Comes out with the *
> But steve4 comes out correctly, as a local user would:
>
> getent passwd steve4
> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>
> The only difference I see is that steve4 has a shadowaccount object which can't be mapped for the group (because it doesn't have one). Is there anything else here? Any other files needed?
> In fact, I don't think I need shadowaccount mappings at all do I? Isn't that where the unix passwords are stored? But that's probably another thread.
> Thanks,
> Steve

I'm not sure but maybe you should change how nslcd.conf maps group memberships (by default it looks at membership expecting stock posixaccount and posixgroup objectclasses, while AD uses member and memberof which are close but not the same). You can safely ignore anything shadowaccount related, because you would be better authenticating via kerberos anyway.

Regards
Geza
Re: [Samba] Samba 4 posixGroup mapping
On 2012-02-06 23:58, steve wrote:
> On 02/06/2012 08:10 PM, Gémes Géza wrote:
>> On 2012-02-06 09:29, steve wrote:
>>> On 02/06/2012 07:19 AM, Gémes Géza wrote:
>>>> On 2012-02-06 01:27, steve wrote:
>>>>> Hi
>>>>> I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis. It works, e.g. when I added an existing user to the group:
>>>>>
>>>>> getent group suseusers
>>>>> suseusers:*:2000:
>>>>>
>>>>> and
>>>>>
>>>>> getent passwd steve4
>>>>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>>>>
>>>>> and id
>>>>> uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)
>>>>>
>>>>> but there seems to be something wrong with getent group. A local group gives this:
>>>>>
>>>>> getent group users
>>>>> users:x:100:machine
>>>>>
>>>>> x not *
>>>>>
>>>>> This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends:)
>>>>> But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
>>>>> Thanks,
>>>>> Steve
>>>>
>>>> For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files
>>>>
>>>> Regards
>>>> Geza
>>>
>>> Hi
>>> /etc/nsswitch.conf
>>>
>>> passwd: files ldap
>>> group: files ldap
>>> shadow: files ldap
>>> hosts: files mdns4_minimal [NOTFOUND=return] dns
>>> networks: files dns
>>> services: files
>>> protocols: files
>>> rpc: files
>>> ethers: files
>>> netmasks: files
>>>
>>> Ah, maybe this has something to do with it.
>>> For the user ldapmodify I have:
>>>
>>> dn: cn=steve4,cn=Users,dc=hh3,dc=site
>>> changetype: modify
>>> add: objectclass
>>> objectclass: posixaccount
>>> -
>>> add: objectclass
>>> objectclass: shadowaccount
>>> -
>>> add: uidnumber
>>> uidnumber: 321
>>> -
>>> add: gidnumber
>>> gidnumber: 2000
>>> -
>>> add: unixhomedirectory
>>> unixhomedirectory: /home/CACTUS/steve2
>>> -
>>> add: loginshell
>>> loginshell: /bin/bash
>>>
>>> and for the group I have:
>>>
>>> dn: cn=suseusers,cn=Users,dc=hh3,dc=site
>>> changetype: modify
>>> add: objectclass
>>> objectclass: posixGroup
>>> -
>>> add: gidnumber
>>> gidnumber: 2000
>>>
>>> /etc/nslcd.conf:
>>>
>>> uid nslcd-user
>>> gid nslcd-user
>>> uri ldap://192.168.1.3
>>> base dc=hh3,dc=site
>>> map passwd uid sAMAccountName
>>> map passwd homeDirectory unixHomeDirectory
>>> map shadow uid sAMAccountName
>>> #map passwd gidNumber gidNumber
>>> sasl_mech GSSAPI
>>> sasl_realm HH3.SITE
>>> krb5_ccname /tmp/krb5cc_0
>>>
>>> Then:
>>>
>>> samba-tool group addmembers suseusers steve4
>>> getent group suseusers
>>> suseusers:*:2000:
>>>
>>> Comes out with the *
>>> But steve4 comes out correctly, as a local user would:
>>>
>>> getent passwd steve4
>>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>>
>>> The only difference I see is that steve4 has a shadowaccount object which can't be mapped for the group (because it doesn't have one). Is there anything else here? Any other files needed?
>>> In fact, I don't think I need shadowaccount mappings at all do I? Isn't that where the unix passwords are stored? But that's probably another thread.
>>> Thanks,
>>> Steve
>>
>> I'm not sure but maybe you should change how nslcd.conf maps group memberships (by default it looks at membership expecting stock posixaccount and posixgroup objectclasses, while AD uses member and memberof which are close but not the same). You can safely ignore anything shadowaccount related, because you would be better authenticating via kerberos anyway.
>>
>> Regards
>> Geza
>
> Hi Geza, hi everyone
> This looks like good news. I asked the nslcd author directly:
>
> quote
> My question is, how do I extract the gid from the ldap?
> I've tried:
> map group gid gidnumber
>
> You shouldn't need to map the gidNumber attribute because nslcd already uses that attribute by default. In any case if you're trying to find the primary group of a user you should do:
>
> map passwd gidNumber XXX
>
> (where XXX is the attribute in your LDAP server)
> The passwd map is what defines the output of getent passwd, the group map defines the information on groups.
> /quote
>
> That seems true. The posixGroup I defined is mapped without me doing anything in nslcd and map passwd gidNumber gidNumber would seem pointless as it's already got the gidNumber.
>
> You are right about the shadowaccount. This also solves the x and *. I removed the objectclass shadowaccount from ldap and the map shadow uid from nslcd and hey:
>
> getent passwd steve4
> steve4:*:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>
> I interpret that as 'it's an x if there's a shadow entry, a * if there isn't'
>
> This is getting to the stage where it's not worth waiting for a working winbind. i.e. leave the windows side as it is and go with nfs4 and rpc.idmapd for the Linux side.
>
> How difficult do you think it would be to script the adding of the user posix attributes after creating the s4 user? I envisage something like:
>
> samba-tool user add steve --posix
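Steve's wished-for "samba-tool user add steve --posix", sketched as an added shell wrapper (not part of samba-tool and not code from this thread): it creates the user with samba-tool, picks the lowest unused uidNumber from a fixed range after consulting both the directory and the local passwd database so the new uid cannot collide with an existing account, and adds the posixAccount attributes with ldbmodify. As in Steve's final configuration, no shadowAccount is added. The sam.ldb path, base DN, uid range and home prefix are assumptions to adjust; the uidNumber listing used by the demo at the bottom is a constructed sample.

```shell
#!/bin/sh
# Added example: a wrapper giving "samba-tool user add" the "--posix"
# behaviour asked for in the thread. Not part of samba-tool and not code
# from the thread; it creates the user, picks an unused uidNumber, then
# adds the posixAccount attributes with ldbmodify (no shadowAccount).

# Assumptions: Samba's default prefix, the thread's domain, a uid range and
# a home prefix matching the thread's /home/CACTUS layout. Adjust as needed.
SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=hh3,DC=site}"
UID_MIN="${UID_MIN:-300}"
UID_MAX="${UID_MAX:-399}"
HOME_PREFIX="${HOME_PREFIX:-/home/CACTUS}"

# Reads "uidNumber: N" lines on stdin; prints the lowest N in [$1, $2] that is
# not in the input, or fails when the range is exhausted. Reusing a uid would
# hand a new account the files of an old one, so every known uid (directory
# and local passwd) must be fed in.
next_free_uid() {
    awk -v lo="$1" -v hi="$2" '
        /^uidNumber: [0-9]+$/ { used[$2 + 0] = 1 }
        END {
            for (u = lo + 0; u <= hi + 0; u++) if (!(u in used)) { print u; exit 0 }
            print "no free uidNumber in range " lo "-" hi > "/dev/stderr"; exit 1
        }'
}

# All uids known to the local passwd database, in the same "uidNumber: N" form.
local_uids() { getent passwd | awk -F: '{ print "uidNumber: " $3 }'; }

# LDIF adding posixAccount attributes: <dn> <uid> <gid> <home> <shell>.
posix_user_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'add: objectClass\nobjectClass: posixAccount\n-\n'
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$2"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$3"
    printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$4"
    printf 'add: loginShell\nloginShell: %s\n' "$5"
}

# add_posix_user <sAMAccountName> <gidNumber> [shell]   (run on the DC as root)
add_posix_user() {
    user=$1 gid=$2 shell=${3:-/bin/bash}
    samba-tool user add "$user" || return 1            # prompts for the password
    uid=$( { ldbsearch -H "$SAM_LDB" -b "$BASE_DN" '(uidNumber=*)' uidNumber; local_uids; } \
           | next_free_uid "$UID_MIN" "$UID_MAX") || return 1
    udn=$(ldbsearch -H "$SAM_LDB" -b "$BASE_DN" "(sAMAccountName=$user)" dn \
          | sed -n 's/^dn: //p' | head -n 1)
    [ -n "$udn" ] || { echo "user $user not found after creation" >&2; return 1; }
    posix_user_ldif "$udn" "$uid" "$gid" "$HOME_PREFIX/$user" "$shell" | ldbmodify -H "$SAM_LDB"
}

# Constructed sample of uidNumbers already in use, for the offline demo.
SAMPLE_UIDS='uidNumber: 300
uidNumber: 301
uidNumber: 319
uidNumber: 321'

demo_uid()  { printf '%s\n' "$SAMPLE_UIDS" | next_free_uid 300 399; }
demo_ldif() { posix_user_ldif 'CN=steve,CN=Users,DC=hh3,DC=site' "$(demo_uid)" 2000 "$HOME_PREFIX/steve" /bin/bash; }

demo_ldif
```

With the sample, 302 is the first free uid (300, 301 are taken; 319 and 321 are the thread's existing numbers), and the generated LDIF has the same shape as Steve's ldapmodify input minus the shadowAccount class. Attribute names are written in the schema's case (uidNumber, unixHomeDirectory) so the nslcd maps from the thread match them without further mapping.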
Re: [Samba] Samba 4 posixGroup mapping
On 2012-02-06 01:27, steve wrote:
> Hi
> I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis. It works, e.g. when I added an existing user to the group:
>
> getent group suseusers
> suseusers:*:2000:
>
> and
>
> getent passwd steve4
> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>
> and id
> uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)
>
> but there seems to be something wrong with getent group. A local group gives this:
>
> getent group users
> users:x:100:machine
>
> x not *
>
> This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends:)
> But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
> Thanks,
> Steve

For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files

Regards
Geza
Re: [Samba] samba 4 PAM and xscreensaver
On 2012-02-01 19:07, steve wrote:
> On 01/09/2012 08:42 AM, steve wrote:
>> Hi
>> I have a Linux client running XFCE and authenticating against Samba 4. When trying to return to the session after xscreensaver has kicked in, authentication fails.
>
> Sorry to bump, but I've just seen this in the xscreensaver doco:
>
> XScreenSaver Dependencies
> Required
> snip
> Optional
> libjpeg-8c, libgnome-2.32.1, GLE, Netpbm, XDaliClock, Linux-PAM-1.1.5, _MIT Kerberos V5-1.6 (built with Kerberos V4 backwards compatibility), and krb4 and Heimdal-1.4 (Kerberos authentication requires having Kerberos V4 and V5 on the system)_
>
> Does Samba 4 have this?
> Cheers,
> Steve

Not in a form required by xscreensaver or any other program requiring kerberos library. You should install those libraries (I doubt you really need krb4 nowadays)

Regards
Geza
Re: [Samba] nfs4 with Samba 4
On 2012-01-28 10:40, steve wrote:
> Hi everyone
> Version 4.0.0alpha18-GIT-bfc7481
> openSUSE 12.1
>
> Conventional nfs4 export works fine, but I'm having trouble kerberizing it for Samba 4 for my Samba 4 users. I've setup the nfs4 pseudo stuff like this:
>
> hh3:/ # mkdir /export
> hh3:/ # mkdir /export/home
> hh3:/ # mount --bind /home /export/home
>
> Here is /etc/exports:
>
> /export         gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
> /export/home    gss/krb5(rw,nohide,insecure,no_subtree_check,async)
>
> /etc/sysconfig/nfs has:
> NFS_SECURITY_GSS=yes
>
> I have used samba-tool to make an nfs service principal and it responds:
>
> Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for nfs/hh3.hh3.s...@hh3.site [canonicalize, renewable]
> Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime: 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till: 2012-01-29T09:31:37
>
> when I:
> mount -t nfs4 hh3:/home /mnt -o sec=krb5
>
> It mounts OK and mount shows:
> hh3:/home/ on /mnt type nfs4 (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)
>
> Authenticated Samba 4 users get 'Permission denied' when trying to cd to /mnt. Only root can enter. The permissions using ls -la are:
> d? ? ???? mnt
>
> You can see that /home has indeed been mounted but with strange permissions.
> Has anyone tried nfs with Samba 4 Kerberos? Why the permissions? What am I missing?
> Cheers,
> Steve

root can enter, because (you don't have no_root_squash) it is mapped to the nobody user and thus has the basic rights
I would check if the user account you are trying to read/write/list/etc the /mnt dir has got the nfs tickets, with a klist

Regards
Geza
Re: [Samba] nfs4 with Samba 4
On 2012-01-28 12:21, steve wrote:
> On 28/01/12 11:03, Gémes Géza wrote:
>> On 2012-01-28 10:40, steve wrote:
>>> Hi everyone
>>> Version 4.0.0alpha18-GIT-bfc7481
>>> openSUSE 12.1
>>>
>>> Conventional nfs4 export works fine, but I'm having trouble kerberizing it for Samba 4 for my Samba 4 users. I've setup the nfs4 pseudo stuff like this:
>>>
>>> hh3:/ # mkdir /export
>>> hh3:/ # mkdir /export/home
>>> hh3:/ # mount --bind /home /export/home
>>>
>>> Here is /etc/exports:
>>>
>>> /export         gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
>>> /export/home    gss/krb5(rw,nohide,insecure,no_subtree_check,async)
>>>
>>> /etc/sysconfig/nfs has:
>>> NFS_SECURITY_GSS=yes
>>>
>>> I have used samba-tool to make an nfs service principal and it responds:
>>>
>>> Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for nfs/hh3.hh3.s...@hh3.site [canonicalize, renewable]
>>> Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime: 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till: 2012-01-29T09:31:37
>>>
>>> when I:
>>> mount -t nfs4 hh3:/home /mnt -o sec=krb5
>>>
>>> It mounts OK and mount shows:
>>> hh3:/home/ on /mnt type nfs4 (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)
>>>
>>> Authenticated Samba 4 users get 'Permission denied' when trying to cd to /mnt. Only root can enter. The permissions using ls -la are:
>>> d? ? ???? mnt
>>>
>>> You can see that /home has indeed been mounted but with strange permissions.
>>> Has anyone tried nfs with Samba 4 Kerberos? Why the permissions? What am I missing?
>>> Cheers,
>>> Steve
>>
>> root can enter, because (you don't have no_root_squash) it is mapped to the nobody user and thus has the basic rights
>> I would check if the user account you are trying to read/write/list/etc the /mnt dir has got the nfs tickets, with a klist
>>
>> Regards
>> Geza
>
> Hi Geza, hi everyone
> A bit of progress:
> Yes, the /mnt dir got the nfs ticket when I issued the mount command. Also, authenticated Samba 4 users can enter /mnt but only if they do a kinit first.
> IOW they have to authenticate twice. Once in his home folder (now under /mnt) he only has read access to his files. klist looks OK:
>
> Ticket cache: FILE:/tmp/krb5cc_320
> Default principal: ste...@hh3.site
>
> Valid starting     Expires            Service principal
> 01/28/12 11:57:35  01/28/12 21:57:35  krbtgt/hh3.s...@hh3.site
>         renew until 01/29/12 11:57:29
> 01/28/12 11:57:40  01/28/12 21:57:35  nfs/hh3.hh3.s...@hh3.site
>         renew until 01/29/12 11:57:29
>
> I think I'd need root_squash to prevent root no? But no worries. Just trying to get nfs write access for a user. The Kerberos seems to be working in that a local user gets 'Permission denied' when trying to cd to /mnt and gets this when ls'ing:
> d? ? ???? mnt
>
> A doubly authenticated Samba 4 user gets:
> drwxr-xr-x 5 root root 4096 Dec 23 00:15 mnt
>
> but no write access to his nfs mounted home folder.
> Why is the double authentication needed? How can we get rw access to the share?
> Thanks,
> Steve

Hi,
It seems that your authentication scheme (pam) doesn't involve kerberos. You can check after login with klist if you have any tickets. If not you would probably need to setup pam in order to use kerberos for authentication (from my memories it was pretty easy using yast)

Regards
Geza
Re: [Samba] nfs4 with Samba 4
On 2012-01-28 18:41, steve wrote:
> On 28/01/12 12:21, steve wrote:
>> On 28/01/12 11:03, Gémes Géza wrote:
>
> Summary:
>
> 1. kerberized /etc/exports
> /export         gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
> /export/home    gss/krb5(rw,nohide,insecure,no_subtree_check,async)
> then:
> mount -t nfs4 hh3:/home /mnt -o sec=krb5
> no write access
>
> 2. conventional /etc/exports
> /export         *(rw,fsid=0,insecure,no_subtree_check,async)
> /export/home    *(rw,nohide,insecure,no_subtree_check,async)
> then:
> mount -t nfs4 hh3:/home /mnt
> write access OK
>
> 3. kerberized variation on /etc/exports
> /export         *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async,sec=krb5)
> /export/home    *(rw,insecure,no_subtree_check,async,sec=krb5)
> then:
> mount -t nfs4 hh3:/home /mnt -o sec=krb5
> no write access
>
> I have tried all combos of crossmnt and nohide
> idmapd seems to be mapping correctly and id user gives what getent gives
> Any ideas? Why does the kerberized mount not allow rw access?
> Steve
>
> Geza, do you think it's worth sticking this on samba technical?

To me it seems an nfs4 related problem so no, samba-technical is not the right place to ask
In the meantime please tell us a little more about your environment:
- pam config
- idmapd config
- klist (of user) right after login, before trying to do anything on nfs and after (e.g. an ls)

I'm not an nfs4 expert myself, but before migration (a few years ago) to openafs I've had a working nfs4 gss/krb5 setup (it just kernel panic-ed every other day, until I've got fed up and migrated away from it) maybe I can remember.

Regards
Geza
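The three /etc/exports variants in Steve's summary differ mainly in how the client is authenticated, which is worth checking mechanically on any NFS server. The script below is an added example, not from the thread and not part of nfs-utils: it reads an exports file and flags client-asserted security (sec=sys, or no sec= at all, which is the exportfs default), Kerberos authentication without integrity or privacy protection (sec=krb5 alone rather than krb5i or krb5p), and the insecure, no_root_squash and async options. The sample exports file is constructed after the thread's variants plus one hardened line; the old gss/krb5 client-name syntax from variant 1 is recognised alongside the sec= option.

```shell
#!/bin/sh
# Added example, not from the thread or nfs-utils: audit /etc/exports for
# authentication and hardening weaknesses. Reads an exports file on stdin
# and prints one line per finding as "<path> <client>: <reason>".

audit_exports() {
    awk '
        function warn(p, c, msg) { print p " " c ": " msg }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                # Split "client(opt,opt,...)" into the client spec and its options.
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                # exportfs defaults to sec=sys when no sec= option is given.
                flavor = "sys"
                # The old-style "gss/krb5" client name selects a flavor as well.
                if (client ~ /^gss\//) flavor = substr(client, 5)
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] ~ /^sec=/) flavor = substr(o[j], 5)
                    if (o[j] == "insecure")
                        warn(path, client, "insecure: accepts requests from non-reserved source ports")
                    if (o[j] == "no_root_squash")
                        warn(path, client, "no_root_squash: remote root keeps root on the export")
                    if (o[j] == "async")
                        warn(path, client, "async: writes acknowledged before reaching stable storage")
                }
                if (flavor ~ /(^|:)sys(:|$)/)
                    warn(path, client, "sec=sys: uid/gid asserted by the client, no authentication")
                else if (flavor !~ /krb5[ip]/)
                    warn(path, client, "sec=" flavor ": authentication only, no integrity (krb5i) or privacy (krb5p)")
            }
        }'
}

# Constructed sample modelled on the thread's variants plus a hardened export.
SAMPLE_EXPORTS='# /etc/exports (constructed sample)
/export         gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home    *(rw,nohide,insecure,no_subtree_check,async)
/export/home    *(rw,insecure,no_subtree_check,async,sec=krb5)
/srv/shared     192.168.1.0/24(rw,sync,no_subtree_check,sec=krb5i:krb5p)'

count_sample_warnings() { printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | wc -l | tr -d ' '; }

# On a real server: audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

On the sample the first three lines each produce three findings and the last produces none. The distinction between krb5 and krb5i/krb5p is the one to keep in mind when reading the thread: sec=krb5 authenticates the user at mount and file-operation time but leaves the RPC payload unsigned and unencrypted on the wire.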
Re: [Samba] nfs4 with Samba 4
On 2012-01-28 21:44, steve wrote:
> On 28/01/12 20:29, Gémes Géza wrote:
>> On 2012-01-28 18:41, steve wrote:
>>> On 28/01/12 12:21, steve wrote:
>>>> On 28/01/12 11:03, Gémes Géza wrote:
>>>
>>> Summary:
>>>
>>> 1. kerberized /etc/exports
>>> /export         gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
>>> /export/home    gss/krb5(rw,nohide,insecure,no_subtree_check,async)
>>> then:
>>> mount -t nfs4 hh3:/home /mnt -o sec=krb5
>>> no write access
>>>
>>> 2. conventional /etc/exports
>>> /export         *(rw,fsid=0,insecure,no_subtree_check,async)
>>> /export/home    *(rw,nohide,insecure,no_subtree_check,async)
>>> then:
>>> mount -t nfs4 hh3:/home /mnt
>>> write access OK
>>>
>>> 3. kerberized variation on /etc/exports
>>> /export         *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async,sec=krb5)
>>> /export/home    *(rw,insecure,no_subtree_check,async,sec=krb5)
>>> then:
>>> mount -t nfs4 hh3:/home /mnt -o sec=krb5
>>> no write access
>>>
>>> I have tried all combos of crossmnt and nohide
>>> idmapd seems to be mapping correctly and id user gives what getent gives
>>> Any ideas? Why does the kerberized mount not allow rw access?
>>> Steve
>>>
>>> Geza, do you think it's worth sticking this on samba technical?
>>
>> To me it seems an nfs4 related problem so no, samba-technical is not the right place to ask
>> In the meantime please tell us a little more about your environment:
>> - pam config
>> - idmapd config
>> - klist (of user) right after login, before trying to do anything on nfs and after (e.g. an ls)
>>
>> I'm not an nfs4 expert myself, but before migration (a few years ago) to openafs I've had a working nfs4 gss/krb5 setup (it just kernel panic-ed every other day, until I've got fed up and migrated away from it) maybe I can remember.
>>
>> Regards
>> Geza
>
> Hi again
> The share mounts rw conventionally but only ro when exported gss/krb5
> Here is the output and some files:
>
> /etc/pam.d/common-auth (the other pam files are OK and pam is working)
>
> auth    required    pam_env.so
> auth    optional    pam_gnome_keyring.so
> auth    sufficient  pam_unix2.so
> auth    sufficient  pam_krb5.so use_first_pass
> auth    required    pam_deny.so
>
> /etc/idmapd.conf
>
> [General]
> Verbosity=0
> Pipefs-Directory=/var/lib/nfs/rpc_pipefs
> Domain=CACTUS
>
> [Mapping]
> Nobody-User=nobody
> Nobody-Group=nobody
>
> idmapd seems to be working fine. Mappings are perfect client/server
> Here is some output, which looks OK except for the mount being read only.
>
> # mount -t nfs4:/home /mnt -o sec=krb5
>
> produces a lot of activity in Samba 4 including:
>
> Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:45825 for nfs/hh3.hh3.s...@hh3.site [canonicalize, renewable]
> Kerberos: TGS-REQ authtime: 2012-01-28T21:16:16 starttime: 2012-01-28T21:16:16 endtime: 2012-01-29T07:16:16 renew till: 2012-01-29T21:16:16
>
> and a ticket cache appears called krb5cc_machine_HH3.SITE and
>
> klist krb5cc_machine_HH3.SITE
> Ticket cache: FILE:krb5cc_machine_HH3.SITE
> Default principal: HH3$@HH3.SITE
>
> Valid starting     Expires            Service principal
> 01/28/12 18:57:25  01/29/12 04:57:25  krbtgt/hh3.s...@hh3.site
>         renew until 01/29/12 18:57:25
> 01/28/12 18:57:25  01/29/12 04:57:25  nfs/hh3.hh3.s...@hh3.site
>         renew until 01/29/12 18:57:25
>
> I got some rpc stuff during the mount:
>
> # rpc.gssd -vvvf
> beginning poll
> dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
> dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
> dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
> dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
> dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
> handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
> handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
> process_krb5_upcall: service is 'null'
> Full hostname for 'hh3.hh3.site' is 'hh3.hh3.site'
> Full hostname for 'hh3.hh3.site' is 'hh3.hh3.site'
> Success getting keytab entry for 'HH3$@HH3.SITE'
> Successfully obtained machine credentials for principal 'HH3$@HH3.SITE' stored in ccache 'FILE:/tmp/krb5cc_machine_HH3.SITE'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_HH3.SITE' are good until 1327817776
> using FILE:/tmp/krb5cc_machine_HH3.SITE as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_HH3.SITE
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server hh3.hh3.site
> DEBUG: port already set to 2049
> creating context with server n...@hh3.hh3.site
> DEBUG: serialize_krb5_ctx: lucid version!
> prepare_krb5_rfc4121_buffer: protocol 1
> prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> doing downcall
> dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
> dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
> dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14
>
> user steve5 logs in:
>
> # su steve5
> (passwd etc...)
> Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.3:50182 for krbtgt/hh3.s...@hh3.site