[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0e9fcc3 vfs_snapper man page: Fixed typo from 2c50bdf docs: Improve wording around 'winbind expand groups' param https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0e9fcc3e7506dff01c3062893eace6beef5781a1 Author: Marc Muehlfeld <mmuehlf...@samba.org> Date: Fri Sep 29 18:34:25 2017 +0200 vfs_snapper man page: Fixed typo This commit corrects a small typo in vfs_snapper manpage. Signed-off-by: Yvan Masson <y...@masson-informatique.fr> Reviewed-by: Marc Muehlfeld <mmuehlf...@samba.org> Autobuild-User(master): Marc Muehlfeld <mmuehlf...@samba.org> Autobuild-Date(master): Sat Sep 30 02:41:46 CEST 2017 on sn-devel-144 --- Summary of changes: docs-xml/manpages/vfs_snapper.8.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/vfs_snapper.8.xml b/docs-xml/manpages/vfs_snapper.8.xml index 0cc223f..bc045c3 100644 --- a/docs-xml/manpages/vfs_snapper.8.xml +++ b/docs-xml/manpages/vfs_snapper.8.xml @@ -55,7 +55,7 @@ The underlying share path must have a corresponding snapper configuration file. The snapshot directory tree must allow - access for relavent users. + access for relevant users. -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4b56f80 Set log level for "Not authorative for" from 2 to 5 from ffee37c torture: Add sharemode tests for SMB2 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4b56f803793a2da847b8d8bb65c8173691ab0244 Author: Marc Muehlfeld <mmuehlf...@samba.org> Date: Wed Jul 26 08:00:24 2017 +0200 Set log level for "Not authorative for" from 2 to 5 Signed-off-by: Marc Muehlfeld <mmuehlf...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Marc Muehlfeld <mmuehlf...@samba.org> Autobuild-Date(master): Wed Jul 26 21:34:48 CEST 2017 on sn-devel-144 --- Summary of changes: source4/dns_server/dns_query.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c index b8ecc2e..4b5bb07 100644 --- a/source4/dns_server/dns_query.c +++ b/source4/dns_server/dns_query.c @@ -1056,7 +1056,7 @@ struct tevent_req *dns_server_process_query_send( if ((req_state->flags & DNS_FLAG_RECURSION_DESIRED) && (req_state->flags & DNS_FLAG_RECURSION_AVAIL)) { - DEBUG(2, ("Not authoritative for '%s', forwarding\n", + DEBUG(5, ("Not authoritative for '%s', forwarding\n", in->questions[0].name)); subreq = ask_forwarder_send(state, ev, dns, -- Samba Shared Repository
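Review bot: the change from DEBUG(2) to DEBUG(5) on the "Not authoritative for '%s', forwarding" line in dns_server_process_query_send() has no rationale in the commit body. Say why level 5 was chosen, because a server running below log level 5 will no longer record which queries were handed to the forwarder. The subject also spells the message "authorative", which does not match the string in the source, so a search of the history for the log text will miss this commit.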
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via a478eab Remove note about FTP from the download page from 5a2608f history: fix and in samba-4.3.0.html https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit a478eabf6d129182071901b3bcd88a2ce0b1de00 Author: Marc Muehlfeld <mmuehlf...@samba.org> Date: Wed Sep 16 08:57:33 2015 +0200 Remove note about FTP from the download page Signed-off-by: Marc Muehlfeld <mmuehlf...@samba.org> --- Summary of changes: download/index.html | 2 +- patches/patches | 1 - patches/series | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) delete mode 12 patches/patches mode change 12 => 100644 patches/series Changeset truncated at 500 lines: diff --git a/download/index.html b/download/index.html index b331a69..22c7c45 100755 --- a/download/index.html +++ b/download/index.html @@ -3,7 +3,7 @@ Download -The Samba source code is distributed via ftp and http. View the download +The Samba source code is distributed via http. View the download area via HTTP. The file you probably want is called samba-latest.tar.gz. Old releases are available in the Samba archives. diff --git a/patches/patches b/patches/patches deleted file mode 12 index 7ba4428..000 --- a/patches/patches +++ /dev/null @@ -1 +0,0 @@ -patches-3.3.14 \ No newline at end of file diff --git a/patches/series b/patches/series deleted file mode 12 index 3513e95..000 --- a/patches/series +++ /dev/null @@ -1 +0,0 @@ -patches-3.3.14/series \ No newline at end of file diff --git a/patches/series b/patches/series new file mode 100644 index 000..404472c --- /dev/null +++ b/patches/series @@ -0,0 +1 @@ +0001-s3-Stop-using-the-write-cache-after-an-oplock-break.patch -- Samba Website Repository
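Review bot: the patches/ part of this diff is not covered by the commit message "Remove note about FTP from the download page". patches/patches is deleted, and patches/series goes from "mode 12" to a regular 100644 file whose only content is 0001-s3-Stop-using-the-write-cache-after-an-oplock-break.patch. That looks like local patch-queue state committed along with the download/index.html fix. Drop those two paths from this commit, or split them into a separate commit with its own explanation.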
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 9978383 News: Fix link to release notes in 4.2.0 announcement from f3d5831 Announce Samba 4.2.0. https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 99783831ed8dcf13c550e1c4d133e0c5e0c755c5 Author: Marc Muehlfeld mmuehlf...@samba.org Date: Wed Mar 4 23:04:16 2015 +0100 News: Fix link to release notes in 4.2.0 announcement Signed-off-by: Marc Muehlfeld mmuehlf...@samba.org --- Summary of changes: generated_news/latest_10_bodies.html | 2 +- generated_news/latest_2_bodies.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html index 3d4226d..779d7ea 100644 --- a/generated_news/latest_10_bodies.html +++ b/generated_news/latest_10_bodies.html @@ -5,7 +5,7 @@ pThe uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be a href=http://samba.org/samba/ftp/stable/samba-4.2.0.tar.gz;downloaded -now/a. See a href=http://samba.org/samba/history/samba-4.0.23.html; +now/a. See a href=http://samba.org/samba/history/samba-4.2.0.html; the release notes for more info/a./p diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html index 641a31a..0ff09b0 100644 --- a/generated_news/latest_2_bodies.html +++ b/generated_news/latest_2_bodies.html @@ -5,7 +5,7 @@ pThe uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be a href=http://samba.org/samba/ftp/stable/samba-4.2.0.tar.gz;downloaded -now/a. See a href=http://samba.org/samba/history/samba-4.0.23.html; +now/a. See a href=http://samba.org/samba/history/samba-4.2.0.html; the release notes for more info/a./p -- Samba Website Repository
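Review bot: both hunks hand-edit files under generated_news/ (latest_10_bodies.html and latest_2_bodies.html). If those files are produced from a news source, the samba-4.0.23.html link has to be corrected there as well, otherwise the next regeneration will bring the wrong release-notes link back. Please point to the source change in the commit message or include it in this commit.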
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 362cac2 samba-tool: Create NIS enabled users and unixHomeDirectory attribute from 7fd2401 s4-samdb/tests: Assert on expected set of attributes for new User object https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 362cac25a744d2d5c6e01495d341969b863d7f12 Author: Marc Muehlfeld mmuehlf...@samba.org Date: Sat Jan 31 19:44:26 2015 +0100 samba-tool: Create NIS enabled users and unixHomeDirectory attribute Allow to create NIS enabled user accounts via 'samba-tool user add'. To create NIS enabled accounts, the parameters --uid-number=, --login-shell=, --unix-home=, --gid-number= are mandatory. Because we didn't had a parameter to set unixHomeDirectory yet, this patch also adds this feature. 'unixUserPassword: ABCD!efgh12345$67890' is added by default, when you enable NIS on an account in ADUC. The same we do in samba-tool. See: https://bugzilla.samba.org/show_bug.cgi?id=10909 Signed-off-by: Marc Muehlfeld mmuehlf...@samba.org Reviewed-By: Jelmer Vernooij jel...@samba.org Autobuild-User(master): Marc Muehlfeld mmuehlf...@samba.org Autobuild-Date(master): Tue Feb 3 17:18:32 CET 2015 on sn-devel-104 --- Summary of changes: python/samba/netcmd/user.py | 25 +++-- python/samba/samdb.py | 18 -- 2 files changed, 39 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py index 344f35f..2bc5522 100644 --- a/python/samba/netcmd/user.py +++ b/python/samba/netcmd/user.py 
@@ -71,6 +71,13 @@ samba-tool user create User4 passw4rd --rfc2307-from-nss --gecos 'some text' Example4 shows how to create a new user with Unix UID, GID and login-shell set from the local NSS and GECOS set to 'some text'. +Example5: +samba-tool user add User5 passw5rd --nis-domain=samdom --unix-home=/home/User5 \ + --uid-number=10005 --login-shell=/bin/false --gid-number=1 + +Example5 shows how to create an RFC2307/NIS domain enabled user account. If +--nis-domain is set, then the other four parameters are mandatory. + synopsis = %prog username [password] [options] @@ -107,6 +114,9 @@ Example4 shows how to create a new user with Unix UID, GID and login-shell set f Option(--rfc2307-from-nss, help=Copy Unix user attributes from NSS (will be overridden by explicit UID/GID/GECOS/shell), action=store_true), +Option(--nis-domain, help=User's Unix/RFC2307 NIS domain, type=str), +Option(--unix-home, help=User's Unix/RFC2307 home directory, +type=str), Option(--uid, help=User's Unix/RFC2307 username, type=str), Option(--uid-number, help=User's Unix/RFC2307 numeric UID, type=int), Option(--gid-number, help=User's Unix/RFC2307 primary GID number, type=int), @@ -130,7 +140,8 @@ Example4 shows how to create a new user with Unix UID, GID and login-shell set f job_title=None, department=None, company=None, description=None, mail_address=None, internet_address=None, telephone_number=None, physical_delivery_office=None, rfc2307_from_nss=False, -uid=None, uid_number=None, gid_number=None, gecos=None, login_shell=None): +nis_domain=None, unix_home=None, uid=None, uid_number=None, +gid_number=None, gecos=None, login_shell=None): if random_password: password = generate_random_password(128, 255) 
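Review bot: in the help-text hunk, Example5 invokes 'samba-tool user add' while the surrounding examples (see the Example4 context line) use 'samba-tool user create'. Use the same subcommand name in every example, or state in the help text that 'add' is an accepted alias, so the new example can be copied as written.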
@@ -164,6 +175,14 @@ Example4 shows how to create a new user with Unix UID, GID and login-shell set f if not lp.get(idmap_ldb:use rfc2307): self.outf.write(You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.\n) +if nis_domain is not None: +if None in (uid_number, login_shell, unix_home, gid_number): +raise CommandError('Missing parameters. To enable NIS features, ' + 'the following options have to be given: ' + '--nis-domain=, --uidNumber=, --login-shell=' + ', --unix-home=, --gid-number= Operation ' + 'cancelled.') + try: samdb = SamDB(url=H, session_info=system_session(), credentials=creds, lp=lp) @@ -173,7 +192,9 @@ Example4 shows how to create a new user with Unix UID, GID and login-shell set f jobtitle=job_title, department=department, company=company, description=description, mailaddress=mail_address, internetaddress=internet_address
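Review bot: the CommandError text in the nis_domain check lists '--uidNumber=', but the option in the option list and in Example5 is --uid-number. Change the message to '--uid-number=' so the names it prints can be used as given. The check also only tests for None, so decide here whether an empty string for --unix-home or --login-shell should be rejected as well.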
[Samba] File share permissions act different on member server than on DC
Hello,

a while ago I wrote the http://wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo. When I wrote the HowTo, I set up and configured the share on a DC, which still works as described.

Today I tried for the first time to do exactly the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work there.

The share in smb.conf:

    [demo]
    path = /srv/samba/Demo
    read only = no

The folder in the filesystem (XFS):

    drwxr-xr-x 2 root root 6 13. Okt 22:16 /srv/samba/Demo

I connect to the share as Domain Admin, right-click on it and go to the security tab. Here I now see everyone and two root entries.

- I click the edit button and remove the two root entries. When I click apply, everything is reset (the two entries come back).
- If I grant modify to everyone (where all allow entries are empty by default) and click apply, then all boxes are checked automatically (full access) and CREATOR OWNER and CREATOR GROUP appear. And these two can't be removed any more either.

If I do exactly the same on a DC, then the security tab already shows very different settings the first time I open it. The wiki screenshot shows them: http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png. But the folder on the Linux side is also just 755 (and without any extended ACLs when I begin). Also, whatever I change (like removing root from the ACLs), everything is done as expected and saved.

The member server is also self-compiled. I installed all packages on my RHEL6 that I have installed on the DC too.

Any idea what could be different on a 4.x member than on a DC? Or did I find a bug?

Regards
Marc

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [Announce] Samba 4.1.0 Available for Download
Hello Szymon,

On 11.10.2013 21:53, Szymon Życiński wrote:
> Any infos about update from 4.0.9? Regular way:
> - download
> - ./configure
> - make
> - make install

Yes. If there are other steps required, it is mentioned in the release notes.

Regards,
Marc
Re: [Samba] Point'n Print setup on Samba4 failing to install drivers
Hello Pablo,

On 08.10.2013 17:41, Pablo T. Virgo wrote:
> If I attempt to load the driver with the [print$] share permissions set as per the howto, (755 server side, samba config includes 'writeable = yes') I get an access denied error.

- Can you show the output of getfacl on the directory?
- What filesystem is this share on?
- Is it mounted with user_xattr?

> Main question: What could I have overlooked? What do I need to do in order to get the print drivers installed on the server?

I wrote that HowTo in June. So I think I had tested everything with 4.0.6. What version are you running? What OS/Distribution/Version are you running?

If I have time later, I can try to set up printing on my test environment to re-validate the HowTo.

Regards,
Marc
Re: [Samba] Samba4 as AD member local rights problem...
On 24.09.2013 09:13, Thomas Besser wrote:
> Like described here (http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-from-cups/) I enabled 'root' for short and granted the 'SePrintOperator' right to a normal account and switched back to security = ads
>
> Now the next problem arises: I can now upload the win drivers as described in your howto section "Uploading printer drivers for Point'n'Print driver installation" successfully. I can also see the files in the samba drivers share. But I can not associate it with a printer! The dropdown on https://wiki.samba.org/index.php/File:Choose_driver.png is empty!
>
> Any hint what's wrong here? A bug in samba4?

I revalidated my HowTo today for someone else who has a question about the print server. And I could reproduce your problem: I upload an x64 driver successfully, but the driver combobox is empty. If I associate the driver with the printer by rpcclient, as also mentioned in the HowTo, everything is fine and I can configure the printer and continue.

But what confuses me more: if I upload an x86 driver for the printer, too, then the driver appears in the list. The driver also appears if only an x86 driver is uploaded.

This sounds a bit like a bug to me. I'll try to find out more. But as a workaround you can upload the x86 driver (in addition to your x64 driver) or use rpcclient to associate the driver with the printer.

Regards,
Marc
Re: [Samba] Point'n Print setup on Samba4 failing to install drivers
On 08.10.2013 18:53, Pablo T. Virgo wrote:
>> - Can you show the output of getfacl on the directory?
>> - What filesystem is this share on?
>> - Is it mounted with user_xattr?
>
> Details on the share: /var/samba/print_drivers is on the /var partition, which is mounted with user_xattr, as per the Domain Setup howto. Here is the current output on the share. I've tried it with the local owner as root:root as well.
>
> getfacl /var/samba/print_drivers/
> getfacl: Removing leading '/' from absolute path names
> # file: var/samba/print_drivers/
> # owner: 300
> # group: users
> user::rwx
> user:root:r-x
> group::r-x
> group:root:r-x
> group:users:r-x
> group:300:rwx
> group:308:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:root:rwx
> default:user:300:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:users:r-x
> default:group:300:rwx
> default:group:308:rwx
> default:mask::rwx
> default:other::r-x
>
>> I wrote that HowTo in June. So I think I had tested everything with 4.0.6. What version are you running? What OS/Distribution/Version are you running?
>
> I compiled Samba 4.0.9 on Debian Wheezy (stable).
>
>> If I have time later, I can try to set up printing on my test environment to re-validate the HowTo.

I set up a print server based on my HowTo with 4.0.10. As permissions for the driver share folder I simply set 755 (no permissions set from Windows on the share nor on the filesystem). Printer driver upload works fine (I tried the Win7 driver of a Sharp MX-2600n PS).

But I found a bug if only x64 drivers are uploaded: https://bugzilla.samba.org/show_bug.cgi?id=10186

I'll add a hint to the HowTo about that.

Regards,
Marc
Re: [Samba] Folder disappears on rename
Hello Jones,

On 06.10.2013 09:02, Jones wrote:
> Sometimes this symptom happened in my environment, and found this link:
>
> SMB2 Client Redirector Caches Explained
> http://technet.microsoft.com/zh-tw/library/ff686200(v=ws.10).aspx
>
> Here is one test case, during Windows 7 and Samba are negotiated with protocol SMB 2.0, Windows 7 might cache the directory entries, i.e. the directory entries are locally satisfied by Windows 7, and there are no SMB2 packets across network while refreshing the list thru powershell dir command, hence Windows 7 with Wireshark captures no packets.
>
> After following 3 DWORDs are applied to Windows 7 and reboot is required, this symptom seems no longer exist in my environment. Not sure is this a acceptable change but hope this help.
>
> FileInfoCacheLifetime = 0
> FileNotFoundCacheLifetime = 0
> DirectoryCacheLifetime = 0

If I add these three values to my registry and reboot, the problem is immediately gone. Thanks for that information. So this is on the Windows side and nothing that can be fixed/improved by Samba.

I'll update my bug report.

Regards,
Marc
Re: [Samba] Folder disappears on rename
On 06.10.2013 23:27, Charles Marcus wrote:
> Fyi... this is a known problem (with both renames and newly created files/folders, and even deleted files/folders) on Windows 7, even with a real Windows Server... never seen it on XP, but it happens all the time on Windows 7 here.

It's a SMB2 caching issue (that's why you don't have it on XP). Jones already posted a workaround/solution:

On 06.10.2013 09:02, Jones wrote:
> Sometimes this symptom happened in my environment, and found this link:
>
> SMB2 Client Redirector Caches Explained
> http://technet.microsoft.com/zh-tw/library/ff686200(v=ws.10).aspx
>
> Here is one test case, during Windows 7 and Samba are negotiated with protocol SMB 2.0, Windows 7 might cache the directory entries, i.e. the directory entries are locally satisfied by Windows 7, and there are no SMB2 packets across network while refreshing the list thru powershell dir command, hence Windows 7 with Wireshark captures no packets.
>
> After following 3 DWORDs are applied to Windows 7 and reboot is required, this symptom seems no longer exist in my environment. Not sure is this a acceptable change but hope this help.
>
> FileInfoCacheLifetime = 0
> FileNotFoundCacheLifetime = 0
> DirectoryCacheLifetime = 0
Re: [Samba] Folder disappears on rename
Hello Jeremy,

I did intensive testing this morning to reproduce the problem and find out the circumstances. I put my results in a bug report (incl. wireshark capture, level 10 debug log, etc.): https://bugzilla.samba.org/show_bug.cgi?id=10184

Maybe the other people in this thread who also have this issue can add their experiences to it, too.

Regards,
Marc
Re: [Samba] Folder disappears on rename
Hello,

after spending my Saturday afternoon digging into the problem and comparing smb.conf files of servers where this problem occurs and where it does not, I found out the following:

When I remove "max protocol = SMB2" from my smb.conf and restart Samba, the problem seems to be gone (but I had to restart my Win7 workstation, too).

If the problem is related to SMB2, this would explain why I didn't have this issue on XP machines (SMB2 was introduced in Vista).

Does this fix/work around the problem on your servers, too?

Regards,
Marc
Re: [Samba] Folder disappears on rename
Hello,

On 03.10.2013 20:57, Brian Martin wrote:
> I have Samba 4.0.9 installed under Ubuntu 12.04. It's configured as a domain member, with a Windows 2008R2 server being the DC. All workstations are running Windows 7. One of my users is reporting problems in the following scenario:
>
> 1) She creates a folder in one of the Samba shares, and places a number of documents there.
> 2) She closes all open documents and closes Windows Explorer
> 3) Another user on another workstation subsequently renames the folder as part of the work flow process to indicate it has been reviewed.
> 4) The original user then navigates to where the renamed folder should be and cannot find it, either under the original name or the new name. Refreshing doesn't help.
> 5) After a period of time, typically 3-5 minutes but in one case around 30 minutes, the folder reappears under the new name.

this sounds a bit like something mysterious I had today at work on my Samba 3.6.18 server:

- On the Linux server I downloaded a file to my home directory (it was a simple *.txt file)
- On my Windows PC I could not see the file, but it was there on the Linux side
- I renamed the file on Linux and then it was visible with the new name on Windows, too.

A different user had the following today:

- She created a file on the Samba share (same 3.6.18 server)
- But it wasn't visible from a different PC
- After about 3h it was suddenly visible without any changes.

The problem wasn't reproducible on either machine a second time. Both workstations run W7 64-bit. We don't use offline synchronisation here.

I haven't had this before and I thought something got confused and I wanted to restart Samba later at night. But your posting sounds similar to the problem I had today. So maybe it's a bug.

Regards,
Marc
Re: [Samba] Use LDAP for passwords ONLY
Hello,

On 03.10.2013 18:17, Garey wrote:
> I am trying to figure out if I can setup samba to verify only passwords against LDAP and keep everything else local.

Can you be a bit more specific about what you intend to do?

Regards,
Marc
Re: [Samba] Understanding the difference of lock/state/cache directory
Hello Andrew,

On 30.09.2013 21:55, Andrew Bartlett wrote:
>> *Question 1*: The manpage says state directory is for persistent and cache directory for non-persistent data. Ok. That's clear. But what is stored in the lock directory and what is the reason why its content isn't placed in one of the other two directories?
>
> locks are for things that can (and should) go away at shutdown. cache is for things that are handy to have, but can be re-generated without major cost (which makes it fiddly, as you then get to your next question)
>
>> *Question 2*: Why is the winbindd_cache.tdb stored in the state directory? Isn't it just a cache file?
>
> The issue is that if this is treated as cache, and destroyed, then offline logins fail after a reboot on a system that chooses to purge such cache files. I think there may also be some other persistent data in there as well (others I hope will clarify).
>
> At least that is how I understand the issue. See also the FHS: http://www.pathname.com/fhs/pub/fhs-2.3.html#PURPOSE33

Thanks for that good explanation. This clarifies my questions.

Regards,
Marc
Re: [Samba] Host Cannot Access Samba
Hello Amanda,

On 27.09.2013 21:56, Hicks, Amanda wrote:
> Answers as follows:
> - The linux VB is on a different network than the server

Does the VB host do NAT for its guest?

> - I have a log file generated for that VB ipaddress with errors:
> getpeername failed. Error was Transport endpoint is not connected
> read_fd_with_timeout: client 0.0.0.0 read error = Connection timed out.
> closed connection to service

This message isn't a problem: http://lists.samba.org/archive/samba/2011-March/161477.html

But is this everything that appears at the moment you try connecting? And at which loglevel? What appears in the log if you increase the loglevel and retry the connection?

Please be a bit more generous with information. :-)

- Is this an AD or NT4 domain?
- Is the VB guest joined to the domain?
-

Regards,
Marc
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
Hello,

On 28.09.2013 10:11, Rowland Penny wrote:
>> Without the rfc2307 domain provision, will I have to add manually uidNumber and gidNumber each time a new user is created from Windows Management Console ?
>
> Even with RFC2307 domain provision, you will have to add the uidNumber & gidNumber manually, as Steve says, you can do this with samba-tool, but YOU have to supply these numbers, they are not incremented automatically.

If you use the MMC, the numbers are incremented automatically. You simply select the NIS domain in the Unix tab and it shows the last UID/GID + 1. So you don't have to track somewhere which was the last UID/GID you've set.

Microsoft tracks this somewhere in the directory under System / RpcServices.

Regards,
Marc
[Samba] Understanding the difference of lock/state/cache directory
Hello,

in Samba 3 I had all TDBs in one place, configured through "lock directory". Now I saw that Samba 4 splits the location of the database files into lock/state/cache directory.

*Question 1*: The manpage says state directory is for persistent and cache directory for non-persistent data. Ok. That's clear. But what is stored in the lock directory and what is the reason why its content isn't placed in one of the other two directories?

*Question 2*: Why is the winbindd_cache.tdb stored in the state directory? Isn't it just a cache file?

Regards,
Marc

This is the content of the three directories after a fresh 4.0.9 member server installation:

lock directory:
===============
smbXsrv_tcon_global.tdb
smbXsrv_version_global.tdb
serverid.tdb
smb_krb5/krb5.conf.SAMDOM
dbwrap_watchers.tdb
notify_index.tdb
brlock.tdb
smbXsrv_open_global.tdb
gencache.tdb
smbXsrv_session_global.tdb
messages.tdb
printer_list.tdb
mutex.tdb
locking.tdb
notify.tdb
gencache_notrans.tdb

state directory:
================
group_mapping.tdb
share_info.tdb
account_policy.tdb
winbindd_cache.tdb
winbindd_idmap.tdb
registry.tdb

cache directory:
================
browse.dat
printing/{...printername1...}.tdb
printing/{...printername2...}.tdb
printing/{...printernameN...}.tdb
printing/printers.tdb
netsamlogon_cache.tdb
Re: [Samba] Host Cannot Access Samba
Hello Amanda,

On 25.09.2013 19:57, Hicks, Amanda wrote:
> Our windows clients can access samba but we have a user using linux in a virtual box that is getting permission errors when trying to access the share. Can someone give direction to samples with Linux client smb.conf?

You are giving too little information to provide any help.

- Is the Linux in VB in the same network as the server? Or maybe the VB network is using NAT to connect?
- Anything in the logfiles on the Samba server? At least you should see the connection try. If not, increase the loglevel to 2 or 3.
- Any firewall on the VB Linux or on its host? Or between them and the server?
-

Regards,
Marc
Re: [Samba] Samba4 as AD member local rights problem...
Hello Thomas,

On 24.09.2013 09:13, Thomas Besser wrote:
> Like described here (http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-from-cups/) I enabled 'root' for short and granted the 'SePrintOperator' right to a normal account and switched back to security = ads

I'm not sure if I understand this. Did you take the server out of the domain and temporarily downgrade it to a standalone server for granting the privilege? Can you make sure that the privilege was granted to a _domain account_?

    # net rpc rights list accounts -Uadministrator

> Now the next problem arises: I can now upload the win drivers as described in your howto section "Uploading printer drivers for Point'n'Print driver installation" successfully. I can also see the files in the samba drivers share. But I can not associate it with a printer! The dropdown on https://wiki.samba.org/index.php/File:Choose_driver.png is empty!

I haven't had this case yet. Just some questions that may help us to find the cause of your problem:

- Do you connect to the server as the user you granted the SePrintOperator permissions to?
- Is the user you granted the permission to a domain account?
- Is the account you use to associate the driver with a printer the same as the one you used for uploading the drivers?
- Did the driver upload wizard run fine? Or any errors or untypical messages?
- Can you associate the driver on the *nix side by using 'rpcclient'? (see https://wiki.samba.org/index.php/Samba_as_a_print_server#Associating_a_shared_printer_with_a_driver_and_preconfiguring)
- Is the combobox still empty if you use a domain admin account (grant the privilege to it first)?

Regards,
Marc
Re: [Samba] smbd 3.6.9-151 Red Hat EL 6 crashes from time to time
Hello Götz,

On 20.09.2013 08:54, Götz Reinicke - IT Koordinator wrote:
> we still run a Red Hat EL 6.x samba-3.6.9-151 PDC with domain login, roaming profiles, Windows 7 clients and LDAP back end.
>
> In the last couple of weeks we notice some unregular crashes with abrt reports. But as an university our RH subscription does not include the full support.
>
> I can't see any changes to the installation or configuration which might have an influence to the crashes.
>
> So any suggestion or help on debugging that problem is very appreciated.

please provide some more information to reduce the possible 75381 causes for your problem to a smaller number ;-)

* Any messages/backtraces in the logs when the crash appears?
* What kind of crashes are these? Does only a user smbd process crash? Or does the parent smbd process die? Or maybe nmbd/winbindd?
* Can you try a self-compiled version (preferably 3.6.18 if you want to stay in the 3.6 tree)? Maybe the problem/bug is meanwhile fixed/gone.
* ...?

Regards,
Marc
Re: [Samba] Samba4 as AD member local rights problem...
Hello Thomas,

On 19.09.2013 16:27, Thomas Besser wrote:
> have a samba4 server as AD member (security =ADS). I have no account with Domain Admin rights, only a normal account with delegated privilege to managing GPO and for domain join.
>
> I can not manage the printserver resp. upload the win drivers. The smb.conf option 'printer admin' is gone with v4.

Have a look at the print server HowTo I wrote: http://wiki.samba.org/index.php/Samba_as_a_print_server

> Also I tried to grant the SePrintOperatorPrivilege to a normal domain user. Got also stuck.

What went wrong? http://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges

> Every time the net command wants the 'root' password, but root is unknown in the AD environment:
>
> net rpc group addmem SAMBASERVER\Administrators
> Enter root's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE

-Uadministrator ?

Regards,
Marc
Re: [Samba] Windows 7 and Samba
Hello Geoffrey,

On 17.09.2013 17:45, Geoffrey Myers wrote:

After researching win7 and samba issues we upgraded to 3.5.22. We still can not connect to shares on the RHEL 5.9 box. Odd thing is, when attempting to connect we never see anything in the logs, which makes me think it's a networking issue. We've turned off the firewall on the win 7 box, but still nothing. We can ping the RHEL server from the Win 7 box. Any insights or suggestions would be appreciated.

- Can other clients connect to the server?
- Is this an NT4 domain or just a standalone server?
- Is the machine joined, if it's a domain member?
- Any registry changes done on W7? See http://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains for what is necessary and what you should avoid.
- Is there a firewall on the RHEL box or between the server and the client?
- Does Samba listen on all ports it should? See http://wiki.samba.org/index.php/Samba_port_usage#Port_usage_when_Samba_runs_as_NT4-domain
- Is Samba listening on the right interfaces? (Maybe it's just listening on localhost and not on your NIC, or not on the right NIC if you have more than one.)

Regards, Marc
Re: [Samba] Fwd: Samba4 DC with multiple IPs
Hello Rafael,

On 16.09.2013 17:18, Rafael Steiner wrote:

Is there a way to limit dynamic updates to a specific interface or can I disable it altogether on the DC?

Do you want Samba to listen on any interface and only limit dynamic updates to a defined interface? In this case I don't think this is possible.

If you want Samba to listen on defined interfaces in general: https://wiki.samba.org/index.php/Samba_port_usage#Prevent_Samba_from_listening_on_all_interfaces

Regards, Marc
Re: [Samba] Upgrading samba 2.2.8a to 3.6.15 on Solaris 9 -- 3.6.15 brings all inetd services down
Hello Jordan,

On 17.09.2013 01:28, Jordan Verschuer wrote:

However, after rebooting I can log on to swat and see that the smbd and nmbd services are running and I can make quick changes to the configuration, like adding a new user or updating the password, and I can even map to the share... for about a minute! After about 1 minute the swat/smbd/nmbd services stop... as well as all inetd services!!

I don't know Solaris, but why are you starting Samba through Inetd and not as standalone? And what happens if you start it standalone? I never saw Samba through Inetd. But as I said: I'm not familiar with Solaris. :-)

I cannot rlogin from a new terminal, or rsh or finger in the current terminal, however ssh still works but this isn't an inetd service. Has anyone got a clue as to what might be happening?

It seems that something crashes the whole Inetd, which causes its child processes automatically also to die. I haven't used Inetd any more for almost 15 years. Is there anything in the logs or a way to increase Inetd loglevel? I would try to avoid Inetd for starting samba.

And why not update to the latest Samba version? 3.6 goes into security-only maintenance mode with its next version.

Regards, Marc
Re: [Samba] NT_STATUS_CONNECTION_REFUSED with smbclient and samba 4.0.6
Hello,

On 03.09.2013 17:55, GUEI née worou noee wrote:

I'm trying to install samba 4 as a DC following this tutorial https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO. ... Samba 4 has started successfully

Your netstat output doesn't look like a successful start. Here is a list of tcp/udp ports that should be listening when Samba is fully up: http://wiki.samba.org/index.php/Samba_port_usage#Port_usage_when_Samba_runs_as_DC

As I only see smbd processes and no samba process listening on any port: Did you start samba, like said in the HowTo, or smbd?

Is Samba self-compiled or a package from somewhere?

What are the Samba logs saying?

Regards, Marc
Re: [Samba] How to allow users to be local admin
Hello Götz,

On 02.09.2013 14:43, Götz Reinicke - IT Koordinator wrote:

it's some time that I had to touch our samba installation and maybe someone can point me to the right direction. We run a samba-3.6.9 PDC with ldap backend and windows 7 clients. Everything for normal users is working fine (domain logon, roaming profiles). But now we'd like to enable our system administrators to login to any workstation with their domain user and install software or do other administrative things. I've read a bit about domain accounts and mappings. But I'm not sure where to add or change what. The admins affected are also in a special posix group. There are also Domain Admins and Administrators posix groups and net groupmap entries. Would be great if someone can help me.

I'm not sure if this is possible with an NT4-style domain. With (Samba) AD it is, if you plan to migrate. Then you can use restricted groups for that (http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain).

I don't know how many clients you have. If it's a manageable size, you can create a group in your domain, go to each workstation and add this domain group to the local administrators group once. Then everyone who is a member of that domain group is automatically local admin on each of those machines (this is what you do with the restricted group in AD in 2 mins, without leaving your desk). You only have to add this domain group on every PC you reinstall.

But if it's a possibility, migrate to Samba AD. AD brings you many great features, especially GPO, multi master replication, etc.

Regards, Marc
Re: [Samba] [samba]wrong record for connetcting share
Hello Ming,

On 29.08.2013 10:08, ming wrote:

I have some question about smbcontrol reload-config, please explain it to me. Thanks! Connecting samba share by windows, and modify the smb.conf (EX: modify the share record rw to ro). After that, execute smbcontrol -d 10 all reload-config. But it doesn't work on the samba connecting, it's also the old record. How to let the samba connecting become the new record except samba service restart or disconnect the link. Wait for your write back...

I'm not sure if this matters, but the smbcontrol manpage says:

    smbcontrol [destination] [message-type] [parameter]

What happens if you

    # smbcontrol all reload-config -d 10

or skip the -d ...?

What version of Samba is it?

Regards, Marc
Re: [Samba] Samba setup
On 25.08.2013 18:12, Keller Racing wrote:

Hi all. I am truly new to Samba so please bear with me while I ask a few questions. I am running a Pentium 366 Celeron, 128meg memory, Red Hat Linux 7.2, Linux 2.4.7-10, Samba 2.2.1a. I am running this much older version as the best book I have on Linux is Red Hat Linux 7.2 Bible by Chris Negus. It is the most complete book I have so in order to have my experiments with Linux and Samba match the pictures ;-)), I opted to use the older version.

I really think you should skip this book, get a version of Samba that isn't 12 years old, and have a look at the thousands of good internet pages describing almost everything around Samba. I'm sure you will learn more and have fewer problems. :-) And of course you would get much more help with recent versions, because nobody remembers what were bugs or specific things in such an old version.

Pick a recent version, give it a try (maybe you would require something newer than that old pentium :-)) and if you are having problems, let us know what you plan to do and what went wrong, and we surely will find a way to get it to work here on the list. :-)

    [root@4445 root]# smbstatus
    Samba version 2.2.1a
    Service      uid      gid      pid     machine
    ---
    Failed to open byte range locking database
    ERROR: Failed to initialize locking database
    Can't initialize locking module - exiting

Assuming that this was the same 12 years ago: Run

    # testparm -vs | grep "lock directory"

and have a look where lock directory points to. Then check if this directory exists. The permissions should be 755 and owner root:root.

You can try stopping Samba, remove the locking.tdb (make a copy before) and start Samba again. It will be recreated.

Regards, Marc
Re: [Samba] objectClass:posixAccount missing
On 31.08.2013 00:14, Luca Olivetti wrote:

I'm not still 100% convinced that I need to migrate from samba 3 to samba 4, and once I am I have to explain it to my boss.

Samba 4 != AD only

Samba 4 is the next version after the 3.6 tree and contains everything + AD DC functionality. You can run Samba version 4 still as an NT4 domain if you or your boss don't want to migrate to AD.

Regards, Marc
Re: [Samba] Where is the DLZ zone file with the bind dns backend?
On 31.08.2013 11:35, Sense Zeng wrote:

I'm testing the samba4 with bind. Samba: 4.0.9 Bind: 9.9.3-P2 I configured with the document http://wiki.samba.org/index.php/Dns-backend_bind and seems dns update completed. I trying to find out where is the DLZ zone file. Is there? Or it's just the ldb file?

    ./private/dns/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
    ./private/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb

Both are the same files (hard-linked).

Why do you need the zone file?

Regards, Marc
Re: [Samba] Where is the DLZ zone file with the bind dns backend?
On 31.08.2013 13:58, Sense Zeng wrote:

I hope to manual edit the zone file, like adding an A host record. I test the bind backend was wish it has a DLZ zone file like the normal bind zone file. But it's the ldb file. It seems I'd use samba-tool. Thx.

Yes, you need to use samba-tool for doing changes. But you can script around it.

Another way would be editing the ldb file. But I won't do that, if I have a tool like samba-tool for doing changes.

Here I put a HowTo about working with Samba AD DNS: http://wiki.samba.org/index.php/DNS_Administration

Regards, Marc
Re: [Samba] objectClass:posixAccount missing
On 30.08.2013 23:44, steve wrote:

That's a good idea. Often, when we've been in production for while without errors, we lose sight of what it was like at the beginning. If there's anything here or in my sssd howto you would change it would be great if you could let us have it as a real user who isn't averse to getting his hands dirty. It's always best when it's still fresh in your mind.

Today I continued working a bit on the sssd HowTo. I saw that you three had a long discussion while I was out. I'll try to catch the important stuff and include it in the HowTo. I think I have finalized and re-validated everything until the beginning of next week.

Regards, Marc
Re: [Samba] sambaLMPassword
Hello Michelangelo,

On 29.08.2013 10:12, Michelangelo Rezzonico wrote:

I have a Samba-PDC installation (version is 3.6.3) with openLDAP. When I change the password from a client (Windows/XP and Windows/7) the attribute sambaNTPassword is changed and I can log-in with the new password. The problem is that the content of the attribute sambaLMPassword is deleted.

It's not a problem. It was a security decision. :-) If there's no good reason, you should keep this new default. If you really want to re-enable, have a look at the smb.conf manpage and search for the lanman auth option.

I remember that in my previous version of Samba (3.0.28) both attributes were updated. Is this correct ?

Yes it is. :-) The old LanManager passwords are very insecure. And Samba disabled them by default sometime around 3.3, if I remember right. On MS side the support for LM passwords was disabled in Vista and later, too.

Where is used the attribute sambaLMPassword ?

It is removed on password changes.

Regards, Marc
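An audit for leftover LanManager hashes, following the sambaLMPassword discussion in the message above. This Python script is an added example, not part of the original message or of Samba; the LDIF entries, the hex strings and the function names are constructed for illustration, and the input is assumed to be an LDIF export of the Samba LDAP backend.

```python
import base64

# LM hash that results from an empty password: it carries no password-derived
# material, so it is reported separately from a real LM hash.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
HEX = set("0123456789ABCDEF")


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # folded line: continuation of the previous one
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: ..." marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def lm_hash_report(ldif_text):
    """Return [(dn, status)] for every entry that still carries sambaLMPassword."""
    report = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for value in entry.get("sambalmpassword", []):
            value = value.upper()
            if len(value) != 32 or not set(value) <= HEX:
                status = "unparseable"
            elif value == EMPTY_LM:
                status = "empty-lm-hash"
            else:
                status = "lm-hash-present"
            report.append((dn, status))
    return report


def lanman_auth_enabled(smb_conf_text):
    """True if the smb.conf text sets 'lanman auth' to a true value."""
    enabled = False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.replace(" ", "").lower() == "lanmanauth":
            enabled = value.strip().lower() in ("yes", "true", "1", "on")
    return enabled


# Constructed sample data: invented accounts and made-up hex strings.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaLMPassword: 11223344556677889900AABBCCDDEEFF

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
sambaNTPassword: FFEEDDCCBBAA99887766554433221100

dn: uid=carol,ou=People,dc=example,dc=com
sambaLMPassword:: %s

dn: uid=dave,ou=People,dc=example,dc=com
sambaLMPassword: 0011223344556677
 8899AABBCCDDEEFF
""" % base64.b64encode(EMPTY_LM.encode()).decode()

if __name__ == "__main__":
    for dn, status in lm_hash_report(SAMPLE_LDIF):
        print(status, dn)
```

Accounts listed as lm-hash-present have not changed their password since the attribute stopped being written, so a password change is what clears them.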
Re: [Samba] nslcd / pam_ldap HowTo
On 29.08.2013 12:31, steve wrote:

The first 4 bullets of 'Method 2' are unnecessary. Why don't we use what we already have? How about this instead?

1. For a client joined to the domain, please skip to (3) below.
2. On the DC: Extract the machine key:

    samba-tool domain exportkeytab /etc/krb5.keytab --principal=DC1$

3. Get tickets and create the cache:

    k5start -f /etc/krb5.keytab -U -o nslcd -K 60 -b -k /tmp/nslcd.tkt

I had a look on my production site. I don't have a krb5.keytab on any of my Samba 3 or 4 servers in my AD. After some reading, I found out that I must have a kerberos method entry in my smb.conf file for that. I'm not sure how many people have this option. As the HowTo should be usable for as many people as possible, I would keep these short steps. They don't bring problems and work even if there's already a keytab on the machine.

- Switch bullets 6 and 7: edit /etc/nsswitch.conf _before_ you start nslcd.

Makes sense. Changed.

It's unfortunate we still have to cater for the old versions too. The extra mappings slow things down considerably for large domains especially as enumeration is enabled.

I think most companies running Samba in production don't use the latest versions of everything, because they run enterprise distributions like RHEL, SLES, Debian, etc. At work we only run self-compiled software when there's a requirement for that, because everything that isn't updated through the package manager is extra work (steady check for security updates, manual patching on all servers, etc.). Also packages in the enterprise software are more tested and stable. That's why I think it's worth taking care of such situations and not only serving users running the latest versions (of course not ancient versions).

But I already have some comments in the configuration examples about the mappings. It's up to the admin to review what he/she uses in production and fine tune. :-)

Thanks for your comments.

Regards, Marc
Re: [Samba] Change default GID of users
Hello Bruno,

On 29.08.2013 16:11, Bruno Vane wrote:

I had this mapping in nslcd.conf

    map passwd gidNumber primaryGroupID

I need the gidNumber to be 100 because this is gidnumber of group users in my Ubuntu servers. I will disable this mapping and test if everything is OK.

The mapping is not just for mapping one field to another. You can replace values, too, or do other things (see manpage for more). You can hardcode the mapping:

    map passwd gidNumber 666

    # getent passwd
    ...
    Administrator:*:1:666::/home/Administrator:/bin/bash
    technik:*:10001:666:Technik:/home/technik:/bin/false
    demo1:*:10002:666:Demo User1:/home/demo1:/bin/sh

And all your domain accounts have primary group 666 :-)

Regards, Marc
[Samba] nslcd: kerberos vs. simple bind
Hello,

I took this out of the OpenSSH auth in SAMBA4 LDAP thread, because it was drifting away from its original question :-)

I played this afternoon a bit with nslcd and kerberos for extending my Wiki HowTo. But the more I read, the bigger one question becomes: What are the advantages of kerberos against simple bind with DN and password?

Simple bind method: Create a user, add the credentials to the root-only-readable file nslcd.conf. Done.

Kerberos: Create user, add a SPN, extract keytab, edit nslcd.conf (ok, this is all done only once). But then, if I understand it right, I need something that renews the kerberos ticket from time to time. In your blog you use k5start for that. Also Fedora 19 and RHEL6 don't have it in their repositories. So something more to compile and to be ensured that it starts and runs. :-)

So currently I don't see what the advantages of Kerberos are and in which way it should be easier or anything else. :-)

Maybe someone can give me (Kerberos beginner) some answers/hints. :-)

Regards, Marc
Re: [Samba] nslcd: kerberos vs. simple bind
On 28.08.2013 19:11, steve wrote:

If you're happy with plain text passwords being passed over the network then use them. There may be some admins that will not be able to do that though, so. . .

Ok. This is a good argument I haven't thought about. In production I have used LDAPS. But the HowTo is currently describing it in plain text, right.

You may want to kerberise it. It's very easy: you don't need to create anything new. Just use an object you already have. You always have a machine key for example.

Good idea with the machine key. If I use the machine account, then I have to re-export the keytab if I rejoin the machine, right?

On the DC, you'll have to extract its keytab but otherwise, away you go:

    k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt

If you need to be up more than 10 hours a day and if you don't like k5start, cron it. The clients already have the keytab so nothing else to do. HTH

Thanks for that information. It clarifies some questions that came up with the first Kerberos tries.

Regards, Marc
Re: [Samba] objectClass:posixAccount missing
On 29.08.2013 00:10, Luca Olivetti wrote:

Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server. Just my €0.02

I'll try it. I only used nslcd because that's what was suggested in the samba wiki.

The Winbind and sssd Howto isn't finished yet. Currently I don't have too much time, but I'm working on it. :-)

Regards, Marc
Re: [Samba] nslcd / pam_ldap HowTo
On 27.08.2013 10:52, Marc Muehlfeld wrote:

I had a short search for 0.8 and it seems that since that, some comfortable changes were done for AD. If I have time tonight, I'll compile the latest version and try to find out the differences and comment my examples accordingly. Then the users can decide to stay on their old version (if they use an enterprise distribution) or to use the new one.

I published a larger rework of the HowTo. It contains Kerberos and other information I collected from the discussions from the last days about nslcd. https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

@All: Please give some feedback. Thanks.

Regards, Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 27.08.2013 10:38, Luca Olivetti wrote:

http://support.microsoft.com/kb/921913/en

Thank you, I was missing idmu.exe. Now I can see the unix tab, but, whenever I click accept, it tells me "Unable to modify the object property values. Check your credentials. There could be a network problem. Active Directory could be down. Contact your system administrator." However, when I open the user again I can see the modified unix attributes *but* the added user still doesn't show, unsurprisingly since it's missing the posixAccount class:

I only used XP together with Samba AD for a very short time. But I remember that I got a message about something there too. Do you have a chance to try it on W7?

Regards, Marc
Re: [Samba] nslcd / pam_ldap HowTo
On 27.08.2013 10:11, steve wrote:

Your distro must be still using the 0.7 series.

Yes. RHEL ships 0.7.5.

I had a short search for 0.8 and it seems that since that, some comfortable changes were done for AD. If I have time tonight, I'll compile the latest version and try to find out the differences and comment my examples accordingly. Then the users can decide to stay on their old version (if they use an enterprise distribution) or to use the new one.

Thanks for that information.

Regards, Marc
[Samba] objectClass:posixAccount missing
Hello,

I start a new thread, because the other one meanwhile drifted far away from what the OP asked. :-)

On 27.08.2013 17:02, Luca Olivetti wrote:

If you provisioned your domain with --use-rfc2307, then in Win7 ADUC you can see the posixAccount (UNIX Attributes) of the users.

I did a classicupgrade, not a provisioning, and I can see the unix attributes of the migrated users, the problem is the error message when modifying them and the fact that _new_ users don't have a class: posixAccount in the directory.

I rechecked this. My test environment was provisioned on 4.0.5 with --use-rfc2307 (I'm sure I did, because without that option, you also don't have the cn=ypServ30,cn=RpcServices,cn=System,... subtree). And I can confirm that new users don't get the objectclass:posixAccount entry. Also newly added groups don't have objectclass:posixGroup.

The unix attributes tab in ADUC (W7) is there and works fine on users. On groups I can set values. But if I re-open this tab again, I get "Unwilling to perform".

Does anybody have an idea on that? Do posixAccount/posixGroup objectClasses have to be there normally?

Regards, Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Hello Bruno,

On 25.08.2013 22:26, Bruno Vane wrote:

Yes I read these sections, but I want something different. Users will join on AD domain (Samba 4) and will connect to an entry SSH server, and from this server they can access other SSH servers on the network. All SSH servers are configured with /etc/hosts.allow to allow SSH connections only from this entry SSH server. This Ubuntu servers running SSH will not join in the AD domain, only users of the network. Is this possible?

I think this shouldn't matter. You can configure the entry host with nslcd to retrieve the account information via LDAP from AD and pam_ldap to authenticate against AD (without necessity to join the machine to the domain).

Then you have the other hosts. These you can authenticate in the same way, if they are not joined to the domain, or you join them and the authentication is done through winbind.

For the nslcd you can use the following config (you must create a bind account in your domain for that first):

    # Mappings for Active Directory
    pagesize 1000
    referrals off

    # Passwd
    filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
    map passwd uid sAMAccountName
    map passwd homeDirectory unixHomeDirectory
    map passwd gecos displayName
    map passwd gidNumber primaryGroupID

    # Shadow
    filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
    map shadow uid sAMAccountName
    map shadow shadowLastChange pwdLastSet

    # Groups
    filter group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
    map group uniqueMember member

    # Local account, nslcd runs under
    uid nslcd
    gid ldap

    # LDAP server settings
    uri ldap://127.0.0.1:389/
    base dc=SAMDOM,dc=example,dc=com

    # Account in AD that is used from Nslcd to bind to the directory
    binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
    bindpw x

pam_ldap config you find here: https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD

Regards, Marc
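Three points from the nslcd messages on this page can be checked mechanically: the bind DN and password kept in nslcd.conf, plain-text binds crossing the network, and the LDAP filters in the configuration. The following Python script is an added example, not part of the original messages or of nslcd; the host name dc1.samdom.example.com, the sample configurations and the finding names are constructed, and only the nslcd.conf options uri, binddn, bindpw, sasl_mech, ssl, tls_reqcert and filter are evaluated.

```python
import ipaddress
from urllib.parse import urlsplit


def parse_conf(text):
    """Yield (keyword, rest) per option line; blank lines and '#' lines are skipped."""
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def filter_error(expr):
    """Return None if expr nests like an RFC 4515 filter, else a short reason."""
    def parse(i):
        if i >= len(expr) or expr[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if expr[i:i + 1] in ("&", "|"):          # and/or: one or more sub-filters
            i += 1
            if expr[i:i + 1] != "(":
                raise ValueError("empty filter list at offset %d" % i)
            while expr[i:i + 1] == "(":
                i = parse(i)
        elif expr[i:i + 1] == "!":               # not: exactly one sub-filter
            i = parse(i + 1)
        elif expr[i:i + 1] == "(":               # nested filter without an operator
            raise ValueError("missing &, | or ! at offset %d" % i)
        else:                                    # simple item such as uidNumber=*
            start = i
            while i < len(expr) and expr[i] not in "()":
                i += 1
            if "=" not in expr[start:i]:
                raise ValueError("malformed item at offset %d" % start)
        if expr[i:i + 1] != ")":
            raise ValueError("unbalanced parentheses at offset %d" % i)
        return i + 1

    try:
        if parse(0) != len(expr):
            return "trailing text after filter"
    except ValueError as exc:
        return str(exc)
    return None


def is_local(uri):
    """True for ldapi:// sockets and loopback hosts, where no network is crossed."""
    parts = urlsplit(uri)
    if parts.scheme == "ldapi":
        return True
    host = parts.hostname or ""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit(text, mode=0o600):
    """Return (code, detail) findings for an nslcd.conf text and its file mode."""
    uris, opts, findings = [], {}, []
    for key, rest in parse_conf(text):
        if key == "uri":
            uris += rest.split()
        elif key == "filter":
            name, expr = (rest.split(None, 1) + ["", ""])[:2]
            err = filter_error(expr)
            if err:
                findings.append(("bad-filter", "%s: %s" % (name, err)))
        else:
            opts[key] = rest
    # A DN + password bind without SASL puts the password itself in the bind request.
    simple_bind = "binddn" in opts and "bindpw" in opts and "sasl_mech" not in opts
    encrypted = opts.get("ssl", "off").lower() in ("on", "start_tls")
    if simple_bind:
        for uri in uris:
            if urlsplit(uri).scheme == "ldap" and not encrypted and not is_local(uri):
                findings.append(("cleartext-simple-bind", uri))
        if mode & 0o077:                         # readable by group or others
            findings.append(("bindpw-readable", "mode %o" % (mode & 0o777)))
    if opts.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append(("tls-cert-not-verified", opts["tls_reqcert"]))
    return findings


# Constructed sample configurations (not taken from a real host).
BIND = ("base dc=SAMDOM,dc=example,dc=com\n"
        "binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com\n"
        "bindpw x\n")
# nslcd on the DC itself; the passwd filter has lost its '&' operator.
LOCAL_ON_DC = ("uri ldap://127.0.0.1:389/\n" + BIND +
               "filter passwd ((objectClass=user)(!(objectClass=computer))(uidNumber=*))\n")
REMOTE_PLAIN = ("uri ldap://dc1.samdom.example.com/\n" + BIND +
                "filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))\n")
REMOTE_TLS = REMOTE_PLAIN + "ssl start_tls\ntls_reqcert demand\n"
REMOTE_KRB = ("uri ldap://dc1.samdom.example.com/\nbase dc=SAMDOM,dc=example,dc=com\n"
              "sasl_mech GSSAPI\nkrb5_ccname /tmp/nslcd.tkt\n")

if __name__ == "__main__":
    for name, conf in [("local", LOCAL_ON_DC), ("plain", REMOTE_PLAIN),
                       ("tls", REMOTE_TLS), ("krb", REMOTE_KRB)]:
        print(name, audit(conf))
```

On a real host the mode argument would come from `os.stat("/etc/nslcd.conf").st_mode`; the loopback case shows why the same bind settings are acceptable on the DC itself but not on a member host.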
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 26.08.2013 14:10, Bruno Vane wrote:

I will try this configuration. For this to work I need openLDAP proxy?

No. You can access AD via LDAP directly.
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 26.08.2013 16:11, Bruno Vane wrote:

Marc, sorry to bother you with this, but I can not access a SSH server using these settings. Could you take a look if you have time to find out if my settings are wrong? When I do a ssh -l nslcd-connect (or any other user) to the server, I got this in /var/log/auth.log:

    Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from MY_MACHINE
    Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user nslcd-connect [preauth]
    Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user unknown
    Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN
    Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
    Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
    Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
    Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user nslcd-connect from MY_MACHINE port 51004 ssh2
    Aug 26 11:09:25 ldap sshd[4642]: Connection closed by MY_MACHINE [preauth]

You don't connect with the nslcd-connect account via ssh to the server. Each user connects with his/her domain account. You need this account (nslcd-connect) in your AD, to allow nslcd to connect to your directory (you can give it any name you want, of course), because Samba/AD doesn't allow anonymous bind.

These are the steps you do:

- Create a new account (I named it nslcd-connect) in your AD
- Put the account's DN + password in your nslcd.conf
- Restart nslcd.conf
- Add ldap to the following three lines in your /etc/nsswitch.conf (sorry, I forgot this in my previous post):

    passwd: files ldap
    shadow: files ldap
    group: files ldap

- Now you should be able to see all accounts (the local and domain accounts), when you type

    # getent passwd

- If you don't see the domain accounts, add

    acl:search = no

  to the [global] section of your smb.conf and restart Samba. (Workaround for bug #9788)
- If there's nothing else preventing (missing home, missing keyfile, etc), you should be able now to login via ssh by

    # ssh -l {domainusername} {entryservername}

  The domainusername is the attribute that is mapped in nslcd.conf to uid (if you use my nslcd.conf example, the domainusername is what stands in the AD attribute sAMAccountName).

This is my samba4 server LDAP test:

    root@samba:~# ldapsearch -U nslcd-connect -h localhost -b DC=corporativo,DC=mydomain,DC=net cn=nslcd-connect distinguishedName

If you let ldapsearch search for all attributes mentioned in nslcd.conf (sAMAccountName, unixHomeDirectory, etc.) and you don't get results for all of them, you need the workaround for bug #9788 (see above) or these attributes are not filled in AD.

I'm currently still working on a HowTo about sssd, nslcd and winbind, which would contain all this in much more detailed depth. But I had too little time at the moment to finish it yet. Maybe next week it will be done and published in the Wiki.

Regards, Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 26.08.2013 19:19, steve wrote:

On Mon, 2013-08-26 at 19:09 +0200, Marc Muehlfeld wrote:

    passwd: files ldap
    shadow: files ldap
    group: files ldap

@marc Just curious, but why are you trying to pull shadow from the directory?

You are right. This is not necessary. passwd+group is enough.
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 26.08.2013 20:12, Luca Olivetti wrote:

- Now you should be able to see all accounts (the local and domain accounts), when you type # getent passwd

I tried it on a test VM, but it only showed accounts migrated from samba 3+ldap (since they have the posix attributes), new users/groups added via samba-tool or windows didn't appear.

Of course this would only work if you have posix information in your directory.

If you don't want to manage them in AD, you can use winbind or sssd. But there you have other requirements (machine joined to domain, kerberos, ...).

Regards, Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 26.08.2013 21:58, Bruno Vane wrote:

Now I have to research how to auto-create the home dir and change the shell to /bin/bash.

For the home auto creation, PAM maybe could help you (pam_mkhomedir). But this won't help you if you use ssh with keyfiles, because someone has to place the public key in ~/.ssh.

The shell you can assign on the unix tab in ADUC as well.

Regards, Marc
Re: [Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)
On 25.08.2013 09:27, Bruno Vane wrote:

I have some Ubuntu LTS servers running openssh server authenticating to external openldap. I installed a new Ubuntu LTS server with Samba4 to create a domain and is working very well. I managed to make a pfsense firewall authenticate users in this Samba4 ldap. How to make openssh in Ubuntu authenticate users in Samba4 ldap?

As the Winbind, sshd and nslcd HowTo I am currently working on is getting longer and longer, I decided to split it into the three parts, so it won't get too confusing. Also then I can publish the already finished and validated nslcd part. And here it is: https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

@Bruno: This HowTo should contain all the short information I already gave you here on the list in more detailed depth.

@All: Feel free to give comments. Or let me know if something is missing/wrong.

Regards, Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Hello Luca,

On 27.08.2013 00:11, Luca Olivetti wrote:

The problem is, how do I get the posix information into samba4? With samba 3 I could manage users and groups with ldap account manager and they got both samba and posix attributes.

I have a windows workstation at work. There I use ADUC. Everything I need to administrate users/groups, etc. And if you delegate permissions (https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Add.2Fchange.2Fdelete_accounts.2Fgroups.27-permissions), you don't have to work with a domain administrator account the whole day.

ADUC has for me some advantages:

- I can administrate all accounts in a nice clear GUI (I know that linux admins shouldn't say that :-))
- I don't have to track the last UID/GID I give, because it's stored in AD and ADUC automatically increments.
- I can delegate permissions down to attribute level to other departments (like human resources for changing phone numbers, etc.)
- and some more

Another nice thing is that I could script the creation of home directory, mailbox, etc. I thought that samba 4 allowed me to do the same, but with windows administrative client (ADUC?)

Maybe this can be a solution for you: https://lists.samba.org/archive/samba/2013-July/174252.html

If you don't want to manage them in AD, you can use winbind or sssd. But there you have other requirements (machine joined to domain, kerberos, ...).

I'd like to avoid winbind if at all possible

In Samba 4 you don't need to have the users local. You can completely skip ldap/winbind/whatever. Permission changing can be done from windows on directories/shares. Only if you don't want to see only UIDs/GIDs on the filesystem or other services require them, you need a way to get the users/groups mapped.

Regards, Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 27.08.2013 00:28, Luca Olivetti wrote:

I tried ADUC (again, in a test VM joined to the domain), which could be suitable, but I couldn't see any unix tab (and if I have to manually assign uids/gids there it's not an option).

In ADUC on Win7 the tab should be there (on XP you need to install something additionally if I remember right).

But you can only choose the NIS domain in that tab, if your domain was provisioned/upgraded with the --use-rfc2307 parameter. Otherwise the required parts in AD were not created.

I had added this parameter to the provisioning/upgrading commands on the Wiki pages some time ago, because I'm not sure how to add these things afterwards (and I think if it's possible, it's not as easy as just this one parameter).

Does anybody know if this posix stuff can be added afterwards? Not just simply adding an attribute. I mean the whole thing, like the cn=ypServ30,cn=RpcServices,cn=System,...

Regards, Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 27.08.2013 00:56, Luca Olivetti wrote:

..when I tried to add a user via ADUC I couldn't see it with nslcd. Maybe I didn't really use ADUC? (dsa.msc)

Do the users have posix attributes (uid, shell, etc.)? I published my nslcd HowTo some hours ago. Have a look on it. Maybe you missed something.

https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

Another nice thing is that I could script the creation of home directory, mailbox, etc. I thought that samba 4 allowed me to do the same, but with windows administrative client (ADUC?)

Maybe this can be a solution for you: https://lists.samba.org/archive/samba/2013-July/174252.html

Mmh, I don't think so. Is that the only option? Isn't there a way to hook a script in samba 4 when a user is created?

I'm not 100% sure. But I think there's no user created event you can hook into with a script.

Regards, Marc
Re: [Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)
Hello Steve, thanks for your suggestions.

On 27.08.2013 00:40, steve wrote:

1. Nested groups work fine with nslcd. Please use the latest version: man nslcd.conf(5)

I use the version Redhat ships. I haven't used that latest version and I think most will use the one shipped with their distribution, too. But of course I've changed the information in the HowTo.

2. We really should encourage users away from plain text passwords stored in files. nslcd works fine with sasl binds. The devs have worked hard to give us Kerberos out of the box. I think we should use it: http://linuxcostablanca.blogspot.com.es/p/s4bind.html

I wanted to first create a very simple and basic HowTo, because during the last time we often had questions about nslcd, etc. on the list. But you are right. Kerberos should be the preferred way. I'll have a look on that the next days and switch the HowTo to Kerberos or add this as an additional way. But give me some time, because I validate everything I publish.

3. nslcd is already AD aware and this is not winbind so let's keep it simple. The following lines are not required/produce errors/ slow down lookups.

filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd gecos displayName
map passwd gidNumber primaryGroupID
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member

Can you please give me more details here? I don't get any errors on RHEL6 here. Because the removal of this line, I'm not sure, why. I have added them deliberately out of the following reasons:

If I remove the filter passwd line, then getent passwd returns no domain accounts any more.

If I remove the map passwd gidNumber primaryGroupID, then id username doesn't return the in AD configured primary group in the unix tab.

If I remove the filter group line, then getent group doesn't return domain groups any more.

If I remove the map group uniqueMember member line, then id username won't tell me, in which groups the user is.

Do you have different results on your system? Or why would you remove these lines?

Again, it is important to use the latest version.

I think most users first try the version shipped with their distribution, like me. Because every self compiled program is something you have to update manually (and on every server), while everything else can be done at once via yum/apt/whatever. I think it's not important to use the latest version, except it contains something I can't live without it. But everybody has different opinions on that, I guess. ;-)

Thanks for your comments.

Regards, Marc
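An added example, not part of the original messages or of the Samba wiki: a small Python audit of an nslcd.conf that flags the plaintext bind password from steve's point 2 and reports which of the four filter/map lines Marc defends are missing. The two sample configurations, the host and account names, and the finding codes are constructed for illustration; the check for a simple bind over ldap:// without TLS goes one step beyond what the thread discusses.

```python
"""Audit an nslcd.conf for the two issues discussed in the thread above."""

# Lines Marc reports needing on RHEL6, with the symptom he describes when
# each one is removed (taken from his message; other nslcd versions may differ).
EXPECTED_LINES = [
    (("filter", "passwd"), "getent passwd returns no domain accounts"),
    (("map", "passwd", "gidnumber"), "id does not show the primary group set in AD"),
    (("filter", "group"), "getent group returns no domain groups"),
    (("map", "group", "uniquemember"), "id does not list the user's groups"),
]

# Constructed sample: simple bind with a password in the file, and the
# "map group uniqueMember member" line commented out.
WEAK_CONF = """\
uri ldap://dc1.samdom.example.com
base dc=samdom,dc=example,dc=com
binddn cn=ldap-connect,cn=Users,dc=samdom,dc=example,dc=com
bindpw constructed-password
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd gecos displayName
map passwd gidNumber primaryGroupID
filter group (&(objectClass=group)(gidNumber=*))
# map group uniqueMember member
"""

# Constructed sample: Kerberos (SASL/GSSAPI) bind, no password in the file.
KERBEROS_CONF = """\
uri ldap://dc1.samdom.example.com
base dc=samdom,dc=example,dc=com
sasl_mech GSSAPI
krb5_ccname /tmp/nslcd.tkt
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd gecos displayName
map passwd gidNumber primaryGroupID
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
"""


def parse_nslcd_conf(text):
    """Return (lineno, keyword, args) for every non-comment directive."""
    directives = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Keywords are compared in lower case so "BindPW" is flagged as well.
        directives.append((lineno, tokens[0].lower(), tokens[1:]))
    return directives


def audit(text):
    """Return a list of (code, message) findings; empty means nothing flagged."""
    directives = parse_nslcd_conf(text)
    findings = []

    def args_of(keyword):
        return [(n, a) for n, k, a in directives if k == keyword]

    # steve's point 2: a bindpw line means a plaintext password in the file.
    for lineno, _ in args_of("bindpw"):
        findings.append(("PLAINTEXT_BINDPW",
                         "line %d: bind password is stored in the file" % lineno))

    # A simple bind over ldap:// without TLS also sends that password
    # unencrypted; a SASL/GSSAPI bind has no password to expose.
    if args_of("bindpw"):
        tls = any(a and a[0].lower() in ("on", "start_tls")
                  for _, a in args_of("ssl"))
        for lineno, uris in args_of("uri"):
            for uri in uris:
                if uri.lower().startswith("ldap://") and not tls:
                    findings.append(("CLEARTEXT_SIMPLE_BIND",
                                     "line %d: %s carries the simple bind "
                                     "without TLS" % (lineno, uri)))

    # The four lines from the thread: report each missing one with the
    # symptom Marc describes for it.
    for prefix, symptom in EXPECTED_LINES:
        keyword, rest = prefix[0], list(prefix[1:])
        present = any([x.lower() for x in a[:len(rest)]] == rest
                      for _, a in args_of(keyword))
        if not present:
            findings.append(("MISSING_LINE",
                             "%s: %s" % (" ".join(prefix), symptom)))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("kerberos", KERBEROS_CONF)):
        print(name)
        for code, message in audit(conf) or [("OK", "nothing flagged")]:
            print("  %-22s %s" % (code, message))
```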
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 27.08.2013 01:13, Luca Olivetti wrote:

In ADUC on Win7 the tab should be there (on XP you need to install something additionally if I remember right).

Ah, OK, I'm on XP and I installed the tools here: https://wiki.samba.org/index.php/Samba_AD_management_from_windows#Windows_XP_Pro No unix tab

http://support.microsoft.com/kb/921913/en

But you can only choose the NIS domain in that tab, if your domain was provisioned/upgraded with the --use-rfc2307 parameter. Otherwise the required parts in AD were not created.

I used the instructions here: https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO It doesn't mention the --use-rfc2307 parameter ...

Hm. I thought I had added it there, too. I'm not sure about the upgrading process yet (my last upgrade was longer ago). I'll have a look on this. But reworking the upgrade HowTo is still on my list (work and my real life doesn't leave too much time left for writing currently :-)).

Regards, Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
On 27.08.2013 01:19, Luca Olivetti wrote:

https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

Yep, I only had to comment the map group uniqueMember member line, though (migrated) groups show the members fine.

What didn't work when you have this line in? I have this in production (migrated) and in my test environment (new provisioned). Here without this line, id username won't show the groups the user is member:

Without this line:
# id demo1
uid=10002(demo1) gid=513 Gruppen=513

With this line:
# id demo1
uid=10002(demo1) gid=513 Gruppen=513,10001(demo-group)

But for simply getent group and chgrp this line is not required.

Regards, Marc
Re: [Samba] OpenSSH auth in SAMBA4 LDAP
Hello Bruno,

On 25.08.2013 09:27, Bruno Vane wrote:

I have some Ubuntu LTS servers running openssh server authenticating to external openldap. I installed a new Ubuntu LTS server with Samba4 to create a domain and is working very well. I managed to make a pfsense firewall authenticate users in this Samba4 ldap. How to make openssh in Ubuntu authenticate users in Samba4 ldap?

Have you already looked here:

http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD
http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Secure_passwordless_SSH

Regards, Marc
Re: [Samba] [samba]How to config samba4 internal dns?
Hello,

On 22.08.2013 12:30, Sense Zeng wrote:

There are two DC in the domain:
1. win2003. It's created dotest.com and with dns server too;
2. linux with samba4. It join the domain and being a DC.

I can't use samba-tool to query any thing in the internal dns, like:

samba-tool dns query samba_ip dotest.com testhost A

It will print error message:

ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
return self.run(*args, **kwargs)
File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py, line 974, in run
None, record_type, select_flags, None, None)

And in /usr/local/samba/var/log.samba will see the error (There are no other err in the log file):

[2013/08/22 17:50:24.165606, 0] ../source4/rpc_server/dnsserver/dnsdb.c:112(dnsserver_db_enumerate_zones)
dnsserver: Failed to find DNS Zones in CN=MicrosoftDNS,DC=ForestDnsZones,DC=dotest,DC=com

Does the replication between the DCs work? What is the output of

# samba-tool drs showrepl

Are you sure, that the internal DNS was used during joining?

# samba-tool domain join ... --dns-backend=SAMBA_INTERNAL

But the other way, follow command would just ok:

samba-tool dns query win2003_srv_ip dotest.com testhost A

Here you are asking the DNS on the windows host to resolve the query. Not your samba DC and its DNS

OR

host -t A testhost.dotest.com samba_srv_ip

Could it be possible that the output of this command is ok, because you specified other DNS servers in your /etc/resolv.conf, than the one on which you setup the additional DC? Then the reply was from the other host.

Regards, Marc
Re: [Samba] [samba]How to config samba4 internal dns?
Hello,

On 21.08.2013 08:45, Sense Zeng wrote:

I'm new for samba4 and I'm trying to test samba4(Version 4.0.8) with internal dns. Did internal dns can config? Could I just manual add some host(A) in?

What do you mean by configure internal DNS? How to setup? The internal DNS is default when you do the provisioning/upgrading. You only have to setup a forwarder (DNS to forward queries to, for foreign zones). See http://wiki.samba.org/index.php/DNS#Configuration

Or do you simply want to know how to work with DNS (add/remove/change records/zones, etc.)? Then have a look at the HowTo I wrote some time ago: http://wiki.samba.org/index.php/DNS_Administration

If you meant something else, please be more specific.

Regards, Marc
Re: [Samba] Problems Implementing roaming profiles with Samba
Hello Jose,

On 16.08.2013 14:46, Fermin Francisco wrote:

In tab Security it shows the follow: the requested security information is either unavailable or cannot be displayed

Does your filesystem on which you have the share support extended ACLs and are they enabled during mount (depending on your filesystem this may be automatically done)?

Anything in the logs?

Regards, Marc
Re: [Samba] Trying to Join a Working W2K3 AD
Hello Kevin, hello Eli,

On 15.08.2013 05:48, Kevin Field wrote:

I get to the step

/usr/local/samba/bin/samba-tool dns add 192.168.1.252 _msdcs.domain.co.il 2d59ac49-1175-4656-943e-d556baa242cb CNAME DC2.domain.co.il -Uadministrator

I get the following error message:

ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
return self.run(*args, **kwargs)
File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line 1053, in run
0, server, zone, name, add_rec_buf, None)

Is 192.168.1.252 the already existing DNS on your W2k3 Server or is it the IP of your Samba DC? It should be the IP of your existing DNS server, because Samba isn't up at that time.

You can also add the record through the MS DNS Console on windows.

Regards, Marc
Re: [Samba] Samba4 Delegation
Hello Andreas,

On 15.08.2013 11:07, Andreas Krupp wrote:

For information, what I was trying to do was:
- Create an OU for a group of applications
- Delegate control of this OU to a normal user (not helpdesk or domain admin) to be able to create groups and assign domain users to them

- What were the exact steps you did?
- On what Samba version?
- Did you run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset the ACLs? This is recommended for 4.0.5 and higher, if you provisioned your domain with an earlier version to fix missing ACLs. (If you haven't done yet, remember, that you'll lose your current delegations!)

The problem was, whenever I used Security Groups the delegation did not work. Impossible for the user to whom I delegated group creation and modification rights of the ou to add or remove domain users. The work-around (since Security Groups are all to picky) -- Use Distribution Groups. Once I created distribution groups in the OU I was able to freely assign users to them and remove them as required. Now this is definitely not best practice, but until the same is possible in an easy way with Security Groups this will well serve the purpose.

If it's reproducible, you should open a bug report with the exact steps and a level 10 debug log, to get this fixed in future.

PS: Marc thx a lot for your help before - since I read a bit more about GIT, I now understand much better the Samba4 building howto and how to get the latest stable version. It's all good now ;-)

If you are using versions from git, remember, that they can contain code that shouldn't be used for production yet.

Regards, Marc
Re: [Samba] Remote linux auth vs samba4: winbind or nslcd + openldap.
Hello Andres,

On 15.08.2013 18:45, Andres Tello Abrego wrote:

I want to achieve the Holy Grail of 1 source of users and password, for both, linux and windows machines, but I'm lost in documentation. So far I know: samba4 can't use openldap as backend.

Right.

samba4 ldap doesn't really is a full ldap.

What do you mean by is not a full ldap?

samba4 provides uid/gid mapping using winbind or nslcd

Samba AD provides the backend, where the accounts are stored. To get the users to your local *nix system, you can use winbind, nslcd or sssd.

Can I implement remote winbind at remote linux client machines?

What is remote winbind?

Do I need to setup a openldap proxy?

I would only use an openldap proxy to AD in my DMZ, because this prevents me from having a Samba AD installation there with all that open ports and Winbind on all DMZ machines.

If I setup an openldap proxy, should I use winbind or nslcd?

If you get your information from AD via a LDAP proxy, I guess the only solution are LDAP based tools like nslcd. I think Winbind can't access through an LDAP proxy, because it uses more than LDAP to talk to the DC (rpc or whatever).

openldap now uses automatic configuration, any clue to implement the openldap proxy with this type?

Automatic configuration?

Here I placed e. g. a solution for an openLDAP proxy and examples for how to connect other services: https://wiki.samba.org/index.php/Authenticating_other_services_against_AD

I guess it's really time, to finish my Winbind/Nslcd/SSSD page for the different methods to get the directory users to the local system. These questions are coming up very often meanwhile :-) I already started a while ago. I'll try to find some time to finish and publish it next week.

Regards, Marc
Re: [Samba] samba 4.0.x : samba_backup wrong path line 54
Hello,

On 12.08.2013 07:33, m...@electronico.nc wrote:

(samba 4.0.8 compiled from git source) Just tried the samba_backup from https://wiki.samba.org/index.php/Backup_and_Recovery

line 54 mention :

tdbbackup $ldb

where it should be

/usr/local/samba/bin/tdbbackup $ldb

Thanks for this nice samba version !

Simply add your samba directory to your $PATH variable. http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Paths

Regards, Marc
Re: [Samba] Samba 4 with LDAP proxy in DMZ
Hello Julian,

On 08.08.2013 18:14, Julian Pilfold-Bagwell wrote:

I'm setting up a Samba AD domain which works perfectly with the WIn 7 server tools and so far everything is going fine. What has me stumped is setting up an LDAP proxy in our DMZ against which I can authenticate our email and web services. I've got port 389 open on my main Samba 4 DC and if I use the domain administrator account to bind the proxy, everything works. In order to give a degree of separation however, I've created a user called ldapbindacc and have used the server remote admin tools to delegate control of the directory server to that user with read only access to user and group details. When I try to access the directory using this account, I get the following error message (the password is definitely correct):

# ldapsearch -LLL -H ldap://127.0.0.1 -b 'dc=bordengrammar,dc=kent,dc=sch,dc=uk' -D 'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W '(sAMAccountName=Test.User)'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been patching things together from various howto's. Has anyone succeeded in this who can give me some tips.

Here I described how to setup an openLDAP proxy to AD: http://wiki.samba.org/index.php/Authenticating_other_services_against_AD (incl. authenticating other ldap based services)

Regards, Marc
Re: [Samba] samba4 + winbind did not work
Hello Darek,

On 12.08.2013 20:03, Darek Frączkiewicz wrote:

unfortunately this howto (https://wiki.samba.org/index.php/Samba4/Domain_Member ) didn't work. After configure with options: ./configure --with-ads --with-shared-modules=idmap_ad and change files ktrb.conf and smb.conf samba didn't starting.

What are the samba logs saying?

/net ads join -U administrator/
Host is not configured as a member server.
Invalid configuration. Exiting

Can you show your smb.conf/testparm output?

Regards, Marc
Re: [Samba] samba4 + winbind did not work
Hello Darek,

On 12.08.2013 21:09, Darek Frączkiewicz wrote:

I was add in smb.conf log file = /var/log/samba.log and now i see:

[2013/08/12 21:02:08, 0] ../source4/smbd/server.c:461(binary_smbd_main)
At this time the 'samba' binary should only be used for either:
'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +s$
You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks

I don't understand this log...

Just to clarify some things:
- Is your winbind configuration on the same machine as your DC?
- Or are you configuring winbind on a member server (a different machine)?
- And you are running Samba 4 as AD DC (not an NT4-style domain), right?

The configuration I described in the Wiki is only tested on a member server. If you require to have the Samba AD accounts local on your Samba DC (not on a member server), then the winbind configuration may be a bit different (haven't done that yet). But you can use nslcd (adapt the config from here: http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy) or sssd (if you google, there are some configuration examples for setting up sssd with AD).

Regards Marc
Re: [Samba] os level permissions for samba 4 share
Hello Eduardo,

On 12.08.2013 20:15, Eduardo Sotomayor wrote:

I read at the samba4 wiki that to setup a samba4 share you need to

Create a folder that you want to share

# mkdir -p /srv/samba/Demo/

Add a new share to your smb.conf:

[Demo]
path = /srv/samba/Demo/
read only = no

but what about permission at os level? I mean do I have to chmod 770 or chmod 2770 the folder or else? I read somewhere that it was necessary to chmod 777 but that configuration is very unsecure at os level.

The ACLs on the share/filesystem are now fully manageable through windows. The filesystem ACLs are stored in extended attributes (that's why you need a filesystem supporting ext. ACLs).

Regards, Marc
Re: [Samba] samba4 + winbind did not work
On 12.08.2013 22:04, Darek Frączkiewicz wrote:

I'm testing samba4 (with https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO) since one year and this config: debian + samba4 +bind9+dhcp+ntp+LAMP gives me domain, joining workstations, manage users and GPO. All works good. In this howto I don't see anything about config winbind.

This HowTo was written just as a guide for setting up a member server, not for setting up winbind on top of a DC.

If you require to have the Samba AD accounts local on your Samba DC (not on a member server), then the winbind configuration may be a bit different (haven't done that yet). But you can use nslcd (adapt the config from here: http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy) or sssd (if you google, there are some configuration examples for setting up sssd with AD).

As you have just a single DC, nslcd, sssd or winbind is what you should try. I haven't tried sssd, but as I heard a lot from others here on the list, it would be currently a good choice for that. But use a recent version.

I already planned about writing a new HowTo about the three daemons, but currently haven't had the time for it. But it's still on my list.

Regards Marc
Re: [Samba] Network browsing in S4
Hello Greg,

On 12.08.2013 22:32, Gregory Sloop wrote:

So, if I understand things correctly, NMBD or network browsing isn't functional under S4 yet. [At least I don't believe it was in 4.03 - and I don't think that's changed.]

Currently Samba still doesn't support network neighbourhood.

I have some cases where I need accurate NetBIOS name resolution, [and perhaps Network browsing services.] What is the best way of handling this? Is this going to be supported? [or already is with something newer than 4.03]

There is a way to start nmbd on a Samba 4 DC manually with doing some special settings in smb.conf. Andrew told me that secret some time ago. But it's nothing that is recommended and not supported. But my experiences with it is, that the browsing list is always much smaller than it should. So it's better not to use this workaround.

Regards, Marc
Re: [Samba] samba4 + winbind did not work
On 12.08.2013 22:40, Darek Frączkiewicz wrote:

If you require to have the Samba AD accounts local on your Samba DC (not on a member server), then the winbind configuration may be a bit different (haven't done that yet). But you can use nslcd (adapt the config from here: http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy) or sssd (if you google, there are some configuration examples for setting up sssd with AD).

in this howto i'm reading : *Use the following slapd.conf example*: I remember new openldap has not file slapd.conf

I'm running the version shipped with RHL 6.4. This works fine with the slapd.conf. Haven't tried the latest version and I don't know if something changed there. What version of openldap do you use? And what does the manpage say?

I found about sssd: http://debian.2.n7.nabble.com/Fwd-Samba4-and-SSSD-td2793432.html

The easiest way to get Linux clients to work with samba4 is to start by creating an unprivileged binduser account. samba-tool user add binduser will do that for you. Then *on the client side*, install sssd (apt-get install sssd) and write something like that in /etc/sssd/sssd.conf:

I think it doesn't work

Why? I haven't tried sssd yet. But if you reply to the list and not just to my mail address, others could help you, too. :-) Steve often recommends sssd. When I remember right, he already posted a few times configuration examples to the list. You can google for that.

Regards, Marc
Re: [Samba] Network browsing in S4
On 12.08.2013 23:28, Gregory Sloop wrote:

So, we'll assume that nmbd doesn't work properly on an S4 AD. Can I run nmbd alone, on an independent box? (I'd guess not.) Or should I run an S3 server as a member of the AD also running nmbd? [This instance won't do any file sharing, as that will all happen on the two S4 servers.] If I run an S3 member, can anyone give me an estimated memory footprint? [Really rough is fine.]

The domain master browser must be on the DC with the PDC emulator FSMO role: http://support.microsoft.com/kb/324801/en

So you can't run it on a s3 member server, because you need an AD DC for the FSMO stuff. So currently you can't have network neighbourhood on a s4 DC. I know that the developers have this on their list. But I don't know if there's already a plan when it'll be included.

Here first some users missed the network neighbourhood browsing. Meanwhile they had learned, that it's much easier to directly connect via \\servername. Do you have a special need for it?

Regards, Marc
Re: [Samba] samba4 + winbind did not work
Hello Darek,

On 11.08.2013 23:02, Darek Frączkiewicz wrote:

I have install samba4 on debian wheezy 64-bit All is working OK, but now I try to add quotas to users and this tutorial did not work https://wiki.samba.org/index.php/Samba4/Winbind

have a look at this HowTo https://wiki.samba.org/index.php/Samba4/Domain_Member

This one works fine here. I'm not sure about the other one. I haven't compared them. I'll merge the two HowTos the next time, when I have time.

* Are your DC and your member both running Samba 4?
* Do you run your DC as AD DC or NT4-style DC?
* If you are retrieving the xIDs via rfc2307, have you filled the unix tab in ADUC for the users/groups?

Regards, Marc
Re: [Samba] samba4 + winbind did not work
On 12.08.2013 00:29, Darek Frączkiewicz wrote:

thank's Marc i will try tomorrow this howto https://wiki.samba.org/index.php/Samba4/Domain_Member

I'm going to connect samba4 as AD with 30 windows workstations in my school. After testing all is OK and works (joining windows, login users, homedrives, GPO). The last thing is add quotas to users. I can't do this yet.

Quotas I haven't tried yet. But at least the winbind stuff should work like expected with this HowTo.

Regards, Marc
Re: [Samba] Joining Samba4 as DC--Error Failed to find a writeable DC for domain
Hello Daniel

On 31.07.2013 09:39, Daniel Müller wrote:

Just did the trick: Put the nameserver MasterDC in my /etc/resolv.conf on the SlaveDC and all is finished. Please add this hint to http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

I already had this on my to-do list, but haven't done yet. But it's done now.

Regards, Marc
Re: [Samba] Problem to demote samba4 dc
Hello Davy,

On 31.07.2013 15:35, Davy HUBERT wrote:

I recently migrated our samba 3 domain to an AD domain using Samba 4 classic upgrade tool. Well, everything seems to work fine since i'm still alive ;) . I promoted a Windows 2k8 box as a new DC of this domain and I transfer the 5 FSMO roles to it. Now I would like to demote the Samba4 DC but when I tried I got this message :

# samba-tool domain demote
ERROR: Current DC is still the owner of 2 role(s), use the role command to transfer roles to another DC

When check the fsmo roles status via samba-tool fsmo show it confirms that the Samba 4 DC doesn't own anything. How can I manage to demote the Samba 4 box ?

* How did you transfer the roles to your Samba DC? (through windows, samba-tool, ...?)
* What Samba version are you running? fsmo seize wasn't working for a while: https://bugzilla.samba.org/show_bug.cgi?id=9461
* Any errors/messages in the log when you transfer the roles?

Please give some more information, to make it easier to help.

Regards, Marc
Re: [Samba] Windows 8 pro and Samba 4
Hello,

On 30.07.2013 14:17, iss...@aralar.edunet.es wrote:

Well, to begin with a BIG THANK YOU!!! win 8 pro joined the samba NT4 style domain. After making the 2 changes,

1) put my dns suffix in computer- properties- computer name- dns suffix
2) add the keys to the registry with the values

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
DWORD DomainCompatibilityMode 1
DWORD DNSNameResolutionRequired 0

The win8 machine joined our samba 4.0.x NT4 style domain (running on opensuse 12.2) seamlessly . I also realized that it was also able to join the samba 3.6.3 NT4 style domain (running on opensuse 11.4). Men! You can't imagine how excited I was this morning. I tested 3 domain user accounts, gem, ped, testacc i.e logging into the win8 as a domain user and logging out. Everything went fine.

Good to know if this solves your problem. I'll try to clarify the Wiki article about the registry changes for that during the next time.

But, at logging out win8 informs me that it could not synchronize the profile perfectly and referred me to the system logs. I attach the system log section as pdf. It seems it has problem synchronizing some folders. What do you think I can do about it?

I don't speak spanish. But if I use Google translate, Es posible que este error se deba a problemas de red o derechos de seguridad insuficientes. I interpret it, that you maybe don't have permissions to store the profile on the server. What are the permissions on your profiles share (\\china\profiles)? Can a user create there a new folder for your *.v2 profile?

Secondly your email raised another issue what is the difference between running samba as NT4 domain style or as AD DC?

AD allows you to have a central place for user management and many more. http://en.wikipedia.org/wiki/Active_Directory

Current windows versions can still join NT4 style domains. But they can't use many of the great features an AD allows you to do. E. g. group policies to preconfigure/restrict/etc. user accounts/machines, etc. Also you can use the Windows tools for administrating accounts, groups, set permission on shares/files, etc.

Have a look to the Samba Wiki (http://wiki.samba.org/index.php/Samba). There are some HowTos that show you how to setup Samba AD or migrate an existing NT4-style domain.

But if you are currently happy with the domain you have and don't require any of the AD features, you can of course stay on your NT4 domain. But even for small company networks AD would be a good advancement in administration.

Regards, Marc
Re: [Samba] Windows 8 pro and Samba 4
On 30.07.2013 18:43, Marc Muehlfeld wrote:
I'll try to clarify the Wiki article about the registry changes for that during the next time.
I over-worked the Wiki Win7 registry hack page and also renamed it: https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains
It should now be clearer what and when registry changes are needed. If something is missing, let me know.
Regards, Marc
Re: [Samba] Printer IP
Hello Jimc,
On 31.07.2013 06:34, jimc wrote:
My printer somehow got its IP changed. How do I change my server (Mint linux 13, Samba 4.06) to reflect the change?
I suggest not to use IP addresses in your Samba configuration. Use names and make sure, you're having a working DNS to resolve. Then you don't have to worry if your devices are changing their IPs. Or use static IPs on devices that are IP-hardcoded somewhere.
Because you gave no information about your environment (Printserver cups/lpd/..., Samba configuration section of the printer, etc) it's hard to provide a good help. So I can only give you a very general hint: Have a look in your printer configuration and in smb.conf, search for the old IP in it and replace it. Most Linux distributions are shipped with a tool for printer configuration. So this maybe is a place to start.
Regards, Marc
Re: [Samba] Windows 8 pro and Samba 4
Hello,
On 29.07.2013 16:10, iss...@aralar.edunet.es wrote:
The win8 machine is able to resolve the netbios name of the server. ping works fine. I ping the netbios name and it returns the ip address. I attach the 4 screenshots.
- the first is the message I get on trying to join the domain
- the 2nd - 4th is just to show the network settings of the client. We normally leave all on default settings.
The surprising thing is that win7 and winxp join the domain without problems and use exactly the same network settings as the win8. I send you also my samba 4.x global configuration.
[global]
    workgroup = CMARALAR
    server string = Servidor
    interfaces = 192.168.1.1/255.255.255.0
    bind interfaces only = Yes
    deadtime = 5
    load printers = No
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    logon script = conecta.vbs
    logon path = \\%N\profiles\%U
    logon drive = Z:
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    ldap ssl = no
    idmap config * : range =
    idmap config * : backend = tdb
    hide special files = Yes
    hide unreadable = Yes
    hide unwriteable files = Yes
    veto files = /*-China*/*-runtime*/*.desktop*/
Note, I installed opensuse 12.2, after installation, I uninstalled completely samba 3.x and installed samba 4.x, winxp, win7 joins the domain without problems but win8 no! I remember we had the same problem with the samba version that comes with opensuse 11.x and win7, it is only when we installed opensuse 12.x that win7 was able to connect to the samba version. Now the problem is with samba 3.x that comes with opensuse 12.2 and also samba 4.x that is rumoured to support
When you wrote Samba 4 I automatically thought AD. Sorry. My fault. I run Samba 4 as AD DC. There XP, 7 and 8 don't require any changes to join the domain. If you run Samba in a NT4 style domain, it seems that the DomainCompatibilityMode and DNSNameResolutionRequired changes are still required (at least in this article about W8 and Samba 3.6.9): http://www.admin-magazine.com/Articles/Linux-with-Windows-8
Does it work if you change these two values?
Regards, Marc
Re: [Samba] Windows 8 pro and Samba 4
On 29.07.2013 08:00, Daniel Müller wrote:
I have one w8 prof in my Samba AD test environment and it works without problems.
Just be sure you did no registry hack on the windows 8 machine!?
No registry hack here. Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters I don't have the entries DomainCompatibilityMode and DNSNameResolutionRequired: http://s1.directupload.net/images/130729/juvqft2b.png So both are on default.
My Samba 4 installation is AD (not a NT4-style domain). So I would say, it's not required for Samba AD. But maybe if Samba is providing a NT4 style domain.
Regards, Marc
Re: [Samba] Consistent Inter-Samba UID/GID Mappings
Hello Chris,
On 30.07.2013 01:36, chris.ha...@proporta.com wrote:
In an attempt to implement RFC2307 in the Samba directory, I rebuilt my test domain (Samba4) using the --use-rfc2307 option in the samba-tool domain provision command.
The --use-rfc2307 option enables your Samba AD automatically to store posix attributes. -- https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Provisioning_Samba_.28Setting_up_a_new_domain.29
This sounded like it would work perfectly for my needs. However it doesn't. I'd hoped that it would ensure that any new user or group is automagically assigned a uidNumber or gidNumber, etc. Currently I'm using RSAT to administer the directory. I'm rather hoping that someone can point out something important that I've not realised. Any information would be enthusiastically received. I'll update this with further information tomorrow (Samba versions -- I believe that the DC is 4.0.6 and the fileserver 3.6.3).
The --use-rfc2307 option doesn't automatically assign xIDs on your DC. It adds the additional schemas to your directory that allows you among others to assign xIDs to user/groups. If you migrate to Samba AD, then the values from your old Samba PDC are filled in these fields. If you provision a new domain and add users/groups, the fields you require are not set. You can administrate them through ADUC or other ways.
If you don't want to administrate the posix stuff in your AD, have a look on sssd instead of winbind.
Regards, Marc
Re: [Samba] Windows 8 pro and Samba 4
Hello Emeka,
On 28.07.2013 18:39, iss...@aralar.edunet.es wrote:
I installed opensuse 12.2, and upgraded the samba 3 it came with to samba 4. I successfully joined win xp, win 7 clients to the samba as domain controller but couldn't join win 8 prof (it keeps displaying domain does not exist message). Does samba 4 really support win 8 prof or we have to wait for some time?
I have one w8 prof in my Samba AD test environment and it works without problems.
- Are there any messages/errors in the samba/windows log?
- Can the DNS on your w8 resolve the Samba Domain?
Please give some more information. That would make it easier to help you.
Regards, Marc
Re: [Samba] Fwd: About samba 3.0.28 trust AD
Hello,
On 06.07.2013 15:26, Wong siu yu wrote:
I had a RedHat 5.2 need to trust domain the Windows Server 2008 R2 (forest level 2003). Which package I need to install first? I am using samba-3.0.28 but I have no samba-winbind. May I know procedures of trust setting in Linux?
Please have a look here first: http://wiki.samba.org/index.php/FAQ#How_to_do_or_fix_..._in_an_outdated_Samba_version.3F
Regards, Marc
Re: [Samba] Win dcpromo and SysVol Replication
Hello Garth,
On 25.07.2013 13:21, Garth Keesler wrote:
When I DCPROMO a Win2003 server into an existing Samba4.1RC1 domain with two Samba DCs, all appears to be working correctly from the Samba side but the WinDC never starts sharing SysVol as it should. Sites and Services shows all DCs as expected and forcing repl with the Samba PDC works correctly while doing that with the second Samba DC shows the following:
The following error occurred during the attempt to synchronize naming context DomainDnsZones.mydomain.local from domain controller SambaDC2 to domain controller WinDC: The naming context is in the process of being removed or is not replicated from the specified server. The operation will not continue.
Samba currently doesn't support SysVol replication. It's planned, but not implemented yet. To replicate the content, you need to create a manual workaround. http://wiki.samba.org/index.php/FAQ#Is_SysVol_share_replication_supported_by_a_Samba_AD_DC.3F
Regards, Marc
[Samba] Samba4 AD SysVol Replication (HowTo + Script)
Hello, as it is often a question here on the lists and by many others on the internet, I wrote a new HowTo for setting up a SysVol replication workaround, until Samba supports this feature by itself: https://wiki.samba.org/index.php/SysVol_Replication For the replication process, I wrote a Bash script, put it on my webspace and linked it in the HowTo, which should describe everything. I hope this would be a good start/solution for people currently missing this feature. Feel free to give suggestions, comments, etc. :-) Regards, Marc PS: If the Samba developers think it would be an advantage, it would be OK for me, if the script would be added to the samba package.
Re: [Samba] Samba4 AD SysVol Replication (HowTo + Script)
Hello Dewayne,
On 24.07.2013 01:59, Dewayne Geraghty wrote:
Where you mention in the document PDC role, do you mean PdcEmulationMasterRole, or is there some other meaning?
Yes. I thought the DC with the FSMO role PDC would be a good choice to be the Master, because some Microsoft tools, like the GPO console, can be configured to connect to the PDC automatically. And group policies is one of the most important things, stored on the SysVol share.
Sorry for being pedantic. I'm very new to AD DC, where I've found that being very precise is necessary; but very old to samba (since 2.2.5) and openldap.
No problem. It's good to get improvement suggestions. I'll tonight add some more information to the HowTo, to be more specific on that.
Regards, Marc
Re: [Samba] need soms tips for adding samba4 to windows 2008R2 domain
Hello,
On 17.07.2013 11:29, L.P.H. van Belle wrote:
On 15.07.2013 12:48, L.P.H. van Belle wrote:
1) keep my existing windows 2008 domain. ( contains dhcp + dns + AD ) it's a clean domain, no users yet. dhcp+dns is used already.
2) add samba4 to the windows domain dc as secondary DC. ( this server will be my zarafa mail server )
Setup and joining a Samba machine as DC you can find here: http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
This step, I'm using bind, i already have windows setup to replicate the DNS to some other linux servers. can i just point samba to the windows server, or can i use the replicated dns, or do i need to setup the dns completely also for samba. That's not clear in the howto. because this howto points to : http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC ( I'm using the enterprise samba packages on ubuntu 12.04 ) and http://wiki.samba.org/index.php/Dns-backend_bind
I haven't used a Windows server yet. But if the DNS zone is stored in AD, then the directory replication will replicate it to your Samba server, too. But of course you have to run a DNS on your Samba server, too (the internal or BIND DLZ).
Really, I'm sorry to say, but for me the wiki is a maze of information. too much references to other locations. the, I'm pointed to http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC there i read.
What exactly confuses you. Then maybe I can unravel it. Sure, there are references to other HowTos. Otherwise we had to write the same content in different HowTos again and again. And every change had to be done on all places. But if you have good suggestions I can try to do improvements and change the HowTos.
This HOWTO will assume you had configured and installed Samba in the default location of /usr/local/samba. It assumes you are joining Samba to an existing domain called 'samdom.example.com'.
What is the problem with that? Because you can configure to have Samba and parts of it wherever you want (as ./configure options), /usr/local/samba is just the default location where Samba is installed in, if you don't do any changes on ./configure. For a tutorial it's best to use the default locations. Just adapt the paths to your environment. And samdom.example.com is just a sample realm we use in our wiki HowTos. Replace it with your own one.
Question here is, do i need the registry fixes for windows 7, if my windows 2008 DC is domain controller.
No registry changes, if your Domain is provided by Windows or Samba AD. I have read that it's necessary for a Samba NT4 style domain only. But I haven't used a Samba PDC with Win7 yet myself (only Samba AD).
I have some win7 on the NT4 style domain, but i didn't use any registry fixes.
If it's working fine without any fixes, where's the problem? ;-)
Regards, Marc
Re: [Samba] Classicupgrade set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
On 16.07.2013 09:28, Stéphane PURNELLE wrote:
I have the same problem with classicupgrade (samba 4.0.6) but on S-1-5.21---xxx-500.
This is the domain Admin account. What happens if you remove it before the classicupgrade?
Regards Marc
Re: [Samba] New ADC configuration
On 16.07.2013 18:04, Matthew Daubenspeck wrote:
On Tue, Jul 16, 2013 at 04:42:48PM +0100, Rowland Penny wrote:
Hi, Have you given your users groups a uidNumber and/or gidNumber on the server? Rowland
Is that something that has to be done with ADUC? I have added all the test users with samba-tool.
Yes. If you use Idmap backend AD, then the xID is taken from Active Directory. And if you haven't assigned, then the members with that backend can't get it. This is the tab in ADUC, for assigning unix stuff to an account: http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-components-imagefileviewer/communityserver-blogs-components-weblogfiles-00-00-00-77-02/6560.shell1.jpg_2D00_550x0.jpg
The UID is incremented automatically. So you don't have to track this by yourself.
Regards, Marc
Re: [Samba] New ADC configuration
Hello,
On 16.07.2013 19:16, Matthew Daubenspeck wrote:
On Tue, Jul 16, 2013 at 05:22:14PM +0100, Rowland Penny wrote:
Yes, you can use ADUC but you need to have provisioned samba4 with --use-rfc2307 You can also add the uidNumber gidNumber with an ldif and ldapmodify or ldbmodify. Have a look here: http://linuxcostablanca.blogspot.com.es/2012/02/samba-4-posix-domain-user.html Without the uidNumber gidNumber, using the ad backend, Winbind will not display any users, with uidNumber gidNumber, Winbind will only display the users groups that have them. If you do not want to enter the uidNumber etc, have a look at sssd, this will do all that Winbind does without all the hassle. Rowland
That must be the problem. The wiki had no mention of provisioning with --use-rfc2307. I'll redo that and try again.
You don't need to reprovision. There was a thread some time ago, that could maybe answer some questions: https://lists.samba.org/archive/samba-technical/2012-September/086971.html
I'll try to place some hints about --use-rfc2307 and idmap_ldb:use rfc2307 = Yes in the wiki HowTos for giving the users some more information about that topic.
Regards, Marc
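Added example, not part of the original thread and not Samba project code: a pre-check for the "ldif and ldbmodify" route mentioned above and for the consistent UID/GID mapping question earlier on this page. It audits an exported LDIF for accounts that lack a uidNumber/gidNumber and for IDs held by two accounts (which would then share file ownership on every member server), and builds the modify records for the missing ones. The sample entries, the start value 10000 and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample export (an assumption, not data from the thread).
# samdom.example.com is the sample realm used in the Samba wiki HowTos.
SAMPLE_LDIF = """\
dn: CN=testuser,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 100

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records into dicts of attr -> [values]."""
    text = text.replace("\n ", "")  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip()].append(value.strip())
        if "dn" in entry:
            entries.append(dict(entry))
    return entries

def id_attr(entry):
    """Groups are identified by gidNumber, all other accounts by uidNumber."""
    return "gidNumber" if "group" in entry.get("objectClass", []) else "uidNumber"

def audit(entries):
    """Return (missing, duplicates): [(dn, attr)] and {(attr, id): [dn, ...]}."""
    missing, holders = [], defaultdict(list)
    for entry in entries:
        dn, attr = entry["dn"][0], id_attr(entry)
        if attr not in entry:
            missing.append((dn, attr))
        else:
            holders[(attr, int(entry[attr][0]))].append(dn)
    duplicates = {k: dns for k, dns in holders.items() if len(dns) > 1}
    return missing, duplicates

def used_ids(entries):
    """Every uidNumber/gidNumber value already present in the export."""
    return {int(v) for e in entries
            for a in ("uidNumber", "gidNumber") for v in e.get(a, [])}

def modify_ldif(missing, taken, start=10000):
    """Build LDIF modify records giving each DN the next free ID >= start.

    start=10000 is an arbitrary example value. A user's own gidNumber (the ID
    of its primary group) is a choice for the administrator and is not set.
    """
    taken, next_id, records = set(taken), start, []
    for dn, attr in missing:
        while next_id in taken:
            next_id += 1
        taken.add(next_id)
        records.append(f"dn: {dn}\nchangetype: modify\n"
                       f"add: {attr}\n{attr}: {next_id}\n-\n")
    return "\n".join(records)

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    missing, duplicates = audit(entries)
    for (attr, number), dns in duplicates.items():
        print(f"# duplicate {attr} {number}: {'; '.join(dns)}")
    print(modify_ldif(missing, used_ids(entries)))
```

Duplicates are only reported, not changed, because deciding which account keeps the ID needs a look at existing file ownership; the generated records are meant to be reviewed before they are applied with ldbmodify or ldapmodify.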
Re: [Samba] Restore samba4 backup
Hello,
On 16.07.2013 15:45, TI wrote:
Calling DNS name update script
Failed to find object (null) for attribute fsmoRoleOwner - Cannot find DN (null) to get attribute fsmoRoleOwner for reference dn: Unsupported critical extension 1.2.840.113556.1.4.529
Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in (null) failed: Cannot find DN (null) to get attribute fsmoRoleOwner for reference dn: Unsupported critical extension 1.2.840.113556.1.4.529
Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings objectGUID in the ldb!
task_server_terminate: [dreplsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE ]
samba_terminate: dreplsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
Calling SPN name update script
Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings options in the ldb!
Did you use the backup script that is shipped with samba or a modified or other version? Have you renamed all *.bak files back to its original name? Have you started samba before you unpacked the .tar.bz2 files from your installation directory? If yes, samba had already created some files new. Then remove your /usr/local/samba, run 'make install' again to have a virgin installation. Then unpack your backuped files like described in the wiki.
Regards, Marc
Re: [Samba] New ADC configuration
On 16.07.2013 20:38, Matthew Daubenspeck wrote:
I re provisioned the whole works, rejoined the member server. Now in ADUC I can see the NIS domain name and UID, as well as being part of a primary group (after I created one). It works perfectly on the DC server, but still nothing seems to propagate to the member server.
DC:
# id testuser
uid=10001(NWLTECH\testuser) gid=100(users) groups=100(users)
Member:
# id testuser
id: testuser: no such user
I've turned the log level to 3, and the only error I see is:
[2013/07/16 14:37:05.757568, 1] ../source3/winbindd/idmap_ad.c:653(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-1953420892-2023128348-2744795462-513
And the SIDs change as I query for different users...
Did you clean up the tdb files on your member server? I could imagine, that Samba mixes the old and new domain in its idmap cache. If it's a new installation and nothing important in the member servers registry (like print server printer settings), just remove the whole samba installation, 'make install' again and rejoin.
Regards, Marc
Re: [Samba] Restore samba4 backup
Hello,
On 16.07.2013 21:31, TI wrote:
/usr/local/samba/lib/private/libntvfs.so: version `SAMBA_4.0.7' not found (required by /usr/local/samba/sbin/samba)
Ok, my bad. I have compiled the version 4.0.7 for the new server and the crashed one was probably 4.0.1.
This was what I meant with "Never do a restore and a version change at once!" I was putting in bold in the wiki when I wrote this HowTo ;-) I suggest you start over, but with 4.0.1 and restore again. If everything works like expected, upgrade to 4.0.7 (but read all the different release notes from the later version. Some early 4.0 version release notes said to run samba-tool dbcheck... and samba-tool ntacl ...).
Is it ./lib/private directory from backup so important to restore process ? Should I run something to restore the admins power ?
You can remove this from the backup. The backup script is very basic and includes a bit more than necessary. That's another reason, why restore with release change at once isn't a good idea. Can you retry with 4.0.1 and say if your Admin accounts are working as expected then (without upgrading to 4.0.7)?
Regards Marc
Re: [Samba] Restore samba4 backup
Hello Edison,
On 16.07.2013 22:53, TI wrote:
Through the strings command (on the library from backup files), I saw that correct version is 4.0.3. So I've compiled and installed samba 4.0.3. I've restored all backup files and renamed the .bak ones. The samba has started without error, but the admin users don't have the same rights. I can't run dsa.msc in a Windows Machine anymore. Do you know how to fix that ?
Do any errors appear in the samba logs on startup or when you try to use ADUC or other administrative programs? If not, maybe something interesting comes up if you increase the debug level (I guess 3 should be enough).
Regards Marc
Re: [Samba] Restore samba4 backup
Hello,
On 17.07.2013 07:25, TI wrote:
Hi Marc, In the samba logs, I saw these errors:
/usr/local/samba/sbin/samba_dnsupdate: Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.1.1.12
/usr/local/samba/sbin/samba_dnsupdate: Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 10.1.1.200
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/local/samba/sbin/samba_dnsupdate: File /usr/local/samba/sbin/samba_dnsupdate, line 509, in module
/usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp)
/usr/local/samba/sbin/samba_dnsupdate: File /usr/local/samba/sbin/samba_dnsupdate, line 122, in get_credentials
/usr/local/samba/sbin/samba_dnsupdate: creds.get_named_ccache(lp, ccachename)
/usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for L01SAPP01$@INTRANET.ENXUTO.COM.BR failed (Cannot contact any KDC for requested realm)
/usr/local/samba/sbin/samba_dnsupdate: Child /usr/local/samba/sbin/samba_dnsupdate exited with status 1 - Operation not permitted
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED
I think it happened because the new server has a different ip address. So, I ran /usr/local/samba/sbin/samba_dnsupdate and it has added the new ip address (10.1.1.150) to the list.
100%. I'll add this to the Wiki page, too. Make sure, you restore on a machine, that is 100% like the old in important things (IP, Hostname, Samba version, etc.)
host l01sapp01.intranet.enxuto.com.br.
l01sapp01.intranet.enxuto.com.br has address 10.1.1.12
l01sapp01.intranet.enxuto.com.br has address 10.1.1.200
l01sapp01.intranet.enxuto.com.br has address 10.1.1.150
After that, the error has disappeared and I could login again (it seems that the admin rights are back). However I couldn't run dsa.msc. I'll try translate the message I'm receiving: There is no User and Computer data available from Active Directory [l01sapp01.intranet.enxuto.com.br] in Domain Controller l01sapp01.intranet.enxuto.com.br. The server is reluctant in process your request. I think that the Windows Machine is trying to connect to 10.1.1.12 (which is the first response received from the internal dns server) instead of 10.1.1.150 (the last and the correct one) What do you think ? Could we remove the old records from dns server ? I'm using the internal server.
I wrote an Howto (http://wiki.samba.org/index.php/Change_IP_address_of_the_DC) about changing the IP on a DC a while ago. But I would not combine this with a restore. I think the highest priority should be to get your system restored, so that it is like the one you backuped. Later you can do changes.
Regards, Marc
Re: [Samba] need soms tips for adding samba4 to windows 2008R2 domain
Hello Louis,
On 15.07.2013 12:48, L.P.H. van Belle wrote:
1) keep my existing windows 2008 domain. ( contains dhcp + dns + AD ) it's a clean domain, no users yet. dhcp+dns is used already.
2) add samba4 to the windows domain dc as secondary DC. ( this server will be my zarafa mail server )
Setup and joining a Samba machine as DC you can find here: http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
3) add samba3/4 servers to this domain as domain members. ( i know this for samba3 )
http://wiki.samba.org/index.php/Samba4/Domain_Member
4) for my remote location i also want to add samba4 servers, which will get their own share for profiles. ( this i know )
Same as 3. But for the users who should have their profiles on the remote server, you have to specify their profile path in ADUC pointing to this server. Some information about roaming profiles: http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
my old environment is running samba3 +Ldap. I do not need the old info with classic upgrade, because some pc's have same sid's, and I'm setting this up for windows 7 pc's.
Here's the point, where I'm not sure, if I fully understand you. In 1 you wrote, that you are having an AD, but with no users. Here you say you have a Samba NT4 style domain with users, etc. Do you want to bring them together? I mean keep your Windows Domain and migrate the Samba3 accounts to the domain? You can export your LDAP, script something around for the changes and import them in your AD. But you have to re-join your workstations then. Or do you want a trust. But this isn't possible in both directions yet: http://wiki.samba.org/index.php/FAQ#Does_Samba_support_trust_relationship_with_AD.3F Or do you skip the old domain and join the PCs to the new Windows domain? Then just follow the HowTos above. If you meant something else, please give some more details :-)
Question here is, do i need the registry fixes for windows 7, if my windows 2008 DC is domain controller.
No registry changes, if your Domain is provided by Windows or Samba AD. I have read that it's necessary for a Samba NT4 style domain only. But I haven't used a Samba PDC with Win7 yet myself (only Samba AD).
Regards, Marc
Re: [Samba] Invalid listing, samba 3.6.6
Hello Simon,
On 15.07.2013 08:33, Traugott Simon wrote:
i do have a problem with Amanda and Smbclient again. I'm trying to backup some shares and I do get some errors which i cannot fix:
? smbclient: Error reading file \Dtel\El\2009-11 u TEST\2009-11\Logos\meeting, England\P1020272.MOV : NT_STATUS_OK
? smbclient: Didn't get entire file. size=86525282, nread=61719840
? smbclient: NT_STATUS_OK opening remote file \Dr\P1020273.JPG (\Dnd\File)
? smbclient: NT_STATUS_CONNECTION_INVALID listing \Drittmittel\Directory\*
Are you getting errors too, if you use smbclient to directly connect to your server (without amanda) and browse the shares and retrieve files? Can you add a -d 3 to the smbclient command in your amanda configuration and let it log somewhere? Maybe you get some more details what causes your problem.
Regards Marc