Re: [Samba] Windows 2008 Standard SP2 cannot access samba share by hostname but ok with IP

2013-10-11 Thread Gregory Sloop


JY Rowland,

JY I did see those from my searches as well.  However, this samba
JY configuration worked prior to migrating it to RHEL and into a more current
JY samba.

JY regards,
JY j



  Hi Jerome, '0x80070021' is a Windows error and the most likely cause
 would seem to be trying to copy a user's .pst file whilst Outlook is still
 running; try doing a web search on the error.

 Rowland


But that doesn't address Rowland's point at all. Are you sure this file
isn't in use, even if it might have worked before?

It seems pretty dismissive, IMO, to simply say it worked before.

[I've seen Rowland spend an enormous amount of time recently trying to
help people, and in several cases it seems the person getting helped
isn't putting in nearly as much effort as I'd expect. I'm not saying
it's that way in this case - but IMO, you need to address the question:
is this file open, and is that the cause of the error?]

But perhaps I'm just feeling cranky this morning. :)

---
...And I have to say, 'Man Rowland, you and Steve have gone way above
and beyond in spending time and effort helping.' You guys make
community software rock!

-Greg

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 4.1.0 join Windows 2003 Server with BIND9_DLZ

2013-10-11 Thread Gregory Sloop
Wild guess:
The errors I see all have to do with an account that doesn't have a
password, the password is expired etc.

Are you *sure* the account you're using to join with is valid, and
works properly in other contexts?

Do some google searches on: [SvcErr: DSID-031A0FC0, problem 5003
(WILL_NOT_PERFORM), data 0] and you'll see what I mean.

That doesn't mean that's the problem, but that's what I get out of it
- perhaps incorrectly.

-Greg

JR Hi guys,

JR When run join in DC

JR root@samba4:~# samba-tool domain join jacoramos.net.br DC -Uadministrador --realm=jacoramos.net.br --dns-backend=BIND9_DLZ
JR Finding a writeable DC for domain 'jacoramos.net.br'
JR Found DC win2003.jacoramos.net.br
JR Password for [WORKGROUP\administrador]:
JR workgroup is JACORAMOS
JR realm is jacoramos.net.br
JR checking sAMAccountName
JR Adding CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
JR Adding CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
JR Adding CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
JR Adding SPNs to CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
JR Setting account password for SAMBA4$
JR Enabling account
JR Adding DNS account CN=dns-SAMBA4,CN=Users,DC=jacoramos,DC=net,DC=br with dns/ SPN
JR Join failed - cleaning up
JR checking sAMAccountName
JR Deleted CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
JR Deleted CN=NTDS Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
JR Deleted CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
JR ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

JR   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
JR     return self.run(*args, **kwargs)
JR   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
JR     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
JR   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1169, in join_DC
JR     ctx.do_join()
JR   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1072, in do_join
JR     ctx.join_add_objects()
JR   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 616, in join_add_objects
JR     ctx.samdb.add(msg)
JR root@samba4:~#

JR ---

JR Anyone have any  ideas?

JR -- 

JR *Man was not created to be happy or to win, but to live
JR for God. When he lives for God, he is happy and wins. Isaltino Gomes*

JR $whoami

JR - Computer Forensics Expert
JR - Pentester
JR - Specialist in Computer Network Security with emphasis on Computer
JR   Forensics - FACID
JR - Bachelor of Computer Science - UESPI
JR - Computer Network Administrator
JR - CCNA Module II
JR - Lattes: http://lattes.cnpq.br/1591329268136905


JR This message may contain confidential and/or privileged information. If
JR you are not the addressee or the person authorized to receive this message,
JR you must not use, copy or disclose the information it contains or take
JR any action based on it.




Re: [Samba] Multiple A records on my parent domain name are confusing hosts

2013-10-11 Thread Gregory Sloop


AB On Tue, 2013-10-08 at 10:23 -0700, Scott Goodwin wrote:
 I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
 
 My domain is example.com
 My Samba4 server is myserver.example.com
 myserver has two nics: 10.10.10.5 and 192.168.10.2
 My externally hosted web site is www.example.com, and is hosted at
 123.123.123.123
 I have an A and CNAME in DNS like so:
 
  @ A  123.123.123.123
 www   CNAME  example.com.
 
 The above allows internal web browsers to access the external site via
 www.example.com or example.com. This works great.
 
 The problem is that every ten minutes when samba's dns update happens, it
 keeps putting the following two entries in, which point internal hosts to
 the dns server, instead of the externally hosted web site:
 @ A  10.10.10.5
 @ A  192.168.10.2
 
 
 Why do these keep showing up?  I'm sure there is a place that the info is
 coming from, but I don't know where, and I desperately need to prevent this
 from happening.  I mean, don't get me wrong, I realize what the records
 mean, but what I'm trying to do is prevent them from repopulating and
 preventing my internal hosts from browsing the web site.  I didn't have
 this problem when I could edit the bind files directly, but now that I'm
 using bind_dlz for samba, I'm a little lost.

AB The issue is that Samba controls that name, and tries to set it to match
AB the network interfaces of the DC, because AD clients may (few actually
AB do, in this specific case) use this name to find a DC.  See
AB dns_update_list. 

AB I suggest breaking the CNAME and not using example.com to find your
AB website internally. 

Wouldn't it make a lot of sense, provided one had the infrastructure
[extra servers/hardware] to handle DNS like this:

(And at a smaller site, you could do this in a VM like virtualbox on
the same hardware as the S4/AD server - memory is cheap, and at a
small site, I/O load is going to be trivial.)
---

Setup a DNS+DHCP server, external to/outside of the AD. Say,
mydomain.local

DHCP and DDNS would apply against mydomain.local

Put the S4/Windows AD in a 3rd level domain - say samba.mydomain.local.

Point all queries for the 3rd level DNS [samba.mydomain.local] to the AD/
DNS controller. [i.e. A forward zone for samba.mydomain.local - S4AD
server]

This resolves issues with DHCP/DDNS - since you're not trying to make
the AD controller handle it.

Next by using something like .local as your 1st level domain, you don't
have conflicts with real-world external domains. [And even if you did
use something like .com - you could tweak the DNS server to handle it
without messing with the AD domain - provided you didn't use anything
in that 3rd level domain (samba.mydomain.local) out in the open/public
internet.]

I know it's extra work, but it just seems to make things a lot cleaner
and keeps DNS from becoming such a tangle in AD, IMO

Thoughts?

-Greg

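As an added illustration (not part of the thread, and not Samba project material), here is the parent zone file that Greg's layout implies for the site DNS server outside the AD: the public records from the original question stay in the site zone, and the AD domain is delegated to the DC. Host names and addresses are assumed.

```zone
; Added example: /etc/bind/db.mydomain.local on the site DNS/DHCP server that
; sits outside the AD. Assumed: site DNS at 10.10.10.2, Samba AD DC at
; 10.10.10.5, AD domain samba.mydomain.local.
$TTL 3600
$ORIGIN mydomain.local.
@       IN  SOA   ns1.mydomain.local. hostmaster.mydomain.local. (
                  2013101101 ; serial
                  3600       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; negative-cache TTL
@       IN  NS    ns1.mydomain.local.
ns1     IN  A     10.10.10.2

; The records from the thread. They now live in a zone Samba never writes
; to, so dns_update_list cannot replace the apex with the DC's interfaces.
@       IN  A     123.123.123.123
www     IN  CNAME mydomain.local.

; Delegate the AD domain to the Samba DC (BIND9_DLZ or internal DNS).
; The NS record and its glue A record are what make the site server hand
; every name under samba.mydomain.local to the DC; an authoritative parent
; without a delegation answers NXDOMAIN from its own data instead.
samba       IN  NS    dc1.samba.mydomain.local.
dc1.samba   IN  A     10.10.10.5

; DHCP/DDNS clients register under the site zone, not under the AD zone.
ws01        IN  A     10.10.10.50
```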


Re: [Samba] samba-tool join domain fails

2013-09-25 Thread Gregory Sloop
,
  axel

 OK, I did this yesterday, but with a samba4 DC joining to 
 another samba4 DC, try this:

 kinit admin

 /usr/local/samba/bin/samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de

 Rowland

 Yes, admin can log into the servers, but does he have the right to 
 add workstations to the domain?
 Also was Administrator renamed or was a new user called admin 
 created?

 Rowland
 Like I said, admin is the main domain administrator and has all 
 rights to this domain. He wasn't created new, just renamed.

 Axel

 Well if admin has all the required rights, I wonder if it is a 
 problem with access rights to sam.ldb, on my secondary DC this 
 belongs to root:root and the root user has read + write access and 
 getfacl shows:
 getfacl: Removing leading '/' from absolute path names
 # file: usr/local/samba/private/sam.ldb
 # owner: root
 # group: root
 user::rw-
 group::---
 other::---

 so you need to be root to alter it. Should you be running the 
 command with sudo? Do you have the root user enabled, i.e. are you 
 running as root?

 I take it that /etc/resolv.conf points to your windows server (or 
 something that points to it)

 One other thing that I can think of is that samba-tool domain join 
 is hardcoded to the Administrator but I do not really think this is 
 likely.

 Lastly, because it's Debian, AppArmor: if this is on, try turning it 
 off.

 Rowland

 Look at my code. I'm running as root. getfacl shows:

 root@samba-dc1:/# getfacl /var/lib/samba/private/sam.ldb
 getfacl: Removing leading '/' from absolute path names
 # file: var/lib/samba/private/sam.ldb
 # owner: root
 # group: root
 user::rw-
 group::---
 other::---

 resolv.conf:
 root@samba-dc1:/# cat /etc/resolv.conf
 domain intranet.domain.de
 search intranet.domain.de
 nameserver 127.0.0.1
 nameserver 192.168.200.10 -- Windows DC wi-pas01
 nameserver 192.168.200.254

 Hmm, I'm wondering.


 When I did my 'domain join' I had resolv.conf pointing to just the 
 samba4 AD DC, so you could try that, but frankly after that I have run 
 out of ideas.

 Rowland
A No chance... same issue, also when I renamed admin to administrator.
A I'm running out of ideas, too.

A It's a great pity... thanks for your support!

A Axel



-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gr...@sloop.net
http://www.sloop.net
---



Re: [Samba] Sharing files while being member of an active directory

2013-09-11 Thread Gregory Sloop
You give almost no information about what's wrong or the details.

What version of Samba? 4.0.?
Did your install go flawlessly, and the new Samba box joined the
domain fine?
What Windows clients, Win7, XP, Vista, Win8, Win95?
Are the windows clients members of the domain?

What is holding the domain, a Samba server or Windows?
What functional level is the domain? (AD 2000, AD 2008R2 etc)

It's not clear to me, you're sharing files from the Samba4 box?

Could you reproduce your smb.conf?

I'm probably not the guy who can help best, but no-one will have the
least idea where to start with what you've *not* provided in terms of
details.

-Greg

MC I've tried this guide :
MC https://wiki.samba.org/index.php/Samba4/Domain_Member

MC Which as far as I can see is the nearest thing to an official
MC advisory on how to join a file-sharing host to an Active Directory.

MC wbinfo -u and wbinfo -g work, but we cannot access the share
MC from our Windows clients; it prompts for passwords right away.

MC I can't find any clue in the log files and I'm kinda stranded … where to go
MC from here?

MC Thanks in advance, you're doing a great job.

MC /Mikjaer




Re: [Samba] How to allow users to be local admin

2013-09-04 Thread Gregory Sloop


GRIK On 02.09.13 18:20, Marc Muehlfeld wrote:
 Hello Götz,
 
 On 02.09.2013 14:43, Götz Reinicke - IT Koordinator wrote:
 it's been some time since I had to touch our samba installation and maybe
 someone can point me in the right direction.

 We run a samba-3.6.9 PDC with ldap backend and windows 7 clients.
 Everything for normal users is working fine (domain logon, roaming
 profiles).

 But now we'd like to enable our system administrators to log in to any
 workstation with their domain user and install software or do other
 administrative things.

 I've read a bit about domain accounts and mappings. But I'm not sure
 where to add or change what.

 The admins affected are also in a special posix group.

 There are also Domain Admins and Administrators posix groups and net
 groupmap entries.

 Would be great if some one can help me.
 
 I'm not sure if this is possible with an NT4-style domain. With (Samba)
 AD it is, if you plan to migrate. Then you can use restricted groups
 for that
 (http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain).
 
 
 I don't know how many clients you have. If it's a manageable size, you
 can create a group in your domain, go to each workstation and add this
 domain group to the local administrators group once. Then everyone who
 is member of that domain group is automatically local admin on each of
 that machines (this is what you do with the restricted group in AD in
 2 mins, without leaving your desk). You only have to add this domain
 group on every PC you reinstall.
 
 But if it's a possibility, migrate to Samba AD. AD brings you many great
 features, especially GPO, multi master replication, etc.


GRIK Hi Marc, currently we don't plan a change to Samba AD, and editing every
GRIK client to support local groups currently sounds like a bit too much. (we have
GRIK about 200 windows clients and one admin :) )


GRIK Is there not any other chance or way? The admins are very reliable, so
GRIK they also might have more rights than the normal local admin.

GRIK I was thinking of maybe putting them in the group Domain Admins which
GRIK is also used to add workstations to the domain.

GRIK Or is that something different regarding rights?

GRIK Thanks for your feedback. /Götz

Yes, making those users members of the Domain Admins group will
fix it - but it also has the *usually* undesired side-effect of also
making those people *DOMAIN ADMINS!*!!

Making a domain group members of the local Admins group on each
machine also works without the side-effect of giving them domain root
equivalent accounts.

The first can be done from a single action on the DC - but the second
generally requires action at each station. [Without an AD controller,
that is.]

So, roll the dice. Do you really trust that these folks you want to
have local admin privs won't whack the domain intentionally or
unintentionally? If you feel good enough about that - then perhaps
it's right for you.

[For some reason this quote seems to fit. ...you’ve got to ask
yourself one question: 'Do I feel lucky?' Well, do you, punk? -From
Dirty Harry...]

:)

-Greg


Re: [Samba] Disable password complexity does not work?

2013-09-02 Thread Gregory Sloop
IIRC, GPO's can't be used to configure Password CR on an S4 server.
[Well you can do it, but it isn't enforced properly...]

I'm not sure what would happen in a mixed S4 and Windows server AD
domain.

Again, that's IIRC - but I think that's the case.

-Greg


G Hi,

G I disabled the password complexity requirements in my domain via group
G policy. Computer Configuration, Windows Settings, Security Settings,
G Account Policies. There you can configure it exactly as you want.

G Best regards.


G On Sun, Sep 1, 2013 at 3:18 AM, Szymon Życiński sz.zycin...@gmail.com wrote:

 Hello

 I use Samba 4.0.9 and want to disable strong passwords. I've run:
 ./samba-tool domain passwordsettings set --complexity=off

 But it seems not to work. If users try to change their password via Ctrl+Alt+Del,
 Windows still requires a strong password. Restarting Samba to commit the change
 did not solve the problem.

 Is there something I forgot? On my old configuration with the old (RIP) server
 it worked flawlessly.

 Szymon



-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gr...@sloop.net
http://www.sloop.net
---



Re: [Samba] Network browsing in S4

2013-08-12 Thread Gregory Sloop

MM On 12.08.2013 22:32, Gregory Sloop wrote:
 So, if I understand things correctly, NMBD or network browsing isn't
 functional under S4 yet. [At least I don't believe it was in 4.03 -
 and I don't think that's changed.]

MM Currently Samba still doesn't support network neighbourhood.

Is nmbd support planned, and if so, when? [If you know...]



 I have some cases where I need accurate NetBIOS name resolution, [and
 perhaps Network browsing services.]

 What is the best way of handling this?
 Is this going to be supported? [or already is with something newer than
 4.03]

MM There is a way to start nmbd on a Samba 4 DC manually by doing some 
MM special settings in smb.conf. Andrew told me that secret some time ago.
MM But it's nothing that is recommended, and it is not supported. And my 
MM experience with it is that the browsing list is always much smaller 
MM than it should be. So it's better not to use this workaround.

So, we'll assume that nmbd doesn't work properly on an S4 AD. Can I
run nmbd alone, on an independent box? (I'd guess not.)

Or should I run an S3 server as a member of the AD also running nmbd?
[This instance won't do any file sharing, as that will all happen on
the two S4 servers.]

If I run an S3 member, can anyone give me an estimated memory
footprint? [Really rough is fine.]

-Greg





Re: [Samba] Removing password complexity requirements under Samba4

2013-08-09 Thread Gregory Sloop


MF We had problems removing password complexity, and I noticed a lot of
MF confusion on the list about exactly this topic. So I thought I would post
MF our success.

MF We're talking about a Samba4 PDC/AD here. Once we got Samba installed and
MF provisioned, we used samba-tool from the command-line on the Samba box to
MF change the domain password settings:

MF    sudo samba-tool domain passwordsettings set --complexity=off
MF    sudo samba-tool domain passwordsettings set --history-length=0
MF    sudo samba-tool domain passwordsettings set --min-pwd-age=0
MF    sudo samba-tool domain passwordsettings set --max-pwd-age=0

MF Restarted Samba, did a gpupdate /force on the workstation, and it worked.
MF No need to set up a GPO (although that would sometimes be preferable).

MF We tried the samba-tool method initially, as well as a GPO, and were
MF baffled when neither worked. I think we had our minimum password age at the
MF default value (1 day) and were trying to reset the password the same day we
MF created the accounts.

MF In any case, we're able to change passwords with reckless abandon in our
MF test environment at the moment.

MF Mark

FYI Only:

One note, for the record. When you're doing the initial provision, and
are supplying the root/admin password for the domain, there is NOT a
way to reduce the complexity requirements for that operation. [Not
that you'd *want* your master domain admin password to be something
ridiculously lousy like abc or anything.]

But someone has asked about getting 'round it before.

If it really bothers someone, you can always meet the complexity
requirement during provision, then use the samba-tool as above, and
change it to xyz if that's what turns your crank. :)

-Greg



Re: [Samba] User policy in samba

2013-05-22 Thread Gregory Sloop
P Is it possible to set User specific password policies in Samba4.
P Say I want to set the password length of a particular user to be 7, whereas
P my domain policy is 10

P How to do this in samba4?

The only way I can think of that would apply some policies to some
users and a different policy to others would be a GPO. But I'm not
entirely sure if password complexity reqs. can be applied selectively
via GPO. [I think so, but I've never tried it - and the docs sure
look like it's possible.]

In any case, if it IS possible, it's not a Samba thing, it's a AD GPO
thing and looking at the docs from MS would be the place to look/ask.

-Greg



Re: [Samba] GPO replication?

2013-05-14 Thread Gregory Sloop
CR Some people have had success with scripting replication using rsync etc.

I don't want this to sound like I'm arguing, because I'm not.
I'm just not aware of ANYONE who has gotten rsync to work properly
handling all the EA's and such in syncing any Samba4 AD filesystems
between AD members.

I've seen specific complaints about rsync *not* handling the EA's
properly, and comments from Jeremy that fixing rsync would be fairly
easy.

But I'm not aware of anyone that has successfully done so.

I'd be very glad to be proved wrong, as this is on my list of to-do
items and knowing it was possible and how would save me a lot of
effort.

-Greg

CR Samba 4 doesn't currently have FRS enabled and so doesn't replicate SYSVOL.

CR 
http://wiki.samba.org/index.php/Samba4/DRS_TODO_List#Add_cifsfs.2Brsync_interim_script_for_group_policy_replication


CR Cheers,

CR Chris


CR On Tue, May 14, 2013 at 4:38 PM, Luc Lalonde luc.lalo...@polymtl.ca wrote:

 Hello Folks,

 I've successfully created a GPO for user logon scripts with Samba4...
  However, the 'SYSVOL\domain\Policies' folder and contents is not
 replicated to the other DC's.

 Is this normal?  It is working, but it seems that this is a 'single point
 of failure' for 'logon' scripts.

 Thank You!

 --
 Luc Lalonde, analyste
 -
 Département de génie informatique:
 École polytechnique de Montréal
 (514) 340-4711 x5049
 luc.lalo...@polymtl.ca
 -
 If you are not paying for it, you're not the customer; you're the product
 being sold. (Andrew Lewis)



Re: [Samba] re list

2013-05-06 Thread Gregory Sloop


C I am new here and am wondering if I have the correct list to subscribe to.

C I am looking for a user forum;  technical mutual help/tutorial type 
C list; would this be that type of thing?

You're on the right list.

However the varying level of technical complexity is very high. Some
of us are doing pretty simple stuff, and others are probably doing
rocket-science, literally. :)

So, ask here, do a bunch of Google-foo, and tinker yourself. Between
one of the three or combinations thereof, you'll probably find an
answer.

-Greg



Re: [Samba] Samba4: W2k clients cannot set / sync time with samba4 AD DC

2013-04-25 Thread Gregory Sloop

iM Well, the NTP server on samba4 server is definitely (!) up and 
iM running. I can triple-check that by ps, netstat and of course by 
iM getting the time of all my other clients (winxp, win7, linux, unix) so
iM NTP server is definitely running on samba4 host.

Up and running doesn't mean it works and that clients can contact
it.

If you have not SPECIFICALLY taken a non-W2K client and done an
explicit NTP sync that you can verify worked, and/or done a complete
capture of a successful NTP session, I don't think you've actually
verified that NTP works.

---
IMO, this pursuit seems really crazy - like you want to do nothing to
mitigate things on your end, and want the Samba folks to support a
long-dead client without any mitigation or changes on the long-dead
client end.

ALL W2K support ended in July 2010! [Nearly three YEARS ago!] Non
extended support [i.e. non-security related support] ended in 2005!
Yes, 2005!

So, expecting it all to work without very substantial changes on the
client side seems pretty demanding, at least IMO.




Re: [Samba] Fwd: The network path was not found.

2013-04-11 Thread Gregory Sloop


 And IMO, trying to do this, while streaming the CIFS data and login
 via the unprotected and vast-vagaries of the open internet - well that
 just seems pretty crazy to me.

H Is CIFS data unencrypted or unprotected, or does it have some other vulnerability I
H should be aware of?

I believe the authentication transactions are secure - though I'd
still rather not have these streaming over a totally insecure
network - even if they are, it allows a larger attack surface for
attackers to go after. [The whole AD...]

But if you open/save files, I don't believe that there's any encryption
on those at all. Anyone in the packet path could reconstruct all/any
files - and perhaps even inject data into the packet-streams.

So, I think the Auth system is secure, actual file use under CIFS
isn't.

[Someone correct me if I'm wrong here...]

H I'm setting up a central auth system for a hackerspace.  A lot of vagaries
H of the internet come inside the private lan anyway.  Non-secured networks
H is just something I am going to have to handle.

I do understand this - but limiting attack surface is, IMO, really
important. No reason to get your whole server owned because you've let
an attacker get to a service you didn't really need to offer. IMO,
make each server as secure as you can, but also use the firewall [et
al] as a 2nd or 3rd layer to limit what an attacker can get at in each
machine.

 You'll have no idea what might be happening to the traffic, not to
 mention the security and integrity of the connections.

H I was assuming, perhaps incorrectly, that the data could be encrypted
H without the need of a tunnel.  I still assume that the ldap and kerberos
H data is safe.  If not I need to abandon this approach altogether.

As said above, I think LDAP and K are secure. CIFS data isn't.

 As was mentioned before...
 Is there some reason you're not running this over a tunnel of some
 sort? Even if you completely strip the encryption away [which seems
 like a nearly equally terrible idea] you'll at least know, that if the
 tunnel works at all, someone isn't messing with something inside the
 tunnel -
 it [the tunnel] is either up or down. And then you don't have to worry
 about Comcast filtering CIFS ports, or messing with the traffic with
 sandvine etc.

H I am avoiding running a tunnel, but not refusing to.  I felt the SRV
H record approach was worth investigating.
H The reason for avoiding using a tunnel is to reduce the overhead of adding
H machines to the domain. Also, I haven't set up a vpn for this site yet.



 So, really - building a tunnel - even a simple one would be cheap and
 easy. Why make this so hard on yourself and burden everyone else with
 troubleshooting a problem that might have a million different issues
 that would be completely out of your control and would require hours
 and hours of troubleshooting to find, much less resolve.


H I was trying to save the time of first establishing a vpn connection, and
H then using services.  I was trying to go straight to the using services
H part.
H Reducing troubleshooting is the goal I had with adjusting SRV records.  I
H have also heard of L2TP getting wonky if 2 users use it from behind the
H same NAT.  I am still concerned that adding a VPN increases complexity
H instead of reduces it.  You are probably right that I have no better
H alternative at this point.

Yes, I think there's a problem with multiple L2TP users behind the
same NAT. But why not build site-to-site tunnels, and do that instead
of each user as an individual island. I do think OVPN handles this
fine though.


 [A couple of Routerboards would do the trick, and if you don't need
 huge levels of VPN throughput, a pair of RB750's are probably < $150 -
 just one example...]


 A VPN or other tunnel is really the only answer.

H Agreed,  I'm thinking of giving
H https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network
H a shot before falling back to openvpn.


 I'm sure that's not the answer you want - but IMO, it's the only
 reasonable answer.

H Don't get me wrong, I really do appreciate your help.




Re: [Samba] NTP doesnt work for Win2000 clients + Samba 4.0.4 (see tcpdump)

2013-04-09 Thread Gregory Sloop

iM I am using Samba 4.0.4 as AD DC on my test environment and
iM realized that all my W2k clients (default installation, no special
iM setups made on the clients) cannot receive the correct time of my
iM samba 4.0.4 AD domain controller. Windows XP and 7 work fine
iM though. The problem occurs at three W2k test clients I tried with.
iM The default behavior of Windows clients is to use the update type
iM Nt5DS which means, that the client tries to get the time of its
iM domain controller. Unfortunately this fails for my W2k clients in
iM conjunction with Samba 4.0.4, and also an error in the event log
iM appears, saying that the time couldn't be retrieved from my samba4
iM server mysmb4srv.ad.mycompany.com.

iM As soon as I execute on win2000 clients cmd prompt net time
iM /setsntp:mysmb4srv.ad.mycompany.com it works. This command causes
iM the registry entries under HKLM\System\Current Control
iM Set\Services\W32Time\Parameters to change the default behavior
iM from type=Nt5DS to type=NTP and adds a line NTP
iM server=mysmb4srv.ad.mycompany.com. With this setting the time
iM sync works fine as soon as I restart the Windows Time Service. I
iM have logged the received ntp packets at samba4's side:

iM Issue: Win2000 clients cannot update time through NTP of my samba 4.0.4 server, which is installed
iM and configured as shown on the Samba4 HowTo (+NTP HowTo). It seems that the Nt5DS discovery mode
iM on win2000 clients doesn't interact well with samba4??? Here are
iM the tcpdump -vv udp port 123 logs

I'm sure someone will give you more data, but W2000 was completely out
of maintenance mode, what, two+ years ago?

Making changes to the registry so it will use NTP for time updates is
fairly easy - which will make it compatible with the AD server.

It would seem, to me at least, a bad use of resources to
trouble-shoot/fix a Win2000 problem when there are workarounds and
when Win2000 is not supported any more, and has multiple unpatched
vulnerabilities.

Just my opinion of course.

-Greg



[Samba] DDNS / DHCPd Internal DNS or BIND_DLZ

2013-04-08 Thread Gregory Sloop
So, I don't see much on the Wiki [actually nothing] and the relevant
threads on the issue are few.

So, let me try to outline what appears to be the current state of
things and if I'm wrong, please correct me.

Running DHCPd on the Samba 4 server works fine.
Doing DDNS [dynamic DNS] updates can work with the BIND9_DLZ setup,
but not the internal DNS setup.

However, if the connecting Samba clients are mostly Windows, doing
DHCPd - BIND9_DLZ updates is probably not worth the effort anyway,
since the Windows clients will handle updating their DNS via Kerberos
and the AD anyway.

This isn't the case for Linux clients, so if you have lots of those
and you need the DDNS updates then perhaps it's worth tackling.

How Mac's handle DNS updates is unknown - [though I'd *guess* it will be
exactly/nearly the same as Linux clients.]

--
Summary: If your clients are Windows clients, just leave things as
is... they will handle updating DNS records in EITHER the internal DNS or
BIND_DLZ server without any special hacks or scripts to handle it.

If you have a large mix of clients and need the non-windows clients to
update DNS via DHCPD, then using the script found in the following
link might be useful.

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

---
Do I have that largely right?

-Greg

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
503.251.0452 x121 Voice | 503.251.0452 Fax
www.sloop.net
mailto:gr...@sloop.net

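An added example, not code from the list posts or from the blog linked above: the dhcpd commit/release hook that the linked approach relies on, written as a POSIX shell script. It builds the nsupdate batch for one lease (forward A and reverse PTR, deleting stale records first) and sends it with GSS-TSIG, authenticated from a keytab for a dedicated dhcpduser account. The dhcpd.conf snippet in the header, the zone name, DC name, keytab path and account name are assumptions. The client-supplied host-name option is reduced to letters, digits and hyphens before it is used, since the DHCP client controls that value.

```shell
#!/bin/sh
# Constructed example (not from the thread or the linked blog): the hook
# script that lets ISC dhcpd register non-Windows leases in the AD DNS.
# dhcpd.conf would call it like this (assumed layout):
#   on commit {
#     set clip = binary-to-ascii(10, 8, ".", leased-address);
#     set clhn = pick-first-value(option host-name, "none");
#     execute("/usr/local/sbin/dhcp-dyndns.sh", "commit", clip, clhn);
#   }
# with matching "on release" / "on expiry" blocks passing "release"/"expiry".
# The update is sent with GSS-TSIG (nsupdate -g), authenticated with a keytab
# for an unprivileged "dhcpduser" account that has been granted write access
# to the zone only; all values below are assumed placeholders.

DNS_DOMAIN="${DNS_DOMAIN:-samba.example.com}"
DNS_SERVER="${DNS_SERVER:-dc1.samba.example.com}"
KEYTAB="${KEYTAB:-/etc/dhcpduser.keytab}"
TTL=3600

# 10.1.2.3 -> 3.2.1.10.in-addr.arpa
reverse_ptr_name() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo "$4.$3.$2.$1.in-addr.arpa"
}

# Print the nsupdate batch for one lease event.
#   $1 = add|delete   $2 = IPv4 address   $3 = client host name (no domain)
# The host name comes from the client, so anything that is not a letter,
# digit or hyphen is dropped. Stale records for the name are deleted first
# so a client that moved address does not accumulate A records; a missing
# host-name option ("none") produces no update at all.
build_update() {
  action=$1; ip=$2
  host=$(printf '%s' "$3" | tr -cd 'A-Za-z0-9-')
  [ -z "$host" ] || [ "$host" = none ] && return 0
  fqdn="$host.$DNS_DOMAIN"
  ptr=$(reverse_ptr_name "$ip")
  printf 'server %s\n' "$DNS_SERVER"
  printf 'update delete %s A\n' "$fqdn"
  [ "$action" = add ] && printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
  printf 'send\n'
  printf 'update delete %s PTR\n' "$ptr"
  [ "$action" = add ] && printf 'update add %s %s PTR %s.\n' "$ptr" "$TTL" "$fqdn"
  printf 'send\n'
}

# Get a ticket from the keytab and push the batch; nsupdate -g signs it with
# GSS-TSIG so the DC accepts it as a secure dynamic update.
send_update() {
  realm=$(echo "$DNS_DOMAIN" | tr 'a-z' 'A-Z')
  kinit -k -t "$KEYTAB" "dhcpduser@$realm" || return 1
  build_update "$@" | nsupdate -g
}

# dhcpd passes: commit|release|expiry  ip  hostname
case "${1:-}" in
  commit)         send_update add "$2" "$3" ;;
  release|expiry) send_update delete "$2" "$3" ;;
esac
```

Run `build_update add 10.1.2.3 pc01` by hand to see the batch the DC would receive; only the send_update path needs kinit and nsupdate. Grant dhcpduser write rights on the zone rather than making it a Domain Admin: if the keytab on the DHCP server is ever exposed, the damage is limited to DNS records instead of the directory.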


Re: [Samba] SAMBA4: pdbedit not changing SID

2013-04-01 Thread Gregory Sloop
ssme If I could change the subject somewhat, I am also not clear on how to
ssme configure SAMBA4 and the DNS server if my network has an existing DNS
ssme server on another machine and I don't really want to move it. The DNS
ssme server is a stock install of bind from the distro's repository:
ssme bind-9.8.2-0.17.rc1.el6_4.4.x86_64

I'd guess the easiest way would be to setup the Samba AD domain as a
subdomain of the existing DNS domain. Say
samba.third-level.somedomain.com

Then for queries for samba.third-level.somedomain.com the existing
DNS server could forward them to the Samba AD running the
Internal_Samba_DNS, and for queries outside
samba.third-level.somedomain.com the Samba4 AD could send them to
the existing DNS server.

The Samba AD must have its own DNS, either the Samba_Internal or
Bind9_DLZ.

[I've not heard of anyone doing a Samba4 setup with DNS completely
external to the Samba4 AD hardware, though perhaps it's possible - but
I'd guess one would be better off partitioning the two - DNS related
to the Samba domain and DNS outside of it.]

HTH - I'm no expert, but that's the way I've seen it done [and done it
myself] and that seems the most straight-forward to my way of thinking.

-Greg



Re: [Samba] Making users local administrators

2013-03-21 Thread Gregory Sloop


ML On Thu, Mar 21, 2013 at 11:24 AM, Terry Austin te...@crownhardware.com
ML wrote:
 On 21 Mar 2013 at 10:29, L.P.H. van Belle wrote:

 DONT DO IT !!

 This is the Administrator's 1st rule !!
 NEVER, but then NEVER give users Administrator/PowerUser rights.

 I have no choice. There's too much stuff out of my control that requires
 the daily user have admin rights locally.

ML Well, it's a lot more work, but you could use the Windows utilities
ML FILEMON and REGMON to monitor what file and registry access your
ML applications require on the local machine, and then grant the local
ML user access to just those needed items, rather than across-the-board
ML full local administrator access.

For goodness sake.

I think it's appropriate to remember that the networks and
workstations were put there, NOT for the enjoyment and ability of
network admins to insist on technical purity and rightness, but to
get work done.

If technical purity becomes the paramount focus, IMO, we're doing it
wrong.

Finally, sometimes political considerations, among others also
outweigh technical purity. And frankly, given the environment and time
constraints, it may be MORE work and cost to figure out what's needed
to not allow local admin privs.

So, please. Go ahead and warn if you like, but offer some help, don't
just abuse the poster for making a decision that's practical for their
particular situation.




Re: [Samba] Making users local administrators

2013-03-20 Thread Gregory Sloop
An easy way is:

For the Administrator group on the local machine, add domain users
to that *local* group.

[This means that any domain authenticated user will have local admin
privs.]

---
While I've not done this via GPO - this looks like a reasonable way of
doing so.

http://www.expta.com/2011/02/adding-users-to-local-security-groups.html

HTH

-Greg

TA I have Samba 4 (latest version, I think) set up for Active Directory.
TA Everything is working just, using Microsoft's Group Policy Editor to manage
TA stuff. Except one thing:

TA For reasons you don't want to get me started on, I need all users to have
TA local administrative privileges on any computer on the domain. This is
TA supposed to be a simple, straightforward thing. Google has led me to half a
TA dozen different ways to do this through group policies. And none of them
TA work. I can set any other kind of group policy I want, power saving 
TA settings, screen saver settings, various security settings in IE, and the
TA new settings show up with a gpupdate /force, but I cannot figure out how to
TA add someone to the local administrators group. Can somebody point me to a
TA really remedial howto? Something like group policies for complete idiots
TA maybe.



Re: [Samba] Making users local administrators

2013-03-20 Thread Gregory Sloop
The linky-thingy did have a way of doing so via a GPO. I've not tried
it, but it certainly looks like it should work.

 While I've not done this via GPO - this looks like a reasonable way of
 doing so.
 
 http://www.expta.com/2011/02/adding-users-to-local-security-groups.html
 


Try it.

-Greg




Re: [Samba] Samba 4 AD DC and BIND

2013-03-13 Thread Gregory Sloop

  If you are doing that,
 then I suggest you find a different way to operate - the AD DC is the
 security heart of the network, and should be more protected than that. 

GR My AD DC is not directly connected to the internet.   It is
GR behind an internet gateway router which has 53 open and
GR routing traffic to/from the BIND server on the AD DC.  Nothing unusual
GR about this.

GR The point of the split DNS and views is exactly to prevent
GR exposing internal network to the outside world.

Which, to me at least, means that queries from the world are hitting
the BIND server on your AD - which is *exactly* what Andrew was
talking about.

...And when someone finds a way to compromise BIND, your AD is also
totally compromised. It's probably a lot easier to burn down and
rebuild a BIND server vs your whole AD infrastructure.

I guess this whole branch of the discussion is essentially off-topic,
but were I in your shoes, I'd be running a stand-alone BIND server
completely separate from the AD for security as well as simplicity
purposes. [Or moving the external DNS services into a service
provider somewhere.]

...Or run it in a VM if you have to. Just don't, IMO, run a
world-reachable BIND server as part of AD.



Re: [Samba] Weird behaviour of one Win7 user

2013-03-11 Thread Gregory Sloop


DHK Hello list,

DHK I have a samba 3.5.6 running on a Debian squeeze machine. This box is
DHK running since more than a year without any problems.
DHK Since a couple of days we have the following problem.
DHK One Win7 user doesn't get his user profile any more
DHK The log file tells:

DHK [2013/03/04 07:43:14.641151,  1]
DHK auth/auth_util.c:580(make_server_info_sam)
DHK   User WIN7MACHINE$ in passdb, but getpwnam() fails!
DHK [2013/03/04 07:43:14.641191,  0]
DHK auth/auth_sam.c:493(check_sam_security)
DHK   check_sam_security: make_server_info_sam() failed with
DHK 'NT_STATUS_NO_SUCH_USER

DHK This happens from any machine the user concerned tries to connect the
DHK domain.
DHK Other Win7 users do not have the problem regardless what machine they use.

DHK The user exists in tdbsam and in the unix passwd file as does the machine.

DHK Everything worked well until Friday, when we experienced this problem.
DHK Friday the user first experienced this problem, however after several
DHK retries to log in the domain it suddenly worked again.
DHK Today (Monday) the user couldn't get his user profile anymore and couldn't
DHK connect to the domain.

DHK Neither samba configuration, nor user settings have been changed. The
DHK problem occurred without any configuration or permission changes.


Others will probably have better suggestions than I - but it would
appear that the account has been damaged.

Is it possible to easily delete the user and re-create the account in
Samba? If after deleting the account and re-creating the problem still
exists, then my guess must be wrong.

If it fixes it, then you know the account was damaged.

In either case, it narrows the list of things to test considerably.

---
But I can certainly see where nuking the user and recreating them
might not be a trivial process. If so, hopefully others will suggest
better/more precise steps.

-Greg



Re: [Samba] samba4 provision password complexity error

2013-03-10 Thread Gregory Sloop
Known issue - see the wiki. [I don't think you can change the
password complexity before provisioning, but perhaps you can.]

#this sets the complexity req off.
#(I do this after provisioning, but it may work before...)

samba-tool domain passwordsettings set --complexity=off

---
But you'll have to run provisioning again, which will fail.
Thus, the easiest way I've found is simply to nuke the Samba install

ie.
rm /usr/local/samba/ -rf

Then run make install again and re-run provisioning.

This all assumes you're running 4.0.3 and did your own compile and
install into the default directory.

-Greg

GR I am trying to provision my samba 4 domain and even though I have
GR deactivated password complexity using the samba-tool I
GR still receive this error during the provision:

GR ERROR(ldb): uncaught exception - 052D: Constraint violation -
GR check_password_restrictions: the password does not
GR meet the complexity criteria!


GR Is this a known issue or do I need to do something else to get
GR this working (not counting making the password more complex)?





Re: [Samba] samba4 provision password complexity error

2013-03-10 Thread Gregory Sloop
Perhaps, though it really doesn't make sense to have complexity req
before you tell it, it's a Windows style AD domain - hence that would
be why it happens when you provision the domain.

[I've never tried to set it prior to provisioning the domain, so I'm
not at all sure it's really a bug - though I'd agree cosmetically it's
a little odd.]

But _really,_ it's not that hard to meet the complexity req - especially
for your master Admin account.

Then once you get it set, and you'd _really_ *like* a vulnerable admin
password you can always turn off the req and then change it back. ;)

-Greg

GR On 03/10/2013 10:21 PM, Gerry Reno wrote:
 I am trying to provision my samba 4 domain and even though I have 
 deactivated password complexity using the samba-tool I
 still receive this error during the provision:

 ERROR(ldb): uncaught exception - 052D: Constraint violation - 
 check_password_restrictions: the password does not
 meet the complexity criteria!


 Is this a known issue or do I need to do something else to get this working 
 (not counting making the password more complex)?



GR When I check the complexity before the provision it is off.

GR When I check the complexity after the error it is on !!

GR Something is turning the complexity back on during the provision. BUG






Re: [Samba] samba4 provision password complexity error

2013-03-10 Thread Gregory Sloop

GR Ok I finally gave up and made something really complex:   Administrator1

GR Boy, we feel really secure now.:rolleyes:


GR RANT:  I wish people would stop all this complexity nonsense and
GR just let people set their passwords how they want to
GR set them.

I really hope you're venting at Microsoft who set the standard and
which Samba, for FREE, is simply following. It's the exact same setup
as a Windows Server install. You can't turn off the complexity
requirements there before you setup the Admin account either.

Seriously dude. It works just like it does in Windows and clearly you
want it just like Windows or you wouldn't be running an AD provision.

Seems like a lot of venting and gnashing of teeth for an extra couple
of minutes of work. [Not to mention a poke in the Samba Devs' eyes
about what you have not paid a penny for.]

:rolleyes




Re: [Samba] tracking user activity - Active Directory

2013-03-07 Thread Gregory Sloop
Pardon me for butting in, and probably you've already considered this,
but what the heck.

Do you even know that the user actually logged in during the time in
question? I suppose the logs will at least let you know *if* anyone
did login, but if the trouble-maker used an already logged in station
you get nada in the logs.

-Greg



Re: [Samba] Password Policy - how to reduce password complexity

2013-03-02 Thread Gregory Sloop


  Windows cannot set the password for  because: The password does not
 meet the password policy requirements. Check the minimum password length,
 password complexity and password history requirements.


TS It's giving that error because you have a minimum length specified or
TS complexity on. If you want to change that you need to run  'samba-tool
TS domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
TS really want to disable complexity and allow very weak passwords?

I think best practices show that passwords that are too hard to
remember [IMO the complexity requirement starts to get into this area]
simply frustrate users and the result will be they write down the
password and stick it near the computer. That is far worse than a
weak password. It's a password you can find by pulling open the top
drawer of their desk, looking under their keyboard, or simply looking
at the post-it on the monitor.

I'd recommend something like LastPass, but that's not really
applicable here, unless you're going to pull it off your phone or
something.

IMO, for most of my mid-to-smaller clients, I disable password
complexity requirements. I also disable the can't reuse passwords for
4675 years. (sarcasm)

I've tended to simply generate passwords for each user and provide
them with a copy. We pick multiple quasi-words with some numbers and
simply live with some decreased security. [If the attacker can hit
your authenticator db with millions of guesses, on or off-line, the
game's probably over anyway.]

I'm sure that doesn't work for everyone - but a good admin should know
when and where to require higher security passwords and when not to.
If the admin doesn't know this - then they'll make a myriad of other
mistakes, so that high password complexity requirement will largely be
useless. [i.e. A high security lock in a styrofoam door.]

So, I guess I'd summarize this as: If high complexity passwords are
appropriate for your site, use them. If not, don't feel particularly
bad about not using them.

-Greg





Re: [Samba] samba4 PDC to BDC file replication

2013-03-01 Thread Gregory Sloop
Thanks. I asked this a few weeks back and didn't get much response.
The half-hearted consensus was that rsync wouldn't do the job.

[It seemed to me it should, as long as you're replicating between two
DC members, and not to a non DC member. (Because, as I figured it, a
non DC member wouldn't have any idea about the users/groups, since
it's not replicating any of the DC data, right?)]

Glad for any light you can shed - and thanks for letting me know it
should work. I'll tinker with it when I'm to that point.

-Greg


JA On Thu, Feb 28, 2013 at 09:13:39PM -0800, Gregory Sloop wrote:
 
 I'm in the same boat, and I'm only aware of two possibilities.
 
 1) Robocopy - using a Windows client.
BUT Robocopy doesn't do file deltas - changed files are copied in
their entirety. Which isn't a problem if you don't have large
files. But if you've got a 10G file that changes often, then this
probably isn't the best alternative.
 
 2) http://www.bvckup.com/support/ [Bvckup]
This also appears to be a Windows utility, but does handle file
delta's. I have never used this tool and so can't vouch for it in any
way.
 
 If you find a functional solution, that preferably can be used on the
 two Linux/Samba boxes to do file-deltas and still maintain the
 permissions - that would be best.
 
 One other option that might work:
 Rsync the data, and use robocopy to simply duplicate the permissions
 structure. [I believe this is possible.]

JA rsync using -A (preserve ACLs) and -X (preserve extended attributes)
JA and -o (preserve owner (super-user only)) and -g (preserve group)
JA should copy thing perfectly.



Re: [Samba] samba4 PDC to BDC file replication

2013-02-28 Thread Gregory Sloop

CW I have built two samba4 boxes, one as a PDC and the other as a DC, all working
CW perfectly. If I create a user through the mmc snapin then turn off the PDC,
CW I can still login to the domain using the DC which is great. The problem is
CW their files and ntfs permissions on BDC.

CW I have assigned user and group rights using windows explorer to certain
CW folders, i.e granted user1 full permissions to that folder

CW The problem I have is trying to replicate/sync the users data/files from PDC
CW to DC whilst keeping the NTFS permissions that have been set. Rsync doesn't
CW seem to keep the ntfs permissions

CW The reason for this is if the PDC goes down, user logs on using the DC and
CW can access their files which have retained their files and permissions.

CW Is there some way to achieve this?

I'm in the same boat, and I'm only aware of two possibilities.

1) Robocopy - using a Windows client.
   BUT Robocopy doesn't do file deltas - changed files are copied in
   their entirety. Which isn't a problem if you don't have large
   files. But if you've got a 10G file that changes often, then this
   probably isn't the best alternative.

2) http://www.bvckup.com/support/ [Bvckup]
   This also appears to be a Windows utility, but does handle file
   delta's. I have never used this tool and so can't vouch for it in any
   way.

If you find a functional solution, that preferably can be used on the
two Linux/Samba boxes to do file-deltas and still maintain the
permissions - that would be best.

One other option that might work:
Rsync the data, and use robocopy to simply duplicate the permissions
structure. [I believe this is possible.]

This last idea sounds bat$hit insane - but hey, it might actually work
reasonably well. :)

-Greg

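An added example, not code from John's or Greg's posts (it covers the rsync flags John gives in the reply further up as well as the replication question in this message): the rsync call with ACL and xattr preservation, wrapped in a POSIX shell script that builds a throwaway tree with one ACL entry and one extended attribute, mirrors it, and checks that both arrived. It assumes rsync built with ACL/xattr support plus the acl and attr packages (setfacl/getfacl, setfattr/getfattr); the Finance/report.txt tree is constructed.

```shell
#!/bin/sh
# Constructed example (not code from the thread): mirror a share tree from
# one DC to another while keeping ownership, POSIX ACLs and extended
# attributes, then prove on a throwaway tree that an ACL entry and an xattr
# survived the copy. Assumes rsync built with ACL/xattr support plus the
# acl (setfacl/getfacl) and attr (setfattr/getfattr) tools.

# -a keeps perms/times/owner/group (the -o and -g from the thread are part
# of -a); -A adds POSIX ACLs, -X extended attributes. Samba 4 keeps the NT
# ACL in the security.NTACL xattr, which only root may write, so a non-root
# rsync copies the user.* attributes and silently drops the NT ACL.
replicate_share() {
  src=$1; dst=$2
  rsync -a -A -X --delete "$src/" "$dst/"
}

# Returns 77 when the needed tools or rsync capabilities are missing, 0 when
# both the ACL entry and the xattr round-trip, and a distinct non-zero code
# for the failing step otherwise.
demo_acl_roundtrip() {
  for tool in rsync setfacl getfacl setfattr getfattr; do
    command -v "$tool" >/dev/null 2>&1 || return 77
  done
  if rsync --version 2>/dev/null | grep -q 'no ACLs'; then return 77; fi
  if rsync --version 2>/dev/null | grep -q 'no xattrs'; then return 77; fi
  work=$(mktemp -d) || return 1
  mkdir -p "$work/src/Finance"
  printf 'q1 report\n' > "$work/src/Finance/report.txt"
  # Markers: a read-only ACL entry for uid 65534 and a user-namespace xattr
  setfacl -m u:65534:r-- "$work/src/Finance/report.txt" || return 2
  setfattr -n user.share_owner -v finance "$work/src/Finance/report.txt" || return 3
  replicate_share "$work/src" "$work/dst" || return 4
  getfacl --numeric --omit-header "$work/dst/Finance/report.txt" \
    | grep -q '^user:65534:r--' || return 5
  [ "$(getfattr -n user.share_owner --only-values "$work/dst/Finance/report.txt")" = finance ] \
    || return 6
  rm -rf "$work"
  return 0
}
```

For DC-to-DC use, run replicate_share as root on both ends (rsync over ssh with a root-capable remote side) and spot-check a copied file with `samba-tool ntacl get` on the receiving DC; if that prints no NT ACL, the security.NTACL attribute was lost in transit and the Windows permissions will not match.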


Re: [Samba] Samba 4 - smbd; can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL error but only for a single domain user (Server 2008 R2 domain, Server 2008 functional level forest).

2013-02-27 Thread Gregory Sloop


 I do so enjoy working with users who I can ask to 'put some code in' and who 
 can handle this so well :-).
TM Why thank you, kind Sir :-)

TM I do so enjoy working with people who quite obviously really, REALLY, know
TM their subject :-)
TM In my case, evidence only of far too many years stuck in front of
TM a keyboard, I'm afraid ...  Anyway, the code wasn't that good -
TM for some reason it's not actually replacing the '\' in any
TM principal names - never mind, it'll do for this purpose ...


Ok, I have nothing to add, constructively, to this conversation - but I
have to say...

Watching this thread has been like going out for a Sunday afternoon lap
swim, and finding you're in the pool with Lochte and Phelps.

It's *really* cool to watch, but it also makes you question what on
earth you're doing in the pool with these guys.

Sheesh, thanks.
We're questioning the reason for our existence now. :)



Re: [Samba] some DNS trouble ...

2013-02-26 Thread Gregory Sloop

mmgc Well … just found that the options
mmgc server role
mmgc dns recursive queries
mmgc dns forwarders

mmgc are ignored … hmmm … well … does anyone know how to achieve the
mmgc desired behavior without these options ?

Perhaps I don't understand what's going on - but are you sure your DNS
forwarder *IS* working properly? Because if the forwarder wasn't
servicing the DNS queries, then it would *look* like [dns forwarders]
wasn't working.

This came up in another thread in the last week. Make sure the DNS
server specified in the [dns forwarders] is actually serving DNS
queries for the AD host in question.

It's common for BIND to be locked down so it will handle local
queries for all requests, or remote queries for zones it's auth for
- but not to handle remote requests for non-auth zones.

[See listen-on and allow-query in BIND docs, among other things.]



Re: [Samba] Synchronising password of some AD users with an external LDAP?

2013-02-26 Thread Gregory Sloop


PLJJ I know that if I were running a Windows AD, I could most likely
PLJJ accomplish what I want with--if nothing else--the 389 DS by using
PLJJ DS-provided Password Sync Service (see
PLJJ https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
PLJJ for more information).

This is way over my head, in terms of expertise - but since the AD
should function identically to the Windows AD setup, it may well work
just fine, even though the back-end isn't a Windows AD box, but a
Samba4 AD.



Re: [Samba] Synchronising password of some AD users with an external LDAP?

2013-02-26 Thread Gregory Sloop
 PLJJ I know that if I were running a Windows AD, I could most likely
 PLJJ accomplish what I want with--if nothing else--the 389 DS by using
 PLJJ DS-provided Password Sync Service (see
 PLJJ https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
 PLJJ for more information).
 
 This is way over my head, in terms of expertise - but since the AD
 should function identically to the Windows AD setup, it may well work
 just fine, even though the back-end isn't a Windows AD box, but a
 Samba4 AD.

PLJJ Read the guide on the page that I linked. The said Password Sync Service
PLJJ is a Windows application. It installs a new password filtering DLL and a
PLJJ system service to a Windows DC.

PLJJ Samba, on the other hand, hardly runs on Windows. And even if it can be
PLJJ run (by compiling under Cygwin, perhaps?) it would be rather pointless.


Sorry, I missed that - I did do a very cursory scan and didn't see
anything Windows specific. Guess that's what happens when you scan a
little too quickly/lightly.



Re: [Samba] Samba AD DC with BIND DNS on separate server

2013-02-25 Thread Gregory Sloop
LL I see from the documentation that it is possible to use BIND9 as
LL a drop-in replacement for the internal SAMBA4 DNS service...

LL However, I would like to know if I can keep the BIND9 DNS server
LL on a separate server from the one that SAMBA4 is running on (AD DC).

LL If this is possible, how would one go about achieving this?

LL I've got an existing DNS infrastructure that I do not necessarily change in
LL a big way...

LL Thank You!

A thought. How about creating your domain as a subdomain of your
current DNS domain. Something like samba.some-domain.com - where
some-domain.com is the main domain you've got in BIND9.

Then, delegate only that subdomain to Samba4 and have the Samba server
forward queries for anything outside samba.some-domain.com to the
BIND9 server.

This gives you most of what you want: Not having to change the BIND9
server, as well as leave the internal namesever in Samba4. [They're
both happy and all works fine (I think)]

I know that doesn't answer your direct question, but perhaps it
offers a fuller view of what the options that might work are.

-Greg

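An added example, not code from the posts (it serves this thread and the "some DNS trouble" thread above, which Greg answers with the same forwarder caveat): the two configuration halves of the delegation Greg describes, generated by a small POSIX shell script so the names line up. The parent BIND zone gets an NS record for the AD subdomain plus a glue A record, BIND's options allow the DC to recurse through it, and the DC's smb.conf forwards out-of-zone queries back to BIND. some-domain.com, dc1, 10.0.0.10 and 10.0.0.53 are assumed placeholders; verify_delegation needs dig and live servers.

```shell
#!/bin/sh
# Constructed example (not from the thread): the two halves of running the
# Samba AD zone as a delegated subdomain of an existing BIND zone.
#   parent side: BIND stays authoritative for some-domain.com and delegates
#                samba.some-domain.com to the DC with an NS record plus glue.
#   DC side:     Samba's internal DNS answers only for samba.some-domain.com
#                and forwards everything else back to BIND.
# Names and addresses below are assumed placeholders.

PARENT_ZONE="${PARENT_ZONE:-some-domain.com}"
AD_ZONE="${AD_ZONE:-samba.$PARENT_ZONE}"
DC_HOST="${DC_HOST:-dc1.$AD_ZONE}"
DC_IP="${DC_IP:-10.0.0.10}"
BIND_IP="${BIND_IP:-10.0.0.53}"

# Records to append to the parent zone file: the delegation NS plus a glue A
# record, needed because the NS name lives inside the delegated zone itself.
parent_delegation_records() {
  printf '; delegate the AD zone to the Samba DC\n'
  printf '%s.\tIN\tNS\t%s.\n' "$AD_ZONE" "$DC_HOST"
  printf '%s.\tIN\tA\t%s\n' "$DC_HOST" "$DC_IP"
}

# named.conf options on the parent. The DC must be allowed to recurse
# through BIND; a server that only answers for its own zones refuses the
# forwarded queries, and on the DC that looks as if "dns forwarder" were
# being ignored. Keep query access to the local networks and the DC only.
parent_named_options() {
  cat <<EOF
options {
    listen-on { $BIND_IP; };
    allow-query { localnets; $DC_IP; };
    allow-recursion { localnets; $DC_IP; };
};
EOF
}

# smb.conf [global] lines on the DC (Samba internal DNS backend).
dc_smb_conf_fragment() {
  cat <<EOF
[global]
    # Samba's internal DNS is authoritative for $AD_ZONE only;
    # anything else is forwarded to the existing BIND server.
    dns forwarder = $BIND_IP
EOF
}

# Live check with dig: the parent must return the NS delegation, and the DC
# must resolve a name outside its zone via the forwarder.
# Returns 77 if dig is not installed, 1 or 2 for the failing half.
verify_delegation() {
  command -v dig >/dev/null 2>&1 || return 77
  dig +short @"$BIND_IP" NS "$AD_ZONE" | grep -q "^$DC_HOST\.$" || return 1
  dig +short @"$DC_IP" A "www.$PARENT_ZONE" | grep -q . || return 2
  return 0
}
```

Append the output of parent_delegation_records to the parent zone file and bump its serial, put the dc_smb_conf_fragment line in smb.conf and restart samba, then run verify_delegation from a client: a code of 1 means the parent is not delegating, 2 means the DC cannot reach BIND for out-of-zone names (usually the allow-recursion or listen-on restriction from the "some DNS trouble" thread).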


Re: [Samba] PROPOSAL: Remove SWAT in Samba 4.1

2013-02-20 Thread Gregory Sloop
-SNIP-

 However, for anyone looking for a web version of the smb.conf for
 4.0.3 - see this wiki page.
 http://wiki.samba.org/index.php/Documentation_Links/samba4-smb.conf

SA Just curious what is the source of the smb.conf manual above.

I think your question was answered in terms of S4 vs S3 applicability,
but to answer the direct question: It was pulled directly from the
4.0.3 source files.

[And as a follow-up - I hacked up the formatting as much as seemed
practical. groff seemed to have problems and the text size kept
getting larger and larger and *larger* toward the end of the document.
However the fixes were not as good as I'd like and thus it's still got
some of those same problems, just not as severe. The overall
formatting is really quite ugly. But it's quite useable, at least it
was for me.]

-Greg



Re: [Samba] samba_upgradeprovision and msDS-SupportedEncryptionTypes / msDS-NcType

2013-02-20 Thread Gregory Sloop


DE Originally I had a Win 2003 DC. I added a samba 4.0.0 DC to the
DE domain, allow full replication to take place and then transferred all
DE the roles to the samba 4.0.0 dc. Finally I removed the Windows DC from
DE the domain.

DE Everything has been working well. Today I upgraded from samba 4.0.0 to
DE 4.0.3 and ran samba_upgradeprovision --full. Initially this was
DE failing in update_present throwing an exception when attempting to
DE modify msDS-NcType and msDS-SupportedEncryptionTypes attributes which
DE didn't exist. I was able to get the upgradeprovision to run to
DE completion by removing these from the deltas

DE i.e.,
DE delta.remove('msDS-SupportedEncryptionTypes')
DE delta.remove('msDS-NcType')

DE Everything seems to be up-and-running again at 4.0.3, so it went well.
DE However, if these attributes are missing - a) shouldn't I get these
DE attributes added? b) why don't these show up as missing attributes on
DE the samba-tool dbcheck?

I can't help you at all, but over the last week or so, Andrew Bartlett
has mentioned, IIRC, that the upgradeprovision should not be run to
upgrade a 4.0.x box to 4.0.3.

Essentially, as I understand it, the code is only working properly for
alpha version upgrades, and it was too dangerous to recommend for use
for a production version [4.0.x].

Hopefully someone else will chime in here that knows more than I.

Just thought if you hadn't seen those messages - that might explain
the source of the problems you have.

-Greg



Re: [Samba] Samba4 Auto-start

2013-02-20 Thread Gregory Sloop

MR I'll cut to the chase -- several weeks ago, I thought I had an
MR upstart configuration file that would start Samba4 when the VM was
MR turned on; but it turns out I was wrong. At the time there was
MR nothing on the wiki about it (the links were broken). 
MR The script I thought was working was simply: 

MR start on runlevel [2345] 
MR exec /usr/local/samba/sbin/samba 

MR In any case, looking at the official wiki today, I found a new
MR note, stating that the links were indeed broken and that this one should
MR probably work:

-SNIP-

MR I am running Version 4.1.0pre1-GIT-f25debf on Ubuntu 12.04 LTS,
MR with the samba executable at /usr/local/samba/sbin/samba and the
MR conf file as /etc/init/samba4.conf. 

I'm the one that dug up that upstart script and put it in the Wiki.
[Since the link was broken.]

But I don't think the upstart script has anything to do with what
ports Samba's going to listen on.

While someone else may be able to offer more helpful advice, I'd guess
that the difference is that the upstart is starting samba with a
different config than the manual start - if you figure out how it's
getting a different config, then I suspect your problem will go away
or be trivially solvable.

Also, while I think there's no difference in terms of if the upstart
script works properly or not, I used it on version 4.0.3.



Re: [Samba] PROPOSAL: Remove SWAT in Samba 4.1

2013-02-19 Thread Gregory Sloop


DS On 02/17/2013 6:02 PM, Andrew Bartlett wrote:
 As most of you would have noticed, we have now had 3 CVE-nominated
 security issues for SWAT in the past couple of years.

-SNIP-

 Therefore, it was suggested on a private list that we just drop SWAT.  I
 want to start a public discussion on that point, prompted by
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700729 which reminds us
 why we didn't apply the specific CSRF hardening we applied in 4.0.2 to
 SWAT in the first place.

 Thanks,

 Andrew Bartlett

DS I have yet to make the jump to Samba4, so I have not seen the version of
DS SWAT designed for it.

DS For me, the primary benefit of SWAT in Samba3 was the ability to use the
DS help link for any parameter to see what that parameter did, what the 
DS default was, and what its proper syntax was.  For reference, I ran man
DS smb.conf.  Viewing full screen, I pressed the Page Down key 34 times
DS and was still in the 1st third of the alphabetical listing of 
DS parameters.  It's no small wonder that I never used man smb.conf to 
DS configure Samba.  SWAT was my friend.

DS So, if Samba4 has anywhere near the number of parameters as Samba3, I 
DS would be greatly disappointed to see SWAT go away entirely.  An html 
DS version of the samba-doc package that contained all parameters with 
DS links to their definitions/descriptions would be a welcome and suitable
DS replacement.

DS Thanks,
DS Dale

I'm working through smb.conf options now, and I see that the official
Samba docs for the smb.conf file are v3 only.

I've taken the liberty of cranking the smb.conf man file to html and
I've added a link in the wiki to it.

[I can't post full html to the Wiki and editing the smb.conf html
conversion to wiki-eese will be way too time consuming and
cumbersome. So, I've simply put it on my own web-server and linked to
it. My apologies if this violates some commonly accepted protocol, but
I needed it as much as anyone. I'm glad to send the file to whomever
needs it and once it's up at samba.org, change the link to point
there.]

However, for anyone looking for a web version of the smb.conf for
4.0.3 - see this wiki page.
http://wiki.samba.org/index.php/Documentation_Links/samba4-smb.conf

While the format isn't perfect, it's easier to search and navigate
than the man page.

-Greg



[Samba] smb.conf for Windows clients

2013-02-18 Thread Gregory Sloop
So, I'm trying to paw through the long set of smb.conf options - and
it's rather daunting.

I'm wondering what smb.conf options are most
important/appropriate/common for mostly Windows XP/7/(possibly v8) clients.

TIA

-Greg

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
503.251.0452 x121 Voice | 503.251.0452 Fax
www.sloop.net
mailto:gr...@sloop.net



Re: [Samba] BIND9_DLZ CNAME Records Not Resolving from Windows Workstations

2013-02-14 Thread Gregory Sloop
-SNIP-

TS Perfect! Now from the Windows workstation.

C:\Users\Admin1>ipconfig /flushdns
TS Windows IP Configuration
TS Successfully flushed the DNS Resolver Cache.

C:\Users\Admin1>ping foo.internal.testdom.com
TS Ping request could not find host foo.internal.testdom.com. Please check the
TS name
TS and try again.

An NSLookup trace would probably be more helpful than just a
non-resolution from ping. Perhaps it won't show us anything, but it might.

---
Provided the nslookup trace shows that the server you expect isn't
giving answers, rather than some other problem...

Is BIND configured to answer queries from hosts in the IP
block that the station is in? [See listen-on and allow-query in BIND
docs]


-Greg

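The listen-on / allow-query check suggested above, worked through as an added example (my code, not the poster's and not part of BIND): before reading an nslookup trace, these two address-match lists in named.conf decide whether a workstation's query gets an answer at all. The named.conf and every address below are constructed samples; 'localnets' and named ACLs are deliberately not evaluated.

```python
"""Would BIND even accept this workstation's query?

Added example, not from the post or from BIND.  Two things in named.conf
decide whether a query from a workstation gets an answer at all:
'listen-on' (is the address the client sends to one BIND binds?) and
'allow-query' (is the client's address permitted?).  This pulls both
address-match lists out of the options block and evaluates them for a
given server and client address.  The named.conf below and all
addresses are constructed samples.
"""
import ipaddress
import re

SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.10.5; };
    allow-query { localhost; 192.168.10.0/24; };
};
"""


def address_match_list(conf, option):
    """Elements of 'option { a; b; ... };' in conf, or None when the option is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(option), conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def matches(elements, ip):
    """Evaluate a BIND address-match list for ip: the first matching element
    wins, and a leading '!' negates it.  Handles any, none, localhost,
    literal addresses and prefixes; 'localnets' and named ACLs are skipped."""
    addr = ipaddress.ip_address(ip)
    for raw in elements:
        negate = raw.startswith("!")
        elem = raw.lstrip("!").strip()
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem == "localhost":
            hit = addr.is_loopback
        else:
            try:
                hit = addr in ipaddress.ip_network(elem, strict=False)
            except ValueError:
                continue  # localnets or a named acl: not evaluated in this example
        if hit:
            return not negate
    return False


def diagnose(conf, server_ip, client_ip):
    """Report whether BIND binds server_ip and whether client_ip may query it.

    BIND's defaults when an option is absent: listen on every IPv4
    interface, and allow queries from any host.
    """
    listen = address_match_list(conf, "listen-on")
    allow = address_match_list(conf, "allow-query")
    return {
        "listening_on_server_ip": True if listen is None else matches(listen, server_ip),
        "client_allowed": True if allow is None else matches(allow, client_ip),
    }


if __name__ == "__main__":
    # Constructed: a workstation in a subnet the allow-query list does not cover.
    print(diagnose(SAMPLE_NAMED_CONF, "192.168.10.5", "192.168.20.17"))
```

If both answers come back True, the trace is worth reading; on the Windows side `nslookup -d2 foo.internal.testdom.com <dc address>` sends the query to one chosen server and prints the full exchange, which separates "no answer" from "answer without the CNAME".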


[Samba] rsync'ing samba shares

2013-02-13 Thread Gregory Sloop
I know this has come up a bit in the past, but consider this
situation:

Two Samba4 DC's - and I want to mirror the data shares to the
backup DC in case we lose the primary DC and it's file shares.

[A cheap, dirty, poor-man's semi-CTDB. How did you ever guess that Red
Green was helping me?!]

The easiest way is probably rsync'ing the data.

However, will that include all the ACL's and extra data associated
with the files? I understand that to a disk on part of the DC, it
might not. But on the second DC, all the relevant users, AD group etc
do all exist.

So, is using rsync in such a situation reasonable/workable, or should
we use some windows based utility - say robocopy to handle this?

TIA
-Greg

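On the rsync question, an added example (mine, not the poster's and not part of Samba or rsync): rsync carries POSIX ACLs only with -A and extended attributes only with -X, and a Samba AD DC keeps each file's Windows security descriptor in the security.NTACL xattr, so a plain `rsync -a` mirror keeps the data but drops the Windows permissions. The argv builder is what I would run; the snapshot/compare pair is the check afterwards that the mirror really kept modes, ownership and xattrs. All sample data is constructed.

```python
"""Mirror a share with ACLs and xattrs, then verify the mirror kept them.

Added example, not from the post or from Samba/rsync.  Plain 'rsync -a'
carries neither POSIX ACLs (-A) nor extended attributes (-X), and a Samba
AD DC keeps the Windows security descriptor of each file in an xattr
(security.NTACL), so a mirror without those flags keeps the data but drops
the Windows permissions.  The argv builder is what I would run; the
snapshot/compare pair checks afterwards what the mirror actually lost.
All sample data is constructed.
"""
import os
import shutil
import stat
import tempfile


def mirror_command(src, dst, numeric_ids=False):
    """argv for an ACL- and xattr-preserving mirror of src into dst.

    -A needs rsync built with ACL support on both ends, and -X copies the
    security.* namespace only when both ends run as root.  numeric_ids=True
    is right only if both DCs share the same idmap.ldb; otherwise rsync's
    default mapping by user/group name is the safer choice.
    """
    argv = ["rsync", "-aAXH", "--delete"]
    if numeric_ids:
        argv.append("--numeric-ids")
    argv += [src.rstrip("/") + "/", dst]
    return argv


def snapshot(root):
    """Map path-relative-to-root -> (kind, mode, uid, gid, xattrs) for every entry."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            xattrs = ()
            if hasattr(os, "listxattr"):  # Linux only
                try:
                    names = os.listxattr(full, follow_symlinks=False)
                    xattrs = tuple(sorted(
                        (n, os.getxattr(full, n, follow_symlinks=False)) for n in names))
                except OSError:
                    pass  # filesystem without xattr support: record none
            snap[os.path.relpath(full, root)] = (
                kind, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, xattrs)
    return snap


def compare_snapshots(src, dst):
    """Return [(relpath, what)] discrepancies; an empty list means the mirror is faithful."""
    fields = ("kind", "mode", "uid", "gid", "xattrs")
    problems = []
    for rel, s in sorted(src.items()):
        d = dst.get(rel)
        if d is None:
            problems.append((rel, "missing"))
            continue
        problems.extend((rel, f) for f, a, b in zip(fields, s, d) if a != b)
    problems.extend((rel, "extra") for rel in sorted(set(dst) - set(src)))
    return problems


def self_check():
    """Build a tiny constructed tree in a temp dir and return its snapshot keys."""
    root = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "a.txt"), "w") as fh:
            fh.write("constructed sample\n")
        return sorted(snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(" ".join(mirror_command("/srv/shares", "dc2:/srv/shares")))
    print(self_check())
```

Run snapshot() as root on both DCs after the rsync and feed the two results to compare_snapshots(); any ("...", "xattrs") entry means the NT ACL did not survive the copy, which is exactly the case a Windows-based robocopy would have handled at the SMB level instead.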


[Samba] Replication Ok, or not?

2013-02-12 Thread Gregory Sloop
Set up a DC using 4.0.3 - all appears to go fine...

Set up a second DC and everything works fine to here...but I'm not sure
if replication is actually working or not.

Here's what I get from ./samba-tool drs showrepl

I've also done [./samba-tool drs kcc -Uadministrator
dc2.samba.somedom.local] in an attempt to fix the replication problem.
(or what I think is a problem.)

[The outbound neighbors data seems hinky... and searches on similar
cases don't seem to return much useful data.]

---
Default-First-Site-Name\DC1
DSA Options: 0x0001
DSA object GUID: b895f491-759f-4c72-a068-d1a40d0a8f4a
DSA invocationId: e72417ee-e57b-430f-b636-1d3745a94c89

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ Tue Feb 12 09:10:15 2013 PST was successful
0 consecutive failure(s).
Last success @ Tue Feb 12 09:10:15 2013 PST

DC=DomainDnsZones,DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ Tue Feb 12 09:10:16 2013 PST was successful
0 consecutive failure(s).
Last success @ Tue Feb 12 09:10:16 2013 PST

DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ Tue Feb 12 09:10:17 2013 PST was successful
0 consecutive failure(s).
Last success @ Tue Feb 12 09:10:17 2013 PST

CN=Schema,CN=Configuration,DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ Tue Feb 12 09:10:17 2013 PST was successful
0 consecutive failure(s).
Last success @ Tue Feb 12 09:10:17 2013 PST

CN=Configuration,DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ Tue Feb 12 09:10:18 2013 PST was successful
0 consecutive failure(s).
Last success @ Tue Feb 12 09:10:18 2013 PST

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=samba,DC=somedom,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 6c662086-56f8-4932-aead-3ecf580e705e
Enabled: TRUE
Server DNS name : DC2.samba.somedom.local
Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=somedom,DC=local
TransportType: RPC
options: 0x0001
Warning: No NC replicated for Connection!


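A way to read showrepl output like the above mechanically, as an added example (my code, not the poster's and not part of samba-tool): it separates neighbours that are failing (non-zero consecutive failures, or a last attempt that did not succeed) from neighbours that have simply never recorded a success (NTTIME(0) is a zero timestamp), and collects the KCC warnings. The sample below is constructed from an abridged copy of the output pasted above; the section headers are matched with or without their "====" decoration because mail clients tend to strip them.

```python
"""Parse 'samba-tool drs showrepl' output and flag what needs a look.

Added example, not from the post or from Samba.  The sample is an
abridged, constructed version of the output in the post.
"""
import re

SAMPLE_SHOWREPL = r"""Default-First-Site-Name\DC1
DSA Options: 0x0001
DSA object GUID: b895f491-759f-4c72-a068-d1a40d0a8f4a
DSA invocationId: e72417ee-e57b-430f-b636-1d3745a94c89

==== INBOUND NEIGHBORS ====

DC=samba,DC=somedom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
        Last attempt @ Tue Feb 12 09:10:17 2013 PST was successful
        0 consecutive failure(s).
        Last success @ Tue Feb 12 09:10:17 2013 PST

==== OUTBOUND NEIGHBORS ====

DC=samba,DC=somedom,DC=local
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 6c05f6d6-0626-494a-8192-9d574a99cc34
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 6c662086-56f8-4932-aead-3ecf580e705e
    Enabled        : TRUE
    Server DNS name : DC2.samba.somedom.local
    TransportType: RPC
    options: 0x0001
Warning: No NC replicated for Connection!
"""

# Section headers, with or without the '====' decoration.
HEADER = re.compile(r"^=*\s*(INBOUND NEIGHBORS|OUTBOUND NEIGHBORS|KCC CONNECTION OBJECTS)\s*=*$")


def parse_showrepl(text):
    """Return (neighbors, warnings).  Each neighbor is a dict with keys
    direction, nc, partner, last_attempt, failures, last_success."""
    neighbors, warnings = [], []
    section, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            section = head.group(1).split()[0].lower()  # inbound / outbound / kcc
            cur = None
            continue
        if line.startswith("Warning:"):
            warnings.append(line)
            continue
        if section not in ("inbound", "outbound"):
            continue
        if re.match(r"^(DC|CN)=", line):  # a naming context DN starts a block
            cur = {"direction": section, "nc": line, "partner": None,
                   "last_attempt": None, "failures": None, "last_success": None}
            neighbors.append(cur)
        elif cur is None:
            continue
        elif line.endswith(" via RPC"):
            cur["partner"] = line[: -len(" via RPC")]
        elif line.startswith("Last attempt @ "):
            cur["last_attempt"] = line[len("Last attempt @ "):]
        elif line.endswith("consecutive failure(s)."):
            cur["failures"] = int(line.split()[0])
        elif line.startswith("Last success @ "):
            cur["last_success"] = line[len("Last success @ "):]
    return neighbors, warnings


def replication_findings(text):
    """Human-readable list of things worth checking; empty means nothing flagged."""
    neighbors, warnings = parse_showrepl(text)
    findings = []
    for n in neighbors:
        where = f"{n['direction']} {n['nc']}"
        if n["failures"]:
            findings.append(f"{where}: {n['failures']} consecutive failure(s)")
        if n["last_attempt"] and "was successful" not in n["last_attempt"]:
            findings.append(f"{where}: last attempt did not succeed ({n['last_attempt']})")
        if n["last_success"] == "NTTIME(0)":
            findings.append(f"{where}: no successful replication ever recorded")
    findings.extend(warnings)
    return findings


if __name__ == "__main__":
    for finding in replication_findings(SAMPLE_SHOWREPL):
        print(finding)
```

The outbound neighbours listed on DC1 are the inbound neighbours of DC2, so running the same parse over DC2's showrepl output and comparing the two views is the natural next check before deciding whether the NTTIME(0) entries are a real problem.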


[Samba] Promoting a DC

2013-02-12 Thread Gregory Sloop
So, I'm wondering if anyone has a howto on promoting a non-master DC
to FSMO/Operation master and making it the Primary DC? [I don't see it
in the Wiki and searching doesn't produce anything for me.]

In my particular case, I have a couple of test DC's I've setup. Rather
than tear them down, I might like to just move them into
production/final testing and then replace those machines with more
appropriate hardware - and promote the new DC to the master.

Perhaps this isn't the best approach - and that's fine.

But even then, knowing how to make one of the non-master DC's a master
under Samba4 might be a good thing to know, before I have an emergency
where I need to do it.

---
PS: I did one more search and got this article.
https://lists.samba.org/archive/samba/2012-April/167012.html

Is it really as easy as [./samba-tool fsmo transfer --role=all
--realm=SOMEDOM.COM ... ] ?

Again, something more formal might be nice. I'd be glad to author it
on the Wiki if someone can walk me through the proper steps. [I don't
want to document it if I'm not sure I'm doing it right.]

TIA
-Greg



[Samba] Wiki link / Attn:samba dev team, web maint..

2013-02-11 Thread Gregory Sloop
The Wiki page has been SSL-only for a few days to a week or so.
[perhaps this is by design, I don't know - but it is different than it
was a week or more ago.]

But the link to it from the main samba.org page is wrong and the suggested
link doesn't get you to the wiki either. [It goes to CIFS.ORG.]

Most of us can find our way - but it probably needs addressing
sometime soon.

-Greg



Re: [Samba] about samba4 and external ldap and dns

2013-02-07 Thread Gregory Sloop


AVH thanks,
AVH there is any documentation for using samba4 with an external bind9?

https://wiki.samba.org/index.php/Samba4/HOWTO#Bind_9.8.0_or_newer

[There's a problem with the Wiki - it's only accepting HTTPS
connections today - just a heads-up for whomever in the Samba crew
might be responsible.]



Re: [Samba] migrating samba shares to a netapp filer?

2013-01-31 Thread Gregory Sloop

LO Al 31/01/13 16:09, En/na John P Arends ha escrit:
 If I were you I'd connect to both shares using a Windows machine and run 
 robocopy to copy all the permissions.

LO I thought about that but I'd prefer a Linux solution (if possible).

If you want the least hassle and all the permissions etc, then
Robocopy is your friend.

But if you'd like a bunch of drama getting the permissions back right, then I'm 
sure RSync will do ya. :)

Seriously though. Perhaps someone else has a better answer - but I've
done this before, and the best and easiest way always comes back to
robocopy. [Perhaps I've led too sheltered a life, but hey, it works
and there's no real reason not to use it, IMO.]

-Greg



[Samba] domain provision error

2013-01-27 Thread Gregory Sloop
[I sent this back on Friday AM, but it claimed it was being held, yet
I've not seen it show up, so I'm reposting both to update the thread,
as well as for others who might be having the same issue. My apologies
if it eventually shows up twice.]

---
As was posted initially, I got a whole set of errors in doing my
domain provisioning. The error messages looked like they pointed
toward not having ACL support in the filesystem, or in Samba, or not
having the ACL packages installed.

[See the bottom of the message for a partial repost of the error.]

---
So, in frustration I nuked the test-bed setup and completely
reinstalled the OS, pulled Samba and all packages, re-compiled etc.

And I made the same mistake as the first time - I used a password that
didn't meet the complexity requirements and the provision script
bombed. But I just thought I'd re-run it with a better password. And
*boom* the same error as below - a second time.

That started me thinking that the issue was probably that the
provision script didn't know how to handle things if it was only half
done.

So, I tried deleting the smb.conf file and trying again. [As suggested
in the Wiki.] But that didn't do it either.

So, I nuked it from orbit - the only way to be sure!
rm /usr/local/samba/ -rf
[I installed to the default - but if you're having the same issue,
make sure you delete the path you installed to, as long as nothing
else is valuable there... :) ]

Then I did a Samba [make install] again to put the files back.

Re-ran the [domain provision] again, making sure to use a complex
enough password and the provision completed without error.

---
I might suggest that someone who knows that script include some error
handling that would at least kick meaningful error messages in the
same situation. [It doesn't have to roll things back automagically
but if it would at least recognize what was the problem and provide
feedback that would clue one in about what was *really* wrong and
perhaps what to do to fix it.]

Hope that helps someone else - or prompts a re-write of the script.

Thanks for all the help attempts!

-Greg

---
Error output from original posting below. [To help your google-fu!]
---
 When doing the domain provisioning I get these errors.
 
 ---
 Asks for Realm/Domain/DNS/Samba type [ad] etc...
 Then...
 ...
 ldb: module schema_load initialization failed : No such object
 ldb: module rootdse initialization failed : No such object
 ldb: module samba_dsdb initialization failed : No such object
 ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
 samdb_connect failed
 VFS connect failed!
 ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed -
 ProvisioningError: Your filesystem or build does not support posix ACLs,
 which s3fs requires.  Try the mounting the filesystem with the 'acl'
 option. File
 /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py,
 line 398, in run use_rfc2307=use_rfc2307, skip_sysvolacl=False)
   File
 /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py
 , line 1965, in provision raise ProvisioningError(Your filesystem or build
 does not support posix ACLs, which s3fs requires.  Try the mounting the
 filesystem with the 'acl' option.) ---
 
 Yet, I find:
 /usr/local/samba/lib/ldb/schema_load.so
 /usr/local/samba/lib/ldb/samba_dsdb.so
 /usr/local/samba/lib/ldb/rootdse.so
 
 1) These all exist.
 2) Running as root, and files are [r x] for root.
 
 Also, a mount shows this for the / partition: (rw,acl,errors=remount-ro)
 
 So, it appears that I have ACL support too.

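The error-handling the post asks for, sketched as an added example (my code, not the poster's and not part of Samba's provision script): it lists the files a previous provision attempt would have left under the prefix, the two the post itself names (smb.conf and private/sam.ldb), and separately probes whether the private directory's filesystem accepts extended attributes, so a stale half-provision and a genuine filesystem problem can be told apart before anything is wiped. It assumes the default /usr/local/samba prefix with etc/ and private/ under it.

```python
"""Pre-flight check before re-running 'samba-tool domain provision'.

Added example, not from the post or from Samba.  The post found that a
provision which died half-way (weak password) left files under the
install prefix, and every later run failed with an unrelated-looking
'does not support posix ACLs' error until the prefix was wiped.  This
lists the leftovers a previous attempt would have written and, separately,
probes whether the private directory's filesystem accepts extended
attributes.  Assumes the default /usr/local/samba prefix.
"""
import os
import shutil
import tempfile

# Files the post names as written by a provision, relative to the prefix;
# their presence means a previous run (complete or not) already happened.
PROVISION_ARTIFACTS = (
    "etc/smb.conf",
    "private/sam.ldb",
)


def leftover_provision_files(prefix="/usr/local/samba"):
    """Return the provision artifacts that already exist under prefix, in table order."""
    return [rel for rel in PROVISION_ARTIFACTS
            if os.path.lexists(os.path.join(prefix, rel))]


def xattr_probe(directory):
    """Round-trip a user.* xattr on a scratch file in directory -> (ok, detail).

    Only user.* is tried because it needs no privilege.  A failure here is
    a real filesystem problem (s3fs stores NT ACLs in the security.NTACL
    xattr and POSIX ACLs are xattrs too); a pass is necessary but not
    sufficient, since acl and user_xattr are separate mount options.
    """
    if not hasattr(os, "setxattr"):
        return False, "os.setxattr unavailable (not Linux)"
    try:
        with tempfile.NamedTemporaryFile(dir=directory) as tmp:
            os.setxattr(tmp.name, "user.samba_preflight", b"1")
            ok = os.getxattr(tmp.name, "user.samba_preflight") == b"1"
            return ok, "user xattr round-trip ok" if ok else "xattr value mismatch"
    except OSError as exc:
        return False, f"{exc.strerror} (errno {exc.errno})"


def preflight(prefix="/usr/local/samba"):
    """Summarise what would make a fresh provision fail or misbehave."""
    leftovers = leftover_provision_files(prefix)
    private = os.path.join(prefix, "private")
    probe_dir = private if os.path.isdir(private) else prefix
    if os.path.isdir(probe_dir):
        xattr_ok, detail = xattr_probe(probe_dir)
    else:
        xattr_ok, detail = False, "prefix does not exist"
    return {
        "leftovers": leftovers,
        "xattr_ok": xattr_ok,
        "xattr_detail": detail,
        "ready": not leftovers and xattr_ok,
    }


def demo_half_done_prefix():
    """Constructed prefix mimicking a provision that died after writing
    smb.conf and sam.ldb; returns what leftover_provision_files reports."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "private"))
        for rel in ("etc/smb.conf", "private/sam.ldb"):
            open(os.path.join(root, rel), "w").close()
        return leftover_provision_files(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(preflight())
```

A non-empty "leftovers" list with a passing xattr probe is the situation the post hit: the fix is to clear the prefix and reinstall, not to remount anything.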


[Samba] domain provision error

2013-01-24 Thread Gregory Sloop
Ubuntu 12.04
Following the Samba4 AD Wiki Howto.

---
When doing the domain provisioning I get these errors.

---
Asks for Realm/Domain/DNS/Samba type [ad] etc...
Then...
...
ldb: module schema_load initialization failed : No such object
ldb: module rootdse initialization failed : No such object
ldb: module samba_dsdb initialization failed : No such object
ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
samdb_connect failed
VFS connect failed!
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - 
ProvisioningError: Your filesystem or build does not support posix ACLs, which 
s3fs requires.  Try the mounting the filesystem with the 'acl' option.
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py, 
line 398, in run
use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File 
/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, 
line 1965, in provision
raise ProvisioningError(Your filesystem or build does not support posix 
ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' 
option.)
---

Yet, I find:
/usr/local/samba/lib/ldb/schema_load.so
/usr/local/samba/lib/ldb/samba_dsdb.so
/usr/local/samba/lib/ldb/rootdse.so

1) These all exist.
2) Running as root, and files are [r x] for root.

Also, a mount shows this for the / partition: (rw,acl,errors=remount-ro)

So, it appears that I have ACL support too.

---
Google-fu done for, nothing to show for it.
I'm stumped.
Suggestions?

-Greg



-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
503.251.0452 x121 Voice | 503.251.0452 Fax
www.sloop.net
mailto:gr...@sloop.net



Re: [Samba] domain provision error

2013-01-24 Thread Gregory Sloop

GK it's not only your file system supporting ACL's - also some
GK devel packages must be around during the build.
GK See https://wiki.samba.org/index.php/Samba_4/OS_Requirements

Thanks, but I do have all the ACL packages etc, described in the reqs.

[I followed, exactly, the Deb/Ubuntu instructions.]

-Greg



Re: [Samba] domain provision error

2013-01-24 Thread Gregory Sloop

GK it's not only your file system supporting ACL's - also some
GK devel packages must be around during the build.
GK See https://wiki.samba.org/index.php/Samba_4/OS_Requirements

GS Thanks, but I do have all the ACL packages etc, described in the reqs.

GS [I followed, exactly, the Deb/Ubuntu instructions.]

One more follow-up to this.

I see there were some other file-system reqs [I initially didn't think
that section applied to Ubuntu.]

However, I went back and edited fstab as required, and did the ACL
tests. All appears good.

So I re-ran the domain provision again. Same failure.
So, as far as I can tell, it's not an actual ACL problem.




[Samba] Ubuntu compile/install location

2013-01-23 Thread Gregory Sloop

Ok, while I'm usually more comfortable installing an RPM or DEB
package and having the package maintainer handle all the details for
me - I don't get a choice here.

The latest Ubuntu 12.04 package is the Alpha18 release.

So, I've compiled my own copy of Samba4.01 - and surprise, surprise,
it went well.

So the crux of the question is:
Where should I install it to? [What directory.]

The Wiki notes that it will go to [/usr/local/samba] by default.

While this is probably more a Debian/Ubuntu question - it probably
makes as much sense to ask here, vs the Ubuntu folks.

I suspect there's a bunch of you who are experienced on Ubuntu and who
might be able to point me to somewhere that might clarify this
question for me, or offer their own experience/advice.

So, again - the install by default is to [usr/local/samba]
Is leaving the default a good idea? If not, why, and where should I
install to, to avoid issues later?

And as long as we're on the subject - any advice to make my long term
experience better, having compiled my own vs. a package install?

TIA
-Greg


-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
503.251.0452 x82 Voice | 503.251.0452 Fax
www.sloop.net
mailto:gr...@sloop.net



[Samba] fail-over, redundancy, bdc, multi-dc-domain

2013-01-22 Thread Gregory Sloop
I'm aware of, at least generally, how one would have done a
BDC/Redundant server under OpenLDAP Samba3.

However, rolling your own multi-domain-controller was fairly daunting
[for me] under Samba3 / OpenLDAP.

I've been very interested in Samba4 for the more integrated nature of
having LDAP/DNS/Samba all under one roof. [i.e. Fewer places where I
can screw it up horribly.]

However I'm also interested in how one can handle fail-over. I don't
need something totally seamless and big-iron style. A backup box
that would need some manual intervention would be fine.

So, something like an rsync'd backup box where the shared
files/accounts/etc are perhaps an hour out of date, and that would
require 15 minutes to bring up as a primary would be an acceptable
solution.

That's not to say I wouldn't want something better, but that's kind of
the low end of the acceptable scale.

I've done some searches on the list and spent a while looking for
examples but I don't easily find any. [Using searches with: samba4 bdc,
redundant, backup, etc. There are a ton of very old articles on the
list, but almost nothing I could find specifically on Samba4.]

Could some kind soul point me either to:
1) Search terms more likely to produce results, or some discussion threads or
2) wiki/how-to's on how to accomplish something in the neighborhood of this
subject?

[Option #2 preferred.]

As a note, I'd be glad to help document this/provide a "here's what I
did and how", provided it's something reasonable for me to apply to
the situation I'm referring to - so I'm more than glad to contribute
back where I can.

TIA
-Greg
