[Samba] Failover
Hi guys,

I have a domain with Samba 4.0.5 domain controllers and also a failover DRBD shared disk, where the active DC controls the access to the disk.

DOMAINC01 - 10.48.16.150
DOMAINC02 - 10.48.16.151
DOMAINCHA - 10.48.16.155, this would be the failover IP, which works perfectly on Windows XP clients.

I can see the shares, just like on DOMAINC01 or DOMAINC02, and if the users have the proper credentials they can write, open etc. But when I try to do the same on a Windows 7 client I simply get an error message:

You dont have the proper rights to open the directory

I guess it is because the DOMAINCHA virtual controller is not in the AC, but shall I add a computer to the AC so my win7 clients could open the available shares?

Thanks,
Robert

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Failover
On 2013-10-07 at 21:11, Andrew Bartlett wrote:

On Mon, 2013-10-07 at 15:36 +0200, Sandbox wrote:

Hi guys,

I have a domain with Samba 4.0.5 domain controllers and also a failover DRBD shared disk, where the active DC controls the access to the disk.

DOMAINC01 - 10.48.16.150
DOMAINC02 - 10.48.16.151
DOMAINCHA - 10.48.16.155, this would be the failover IP, which works perfectly on Windows XP clients.

I can see the shares, just like on DOMAINC01 or DOMAINC02, and if the users have the proper credentials they can write, open etc. But when I try to do the same on a Windows 7 client I simply get an error message:

You dont have the proper rights to open the directory

I guess it is because the DOMAINCHA virtual controller is not in the AC, but shall I add a computer to the AC so my win7 clients could open the available shares?

Please don't use DRBD with Samba as an AD DC. You don't need it (you should have two DRS replicating DCs).

The reason I am so strongly against this is that I had to work very hard to recover a corrupt database at such a site. We suspect that barriers were either not enabled or not passed down to the OS in this case, followed by an unexpected loss of power. The corrupt database was then perfectly mirrored to the DRBD clone, resulting in two corrupt mirrors.

DRS replication likely would have detected the corruption (because the database would not have been valid) and failed the replica, saving the data.

Andrew Bartlett

Hi,

You misunderstood me, I don't use DRBD as database storage (only for users' documents and stuff); my servers' databases are sitting in their private place :)

--
Kind regards: Robert
[Samba] setting permissions for unix users on samba shares
I'm trying to grant permissions for linux system users (apache, mysql...) to have permissions on samba shares. I've established domain users permissions while logged in as the domain admin and thought the SYSTEM account would cover these types of users, but apparently not. Is there a built-in linux group that maps to a windows domain group, or do I have to establish this manually?
[Samba] Bind9 AD SDLZ driver failed to load
Registering SDLZ driver 'dlopen'
11-Sep-2013 11:29:11.244 Registering DLZ driver 'dlopen'
11-Sep-2013 11:29:11.245 decrement_reference: delete from rbt: 0x7f916c147068 .
11-Sep-2013 11:29:11.252 loading configuration from '/etc/bind/named.conf'
11-Sep-2013 11:29:11.252 reading built-in trusted keys from file '/etc/bind/bind.keys'
11-Sep-2013 11:29:11.252 set maximum stack size to 18446744073709551615: success
11-Sep-2013 11:29:11.252 set maximum data size to 18446744073709551615: success
11-Sep-2013 11:29:11.252 set maximum core size to 18446744073709551615: success
11-Sep-2013 11:29:11.253 set maximum open files to 18446744073709551615: success
11-Sep-2013 11:29:11.253 using default UDP/IPv4 port range: [1024, 65535]
11-Sep-2013 11:29:11.253 using default UDP/IPv6 port range: [1024, 65535]
11-Sep-2013 11:29:11.255 listening on IPv4 interface lo, 127.0.0.1#53
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: create
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: createclients
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: get client
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: create new
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: clientmctx
11-Sep-2013 11:29:11.255 client @0x7f9160091b30: create
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b010: get client
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b010: create new
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b010: clientmctx
11-Sep-2013 11:29:11.256 client @0x7f916009fd40: create
11-Sep-2013 11:29:11.256 binding TCP socket: address in use
11-Sep-2013 11:29:11.256 listening on IPv4 interface eth0, 192.168.217.144#53
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b458: create
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b458: createclients
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b458: get client
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b458: create new
11-Sep-2013 11:29:11.257 clientmgr @0x7f916c16b458: clientmctx
11-Sep-2013 11:29:11.257 client @0x7f91600af020: create
11-Sep-2013 11:29:11.257 clientmgr @0x7f916c16b458: get client
11-Sep-2013 11:29:11.257 clientmgr @0x7f916c16b458: create new
11-Sep-2013 11:29:11.257 clientmgr @0x7f916c16b458: clientmctx
11-Sep-2013 11:29:11.257 client @0x7f91600bd230: create
11-Sep-2013 11:29:11.257 binding TCP socket: address in use
11-Sep-2013 11:29:11.258 generating session key for dynamic DNS
11-Sep-2013 11:29:11.258 sizing zone task pool based on 5 zones
11-Sep-2013 11:29:11.259 decrement_reference: delete from rbt: 0x7f916c147850 .
11-Sep-2013 11:29:11.259 Loading 'AD DNS Zone' using driver dlopen
11-Sep-2013 11:29:11.259 Loading SDLZ driver.
11-Sep-2013 11:29:11.277 dlz_dlopen of 'AD DNS Zone' failed
11-Sep-2013 11:29:11.278 SDLZ driver failed to load.
11-Sep-2013 11:29:11.278 DLZ driver failed to load.
11-Sep-2013 11:29:11.278 client @0x7f9160091b30: udprecv
11-Sep-2013 11:29:11.278 client @0x7f916009fd40: udprecv
11-Sep-2013 11:29:11.278 client @0x7f91600af020: udprecv
11-Sep-2013 11:29:11.279 client @0x7f91600bd230: udprecv
11-Sep-2013 11:29:11.279 zone_shutdown: zone 0.in-addr.arpa/IN: shutting down
11-Sep-2013 11:29:11.279 zone_shutdown: zone 127.in-addr.arpa/IN: shutting down
11-Sep-2013 11:29:11.279 zone_shutdown: zone 255.in-addr.arpa/IN: shutting down
11-Sep-2013 11:29:11.279 zone_shutdown: zone localhost/IN: shutting down
11-Sep-2013 11:29:11.279 calling free_rbtdb(.)
11-Sep-2013 11:29:11.279 done free_rbtdb(.)
11-Sep-2013 11:29:11.279 load_configuration: out of memory
11-Sep-2013 11:29:11.279 loading configuration: out of memory
11-Sep-2013 11:29:11.279 exiting (due to fatal error)

--
Robert Millott
President, Millott and Associates
(443) 255-3588
[Samba] samba4 upgradeprovision
I have the latest samba4 4.2 git running on centos6.4 but when I originally provisioned it I didn't include the --use-rfc2307 for AD posix attributes. I'd like to map certain AD users to unix users so should I do a samba-tool upgradeprovision --use-rfc2307 to add this option?
[Samba] Win 7 slow browsing issue to SAMBA share
Hi Team,

Is there a workaround to fix this slow browsing issue to a samba share? We have a ver 3 samba on a solaris box and two users upgraded to win7 from xp and now they have issues with slow browsing to their samba home dirs.

Robert
[Samba] Local login
Hi,

I tested my failover yesterday and a strange problem came up. While my dc01 was down I could not login on dc02 with any of my local accounts. After dc01 was online again, login was OK.

My nsswitch.conf is a regular file:

passwd: compat winbind
group: compat winbind
shadow: compat

As I read about nsswitch, with this config it should try to authenticate the user from the local files, passwd, group etc., and if the search isn't successful it goes on to search in winbind. It looks like it can't find the users in the local files and tries to search in winbind, but that doesn't have local account information either.

Shall I change compat to files? Since I don't use +- for NIS database in passwd and group files.

--
Kind regards: Robert
Re: [Samba] Shares on failover IP
Hi,

Does anyone have any thought why I could not access the shares on the failover IP?

Robert

On 2013-07-18 at 14:46, Sandbox wrote:

Hi,

I have a failover configuration.

The domain controller's IP: 10.23.14.150 as dc01
The failover IP is: 10.23.14.155 as dcha

I added an A and a CNAME record to the dns for the failover IP. It is working, I can see the shares, but I could not enter any share as user; as Administrator it works. I tried to add the interface variable (I am not sure this is available in samba4), that didn't help.

Thanks,
Robert

--
Kind regards: Robert
Re: [Samba] What great things can a non-windows user do with Samba
At Thu, 11 Jul 2013 11:52:49 -0400 Steve Litt sl...@troubleshooters.com wrote:

Hi all,

I ask this question about once a decade. I have about 7 computers, all Linux or BSD. Are there any cool things I can do with Samba, even though I have no Windows computers?

Not really. Samba is just a tool to deal with pesky mess-windows machines. On a pure UNIX (Linux, BSD, Solaris, AIX, etc.) LAN, Samba is about as useful as Air Conditioners in Antarctica in the middle of the Antarctic winter.

Thanks,
SteveT

Steve Litt * http://www.troubleshooters.com/
Troubleshooting Training * Human Performance

--
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
Re: [Samba] smb.conf sync
Hi,

I already have a clustered config between my servers' data partitions; is it possible to move my tdb files there and tell samba those tdb files are there? Does this meet the requirements of a ctdb solution?

I think I can give a try to synchronise my sysvol directory this way, since the users and IDs should be identical.

What do you think about this?

Regards,
Robert

On 2013-05-29 at 14:21, Andrew Bartlett wrote:

On Wed, 2013-05-29 at 14:14 +0200, Michael Wood wrote:

Hi Andrew

On 29 May 2013 03:19, Andrew Bartlett abart...@samba.org wrote:

On Tue, 2013-05-28 at 12:45 +0200, Sandbox wrote:

I solved the shared data problem with heartbeat+drbd combo so that should not be a problem. TDB files data should be synchronized between my domain members or am I wrong?

Please synchronise TDB files except by using using real CTDB (which doesn't provide an AD DC). I spent much of a week trying to reconstruct a database lost this way.

I assume you mean Please DO NOT synchronise TDB file except by using real CTDB.

Indeed. The only other way to safely access a tdb from 'under' a running process is via tdbbackup.

I know that the tdb should eventually end up the same if every change is replicated, and it was probably the lack of barriers in the FS that caused the pain I saw, but direct block replication doesn't do any checks, while tdbbackup and (better) DRS replication will fail and show errors if the DB is corrupt, rather than forward the corruption on to the 'backup'.

Andrew Bartlett

--
Kind regards: Robert
[Samba] pdbedit error
Samba Version 3.6.3 on Ubuntu 12.04, tdbsam back end.

I discovered a couple of accounts we created before the Domain was configured; one was an account named administrator intended to be the Samba Administrator account.

In order to change the domain I ran this command:

# pdbedit -I DOMAINNAME -U username

It worked on a number of accounts. When I tried it on administrator I get the

# pdbedit -I DOMAINNAME -u administrator
Unable to modify TDB passwd: NT_STATUS_UNSUCCESSFUL!
Unable to modify entry!

# pdbedit -v -u administrator

gives the following output:

Unix username:administrator
NT username:
Account Flags:[U ]
User SID: S-1-5-21-1504512832-3249319461-1142831928-500
Primary Group SID:S-1-5-21-1504512832-3249319461-1142831928-513
Full Name:Samba Administrator,,,
Home Directory: \\hamlet\administrator
HomeDir Drive:U
Logon Script:
Profile Path:deleted for privacy
Domain: HAMLET
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set:Fri, 30 Dec 2005 17:29:27 CST
Password can change: Fri, 30 Dec 2005 17:29:27 CST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FF

I don't see anything here that looks out of place but I don't know what it all means.

--
rob steinmetz Signature
Re: [Samba] netlogon homes with Samba4 DC
Hi,

1) Windows 7 logs should say something about your netlogon script.

2) I think you have to create the home directories via RSAT or make a pam script and login with the newly created user. I would suggest the second option, since as I discovered when you make your home directories with RSAT you will have getfacl and winbind problems. Well, if you try to use getfacl on a RSAT made directory samba's winbind part dies.

On 2013-06-01 at 22:38, spamv...@googlemail.com wrote:

hi all,

I've set up Samba4 as DC on Ubuntu Server LTS and have two problems right now:

1) netlogon

smb.conf

[netlogon]
path = /usr/local/samba/var/locks/sysvol/asta-wh.de/scripts
read only = No

I can access the folder and execute the script as user, but it does not get executed automatically. I've added to [netlogon]

preexec = echo %u is in %G /tmp/netlogon

to see if netlogon is executed, and it's not. Client PC is a newly installed Windows 7 Pro. And I've added \\SMB4SRV\netlogon\userf00.bat via M$ AD Tools to the User. Roaming Profiles are also enabled and working.

2) homes

smb.conf

[homes]
comment = Home Directories
path = /home/HOME/%S
valid users = %S
read only = No
browseable = Yes

Home directories are not created.

I'm happy with every hint to the right direction

Hans

--
Kind regards: Robert
[Samba] SID problemRe: Moving a computer from a down domain to a new domain
OK, this is a SID problem. I built a new XP system, installed SP3 then tried to use the wizard to connect to the domain:

cat homebase-dectop1
[2013/04/12 16:21:44.899424, 1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the domain sid(S-1-5-21-4240919292-2417995422-4236335894) for rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)
[2013/04/12 16:21:44.899608, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[root@homebase samba]# cat homebase-dectop1
[2013/04/12 16:21:44.899424, 1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the domain sid(S-1-5-21-4240919292-2417995422-4236335894) for rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)
[2013/04/12 16:21:44.899608, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2013/04/12 16:23:30.110032, 1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the domain sid(S-1-5-21-4240919292-2417995422-4236335894) for winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)
[2013/04/12 16:23:30.110200, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'

How do you figure out a SID problem and fix it? This was a clean Samba install.

On 04/11/2013 08:39 PM, Robert Moskowitz wrote:

I had been running a samba server, the AMAHI F12 distro, that has samba 3.4.9. It ran well enough, but I was planning on replacing it with ClearOS. Well, Monday night I lost my server harddrive, so now it is crunch time to update/upgrade.

I think I have ClearOS configured properly, it is running samba 3.6.10 (Redhat 6.4 based).

So far I have tried to add two of my XP systems to the new domain. The process I have been using (and what I did 4 years ago when I moved them from a REAL NT domain to the samba domain) was to first login locally as administrator and using System Properties Computer Name Domain Change to move the computer to a workgroup called SELF. I then reboot and use the same dialog to join the new domain, HOME. The old domain was HDA, but a prior domain was also HOME.

This fails and in the samba logs I see:

[2013/04/11 20:22:29.563127, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2013/04/11 20:26:01.504397, 1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the domain sid(S-1-5-21-4240919292-2417995422-4236335894) for winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)
[2013/04/11 20:26:01.504589, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2013/04/11 20:26:44.676638, 1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the domain sid(S-1-5-21-4240919292-2417995422-4236335894) for rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)
[2013/04/11 20:26:44.676804, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'

rgm is a user on the system that has admin priv, and a user on the samba server that is in the domain_admin group.

What is with the SID problem? How do I clean this up?
[Samba] Moving a computer from a down domain to a new domain
I had been running a samba server, the AMAHI F12 distro, that has samba 3.4.9. It ran well enough, but I was planning on replacing it with ClearOS. Well, Monday night I lost my server harddrive, so now it is crunch time to update/upgrade.

I think I have ClearOS configured properly, it is running samba 3.6.10 (Redhat 6.4 based).

So far I have tried to add two of my XP systems to the new domain. The process I have been using (and what I did 4 years ago when I moved them from a REAL NT domain to the samba domain) was to first login locally as administrator and using System Properties Computer Name Domain Change to move the computer to a workgroup called SELF. I then reboot and use the same dialog to join the new domain, HOME. The old domain was HDA, but a prior domain was also HOME.

This fails and in the samba logs I see:

[2013/04/11 20:22:29.563127, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2013/04/11 20:26:01.504397, 1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the domain sid(S-1-5-21-4240919292-2417995422-4236335894) for winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)
[2013/04/11 20:26:01.504589, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2013/04/11 20:26:44.676638, 1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the domain sid(S-1-5-21-4240919292-2417995422-4236335894) for rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)
[2013/04/11 20:26:44.676804, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'

rgm is a user on the system that has admin priv, and a user on the samba server that is in the domain_admin group.

What is with the SID problem? How do I clean this up?
Re: [Samba] Making users local administrators
On 21.03.2013 at 16:39, Terry Austin wrote:

There is no good reason to have users logging in daily as Administrator anymore

However, it's not a good idea; it's wide practice that road warrior users are local admins on their laptops, which need not mean they are working as such ever, but they have the chance to fix stuff if their support is far away. For sure there are tons of workflows around this, but in the end it's a security policy decision, which may be handled differently elsewhere.

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich
Re: [Samba] PROPOSAL: Remove SWAT in Samba 4.1
On 18.02.2013 at 01:02, Andrew Bartlett wrote:

As most of you would have noticed, we have now had 3 CVE-nominated security issues for SWAT in the past couple of years. At the same time, while I know many of our users use SWAT, we just don't have anybody to maintain it inside the Samba Team.

Kai has made a valiant effort to at least apply the XSS and CSRF guidelines when folks make security reports, but by his own admission he isn't a web developer - none of us are!

There are many other parts of Samba that have not been substantially maintained in years, but few have the level of security exposure that SWAT does (most are bits of library and utility code that we apply elsewhere, but which just quietly does its own job).

The issue isn't that we can't write secure code, but that writing secure Web code where we can't trust the authenticated actions of our user's browser is a very different model to writing secure system code. Frankly it just isn't our area.

Therefore, it was suggested on a private list that we just drop SWAT. I want to start a public discussion on that point, prompted by http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700729 which reminds us why we didn't apply the specific CSRF hardening we applied in 4.0.2 to SWAT in the first place.

Thanks,
Andrew Bartlett

Hi Andrew,

I am not up2date with the current samba module in webmin, but however, what about removing swat and helping the webmin people with coding stuff there, so samba people don't need to care about the webmin framework security, only, i.e., helping to integrate new or changed parameters in the samba webmin module.

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Joerg Heidrich
[Samba] Samba 4 - Logging data entry as LDIF?
Without knowing the process by which data is added to the directory, is there any logging output that shows LDIF data as entries are added? ... Or is the LDIF component more of a translation layer?

I've been scripting some tools to more easily automate some of the Linux things I need but I invariably corrupt my test directory on a daily basis. I'd like to be able to add entries on Windows and see the logging on Linux so I can more easily reconcile where I'm making mistakes.

I have a hunch it's something to do with primary Group ID or gidNumber or uidNumber in combination with a missing posixAccount or msSFU30NisDomain attribute.

Sent from my iPhone
Re: [Samba] DHCP Dynamic DNS
+1 for posting your howto

Sent from my iPhone.

On 2013-01-14, at 8:36 AM, Rowland Penny rpe...@f2s.com wrote:

On 14/01/13 13:00, Benedict White wrote:

I have followed the Wiki here http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO on setting up Samba 4 as a DC in its own real. So far so good and all looks to be working well.

What this document seems to be missing is a how to on DHCP dynamically updating Samba 4's Integrated DNS server (which is the one I am using).

Does anyone know of a how to on this?

Hi, I could not get DHCP to update the internal DNS server, but the same dhcpd.conf and bash script updates Bind9 perfectly, so if you are interested, I could probably write you a Samba 4/Bind9/DHCP howto.

Rowland

PS: So far, very well done to the Samba 4 team, looks very good.

Kindest regards,
Benedict White
[Samba] DNS updates working Windows only
I'm using BIND9_FLATFILE and able to join windows machines and have DNS updates working but Linux machines join with DNS update errors. Is there additional configuration necessary on Linux for the machines' NICs to be seen as valid?

--
Sent from Gmail Mobile
Re: [Samba] Samba 4 Services for UNIX?
I have a little more information about the issues I'm having:

When I try to create automountMap or automount objects in the directory using Apache Directory Studio it fails because I need to add the following attributes:

instanceType
ntSecurityDescriptor
objectCategory

Can someone enlighten me on the correct value for these attributes?

thanks,
Rob

On Tue, Jan 8, 2013 at 6:43 PM, Robert Moggach r...@dashing.tv wrote:

I've solved getting the schema into the directory... and I thought I populated my automount maps... but the directory is unbrowseable - Getting closer...

I keep getting the following error:

*acl_read: cannot get descriptor of automountMap... etc. etc.*

Steps I took...

1) I had changed the Default-First-Site-Name to something more appropriate and changing that back seemed like a good place to start even though fsmo was showing me as the SchemaMaster -

2) At this point I was able to get the schema loaded... almost... ldapadd didn't like attributes and class in the same ldif... and then I had to restart samba to add the class file... ugh... use ldbmodify! I edited the automount.ldif schema file to be two files - one for the attributes and a second for the classes. I added the schema using the following two commands:

ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_attr.ldif --option="dsdb:schema update allowed"=true
ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_class.ldif --option="dsdb:schema update allowed"=true

4) I then tried to add the automount records with ldbmodify with no luck ...

ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/03_autofs_maps.ldif
...
Sorting rpmd with attid exception 3 rDN=CN DN=CN=linux,CN=autofs,CN=Services,DC=MYDOMAIN
ERR: (Naming violation) objectclass: Invalid RDN 'AUTOMOUNTMAPNAME' for objectclass 'automountMap'! on DN automountMapName=auto_master,CN=mac,CN=autofs,CN=Services,DC=MYDOMAIN at block before line 41
Modify failed after processing 5 records

Weird... solved that by doing the following, but now I have all kinds of acl_read errors:

ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=MYDOMAIN.ldb 03_autofs_maps.ldif

ldapsearch gives me the following:

result: 1 Operations error
search: 5
result: 1 Operations error
text: acl_read: cannot get descriptor of automountMapName=...

weird? how do I add acls?

The following shows the whole directory as expected... but I need ldap to work for autofs!

ldbsearch -H /usr/local/samba/private/sam.ldb

So can someone tell me how to get acls added for my objects?

Samba version: 4.1.0pre1-GIT-94f11e9
Build environment:
Build host: Linux crawford 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Re: [Samba] Samba 4 Services for UNIX? [SOLVED]
To get the automount schema to work with the git checkout of samba 4 I had to modify the automount schema files and separate the attributes from the classes. I also discovered that it's required to have the ntSecurityDescriptor, instanceType, and objectCategory attributes. Without these it will crash whenever you try to browse...

I did a lot of stopping samba, tarring of /usr/local/samba and untarring to finally get here...

Here's the ldif for the automount attributes I used:

dn: CN=automountMapName,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.31
cn: automountMapName
name: automountMapName
lDAPDisplayName: automountMapName
description: automount Map Name
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

dn: CN=automountKey,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.32
cn: automountKey
name: automountKey
lDAPDisplayName: automountKey
description: Automount Key value
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

dn: CN=automountInformation,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.33
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Automount information
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

Here's the ldif for the automount classes:

dn: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.16
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: automountMapName
mayContain: description
mustContain: instanceType
mustContain: ntSecurityDescriptor
mustContain: objectCategory
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
defaultHidingValue: TRUE
systemOnly: FALSE

dn: CN=automount,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.17
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
description: Automount information
mustContain: automountKey
mustContain: automountInformation
mayContain: description
mustContain: instanceType
mustContain: ntSecurityDescriptor
mustContain: objectCategory
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DOMAIN
defaultHidingValue: TRUE
systemOnly: FALSE

These were added to the directory using the following commands:

ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/01_attr.ldif --option="dsdb:schema update allowed"=true
ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/02_class.ldif --option="dsdb:schema update allowed"=true

Now here's what I did for the actual records. First I created a new OU tree called Automounts and then three OUs beneath that for Mac, Linux, Homeless. Mac uses auto_master and linux uses auto.master but I prefer to have them in separate branches.

Here's a sample record:

dn: automountMapName=auto_master,OU=Mac,OU=Automounts,DOMAIN
objectClass: automountMap
objectClass: top
automountMapName: auto_master
description: Mac OS X Master Autofs map
ntSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
ObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
instanceType: 4

These couldn't be added with the above string so instead I used the following:

ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAIN.ldb -U administrator 03_smb_maps.ldif

To understand the ntSecurityDescriptor attribute I had to learn all about SDDL syntax and then by trial and error realize I needed to use hex format. The following links were invaluable.
http://www.netid.washington.edu/documentation/domains/sddl.aspx
http://networkadminkb.com/KB/a152/how-to-read-a-sddl-string.aspx
http://www.windowsitpro.com/article/security/defining-an-ad-object-s-default-security-descriptor

Further... this little python snippet helped me remember how to add hex

#!/usr/bin/env python3
# Access-mask bits behind the two-letter SDDL rights codes.
# Generic rights
GA = 0x10000000
GR = 0x80000000
GW = 0x40000000
GX = 0x20000000
# Standard rights
RC = 0x00020000
SD = 0x00010000
WD = 0x00040000
WO = 0x00080000
# Directory object rights
RP = 0x0010
WP = 0x0020
CC = 0x0001
DC = 0x0002
LC = 0x0004
SW = 0x0008
LO = 0x0080
DT = 0x0040
CR = 0x0100

PERMS = {
    'All Perms': RC+SD+WD+WO+RP+WP+CC+DC+LC+SW+LO+DT+CR,  # 0xf01ff
    'Read Only': RP+LC+LO+RC,                              # 0x20094
}

for key, value in PERMS.items():
    print(key, value, hex(value))

I hope this helps others to avoid frustration.

Rob

On Wed, Jan 9, 2013 at 2:23 PM, Robert Moggach r...@dashing.tv wrote:

I have a little more information about the issues I'm having: When I try to create automountMap or automount objects
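The ntSecurityDescriptor string from the sample record above, decoded ACE by ACE. This is an added example, not code from the original post: the function names and the alias table are this example's own, SAMPLE is the descriptor copied from the post, and conditional ACEs and file/registry rights codes are out of scope.

```python
import re

# Access-mask bits for directory objects, keyed by two-letter SDDL rights code.
RIGHTS = [
    ("CC", 0x00000001),  # create child
    ("DC", 0x00000002),  # delete child
    ("LC", 0x00000004),  # list children
    ("SW", 0x00000008),  # validated (self) write
    ("RP", 0x00000010),  # read property
    ("WP", 0x00000020),  # write property
    ("DT", 0x00000040),  # delete tree
    ("LO", 0x00000080),  # list object
    ("CR", 0x00000100),  # control access (extended right)
    ("SD", 0x00010000),  # delete
    ("RC", 0x00020000),  # read control (read the descriptor itself)
    ("WD", 0x00040000),  # write DAC
    ("WO", 0x00080000),  # write owner
    ("GA", 0x10000000), ("GX", 0x20000000), ("GW", 0x40000000), ("GR", 0x80000000),
]
CODE_TO_BIT = dict(RIGHTS)
ALL_KNOWN = sum(bit for _, bit in RIGHTS)
# "View" on a directory object: read control, list, read property, list object.
VIEW_ONLY = CODE_TO_BIT["RC"] | CODE_TO_BIT["LC"] | CODE_TO_BIT["RP"] | CODE_TO_BIT["LO"]

SID_ALIASES = {"BA": "Builtin Administrators", "SY": "Local System",
               "AU": "Authenticated Users", "DA": "Domain Admins", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny"}

_SID = r"S-[0-9-]+|[A-Z]{2}"
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>" + _SID + r"))?"
    r"(?:G:(?P<group>" + _SID + r"))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*))?"
    r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^()]*\))*))?$"
)

def parse_rights(field):
    """Turn an ACE rights field (hex, decimal or letter codes) into a mask."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", field):
        return int(field, 16)
    if field.isdigit():
        return int(field)
    if len(field) % 2:
        raise ValueError("rights codes come in pairs: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in CODE_TO_BIT:
            raise ValueError("unknown rights code %r" % code)
        mask |= CODE_TO_BIT[code]
    return mask

def decode_mask(mask):
    """Return (rights codes set in mask, bits this table does not name)."""
    return [code for code, bit in RIGHTS if mask & bit], mask & ~ALL_KNOWN

def parse_acl(text):
    """Split '(ace)(ace)...' into dicts; each ACE has six ';'-separated fields."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", text or ""):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("ACE needs 6 fields: %r" % body)
        ace_type, flags, rights, obj, inherit_obj, trustee = fields[:6]
        aces.append({"type": ace_type, "flags": flags, "mask": parse_rights(rights),
                     "object": obj, "inherit_object": inherit_obj, "trustee": trustee})
    return aces

def parse_sddl(sddl):
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not a simple O:/G:/D:/S: descriptor")
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("dflags") or "", "dacl": parse_acl(m.group("dacl"))}

def is_view_only(mask):
    """True when the mask grants something, and nothing beyond read/list."""
    return mask != 0 and (mask & ~VIEW_ONLY) == 0

def describe(sddl):
    """One readable line per DACL entry."""
    lines = []
    for ace in parse_sddl(sddl)["dacl"]:
        names, leftover = decode_mask(ace["mask"])
        who = SID_ALIASES.get(ace["trustee"], ace["trustee"])
        line = "%-5s %-46s %#07x %s" % (ACE_TYPES.get(ace["type"], ace["type"]),
                                        who, ace["mask"], "+".join(names))
        if leftover:
            line += " +unknown(%#x)" % leftover
        if is_view_only(ace["mask"]):
            line += " (view-only)"
        lines.append(line)
    return lines

# Descriptor string copied from the sample record in the post.
SAMPLE = ("O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)"
          "(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)")

if __name__ == "__main__":
    for entry in describe(SAMPLE):
        print(entry)
```

Running it over a descriptor before loading the LDIF shows whether a broad trustee such as Authenticated Users ends up with write rights (WP, WD, WO) rather than the intended view-only mask.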
Re: [Samba] Samba 4 Services for UNIX? [SOLVED]
OK. So I now no longer 'CORRUPT' my database. Thanks to Andrew for pointing this out as it didn't seem to have caused problems until I tried to edit attributes.

The following is my latest attempt. Given the errors I was getting were all related to an invalid rdn I moved to change to a schema that was a little more generic and uses OU and CN instead. In hindsight it was the missing rdnAttId that was probably causing this error so you can probably try adding that to the previous schema definition instead. Not sure what's ideal.

The following schema and corresponding data load without issue using the documented ldbmodify command... It's now 3 ldif files... one for the attribute, one for the automountMap class, one for the automount class. It wouldn't do it for me otherwise as it needed to see the preceding attribute or class before being added. Split these into three separate files...

01_autofs_attr.ldif

dn: CN=automountInformation,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.25
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Information used by the autofs automounter
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

02_autofs_map.ldif

dn: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.2312.4.2.2
rdnAttId: ou
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: ou
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
defaultSecurityDescriptor: O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
systemPossSuperiors: organizationalUnit

03_autofs_mount.ldif

dn: CN=automount,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.1.13
rdnAttId: cn
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
mustContain: cn
mustContain: automountInformation
mayContain: description
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DOMAIN
defaultSecurityDescriptor: O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
systemPossSuperiors: automountMap

Add them as documented in the wiki

ldbmodify -H /usr/local/samba/private/sam.ldb /root/01_autofs_attr.ldif ...etc...etc...etc

Modify the actual data accordingly to remove automountKey and automountMapName attributes and change as needed. These work for me and I can edit them without issue.

On Wed, Jan 9, 2013 at 7:50 PM, Robert Moggach r...@dashing.tv wrote:

To get the automount schema to work with the git checkout of samba 4 I had to modify the automount schema files and separate the attributes from the classes. I also discovered that it's required to have the ntSecurityDescriptor, instanceType, and objectCategory attributes. Without these it will crash whenever you try to browse... I did a lot of stopping samba, tarring of /usr/local/samba and untarring to finally get here...
Re: [Samba] Samba 4 Services for UNIX?
I've been back and forth with Andrew on this offlist and a few notes to share. I still don't have full success:

*1) How to install the necessary schema etc for UNIX connectivity*

The part I was missing here, which isn't part of the howto, is that to get Windows to see the UNIX attributes (Services for UNIX etc.) you need to have an NIS domain. When provisioning you need to add the following option:

--use-rfc2307

This will add records to create an NIS domain that the Windows side will recognize, allowing you to change UIDs, GIDs etc. in the GUI. It's all possible with ldbmodify but I wanted to get the GUI working.

*2) How to install/manage UNIX friendly users, groups, etc.*

I found this site which was indispensable in getting back to a familiar place.

http://linuxcostablanca.blogspot.ca/p/samba-4.html

There are a few places in his howto that I got caught on but in the end I have multiple OSs authenticating against Samba AD DC. It's for OpenSUSE but I had little issue translating for CentOS 6.x.

*3) How to successfully add the automount schema (the wiki doesn't seem to work for me)*

This ISN'T working yet. :( Regardless of how I've tried using ldapadd or ldbadd or ldbmodify I can't get past the following error:

schema_data_add: we are not master: reject request

This is with dsdb:schema update allowed = yes used as an option on the command line and also in the smb.conf, separately and together.

*4) How to add automount maps*

This seems to be an easy task once the schema is added.

http://phaedrus77.blogspot.com.es/2010/04/samba4-ad-domain-controller-to-serve.html

So if anyone has some insight on the we are not master error I'd love it. I'm only running one server so I'm not sure why it's not able to add the records.

Rob
Re: [Samba] Samba 4 Services for UNIX?
Yes, as far as I can tell I have the SchemaMasterRole

[root@crawford ~]# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
RidAllocationMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
DomainNamingMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
SchemaMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain

When I try to seize I get the following:

[root@crawford ~]# samba-tool fsmo seize --role=all
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!

[root@crawford ~]# samba-tool fsmo seize --role=schema
Attempting transfer...
FSMO transfer of 'schema' role successful
ERROR: Failed to initiate role seize of 'schema' role: objectclass: modify message must have elements/attributes!

On Tue, Jan 8, 2013 at 3:07 PM, Gémes Géza g...@kzsdabas.hu wrote:

please check with samba-tool fsmo show, that the SchemaMasterRole is held by the DC you are pointing your ldbmodify command (schema master role is one of the five roles which can be had on only one dc in a domain)
Re: [Samba] Samba 4 Services for UNIX?
I've solved getting the schema into the directory... and I thought I populated my automount maps... but the directory is unbrowsable - Getting closer...

I keep getting the following error:

*acl_read: cannot get descriptor of automountMap... etc. etc.*

Steps I took...

1) I had changed the Default-First-Site-Name to something more appropriate and changing that back seemed like a good place to start even though fsmo was showing me as the SchemaMaster -

2) At this point I was able to get the schema loaded... almost... ldapadd didn't like attributes and class in the same ldif... and then I had to restart samba to add the class file... ugh... use ldbmodify! I edited the automount.ldif schema file to be two files - one for the attributes and a second for the classes. I added the schema using the following two commands:

ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_attr.ldif --option="dsdb:schema update allowed=true"
ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_class.ldif --option="dsdb:schema update allowed=true"

4) I then tried to add the automount records with ldbmodify with no luck

...
ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/03_autofs_maps.ldif
...
Sorting rpmd with attid exception 3 rDN=CN DN=CN=linux,CN=autofs,CN=Services,DC=MYDOMAIN
ERR: (Naming violation) objectclass: Invalid RDN 'AUTOMOUNTMAPNAME' for objectclass 'automountMap'! on DN automountMapName=auto_master,CN=mac,CN=autofs,CN=Services,DC=MYDOMAIN at block before line 41
Modify failed after processing 5 records

Weird... solved that by doing the following, but now I have all kinds of acl_read errors

ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=MYDOMAIN.ldb 03_autofs_maps.ldif

ldapsearch gives me the following:

result: 1 Operations error
search: 5
result: 1 Operations error
text: acl_read: cannot get descriptor of automountMapName=...

weird? how do I add acls?

The following shows the whole directory as expected... but I need ldap to work for autofs!

ldbsearch -H /usr/local/samba/private/sam.ldb

So can someone tell me how to get acls added for my objects?

Samba version: 4.1.0pre1-GIT-94f11e9
Build environment:
Build host: Linux crawford 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[Samba] Help with 'samba-tool dsacl set ...'
I've tried setting default object permissions for the automountMap and automount objects when they're added to my schema but I'm still getting acl errors. I would assume that the 'samba-tool dsacl set' command could help me but I have no clue where to start with syntax and I looked at the python to see if I could find it but to no avail.

From using MMC on the windows side I assume I need the following permissions...

Authenticated Users: View
SYSTEM: Full
Domain Admins: Full

so without knowing how...

samba-tool dsacl set -URL=ldap://sambaserver.mydomain \
  --action=allow \
  --objectdn='automountMapName=auto.master,DC=MYDOMAIN' \
  --trusteedn='CN=Administrator,CN=Users,DC=MYDOMAIN' \
  -U Administrator \
  --sddl=

probably miles away...
[Samba] Samba 4 Services for UNIX?
I have a working Samba 4.0.0 AD DC running and am able to manage users etc using the Windows tools. Great. Now I want to as much as possible eliminate the need for an additional directory service (OpenLDAP and/or Open Directory) if not entirely. I need automount working and Posix users. I believe it's possible to set this up but haven't been able to find any solid documentation - Can someone point me in the right direction?

Specifically I'm looking for:

1) How to install the necessary schema etc for UNIX connectivity
2) How to install/manage UNIX friendly users, groups, etc.
3) How to successfully add the automount schema (the wiki doesn't seem to work for me)
4) How to add automount maps

Thanks!

Rob
Re: [Samba] Update A Compiled Version
At Thu, 20 Dec 2012 11:20:40 -0700 Zane Zakraisek doublez...@gmail.com wrote:

I'm pretty new to compiling software, although I would rather compile my own Samba 4.0.0 server rather than wait for it to become available in the repositories of my distribution. How do you update compiled software. Like if I compile and install Samba 4.0.0, and then 4.0.1 comes out, Is there a way to update to that without starting from scratch and having to rebuild my domain? Thanks

Most (all?) Linux distributions include a compiled version of Samba as part of the distribution's software repository. Check to see what your distribution makes available.

--
Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
[Samba] So no conversion from group_mapping.ldb to group_mapping.tdb?
Greetings,

I recently upgraded an AD member server from Samba 3.5.15 to Samba 3.6.9 and found that I had lost all the existing local group mappings. I see that the group mapping file has gone from group_mapping.ldb to group_mapping.tdb.

I asked on this list as well as searching the web, Samba documentation (which still seems focused on version 3.5), and Samba Wiki and found nothing on a method to convert/migrate information stored in the group_mapping.ldb file to the new group_mapping.tdb - is that correct?

Because of the way Active Directory is managed at our site I store dozens of local groups and their memberships in that file. I found NOTHING in the Samba 3.6.x release notes warning me of the change to the group_mapping file. Just wanted to confirm that there is no conversion utility that I missed and that I am on my own to migrate that information.

Thank you

Bob Martel

--
***
Robert M. Martel                 I met someone who looks a lot like you
System Administrator             She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University            -Jeff Lynne
(216) 687-2214  r.mar...@csuohio.edu
***
[Samba] Lost group mappings going from Samba 3.5 to Samba 3.6
Greetings,

I recently upgraded an AD member server from Samba 3.5.15 to Samba 3.6.9 and found that I had lost all the existing local group mappings. I see that the group mapping file has gone from group_mapping.ldb to group_mapping.tdb.

Was there a conversion/upgrade procedure I should have found and used? Online documentation I can find says it is for the 3.5 series of samba, does updated documentation for 3.6 exist somewhere? Does a group mapping migration procedure exist, or will I need to recreate it from scratch?

On this initial trial of Samba 3.6 only a few groups existed, on the larger production machines the story is different and recreating the groups and memberships will be a chore.

Thanks!

Bob Martel

--
***
Robert M. Martel                 I met someone who looks a lot like you
System Administrator             She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University            -Jeff Lynne
(216) 687-2214  r.mar...@csuohio.edu
***
Re: [Samba] Domain DFS on samba 4
shares does not work. Dfs is for sharing files only.

Load balancing

To set up a load-balancing Dfs share, create the symbolic link like this:

# ln -s 'msdfs:toltec\data,msdfs:mixtec\data' lb-data

That is, simply use a list of shares separated by commas as the reference. Remember, it is up to you to make sure the shared folders remain identical. Set up permissions on the servers to make the shares read-only to users.

The last thing we need to do is to modify the smb.conf file to define the Dfs root share and add Dfs support. The Dfs root is added as a share definition:

[dfs]
    path = /usr/local/samba/dfs
    msdfs root = yes

You can use any name you like for the share. The path is set to the Dfs root directory we just set up, and the parameter msdfs root = yes tells Samba that this share is a Dfs root.

To enable support for Dfs in the server, we need to add one line to the [global] section:

[global]
    host msdfs = yes

Restart the Samba daemons—or just wait a minute for them to reread the configuration file—and you will see the new share from Windows clients. If you have trouble accessing any of the remote shares in the Dfs share, recheck your symbolic links to make sure they were created correctly.

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
Re: [Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable
On 10/22/2012 05:10 PM, Andrew Bartlett wrote:

On Mon, 2012-10-22 at 14:51 -0400, Robert M. Martel - CSU wrote:

[2012/10/22 14:23:07.353280, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients credentials have been revoked
Join to domain is not valid: Access denied

The Active Directory admins are still saying that they have not changed anything on their side.

It seems unlikely if you just re-joined, but in case we are talking about multiple machines, could the password have been expired?

The problem existed for multiple machines. After Brian Campbell's note I double-checked the clock-sync on the servers and found it to be okay.

The Active Directory (AD) admins that did not change anything finally reported having some vague problem with their domain server replication that only seems to affect *my* Samba servers (I may be the only person on campus running Samba servers that are members of the university's Active Directory system.) There was some more hand waving, reports of trying to get some support out of Microsoft, and finally a mention that *someone* had been making some changes to AD config in preparation of moving from Lotus Notes Email to MS Exchange. The AD admins then did something else and now the problem no longer exists.

I am still trying to get some real information as to what happened. If I (ever) find out I will note it here. I always hate seeing problem reports in Email archives that never talk about resolution.

Thank you! At least I got my Samba versions less out of date. Have to see if building 3.6 is as much of a pain on Solaris as 3.5 has been.

--
***
Robert M. Martel                 I met someone who looks a lot like you
System Administrator             She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University            -Jeff Lynne
(216) 687-2214  r.mar...@csuohio.edu
***
[Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable
Greetings,

I have an elderly installation of Samba 3.5.8 running on 10 Sparc servers (and 3.5.12 on Solaris 9 servers with the same issue) set up as Active Directory member servers. Since we've laid-off everyone else around here I have not had the opportunity to update the Samba installation - and have not needed to as it has been very solid.

Suddenly last Friday the Samba servers started having authentication problems for the active directory users. Users were unable to map drives, looking at files on the server I was seeing UID numbers rather than the user's login ID for the files. Stopping and restarting Samba did not help. I took the machines out of Active Directory, and then re-added them - which they did without a problem. After restarting Samba all was well, for awhile.

This morning some folks that had left themselves looked in over the weekend were okay, but others could not map their drives. Interactive logins for AD users did not work. I again left and rejoined the AD domain and all was well for a bit, then I had to repeat the cycle.

I do not maintain or have access to the Active Directory servers or configuration. The central IT people claim that they have not made any changes to the AD servers...but they don't always tell me the whole truth.

I am building Samba 3.5.18 right now in the hope that it will make a difference. I've never had a problem like this since first playing with Samba and Active directory more than 5 years ago - and certainly no issue like this since putting it into production.

--
***
Robert M. Martel                 I met someone who looks a lot like you
System Administrator             She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University            -Jeff Lynne
(216) 687-2214  r.mar...@csuohio.edu
***
Re: [Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable
Greetings, something to add.

Had one of the Solaris 9 machines just stop working. I stopped samba and restarted it, found the following in smblog.smbd

[2012/10/22 11:37:00.299787, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials

I removed the machine from Active Directory and immediately re-added it - I did NOT run kinit to get new credentials. Started Samba and the machine works fine...for now.

On 10/22/2012 11:29 AM, Robert M. Martel - CSU wrote:

Greetings,

I have an elderly installation of Samba 3.5.8 running on 10 Sparc servers (and 3.5.12 on Solaris 9 servers with the same issue) set up as Active Directory member servers. Since we've laid-off everyone else around here I have not had the opportunity to update the Samba installation - and have not needed to as it has been very solid.

Suddenly last Friday the Samba servers started having authentication problems for the active directory users. Users were unable to map drives, looking at files on the server I was seeing UID numbers rather than the user's login ID for the files. Stopping and restarting Samba did not help. I took the machines out of Active Directory, and then re-added them - which they did without a problem. After restarting Samba all was well, for awhile.

This morning some folks that had left themselves looked in over the weekend were okay, but others could not map their drives. Interactive logins for AD users did not work. I again left and rejoined the AD domain and all was well for a bit, then I had to repeat the cycle.

I do not maintain or have access to the Active Directory servers or configuration. The central IT people claim that they have not made any changes to the AD servers...but they don't always tell me the whole truth.

I am building Samba 3.5.18 right now in the hope that it will make a difference. I've never had a problem like this since first playing with Samba and Active directory more than 5 years ago - and certainly no issue like this since putting it into production.

--
***
Robert M. Martel                 I met someone who looks a lot like you
System Administrator             She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University            -Jeff Lynne
(216) 687-2214  r.mar...@csuohio.edu
***
Re: [Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable
Greetings,

More responding to my own thread - but no solution in sight. Still having the problem with Samba 3.5.18. New and different error message from net ads testjoin:

#webdevel# net ads testjoin
[2012/10/22 14:23:07.317109, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients credentials have been revoked
[2012/10/22 14:23:07.353280, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients credentials have been revoked
Join to domain is not valid: Access denied

The Active Directory admins are still saying that they have not changed anything on their side.

On 10/22/2012 11:48 AM, Robert M. Martel - CSU wrote:

Greetings, something to add.

Had one of the Solaris 9 machines just stop working. I stopped samba and restarted it, found the following in smblog.smbd

[2012/10/22 11:37:00.299787, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials

I removed the machine from Active Directory and immediately re-added it - I did NOT run kinit to get new credentials. Started Samba and the machine works fine...for now.

On 10/22/2012 11:29 AM, Robert M. Martel - CSU wrote:

Greetings,

I have an elderly installation of Samba 3.5.8 running on 10 Sparc servers (and 3.5.12 on Solaris 9 servers with the same issue) set up as Active Directory member servers. Since we've laid-off everyone else around here I have not had the opportunity to update the Samba installation - and have not needed to as it has been very solid.

Suddenly last Friday the Samba servers started having authentication problems for the active directory users. Users were unable to map drives, looking at files on the server I was seeing UID numbers rather than the user's login ID for the files. Stopping and restarting Samba did not help. I took the machines out of Active Directory, and then re-added them - which they did without a problem. After restarting Samba all was well, for awhile.

This morning some folks that had left themselves looked in over the weekend were okay, but others could not map their drives. Interactive logins for AD users did not work. I again left and rejoined the AD domain and all was well for a bit, then I had to repeat the cycle.

I do not maintain or have access to the Active Directory servers or configuration. The central IT people claim that they have not made any changes to the AD servers...but they don't always tell me the whole truth.

I am building Samba 3.5.18 right now in the hope that it will make a difference. I've never had a problem like this since first playing with Samba and Active directory more than 5 years ago - and certainly no issue like this since putting it into production.

--
***
Robert M. Martel                 I met someone who looks a lot like you
System Administrator             She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University            -Jeff Lynne
(216) 687-2214  r.mar...@csuohio.edu
***
[Samba] Windows 7 Clients Slow/Unresponsive with some file types
I am having some unresponsive and very slow performance with a couple of different file types with Samba and Windows 7 clients. The problems manifest in the following manners:

IGES files, these are CAD files. When opening up certain IGES files from the server, the application can take upwards of 10 minutes to open up the file. If I copy the same file from the server to the desktop, the file will open up in a few seconds. This is most noticeable with files in sizes over a few megabytes.

Quickbooks. Logging into the Quickbooks file can take longer than normal, upwards of 30 seconds, instead of 5 or fewer seconds. Once in, the application operates normally, until a reconcile action is taken. What happens is that the reconcile action goes through, but the application appears to be processing the reconcile for an inordinate amount of time. This has been left sitting for upwards of 10 to 15 minutes without returning control to the user. Killing the application and then reopening and checking confirms that the reconcile operation was successful. The file size for the Quickbooks file is over 200 megabytes in size.

I have a feeling that this is mostly an optimization issue more than anything else. Any suggestions or pointers towards rectifying this would be most appreciated. Thank you.

--
Regards,
Robert
Re: [Samba] Windows 7 Clients Slow/Unresponsive with some file types
I have added the socket options of SO_RCVBUFF=65536 and SO_SNDBUFF=65536 and while that has greatly increased file transfer speed, it's instantaneous to transmit an 11mb file from the server to a Windows 7 desktop, there has been no increase in performance for opening up that particular file from the server.

Additionally, I should add that we also have other binary file types that can be equally or significantly larger than the IGS files that open up nearly as fast over the network as they do on the local system. These files are the native format for the CAD System that we utilize. The files are not plain text, like the IGES files are.

--
Regards,
Robert Adkins

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
Sent: Tuesday, September 18, 2012 8:44 AM
To: samba@lists.samba.org
Subject: [Samba] Windows 7 Clients Slow/Unresponsive with some file types

I am having some unresponsive and very slow performance with a couple of different file types with Samba and Windows 7 clients. The problems manifest in the following manners:

IGES files, these are CAD files. When opening up certain IGES files from the server, the application can take upwards of 10 minutes to open up the file. If I copy the same file from the server to the desktop, the file will open up in a few seconds. This is most noticeable with files in sizes over a few megabytes.

Quickbooks. Logging into the Quickbooks file can take longer than normal, upwards of 30 seconds, instead of 5 or fewer seconds. Once in, the application operates normally, until a reconcile action is taken. What happens is that the reconcile action goes through, but the application appears to be processing the reconcile for an inordinate amount of time. This has been left sitting for upwards of 10 to 15 minutes without returning control to the user. Killing the application and then reopening and checking confirms that the reconcile operation was successful. The file size for the Quickbooks file is over 200 megabytes in size.

I have a feeling that this is mostly an optimization issue more than anything else. Any suggestions or pointers towards rectifying this would be most appreciated. Thank you.

--
Regards,
Robert
Re: [Samba] Changed PDC IP, all hell broke lose
I think you can/should have them remove the PDC from their WINS entry on their end and then you can rejoin the network with the new IP Address. Outside of that, I can only suggest looking into how to send an update to a record on a WINS server from a Samba PDC. I'm unsure if that is possible as I have only run a fully Windows or a Linux/Samba with Windows Clients as a network. -- Regards, Robert Adkins -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines Sent: Tuesday, September 04, 2012 2:24 PM To: samba@lists.samba.org Subject: Re: [Samba] Changed PDC IP, all hell broke lose It is definitely an issue with the WINS server which returns the old IP address # nmblookup -U 172.27.88.81 -R 'MRIRESEARCH#1b' querying MRIRESEARCH on 172.27.88.81 132.183.202.95 MRIRESEARCH1b SO it is not automatically picking up the IP change which happened 4 days ago and I have restarted samba on my PDC several times. The old IP is definitely not in /etc/hosts anymore or anywhere in smb.conf. It only shows up in gencache.tdb in the files /var/lib/samba even though I keep deleting that file when I restart. WINS is a total mystery to me. How is this supposed to work? -- Paul Raines (http://help.nmr.mgh.harvard.edu) On Tue, 4 Sep 2012 12:00pm, Paul Raines wrote: I have no idea what the WINS server is except that I am sure it running on Windows since they are totally Windows-based organization. So the WINS server is definitely the problem? When I talk to them and mention I am using Samba on Linux they may totally just say we don't support it and hang up. It seems a strange design that a WINS server can take precedence over my explicit password server setting in my smb.conf file. -- Paul Raines (http://help.nmr.mgh.harvard.edu) On Tue, 4 Sep 2012 11:21am, Robert Adkins II wrote: More information is required. What is the WINS server running OS wise? Can you work with the IT Staff in charge of that WINS Server? 
-- Regards, Robert Adkins -Original Message- From: Paul Raines [mailto:rai...@nmr.mgh.harvard.edu] Sent: Tuesday, September 04, 2012 11:16 AM To: Robert Adkins II Cc: samba@lists.samba.org Subject: RE: [Samba] Changed PDC IP, all hell broke lose I am not running winbindd on the server. I am using the WINS server of my hospital which I have no control over. I have already tried deleting browse.dat (I do not see the other two files anywhere) to no avail. So my fear is that this is all happening because the WINS server is refusing to recognize the change since I cannot do anything about it. Is that the issue? Is there anyway to force a WINS server to change the IP it has a for domain master browser? -- Paul Raines (http://help.nmr.mgh.harvard.edu) On Tue, 4 Sep 2012 10:59am, Robert Adkins II wrote: It's most likely that your server has the old IP Address Cached in the wins.dat, browse.dat, browse.tdb. I recommend the following: Shutdown the windbind, nmbd and smbd services. Back up each of the above mentioned files. Delete the original above named files. Restart your services and then see if you can connect. You may also need to edit your samba configuration file to point to the new server IP Address as the PDC Master Browser. (Assuming you didn't already do that.) The problem is that your server is telling clients to attempt to find it on a network that no longer exists. -- Regards, Robert Adkins II -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines Sent: Tuesday, September 04, 2012 10:41 AM To: samba@lists.samba.org Subject: [Samba] Changed PDC IP, all hell broke lose I had to move my RedHat 5 box acting as a PDC to a new IP address. It is running samba 3.5.10. After the move, none of my windows or linux samba clients worked anymore. 
I tried rejoining some to the domain, but would get error Unable to find a suitable server Join to domain 'MRIRESEARCH' is not valid The old PDC IP address is 132.183.202.95 and nothing is at that IP anymore (for 4 days now). The new IP is 172.21.21.35 I ran 'net -d 10 join' and would see it was still trying to connect to the old IP address. I tried 'net cache flush' to no avail. I shut down samba, removed every file in /var/cache/samba and still no change. It tries to go to the old IP address. On the PDC box, I increase 'os level' from 60 to 70, stopped the nmbd and smbd processes, did a 'net flush cache' and restarted nmbd and smbd. Still it fails and the nmbd log as the following. == [2012/09/04 10:09:25, 0] nmbd/nmbd.c:857(main) nmbd version 3.5.10-0.110
Re: [Samba] Changed PDC IP, all hell broke lose
Great to see! -- Regards, Robert Adkins -Original Message- From: Paul Raines [mailto:rai...@nmr.mgh.harvard.edu] Sent: Thursday, September 06, 2012 9:45 AM To: Robert Adkins II Cc: samba@lists.samba.org Subject: RE: [Samba] Changed PDC IP, all hell broke lose I emailed the admins and they said they removed the old IP address from the WINS server and that seemed to fix things. -- Paul Raines (http://help.nmr.mgh.harvard.edu) On Thu, 6 Sep 2012 9:37am, Robert Adkins II wrote: I think you can/should have them remove the PDC from their WINS entry on their end and then you can rejoin the network with the new IP Address. Outside of that, I can only suggest looking into how to send an update to a record on a WINS server from a Samba PDC. I'm unsure if that is possible as I have only run a fully Windows or a Linux/Samba with Windows Clients as a network. -- Regards, Robert Adkins -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines Sent: Tuesday, September 04, 2012 2:24 PM To: samba@lists.samba.org Subject: Re: [Samba] Changed PDC IP, all hell broke lose It is definitely an issue with the WINS server which returns the old IP address # nmblookup -U 172.27.88.81 -R 'MRIRESEARCH#1b' querying MRIRESEARCH on 172.27.88.81 132.183.202.95 MRIRESEARCH1b SO it is not automatically picking up the IP change which happened 4 days ago and I have restarted samba on my PDC several times. The old IP is definitely not in /etc/hosts anymore or anywhere in smb.conf. It only shows up in gencache.tdb in the files /var/lib/samba even though I keep deleting that file when I restart. WINS is a total mystery to me. How is this supposed to work? -- Paul Raines (http://help.nmr.mgh.harvard.edu) On Tue, 4 Sep 2012 12:00pm, Paul Raines wrote: I have no idea what the WINS server is except that I am sure it running on Windows since they are totally Windows-based organization. So the WINS server is definitely the problem? 
When I talk to them and mention I am using Samba on Linux they may totally just say we don't support it and hang up. It seems a strange design that a WINS server can take precedence over my explicit password server setting in my smb.conf file. -- Paul Raines (http://help.nmr.mgh.harvard.edu) On Tue, 4 Sep 2012 11:21am, Robert Adkins II wrote: More information is required. What is the WINS server running OS wise? Can you work with the IT Staff in charge of that WINS Server? -- Regards, Robert Adkins -Original Message- From: Paul Raines [mailto:rai...@nmr.mgh.harvard.edu] Sent: Tuesday, September 04, 2012 11:16 AM To: Robert Adkins II Cc: samba@lists.samba.org Subject: RE: [Samba] Changed PDC IP, all hell broke lose I am not running winbindd on the server. I am using the WINS server of my hospital which I have no control over. I have already tried deleting browse.dat (I do not see the other two files anywhere) to no avail. So my fear is that this is all happening because the WINS server is refusing to recognize the change since I cannot do anything about it. Is that the issue? Is there anyway to force a WINS server to change the IP it has a for domain master browser? -- Paul Raines (http://help.nmr.mgh.harvard.edu) On Tue, 4 Sep 2012 10:59am, Robert Adkins II wrote: It's most likely that your server has the old IP Address Cached in the wins.dat, browse.dat, browse.tdb. I recommend the following: Shutdown the windbind, nmbd and smbd services. Back up each of the above mentioned files. Delete the original above named files. Restart your services and then see if you can connect. You may also need to edit your samba configuration file to point to the new server IP Address as the PDC Master Browser. (Assuming you didn't already do that.) The problem is that your server is telling clients to attempt to find it on a network that no longer exists. 
-- Regards, Robert Adkins II -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines Sent: Tuesday, September 04, 2012 10:41 AM To: samba@lists.samba.org Subject: [Samba] Changed PDC IP, all hell broke lose I had to move my RedHat 5 box acting as a PDC to a new IP address. It is running samba 3.5.10. After the move, none of my windows or linux samba clients worked anymore. I tried rejoining some to the domain, but would get error Unable to find a suitable server Join to domain 'MRIRESEARCH' is not valid The old PDC IP address is 132.183.202.95 and nothing is at that IP anymore (for 4 days now). The new IP is 172.21.21.35 I ran 'net -d 10 join
Re: [Samba] Changed PDC IP, all hell broke lose
It's most likely that your server has the old IP Address Cached in the wins.dat, browse.dat, browse.tdb. I recommend the following: Shutdown the windbind, nmbd and smbd services. Back up each of the above mentioned files. Delete the original above named files. Restart your services and then see if you can connect. You may also need to edit your samba configuration file to point to the new server IP Address as the PDC Master Browser. (Assuming you didn't already do that.) The problem is that your server is telling clients to attempt to find it on a network that no longer exists. -- Regards, Robert Adkins II -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines Sent: Tuesday, September 04, 2012 10:41 AM To: samba@lists.samba.org Subject: [Samba] Changed PDC IP, all hell broke lose I had to move my RedHat 5 box acting as a PDC to a new IP address. It is running samba 3.5.10. After the move, none of my windows or linux samba clients worked anymore. I tried rejoining some to the domain, but would get error Unable to find a suitable server Join to domain 'MRIRESEARCH' is not valid The old PDC IP address is 132.183.202.95 and nothing is at that IP anymore (for 4 days now). The new IP is 172.21.21.35 I ran 'net -d 10 join' and would see it was still trying to connect to the old IP address. I tried 'net cache flush' to no avail. I shut down samba, removed every file in /var/cache/samba and still no change. It tries to go to the old IP address. On the PDC box, I increase 'os level' from 60 to 70, stopped the nmbd and smbd processes, did a 'net flush cache' and restarted nmbd and smbd. Still it fails and the nmbd log as the following. == [2012/09/04 10:09:25, 0] nmbd/nmbd.c:857(main) nmbd version 3.5.10-0.110.el5_8 started. 
Copyright Andrew Tridgell and the Samba Team 1992-2010 [2012/09/04 10:09:25.716397, 0] nmbd/nmbd_logonnames.c:160(add_logon_names) add_domain_logon_names: Attempting to become logon server for workgroup MRIRESEARCH on subnet 172.21.21.35 [2012/09/04 10:09:25.716599, 0] nmbd/nmbd_logonnames.c:160(add_logon_names) add_domain_logon_names: Attempting to become logon server for workgroup MRIRESEARCH on subnet 192.168.0.150 [2012/09/04 10:09:25.716671, 0] nmbd/nmbd_logonnames.c:160(add_logon_names) add_domain_logon_names: Attempting to become logon server for workgroup MRIRESEARCH on subnet UNICAST_SUBNET [2012/09/04 10:09:25.716768, 0] nmbd/nmbd_become_dmb.c:337(become_domain_master_browser_wins) become_domain_master_browser_wins: Attempting to become domain master browser on workgroup MRIRESEARCH, subnet UNICAST_SUBNET. [2012/09/04 10:09:25.716828, 0] nmbd/nmbd_become_dmb.c:351(become_domain_master_browser_wins) become_domain_master_browser_wins: querying WINS server from IP 0.0.0.0 for domain master browser name MRIRESEARCH1b on workgroup MRIRESEARCH [2012/09/04 10:09:25.722744, 0] nmbd/nmbd_logonnames.c:121(become_logon_server_success) become_logon_server_success: Samba is now a logon server for workgroup MRIRESEARCH on subnet UNICAST_SUBNET [2012/09/04 10:09:25.722928, 0] nmbd/nmbd_become_dmb.c:235(become_domain_master_query_success) become_domain_master_query_success: There is already a domain master browser at IP 132.183.202.95 for workgroup MRIRESEARCH registered on subnet UNICAST_SUBNET. 
[2012/09/04 10:09:29.096239, 0] nmbd/nmbd_logonnames.c:121(become_logon_server_success) become_logon_server_success: Samba is now a logon server for workgroup MRIRESEARCH on subnet 172.21.21.35 [2012/09/04 10:09:29.096382, 0] nmbd/nmbd_logonnames.c:121(become_logon_server_success) become_logon_server_success: Samba is now a logon server for workgroup MRIRESEARCH on subnet 192.168.0.150 [2012/09/04 10:09:49.731244, 0] nmbd/nmbd_become_lmb.c:395(become_local_master_stage2) * Samba name server PDC-NMR is now a local master browser for workgroup MRIRESEARCH on subnet 172.21.21.35 * [2012/09/04 10:09:49.731468, 0] nmbd/nmbd_become_lmb.c:395(become_local_master_stage2) * Samba name server PDC-NMR is now a local master browser for workgroup MRIRESEARCH on subnet 192.168.0.150 * [2012/09/04 10:10:10.732440, 0] nmbd/nmbd_browsesync.c:247(domain_master_node_status_fail) domain_master_node_status_fail: Doing a node status request to the domain master browser for workgroup MRIRESEARCH at IP 132.183.202.95 failed. Cannot sync browser lists. [2012/09/04 10:10:10.732636, 0] nmbd/nmbd_browsesync.c:247(domain_master_node_status_fail) domain_master_node_status_fail: Doing a node status request to the domain master browser for workgroup MRIRESEARCH at IP 132.183.202.95 failed. Cannot sync browser lists. = Where
Re: [Samba] Changed PDC IP, all hell broke lose
More information is required. What is the WINS server running OS wise? Can you work with the IT Staff in charge of that WINS Server? -- Regards, Robert Adkins -Original Message- From: Paul Raines [mailto:rai...@nmr.mgh.harvard.edu] Sent: Tuesday, September 04, 2012 11:16 AM To: Robert Adkins II Cc: samba@lists.samba.org Subject: RE: [Samba] Changed PDC IP, all hell broke lose I am not running winbindd on the server. I am using the WINS server of my hospital which I have no control over. I have already tried deleting browse.dat (I do not see the other two files anywhere) to no avail. So my fear is that this is all happening because the WINS server is refusing to recognize the change since I cannot do anything about it. Is that the issue? Is there anyway to force a WINS server to change the IP it has a for domain master browser? -- Paul Raines (http://help.nmr.mgh.harvard.edu) On Tue, 4 Sep 2012 10:59am, Robert Adkins II wrote: It's most likely that your server has the old IP Address Cached in the wins.dat, browse.dat, browse.tdb. I recommend the following: Shutdown the windbind, nmbd and smbd services. Back up each of the above mentioned files. Delete the original above named files. Restart your services and then see if you can connect. You may also need to edit your samba configuration file to point to the new server IP Address as the PDC Master Browser. (Assuming you didn't already do that.) The problem is that your server is telling clients to attempt to find it on a network that no longer exists. -- Regards, Robert Adkins II -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines Sent: Tuesday, September 04, 2012 10:41 AM To: samba@lists.samba.org Subject: [Samba] Changed PDC IP, all hell broke lose I had to move my RedHat 5 box acting as a PDC to a new IP address. It is running samba 3.5.10. After the move, none of my windows or linux samba clients worked anymore. 
I tried rejoining some to the domain, but would get error Unable to find a suitable server Join to domain 'MRIRESEARCH' is not valid The old PDC IP address is 132.183.202.95 and nothing is at that IP anymore (for 4 days now). The new IP is 172.21.21.35 I ran 'net -d 10 join' and would see it was still trying to connect to the old IP address. I tried 'net cache flush' to no avail. I shut down samba, removed every file in /var/cache/samba and still no change. It tries to go to the old IP address. On the PDC box, I increase 'os level' from 60 to 70, stopped the nmbd and smbd processes, did a 'net flush cache' and restarted nmbd and smbd. Still it fails and the nmbd log as the following. == [2012/09/04 10:09:25, 0] nmbd/nmbd.c:857(main) nmbd version 3.5.10-0.110.el5_8 started. Copyright Andrew Tridgell and the Samba Team 1992-2010 [2012/09/04 10:09:25.716397, 0] nmbd/nmbd_logonnames.c:160(add_logon_names) add_domain_logon_names: Attempting to become logon server for workgroup MRIRESEARCH on subnet 172.21.21.35 [2012/09/04 10:09:25.716599, 0] nmbd/nmbd_logonnames.c:160(add_logon_names) add_domain_logon_names: Attempting to become logon server for workgroup MRIRESEARCH on subnet 192.168.0.150 [2012/09/04 10:09:25.716671, 0] nmbd/nmbd_logonnames.c:160(add_logon_names) add_domain_logon_names: Attempting to become logon server for workgroup MRIRESEARCH on subnet UNICAST_SUBNET [2012/09/04 10:09:25.716768, 0] nmbd/nmbd_become_dmb.c:337(become_domain_master_browser_wins) become_domain_master_browser_wins: Attempting to become domain master browser on workgroup MRIRESEARCH, subnet UNICAST_SUBNET. 
[2012/09/04 10:09:25.716828, 0] nmbd/nmbd_become_dmb.c:351(become_domain_master_browser_wins) become_domain_master_browser_wins: querying WINS server from IP 0.0.0.0 for domain master browser name MRIRESEARCH1b on workgroup MRIRESEARCH [2012/09/04 10:09:25.722744, 0] nmbd/nmbd_logonnames.c:121(become_logon_server_success) become_logon_server_success: Samba is now a logon server for workgroup MRIRESEARCH on subnet UNICAST_SUBNET [2012/09/04 10:09:25.722928, 0] nmbd/nmbd_become_dmb.c:235(become_domain_master_query_success) become_domain_master_query_success: There is already a domain master browser at IP 132.183.202.95 for workgroup MRIRESEARCH registered on subnet UNICAST_SUBNET. [2012/09/04 10:09:29.096239, 0] nmbd/nmbd_logonnames.c:121(become_logon_server_success) become_logon_server_success: Samba is now a logon server for workgroup MRIRESEARCH on subnet 172.21.21.35 [2012/09/04 10:09:29.096382, 0] nmbd/nmbd_logonnames.c:121(become_logon_server_success) become_logon_server_success: Samba is now a logon server
Re: [Samba] Phantom Domain Master Browser
There is no wins.dat or browse.dat anywhere on my server. I am surprised to find this to be the case. I do not have a machine on my network with the IP Address in question. Regards, Robert -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal Sent: Tuesday, July 31, 2012 9:46 AM To: samba@lists.samba.org Subject: Re: [Samba] Phantom Domain Master Browser In the /var/samba/locks directory you may have browse.dat file or wins.* (if this is a WINS server) files that have incorrect info. You should be able to name/backup these files and restart nmbd. Is the phantom master browser a samba server or a Windows machine? the Samba DC normally should win browser elections but it is not always the case. On 07/20/12 09:08, Robert Adkins II wrote: I brought up the old server and have been reviewing the log files. There is no indication of the phantom master browser existing in the old log files. -- Regards, Robert Adkins II IT Manager/Buyer Impel Industries, Inc. 586-254-5800 -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II Sent: Friday, July 20, 2012 8:50 AM To: samba@lists.samba.org Subject: [Samba] Phantom Domain Master Browser There's a phantom domain master browser showing up in my Samba nmbd.log file. I keep thinking that maybe it is left over in one of the files that I transferred over from the old server to the new server and it isn't clearing itself out. Is there a way to clear that and is it possible to have a phantom browser fighting over the Domain from a copied over file? I transferred all of the Samba files found in /etc/samba to the new server. This was also an upgrade from Samba 3.2.7 to Samba 3.6.3 I have noticed some additional files in the /var/log/Samba directory as well as some additional files in the /etc/samba directory on the new server. -- Regards, Robert Adkins II IT Manager/Buyer Impel Industries, Inc. 
586-254-5800
Re: [Samba] Phantom Domain Master Browser
Nevermind. I found them. I also performed the below suggestions and the phantom IP address is still there, fighting for control of the network. -- Regards, Robert Adkins -Original Message- From: Robert Adkins II [mailto:radk...@impelind.com] Sent: Wednesday, August 29, 2012 10:54 AM To: 'gaiseric.van...@gmail.com'; 'samba@lists.samba.org' Subject: RE: [Samba] Phantom Domain Master Browser There is no wins.dat or browse.dat anywhere on my server. I am surprised to find this to be the case. I do not have a machine on my network with the IP Address in question. Regards, Robert -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal Sent: Tuesday, July 31, 2012 9:46 AM To: samba@lists.samba.org Subject: Re: [Samba] Phantom Domain Master Browser In the /var/samba/locks directory you may have browse.dat file or wins.* (if this is a WINS server) files that have incorrect info. You should be able to name/backup these files and restart nmbd. Is the phantom master browser a samba server or a Windows machine? the Samba DC normally should win browser elections but it is not always the case. On 07/20/12 09:08, Robert Adkins II wrote: I brought up the old server and have been reviewing the log files. There is no indication of the phantom master browser existing in the old log files. -- Regards, Robert Adkins II IT Manager/Buyer Impel Industries, Inc. 586-254-5800 -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II Sent: Friday, July 20, 2012 8:50 AM To: samba@lists.samba.org Subject: [Samba] Phantom Domain Master Browser There's a phantom domain master browser showing up in my Samba nmbd.log file. I keep thinking that maybe it is left over in one of the files that I transferred over from the old server to the new server and it isn't clearing itself out. 
Is there a way to clear that and is it possible to have a phantom browser fighting over the Domain from a copied over file? I transferred all of the Samba files found in /etc/samba to the new server. This was also an upgrade from Samba 3.2.7 to Samba 3.6.3 I have noticed some additional files in the /var/log/Samba directory as well as some additional files in the /etc/samba directory on the new server. -- Regards, Robert Adkins II IT Manager/Buyer Impel Industries, Inc. 586-254-5800
Re: [Samba] Phantom Domain Master Browser
Two things: 1. There is no active hosts on my network using that IP Address. 2. There are entries for the Phantom Domain Master Browser, they are pointing to the following: [Domain Name]#1c {string of #'s} -Phantom Server IP Address- *Current Samba Server IP Address* [Domain Name]#1b {string of #'s} -Phantom Server IP Address- *Current Samba Server IP Address* There are no single entries with the phantom IP Address. I have also run an nmap scan of the entire network, there is nothing listed as using the Phantom IP Address, we do not use Wireless and there is nothing plugged into any of the network jacks that I am unaware of, every port is accounted for. -- Regards, Robert Adkins -Original Message- From: Dale Schroeder [mailto:d...@briannassaladdressing.com] Sent: Wednesday, August 29, 2012 1:33 PM To: Robert Adkins II Cc: Samba Subject: Re: [Samba] Phantom Domain Master Browser Robert, Assuming one of the files you found was wins.dat, is there an entry for the offending IP with a corresponding hostname? Knowing the source should surely help with troubleshooting. Dale On 08/29/2012 10:08 AM, Robert Adkins II wrote: Nevermind. I found them. I also performed the below suggestions and the phantom IP address is still there, fighting for control of the network. -- Regards, Robert Adkins -Original Message- From: Robert Adkins II [mailto:radk...@impelind.com] Sent: Wednesday, August 29, 2012 10:54 AM To: 'gaiseric.van...@gmail.com'; 'samba@lists.samba.org' Subject: RE: [Samba] Phantom Domain Master Browser There is no wins.dat or browse.dat anywhere on my server. I am surprised to find this to be the case. I do not have a machine on my network with the IP Address in question. 
Regards, Robert -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal Sent: Tuesday, July 31, 2012 9:46 AM To: samba@lists.samba.org Subject: Re: [Samba] Phantom Domain Master Browser In the /var/samba/locks directory you may have browse.dat file or wins.* (if this is a WINS server) files that have incorrect info. You should be able to name/backup these files and restart nmbd. Is the phantom master browser a samba server or a Windows machine? the Samba DC normally should win browser elections but it is not always the case. On 07/20/12 09:08, Robert Adkins II wrote: I brought up the old server and have been reviewing the log files. There is no indication of the phantom master browser existing in the old log files. -- Regards, Robert Adkins II IT Manager/Buyer Impel Industries, Inc. 586-254-5800 -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II Sent: Friday, July 20, 2012 8:50 AM To: samba@lists.samba.org Subject: [Samba] Phantom Domain Master Browser There's a phantom domain master browser showing up in my Samba nmbd.log file. I keep thinking that maybe it is left over in one of the files that I transferred over from the old server to the new server and it isn't clearing itself out. Is there a way to clear that and is it possible to have a phantom browser fighting over the Domain from a copied over file? I transferred all of the Samba files found in /etc/samba to the new server. This was also an upgrade from Samba 3.2.7 to Samba 3.6.3 I have noticed some additional files in the /var/log/Samba directory as well as some additional files in the /etc/samba directory on the new server. -- Regards, Robert Adkins II IT Manager/Buyer Impel Industries, Inc. 
586-254-5800
[Samba] CIFS mount intermittently unavailable: cifs_mount failed w/return code = -5
I have a debian machine called debian and a windows XP machine called server. I have a permanently mounted read-only share called \\server\doc. My /etc/fstab looks like this:
//server/doc /opt/chroot/mnt/server cifs credentials=/root/.smbmount,username=medical,uid=medical,file_mode=0755,dir_mode=0755,noserverino 0 0
This works well most of the time but at times I get an input/output error when I try to access this share. My syslog shows the following:
Aug 16 15:36:35 debian kernel: [1289131.676869] Status code returned 0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
Aug 16 15:36:35 debian kernel: [1289131.676875] CIFS VFS: Send error in SessSetup = -5
Aug 16 15:36:35 debian kernel: [1289131.676899] CIFS VFS: cifs_mount failed w/return code = -5
Aug 16 15:36:46 debian kernel: [1289142.653770] Status code returned 0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
Aug 16 15:36:46 debian kernel: [1289142.653775] CIFS VFS: Send error in SessSetup = -5
Aug 16 15:36:46 debian kernel: [1289142.653799] CIFS VFS: cifs_mount failed w/return code = -5
Aug 16 15:37:01 debian kernel: [1289158.491697] Status code returned 0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
Aug 16 15:37:01 debian kernel: [1289158.491703] CIFS VFS: Send error in SessSetup = -5
Aug 16 15:37:01 debian kernel: [1289158.491727] CIFS VFS: cifs_mount failed w/return code = -5
Does anyone have any suggestions? Can somebody explain what return code -5 means? I have tried replacing server with its fixed IP address (192.168.0.32), but this does not help. I have even moved all the files to another location on the Windows box and recreated the share, but it still occurs.
[Samba] Phantom Domain Master Browser
There's a phantom domain master browser showing up in my Samba nmbd.log file. I keep thinking that maybe it is left over in one of the files that I transferred over from the old server to the new server and it isn't clearing itself out. Is there a way to clear that and is it possible to have a phantom browser fighting over the Domain from a copied over file? I transferred all of the Samba files found in /etc/samba to the new server. This was also an upgrade from Samba 3.2.7 to Samba 3.6.3 I have noticed some additional files in the /var/log/Samba directory as well as some additional files in the /etc/samba directory on the new server. -- Regards, Robert Adkins II IT Manager/Buyer Impel Industries, Inc. 586-254-5800
Re: [Samba] Phantom Domain Master Browser
I brought up the old server and have been reviewing the log files. There is no indication of the phantom master browser existing in the old log files. -- Regards, Robert Adkins II IT Manager/Buyer Impel Industries, Inc. 586-254-5800 -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II Sent: Friday, July 20, 2012 8:50 AM To: samba@lists.samba.org Subject: [Samba] Phantom Domain Master Browser There's a phantom domain master browser showing up in my Samba nmbd.log file. I keep thinking that maybe it is left over in one of the files that I transferred over from the old server to the new server and it isn't clearing itself out. Is there a way to clear that and is it possible to have a phantom browser fighting over the Domain from a copied over file? I transferred all of the Samba files found in /etc/samba to the new server. This was also an upgrade from Samba 3.2.7 to Samba 3.6.3 I have noticed some additional files in the /var/log/Samba directory as well as some additional files in the /etc/samba directory on the new server. -- Regards, Robert Adkins II IT Manager/Buyer Impel Industries, Inc. 586-254-5800
[Samba] Migrated Server Hardware - Now Experiencing Some Client Drops
I have recently upgraded the hardware that the Samba server was running on. This also included an OS and Samba version upgrade.

Old Server
OpenSuSe 11.1
Samba 3.2.7

New Server
OpenSuSe 12.1
Samba 3.6.3

I moved over everything located in the /etc/samba directory from the old hardware to the new hardware. I set the new server to use the same IP Address, services, hostname. The only difference between the two servers (besides hardware) is the OS and the Samba revision.

It's been about two weeks now and since the switch, I have had between none and upwards of three clients losing connection to the server for a short period of time. The clients do not show anything beyond themselves and maybe one other workstation on the network for upwards of 5 minutes.

I have seen the following error in the log.nmbd file:

    [2012/07/13 10:55:06, 0] nmbd/nmbd_browsesync.c:486(get_domain_master_name_node_status_fail)
      get_domain_master_name_node_status_fail: Doing a node status request to the domain master browser at IP 192.168.254.57 failed.

Which has not repeated for several hours.

In searching through my DHCP lease log, ip address 192.168.254.57 is no longer leased and it is not holding the hostname of the PC that had that address.

My smb.conf file has the OS Level set to 65, which should be high enough to be the master browser for the network. I also have the DHCP server providing the server's address as the WINS Server and the smb.conf file has WINS Support active and I am running the Winbind server.

Is there a log level that may show me more information as to what might be duking it out with the new Samba Server? (The old server is no longer connected to the network, it is available only as a last resort back-up at this time.)

--
Regards,
Robert Adkins
Re: [Samba] Can't get idmap connected to AD unix attribs
Nick,

I think what you may be looking for is the ad backend:

https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Since you are using tdb in your config, it is using a local database and allocates UID/GIDs on the fly...first come, first served. So a user may not get the same UID from one machine to the next.

Robert

On 07/10/2012 12:20 AM, Nick Triantos wrote:

Hi,

I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and Winbind to map userids and groups to the unix attributes in an AD 2008 server. I can see that when I perform an ldapsearch, I'm able to read the attributes, and for one of my accounts, the id should be 1001. However, when I run 'wbinfo -i username', I get back something like 920. At one point, I was setting the idmap range to start at 900, but I've since removed that from my config, and restarted winbindd and smbd. I've also tried to 'net cache flush'.

I also see wbinfo -i someuser usually returns:

    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user someuser

The relevant parts of my smb.conf are below. I've tried patching this together from various tuts and help pages. Any guidance would be very helpful.

thanks!
-Nick

    [global]
    workgroup = CORP
    security = ADS
    password server = 192.168.77.251
    realm = CORP.MYCOMPANY.COM
    allow trusted domains = yes
    winbind use default domain = yes
    winbind nested groups = YES
    idmap config CORP : backend = tdb
    idmap config CORP : default = yes
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 1000 -
    idmap config * : backend = tdb
    encrypt passwords = true
    obey pam restrictions = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    restrict anonymous = 2
    unix password sync = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
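An added example, not from either poster or the Samba project: a minimal smb.conf fragment for the ad backend suggested in the reply above, reusing the CORP workgroup and realm from Nick's configuration. Both range values are constructed placeholders, since the upper bound is not given in the thread.

```ini
[global]
    workgroup = CORP
    security = ADS
    realm = CORP.MYCOMPANY.COM

    # Default domain (BUILTIN and anything not configured below): IDs are
    # allocated locally, first come first served, so they can differ from
    # one machine to the next. Range is a constructed placeholder.
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999

    # CORP: read uidNumber/gidNumber from the RFC 2307 attributes stored in
    # AD instead of allocating them, so every member server resolves the
    # same user to the same UID. Range is a constructed placeholder; it has
    # to contain the IDs assigned in AD (1001 in the question) and must not
    # overlap the default range above.
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 1000-99999

    # Take home directory and login shell from the same attributes.
    winbind nss info = rfc2307
```

With the ad backend the range acts as a filter: an account with no uidNumber in AD, or with one outside the range, gets no mapping at all rather than a locally allocated ID.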
Re: [Samba] speed of samba vs Windows
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Steve Thompson
Sent: Thursday, June 28, 2012 11:07 AM
To: Todor Fassl
Cc: samba@lists.samba.org
Subject: Re: [Samba] speed of samba vs Windows

On Thu, 28 Jun 2012, Todor Fassl wrote:

Is there any reason to believe that a samba server would be slower when serving up roaming profiles than a real Windows server?

In my experience, Samba is much faster than Windows on comparable hardware. From 3 to 5 times faster, depending on function.

Samba is also far more versatile and configurable than Windows Server. For instance, built into Samba it's possible to configure a Recycle Bin into each and every share. This is accomplished through adding a single line to the share. To do that on Windows, it requires a registry hack, on each workstation. Maybe that can be automated, but it doesn't have anything to do with the server, it's all done on the workstation, forget to implement the registry hack, then you forget about having a Recycle Bin on that share. I can't tell you how many times that Samba configuration has saved a piece of critical data.

Our Windows guy insists samba is slow but I don't believe it. He claims that when you load a roaming profile, Windows downloads only files that have changed and samba downloads everything. But he doesn't know anything about samba and I don't know where he got that from.

Indeed he doesn't know anything about Samba; he's wrong.

Steve

I concur.

-Rob
Re: [Samba] speed of samba vs Windows
At Thu, 28 Jun 2012 13:46:07 -0500 Todor Fassl fassl@gmail.com wrote:

is it possible that unix file timestamps having a greater precision than ntfs is causing windows to see a change? I know rsync has an option to combat this.

Well, I have no reason to believe that our Windows guy is correct and that Windows downloads only changed files and samba downloads the whole profile. I'm guessing he is basing that on how slow logins are. I can guarantee that he hasn't actually checked it out. He either thought it up himself or he heard it somewhere. Does anyone know if Windows does download only files that have changed?

Something just occurred to me... Well, maybe this is a bug in samba but probably not. When you join a machine to a domain where a time server is configured, it doesn't automatically configure the time servers on the client machine. On our network, the file server is the PDC. We have redundant BDCs which are configured as time servers in samba and are also ntp servers for the linux machines. If I boot a linux machine, I can use ntpq -p to make sure that the machine is getting data from our ntp servers. But if I go into the Windows control panel and look at Date and Time, the server listed there is time.windows.com. [Which, as it occurs to me, is also bogus in that what the heck is windows.com? If its Microsoft, why isn't the default time server time.microsoft.com?]

dig time.windows.com =

    ;; ANSWER SECTION:
    time.windows.com.           3482 IN CNAME time.microsoft.akadns.net.
    time.microsoft.akadns.net.  158  IN A     65.55.21.13

Yes. windows.com is a real live domain name, (owned by Microsoft), and time.windows.com is a real host name with actual records. And it appears to be a legit time server.

Anyway, it seems to me that if you join a machine to a domain with a time server configured, it should show up in Date and Time - Internet Time - Server. But our BDCs aren't even listed there.

Gawd, I hate Windows. I don't hate Microsoft or Bill Gates. He seems like a nice enough guy to me. And I don't blame him for getting to be a bzillionaire even though his software kinda sucks. But, still, I hate Windows.

--
Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
[Samba] Migrating to new hardware
I'm looking for confirmation that what I am about to do will work.

My intent is to decommission the existing Samba PDC hardware and put in its place the new hardware. I intend on having the users see no difference, in terms of what they have/had and will continue to have available.

Right now I will be copying everything from the /etc/samba directory into the same on the new server, moving from Samba 3.2x to Samba 3.6x.

I also intend on copying over the passwd, shadow and group files.

Am I missing anything?

Thanks.

--
Regards,
Robert Adkins II
Re: [Samba] Migrating to new hardware
Yeah, my plan is to scoot over the netlogin and the profiles directories as well (and all of the data currently shared on the fileserver too).

Thanks.

--
Regards,
Robert Adkins II

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: Monday, June 04, 2012 10:07 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Migrating to new hardware

Run testparm -v - you will probably want to copy over the /var/samba/locks directory

    lock directory = /var/samba/locks
    state directory = /var/samba/locks
    cache directory = /var/samba/locks
    pid directory = /var/samba/locks

You also want to make sure your netlogon and profile directories are replicated.

I ran into some issues migrating from 3.0.x to 3.4.x. I am not sure if these changes are already in place in 3.2.x.

In 3.4.x. I needed to explicitly define a unix nobody user.

    guest account = smb_nobody

I also had to explicitly grant admin perms to the domain admins group so that they had sufficient privileges on local PC's. But I think I had made some error somewhere else, so I don't think you will encounter this.

I have an ldap backend, and I found with 3.4.x or 3.5.x. that joining the machine to the domain had some issues relating to ldap attributes being created or set properly.

On 06/04/12 09:30, Robert Adkins II wrote:

I'm looking for confirmation that what I am about to do will work.

My intent is to decommission the existing Samba PDC hardware and put in its place the new hardware. I intend on having the users see no difference, in terms of what they have/had and will continue to have available.

Right now I will be copying everything from the /etc/samba directory into the same on the new server, moving from Samba 3.2x to Samba 3.6x.

I also intend on copying over the passwd, shadow and group files.

Am I missing anything?

Thanks.
[Samba] NT_STATUS_ACCESS_DENIED on previously created files
On Ubuntu, I have upgraded to the latest LTS version, which upgraded my Samba to 3.6.3 and now getting NT_STATUS_ACCESS_DENIED when trying to remove files and folders.

This server MEDIA is setup as a member server to a FreeBSD PDC called MAIL using LDAP for authentication. All been working great for a long time, now from the PDC, I try

    mail# smbclient -U robert //media/robert
    WARNING: The enable privileges option is deprecated
    WARNING: The idmap backend option is deprecated
    WARNING: The idmap uid option is deprecated
    WARNING: The idmap gid option is deprecated
    WARNING: The idmap backend option is deprecated
    Enter robert's password:
    Domain=[WEBTENT] OS=[Unix] Server=[Samba 3.6.3]
    smb: \> mkdir test
    smb: \> rmdir test
    NT_STATUS_ACCESS_DENIED removing remote directory file \test

I know I have some work to do to get rid of the warnings, but I can login to MAIL (PDC) and other Win workstations, create and remove files with no issue. It is only when logging into this member server locally or from a remote workstation.

Getting this sort of thing in the logs...

    [2012/05/10 14:24:33.711345, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
      posix_get_nt_acl: called for file test
    [2012/05/10 14:24:33.711404, 10] smbd/posix_acls.c:2537(canonicalise_acl)
      canonicalise_acl: Access ace entries before arrange :
    [2012/05/10 14:24:33.711447, 10] smbd/posix_acls.c:2550(canonicalise_acl)
      canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
    [2012/05/10 14:24:33.711496, 10] smbd/posix_acls.c:2550(canonicalise_acl)
      canon_ace index 1. Type = allow SID = S-1-22-2-512 gid 512 (Domain Admins) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
    [2012/05/10 14:24:33.713525, 10] smbd/posix_acls.c:2550(canonicalise_acl)
      canon_ace index 2. Type = allow SID = S-1-5-21-684728786-369066487-751336906-33290 uid 16145 (robert) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
    [2012/05/10 14:24:33.715245, 10] smbd/posix_acls.c:848(print_canon_ace_list)
      print_canon_ace_list: canonicalise_acl: ace entries after arrange
      canon_ace index 0. Type = allow SID = S-1-5-21-684728786-369066487-751336906-33290 uid 16145 (robert) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
      canon_ace index 1. Type = allow SID = S-1-22-2-512 gid 512 (Domain Admins) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
      canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
    [2012/05/10 14:24:33.718539, 10] smbd/posix_acls.c:1124(map_canon_ace_perms)
      map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
    [2012/05/10 14:24:33.718585, 10] smbd/posix_acls.c:1124(map_canon_ace_perms)
      map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
    [2012/05/10 14:24:33.718627, 10] smbd/posix_acls.c:1124(map_canon_ace_perms)
      map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
    [2012/05/10 14:24:33.718676, 10] smbd/file_access.c:76(can_access_file_acl)
      can_access_file_acl for file test access_mask 0x1, access_granted 0x1 access DENIED

I've googled stuff like this...

https://bugzilla.samba.org/show_bug.cgi?id=7521

I even tried upgrading my PDC to the latest available, 3.6.5, but nothing seems to help.

Has anyone had this issue?

Thanks,
Robert
Re: [Samba] Samba authenticating against Windows Active Directory
On 05/08/2012 04:38 PM, Marcelo Pereira wrote:

Hello all,

I have a question regarding the integration between Samba and the Active Directory (Windows 2008).

Current setup:

1. We have been using a Samba server to offer shared folder to the user in my institution.
2. The users have any kind of operational system on their machines, and they don't log in any domain server
3. The users simply map their shares at the Samba server, using their samba usernames and password.

The future:

1. We have a main LDAP server (Windows 2008 Active Directory) that we want to integrate with our Samba server.
2. We would like to keep the modus operandi of the usage (i.e.: The users simply point to their shares, enter their usernames/passwords and access their files).
3. We don't want to have the samba usernames/passwords. Instead, we want the Samba to authenticate using the Active Directory.

The final situation would be:

1. User turn his computer on (doesn't matter the operational system that he is using).
2. User map his samba share
3. User enter his credentials to the Samba Share
4. Samba ask the Active Directory if these credentials are valid
5. If the username/password is authenticated successfully against the Active Directory, then Samba let the user access his files.

The questions:

1. At this point, the linux server has joined the domain (it's ok at this point). How can I accomplish the Samba+AD integration?? Is there any specific documentation??

Thanks,
Marcelo

Marcelo,

A good start may be to send the list your smb.conf file. Possibly your krb5.conf as well.

This is a good start doc-wise, but is a bit dated:

https://wiki.samba.org/index.php/Samba__Active_Directory

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Preventing brute force password attacks
At Tue, 17 Apr 2012 20:32:05 + (UTC) era...@panix.com (Ed Ravin) wrote:

I was hoping to set up fail2ban to block IP addresses that generate too many Samba password failures, but it needs a syslog message with the IP address of the computer that failed password authentication. Unfortunately, Samba doesn't seem to do this in my environment. Here's a sample error message:

    smbd[312]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !

I tried turning on full_audit, and I see the audit messages for successful connections, but there aren't any audit messages for login failures. I used these settings:

    full_audit:failure = connect
    full_audit:success = connect disconnect
    full_audit:facility = local5
    full_audit:priority = notice

Can Samba be configured to log authentication errors with IP addresses? Or do we need to change the source?

You do understand that fail2ban works with your firewall and is meant for public internet services, such as Mail (eg Sendmail or Postfix) or HTTP or DNS. Since NETBIOS services are NOT services that should ever be used over the public internet. You should only have smbd/nmbd listening on your local LAN and not on your WAN / public Internet connection. Since your LAN will have only known local IP addresses (either statically assigned or from a limited pool of IP address), it really isn't meaningful to block these addresses.

What *exactly* do you want to accomplish here? Do you really want to ban machines on your LAN from accessing your (office) server?

--
Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
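One way to apply the advice in the reply above, as an added example that is not from the thread: keep smbd/nmbd off the WAN side in smb.conf itself. The interface name eth0 and the 192.168.1. address prefix are constructed placeholders for the LAN.

```ini
[global]
    # Weak default: with neither of the next two settings present, smbd
    # accepts connections on every address the host has, including a
    # WAN-facing one.

    # Hardened: name the interfaces to serve on and bind only to them.
    # Loopback stays in the list because local tools such as smbpasswd
    # connect to 127.0.0.1.
    interfaces = lo eth0
    bind interfaces only = yes

    # Second layer: when an allow list is set and no deny list is given,
    # only clients matching the allow list are served. Here that is
    # loopback plus the LAN prefix.
    hosts allow = 127. 192.168.1.
```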
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On 04/09/2012 04:09 PM, bakytn wrote:

Here is the global section of my smb.conf:

I am not sure if I am using Winbind (I guess yes).

    [global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    preferred master = no
    server string = SAMBA
    security = ADS
    encrypt passwords = yes
    log level = 1
    log file = /var/log/samba/log.%m
    max log size = 1000
    idmap uid = 3000-2
    idmap gid = 3000-2
    template shell = /bin/bash
    winbind enum groups = yes
    winbind enum users = yes
    winbind separator = +
    winbind use default domain = Yes
    winbind nested groups = Yes
    template homedir = /data/files/%U
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes

--
View this message in context: http://samba.2283325.n4.nabble.com/UID-GID-mapping-consistency-across-at-least-two-Linux-machines-tp4543255p4543701.html
Sent from the Samba - General mailing list archive at Nabble.com.

I have some notes on what I have done with my machines. I hope it may help you out. Just read it all over and the template files closely before just jumping on into it.

https://uisapp2.iu.edu/confluence-prd/display/~rmday/Linux+Integration+with+Active+Directory

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Offline Caching
On 05.02.2012 00:12, Jeremy Allison wrote:

On Sat, Feb 04, 2012 at 04:33:59PM +0100, Volker Lendecke wrote:

On Sat, Feb 04, 2012 at 02:54:13PM +, Mike Howard wrote:

I'm sure this has been asked before but I can't find anything recent. Using Samba4 and windows clients, the client logs include lots of 'windows has detected that offline caching is enabled on the roaming profile share...' messages. Is this an issue and if so, how do I sort it? I've found references to 'csc policy = disable' but this is not recognised in samba4 smb.conf.

Probably someone needs to take the time to port this feature from the Samba3 based fileserver to the Samba4 based one. Patches welcome :-)

Now, now Volker :-). This will get fixed when the source3 fileserver replaces the source4 one, which is a mandatory fix before final release of Samba4.

Cheers,
Jeremy.

Anyway, offline caching can be configured on the client too (policies etc.), as far as I know/remember.

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
I tried to add idmap config DOMAIN : default = yes and it does not help. I'm using hash. I've found some interesting things that I've included in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.

Robert

On Wed, Dec 21, 2011 at 5:33 PM, David Roid datar...@gmail.com wrote:

Been there, you can try to add either idmap config DOMAIN : default = yes, or use old-fashion idmap backend = ... + idmap uid = ... + idmap gid = ... to replace idmap config * : ..., I don't know which one actually fixed it.

2011/12/22 Dale Schroeder d...@briannassaladdressing.com

Originally filed by Robert LeBlanc as Debian Bug # 652679 - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679

Quote

Package: winbind
Version: 2:3.6.1-3
Severity: important

Dear Maintainer,

After upgrading to 3.6.1 I am no longer able to login to Debian using my Active Directory account. 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but 'winbind -i user' returns 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user user'. Changing the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306 (fork_domain_child) fork_domain_child called without domain.'. The previous wbint_Sid2Uid struct printout shows that dom_name is NULL, but has the correct domain SID. I believe the problem may exist around there.

I did upgrade the 'idmap backend = hash' to the new format 'idmap config * : backend = hash' as specified in the man page without any luck.

Name to SID and SID to name works along with user-domgroups, but user-groups does not work. 'wbinfo --group-info=group' fails with a similar error as 'wbinfo -i user'.

I'm going to try to get back to 3.5.11.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages winbind depends on:
ii  adduser           3.113
ii  libc6             2.13-21
ii  libcap2           1:2.22-1
ii  libcomerr2        1.42-1
ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
ii  libk5crypto3      1.10+dfsg~alpha1-6
ii  libkrb5-3         1.10+dfsg~alpha1-6
ii  libldap-2.4-2     2.4.25-4+b1
ii  libpam0g          1.1.3-6
ii  libpopt0          1.16-1
ii  libtalloc2        2.0.7-3
ii  libtdb1           1.2.9-4+b1
ii  libwbclient0      2:3.6.1-3
ii  lsb-base          3.2-28
ii  samba-common      2:3.6.1-3
ii  zlib1g            1:1.2.3.4.dfsg-3

Versions of packages winbind recommends:
ii  libpam-winbind    2:3.6.1-3

winbind suggests no packages.

-- no debconf information

/Quote

I also have this error, and reported as follows:

Robert,

Same problem here, and I have not seen anyone mention this on the Samba list. Systems are fully updated and testparm does not return any errors. idmap backend is rid notated in the new format. All deprecated parameters have been removed.

On my systems, I have found that full functionality returns after a reboot; however, if samba/winbind processes are restarted for any reason, AD authentication again no longer works. As with you, wbinfo -u/-g continues to work, as does getent passwd. getent group only returns linux groups. Another reboot will return winbind once again to full functionality.

Even at log level 10, error messages have been hard to find among the many winbind logs. At the time of failure, the one I consistently find is in syslog:

    winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.

This morning, I recreated the error by restarting Samba/winbind at 07:47. The only suspicious level 10 log entries found from that timeframe are:

syslog

    Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769, 0] winbindd/winbindd_ads.c:1068(lookup_groupmem)
    Dec 21 07:47:25 debinsp3200 winbindd[3489]: ads_ranged_search failed with: Time limit exceeded

smbd

    [2011/12/21 07:47:10.102879, 1] lib/serverid.c:197(serverid_deregister)
      Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
    [2011/12/21 07:47:10.103603, 1] smbd/server.c:303(remove_child_pid)
      Could not remove pid 3491 from serverid.tdb
    [2011/12/21 07:47:10.104114, 1] smbd/server.c:317(remove_child_pid)
      Could not find child 3491 -- ignoring
    [2011/12/21 07:48:10.174369, 1] lib/serverid.c:197(serverid_deregister)
      Deleting serverid.tdb record failed: NT_STATUS_NOT_FOUND
    [2011/12/21 07:48:10.175075, 1] smbd/server.c:303(remove_child_pid)
      Could not remove pid 3499 from serverid.tdb
    [2011/12/21 07:48:10.490994, 1] smbd/server.c:317(remove_child_pid)
      Could not find child 3499 -- ignoring

net ads testjoin indicates that the join is good.

[global] workgroup = DOMAIN
Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1
What backend are you using? I can't get a single authentication to work whether I reboot or not. The new or old syntax for hash does not work for me. I get a segfault in the hash module when compiled as shared modules. I've mentioned all that in the bug report.

Robert

On Thu, Dec 22, 2011 at 9:31 AM, Dale Schroeder d...@briannassaladdressing.com wrote:

That is correct - it did not fix the problem - old or new idmap syntax. Any time I restart the processes, such as after a config change, winbind auth fails. getent group yields the syslog error shown in the original post. wbinfo -i user fails even though user appears in getent passwd. Reboot the system and everything is functioning again until the next time nmbd/smbd/winbind are restarted, after which winbind is nonfunctioning once again.

Dale

On 12/22/2011 9:02 AM, David Roid wrote:

Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1 using following idmap settings:

    idmap config * : range = ...
    idmap config * : backend = ...
    idmap config DOM : range = ...
    idmap config DOM : default = yes
    idmap config DOM : backend = ...

then join the domain, no problem at all.

2011/12/22 Dale Schroeder d...@briannassaladdressing.com

David, thanks for the help, but I'm afraid that workaround does not work for me either.

Robert, thanks for furnishing all that useful info to bugzilla.

Jeremy, thanks for for the update on https://bugzilla.samba.org/show_bug.cgi?id=8384.

I feel like I'm at the Academy Awards. Merry Christmas to all. [];o{P

Dale

On 12/21/2011 11:42 PM, Robert LeBlanc wrote:

I tried to add idmap config DOMAIN : default = yes and it does not help. I'm using hash. I've found some interesting things that I've included in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.

Robert

On Wed, Dec 21, 2011 at 5:33 PM, David Roid datar...@gmail.com wrote:

Been there, you can try to add either idmap config DOMAIN : default = yes, or use old-fashion idmap backend = ... + idmap uid = ... + idmap gid = ... to replace idmap config * : ..., I don't know which one actually fixed it.

2011/12/22 Dale Schroeder d...@briannassaladdressing.com

Originally filed by Robert LeBlanc as Debian Bug # 652679 - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679

Quote

Package: winbind
Version: 2:3.6.1-3
Severity: important

Dear Maintainer,

After upgrading to 3.6.1 I am no longer able to login to Debian using my Active Directory account. 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but 'winbind -i user' returns 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user user'. Changing the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306 (fork_domain_child) fork_domain_child called without domain.'. The previous wbint_Sid2Uid struct printout shows that dom_name is NULL, but has the correct domain SID. I believe the problem may exist around there.

I did upgrade the 'idmap backend = hash' to the new format 'idmap config * : backend = hash' as specified in the man page without any luck.

Name to SID and SID to name works along with user-domgroups, but user-groups does not work. 'wbinfo --group-info=group' fails with a similar error as 'wbinfo -i user'.

I'm going to try to get back to 3.5.11.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages winbind depends on:
ii  adduser           3.113
ii  libc6             2.13-21
ii  libcap2           1:2.22-1
ii  libcomerr2        1.42-1
ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
ii  libk5crypto3      1.10+dfsg~alpha1-6
ii  libkrb5-3         1.10+dfsg~alpha1-6
ii  libldap-2.4-2     2.4.25-4+b1
ii  libpam0g          1.1.3-6
ii  libpopt0          1.16-1
ii  libtalloc2        2.0.7-3
ii  libtdb1           1.2.9-4+b1
ii  libwbclient0      2:3.6.1-3
ii  lsb-base          3.2-28
ii  samba-common      2:3.6.1-3
ii  zlib1g            1:1.2.3.4.dfsg-3

Versions of packages winbind recommends:
ii  libpam-winbind    2:3.6.1-3

winbind suggests no packages.

-- no debconf information

/Quote

I also have this error, and reported as follows:

Robert,

Same problem here, and I have not seen anyone mention this on the Samba list. Systems are fully updated and testparm does not return any errors. idmap backend is rid notated in the new format. All deprecated parameters have been removed.

On my systems, I have found that full functionality returns after a reboot; however, if samba/winbind processes are restarted for any reason, AD authentication again no longer works. As with you, wbinfo -u/-g continues to work, as does getent passwd. getent group only returns linux groups. Another reboot will return winbind
Re: [Samba] Samba 4 success on openSUSE 12.1
On 29.11.2011 19:58, steve wrote:

    samba -b
    Samba version: 4.0.0alpha18-GIT-5c53926
    Build environment:
    Build host: Linux hh3 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux

openSUSE 12.1 i586

Hi everyone.

After

    ./source4/setup/provision --realm=hh3.site --domain=HH1 --adminpass=SOMEPASSWORD --server-role='domain controller'

The wiki howto for DNS seems to be wrong. I had to do this:

Copy /usr/local/samba/private/named.conf to /etc/named.conf.samba4

Copy /usr/local/samba/private/dns/hh3.site.zone to /var/lib/named/master

edit /etc/named.conf.samba4 to point to /var/lib/named:

    zone "hh3.site." IN {
        type master;
        file "/var/lib/named/master/hh3.site.zone";
    };

edit /etc/named.conf to include:

    include "/etc/named.conf.samba4";

as the last line in the file.

Is this correct? On restarting bind there are still errors:

    Nov 29 19:54:15 hh3 named[4038]: command channel listening on 127.0.0.1#953
    Nov 29 19:54:15 hh3 named[4038]: couldn't add command channel ::1#953: address not available
    Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found

Looks like a pure bind failure, perhaps related to dnssec. Are you running a chroot bind? Perhaps it's looking in the wrong place for the file; try locate managed-keys.bind (if locate is installed) to find it, or try to create it.

http://o-o-s.de/?p=2966 says, e.g. for Debian:

    echo "include \"/etc/bind/bind.keys\";" >> /etc/bind/named.conf
    touch /var/cache/bind/managed-keys.bind

but that may be different with SUSE, attention! Look at other bind sites.

    Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loaded serial 0

DNS and Kerberos are working fine. Are these errors to do with Samba4?

Thanks
Steve.

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [Samba] Samba 4 success on openSUSE 12.1
On 29.11.2011 20:37, Robert Schetterer wrote:

On 29.11.2011 19:58, steve wrote:

samba -b
Samba version: 4.0.0alpha18-GIT-5c53926
Build environment:
Build host: Linux hh3 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux
openSUSE 12.1 i586

Hi everyone. After.

./source4/setup/provision --realm=hh3.site --domain=HH1 --adminpass=SOMEPASSWORD --server-role='domain controller'

The wiki howto for DNS seems to be wrong. I had to do this:

Copy /usr/local/samba/private/named.conf to /etc/named.conf.samba4
Copy /usr/local/samba/private/dns/hh3.site.zone to /var/lib/named/master
edit /etc/named.conf.samba4 to point to /var/lib/named:
zone "hh3.site." IN { type master; file "/var/lib/named/master/hh3.site.zone";
edit /etc/named.conf to include:
include "/etc/named.conf.samba4";
as the last line in the file.

Is this correct? On restarting bind there are still errors:

Nov 29 19:54:15 hh3 named[4038]: command channel listening on 127.0.0.1#953
Nov 29 19:54:15 hh3 named[4038]: couldn't add command channel ::1#953: address not available
Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found

looks like pure bind failure, perhaps related to dnssec. are you running a chroot bind? perhaps it's looking in the wrong place for the file, try locate managed-keys.bind (if locate is installed) to find it, or try to create it. http://o-o-s.de/?p=2966 says e.g. for debian

echo include \/etc/bind/bind.keys\; /etc/bind/named.conf
touch /var/cache/bind/managed-keys.bind

but that may be different with suse, attention! look at other bind sites

studied some faqs, this file should be autocreated if the related dir is writable. restart bind (named) and look if the log shows the failure again

Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loaded serial 0

DNS and Kerberos are working fine. Are these errors to do with Samba4? Thanks Steve.

-- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: [Samba] Samba 4 success on openSUSE 12.1
On 29.11.2011 20:50, steve wrote:

studied some faqs, this file should be autocreated if the related dir is writable. restart bind (named) and look if the log shows the failure again

Yep. Still there:

Nov 29 20:49:23 hh3 named[5000]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Nov 29 20:49:23 hh3 named[5000]: managed-keys-zone ./IN: loaded serial 0
Nov 29 20:49:23 hh3 named[4952]: Starting name server BIND ..done
Nov 29 20:49:23 hh3 named[5000]: running

What is the directory that should be writeable? Cheers Steve.

named 11828 3.2 1.5 116332 48032 ? Ssl Nov22 360:27 /usr/sbin/named -t /var/lib/named -u named

sorry, i have only an older suse to look at. try look/cd at /var/lib/named if using chroot, then try touch managed-keys-zone in there or some subfolder (depends on your conf). perhaps you need chmod named:named managed-keys-zone. after all, try asking on a suse list, suse people should easily answer this stuff

-- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: [Samba] Re : Problem with Winbind
On 11/17/2011 06:09 AM, djamel boussebha wrote:

Hi; I would like to set the file /etc/krb5.keytab for apache :

# net ads keytab add HTTP -U compte_admin_dom1
Processing principals to add...
Enter administrateur's password:
# ktutil
ktutil: l
slot KVNO Principal
-
ktutil:

The file is empty ? May be that this problem is linked to the command net ads ? because when I try to join the AD :

# net ads join -U administrat...@p9bis.neoplus.laposte.poc
Enter administrat...@p9bis.neoplus.laposte.poc's password:
Failed to join domain: failed to find DC for domain P9BIS.NEOPLUS.LAPOSTE.POC

But with rpc it works :

# net rpc join -U administrat...@p9bis.neoplus.laposte.poc
Enter administrat...@p9bis.neoplus.laposte.poc's password:
Joined domain P9BIS.

When I execute :

# net ads info - U administrateur
Failed to get server's current time!
LDAP server: 187.0.17.104
LDAP server name: CINVW067.p9bis.neoplus.laposte.poc
Realm: P9BIS.NEOPLUS.LAPOSTE.POC
Bind Path: dc=P9BIS,dc=NEOPLUS,dc=LAPOSTE,dc=POC
LDAP port: 389
Server time: Thu, 01 Jan 1970 01:00:00 CET
KDC server: 187.0.17.104

And

# net rpc info -U administrateur
Enter administrateur's password:
Domain Name: P9BIS
Domain SID: S-1-5-21-254703050-2859693384-3493432365
Sequence number: 1
Num users: 50
Num domain groups: 0
Num local groups: 12

The 2 commands # wbinfo -u and wbinfo -g return no values for users/groups ?

The kinit works fine :

# kinit administrat...@p9bis.neoplus.laposte.poc
Password for administrat...@p9bis.neoplus.laposte.poc:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrat...@p9bis.neoplus.laposte.poc
Valid starting Expires Service principal
11/17/11 12:05:00 11/17/11 22:05:03 krbtgt/p9bis.neoplus.laposte@p9bis.neoplus.laposte.poc
renew until 11/18/11 12:05:00
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Impossible to join the AD server with ads :

# net ads testjoin
Join to domain is not valid: Operations error
# net rpc testjoin
Join to 'P9BIS' is OK

How to make the ads work correctly and how to get the list of users of the AD domain ? Any help would be very appreciated. Regards

--- On Wed 16.11.11, djamel boussebha dbousse...@yahoo.fr wrote:
From: djamel boussebha dbousse...@yahoo.fr
Subject: Problem with Winbind
To: samba@lists.samba.org samba@lists.samba.org, foedi...@eva.mpg.de foedi...@eva.mpg.de, AndrewPhilipoff aphilip...@medicine.ucsf.edu
Date: Wednesday 16 November 2011, 17:24

Hi; wbinfo can not get the user names and group names of my AD domain (Windows 2008 SP2) The result for wbinfo -t is ok : checking the trust secret for domain P9BIS via RPC calls succeeded But when i try to get wbinfo -n USER1 or wbinfo -r USER1 it shows this error message: Could not lookup name USER1 I use Samba version : 3.5.12. Any help would be very appreciated... thanks to anyone!

I noticed the server time has the year 1970. The ads methods use kerberos and that is time sensitive. Get the accurate date/time and things should start working for you. Perhaps have it sync with a time server.

Robert

-- Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
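Added example, not part of the original thread: a Python check run over the `net ads info` output posted above. It reports a server time equal to the Unix epoch (or the "Failed to get server's current time!" line) as "no time obtained", and otherwise compares the DC clock with the local clock; the 5-minute tolerance, the zone table and all function names are assumptions of this example.

```python
"""Clock check for `net ads info` output (added example, not Samba code)."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: 5 minutes, the usual default Kerberos clock-skew tolerance.
MAX_SKEW = timedelta(minutes=5)

# Assumption: the zone abbreviations this sketch understands (hours east of UTC).
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "CET": 1, "CEST": 2}

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# `net ads info` output as posted in the message above.
POSTED_OUTPUT = """\
Failed to get server's current time!
LDAP server: 187.0.17.104
LDAP server name: CINVW067.p9bis.neoplus.laposte.poc
Realm: P9BIS.NEOPLUS.LAPOSTE.POC
Bind Path: dc=P9BIS,dc=NEOPLUS,dc=LAPOSTE,dc=POC
LDAP port: 389
Server time: Thu, 01 Jan 1970 01:00:00 CET
KDC server: 187.0.17.104
"""

# Constructed sample: the same output with a plausible server time filled in.
HEALTHY_OUTPUT = POSTED_OUTPUT.replace(
    "Failed to get server's current time!\n", ""
).replace("Thu, 01 Jan 1970 01:00:00 CET", "Thu, 17 Nov 2011 12:05:03 CET")

SERVER_TIME_RE = re.compile(
    r"^Server time:[ \t]*(\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (\S+)[ \t]*$",
    re.MULTILINE,
)


def parse_server_time(output):
    """Return the 'Server time:' value as an aware datetime, or None if absent."""
    match = SERVER_TIME_RE.search(output)
    if match is None:
        return None
    stamp, zone = match.groups()
    zone = zone.upper()
    if zone not in TZ_OFFSETS:
        raise ValueError("unknown time zone abbreviation: " + zone)
    naive = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))


def check_clock(output, now):
    """Classify the output as 'unavailable', 'skewed' or 'ok'.

    Returns (status, skew); skew is None when no server time was obtained.
    """
    server = parse_server_time(output)
    failed = "Failed to get server's current time" in output
    # 01:00:00 CET on 1 Jan 1970 is timestamp 0: the field was never filled in,
    # so it says nothing about what the DC clock really shows.
    if server is None or failed or server == EPOCH:
        return ("unavailable", None)
    skew = abs(now - server)
    if skew > MAX_SKEW:
        return ("skewed", skew)
    return ("ok", skew)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        print(label, check_clock(text, datetime.now(timezone.utc)))
```

An "unavailable" result points at the time query to the DC failing, so check reachability of the DC and the local clock source before comparing clocks.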
Re: [Samba] R: Re: Dos/Unix newline translating
on Debian it is possible that you are using the original VI. On RedHat you must be using ViM (VI Improved). Do you have vim on Debian ?

--- Robert GRASSO System engineer CEDRAT S.A. 15 Chemin de Malacher - Inovallée - 38246 MEYLAN cedex - FRANCE Phone: +33 (0)4 76 90 50 45 - Fax: +33 (0)4 56 38 08 30 mailto:robert.gra...@cedrat.com - http://www.cedrat.com

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Riccardo Castellani
Sent: 9 November 2011 11:56
To: jd...@yahoo.com; samba@lists.samba.org
Subject: [Samba] R: Re: Dos/Unix newline translating

But I have another server with RedHat and Samba 3.0.10 configured in the same way, but I can view correctly text files which I move to RedHat server.

Original message
From: jd...@yahoo.com
Date: 9-Nov-2011 11.42
To: samba@lists.samba.org samba@lists.samba.org
Subject: Re: [Samba] Dos/Unix newline translating

From: Riccardo Castellani ric.castell...@alice.it

if I create a text file in my Windows XP client and I copy it to /temporary folder, then I open it by VI editor into my Debian server and I see '^M' at the end of every row. How can I solve problem ? Problem references to Dos/Unix newline translating ?

Windows uses '\r\n' and Unix uses '\n'... Either configure your Windows text editor to use \n, or use dos2unix or use sed, etc... A simple google search would have pointed to you to something like: http://www.cyberciti.biz/faq/howto-unix-linux-convert-dos-newlines-cr-lf-unix-text-format/

JD
Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbac ked PDC and MS Exchange 5.5 still
On 28.10.2011 20:00, Chris Smith wrote:

On Fri, Oct 28, 2011 at 1:51 PM, Derek Werthmuller dwert...@ctg.albany.edu wrote:

I did consider this, though the issue is what do I do with the existing NT4 PDC - I can demote this to BDC but from the samba docs samba PDC and Windows BDC is not supported. And I don't think it can demote the PDC to server role.

There is no supported NT4 PDC demotion scenario. But via registry hack I think you can demote to server and then become a member server. And Exchange 5.5 can run on member server.

for info: a long time ago i tested exchange 5.5 / win2000 server working with a samba pdc controller. it worked like a charm, but that's years ago. these days you shouldn't use such setups, there are a lot of other solutions, based on open source or ms solutions. exchange 5.5 is too much outdated

I'm also trying to be very careful not to make substantial changes to the exchange host - I need that working for a short while longer. That's one reason for dealing with the VM's. I'll be able to test these changes in a separate virtual environment. Just would be nice to know if anyone has actually done this and, if doable, what the caveats and gotchas were.

-- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: [Samba] samba with nfs mount in path and MS Office App's
Review all of your permissions and confirm that those permissions are the same for all users having these issues on the server that is sharing the NFS share. I have a feeling that this is a share/permissions issue as much as it could be an NFS share issue.

-- Regards, Robert Adkins

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of free...@gmx.ch
Sent: Wednesday, October 12, 2011 10:30 AM
To: samba@lists.samba.org
Subject: [Samba] samba with nfs mount in path and MS Office App's

Hi Listmembers

Problem: Windows Clients having problems with Microsoft Office App's (Excel, Word) when the files are on the Samba Share documents (which is mapped through a Windows Drive Letter on the client).

Two clients have MS Office 2003. They can open doc Documents but when they want to save it error messages are appearing (message about too little space on drive, but this is a false error message). Saving of documents does not work and MS Office crashes. Sometimes Word is crashing already when the user opens a document. Same with XLS document.

One client has MS Office 2010. He can open and save changes in Microsoft Office Documents. But saving changes, even small ones, takes 30 seconds.

Clients which are using Open Office have no problems. They can even open and save the MS Office document without Problem. Also with other Applications there are no problems (ex. opening pdf documents, txt documents with notepad etc.). So the problem occurs only while working with this share documents and using Microsoft Office.

I've got another share on the same Samba Server named personal. The Microsoft Office clients have no problems on this share. The only difference is that the path from personal share in smb.conf is not a NFS Mount but a location on the harddisk of the server itself (ext3 partition). So the problem has something to do with using Samba shares which have their path on NFS Mounts.

System environment: Centos 5.x Server Samba Version 3.0.33

***Samba Config
[global]
workgroup = OfficeLAN
server string = qube2
lanman auth = Yes
client NTLMv2 auth = Yes
time server = Yes
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
logon script = %U.bat
logon drive = M:
logon home = \\%N\profiles\%U
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins server = 10.0.10.12
wins support = Yes
ldap ssl = no
admin users = @sysadmin
printer admin = @sysadmin
cups options = raw

[documents]
comment = documents
path = /home/nfs_qube2/documents
force user = admin
read only = No
guest ok = Yes
***

The documents share is on a NFS Mount which is mounted in /etc/fstab

10.0.10.13:/vol/nfs_qube2/office-data /home/nfs_qube2 nfs rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr

Thanks for any advice
Re: [Samba] Samba and AD integration
On 09/19/2011 10:16 AM, Bruno Martins wrote:

Hello everyone. I am running Samba on a Debian system, and I'm currently getting the following error on the logs:

[2011/09/19 15:06:36.708281, 1] smbd/sesssetup.c:454(reply_spnego_kerberos) Username GALILEU-F\bmartins is invalid on this system

Being GALILEU-F my Windows domain and bmartins my username. However, both 'wbinfo -g' and 'wbinfo -u' are working fine. Also, 'kinit (...)' works.

My smb.conf:

[global]
workgroup = GALILEU-F
realm = GALILEU-F.GALILEU.PT
server string = Samba Server
security = ADS
auth methods = winbind
password server = 192.168.0.2
username map = /etc/samba/smbusers
client NTLMv2 auth = Yes
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
printcap name = cups
dns proxy = No
wins server = 192.168.0.2
idmap uid = 20-30
idmap gid = 20-30
winbind use default domain = Yes
winbind trusted domains only = Yes
cups options = raw

My krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = GALILEU-F.GALILEU.PT
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
GALILEU-F.GALILEU.PT = {
kdc = jupiter.galileu-f.galileu.pt
admin_server = jupiter.galileu-f.galileu.pt
default_domain = galileu-f.galileu.pt
}

[domain_realm]
.jupiter.galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
.galileu-f.galileu.pt = GALILEU-F.GALILEU.PT

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

And... /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc Name Service Switch' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Can someone please give me a light on this? Best regards, Bruno Martins

Bruno, You are using the option winbind use default domain = Yes, so AD users should be able to access with just their username and there should be no need to pre-pend the domain and backslash.

Robert

-- Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Dual Authentication: Local and Active Directory
Yes, linux should be able to auth local and AD users. You would need to make sure /etc/nsswitch.conf and your pam modules are configured correctly. At the very least, nsswitch should look similar to this:

passwd: compat winbind
group: compat winbind
shadow: compat winbind

Pam is a bit more complicated and you should read up on your distribution's documentation or really know what you are doing. However if you are running RHEL/Fedora, you could get it going with one command (all on one line):

authconfig --update --enablepamaccess --enablelocauthorize --enablekrb5 --enablewinbind --enablewinbindauth --enablewinbindoffline --enablemkhomedir

So, this command sets up pam access with local authentication/authorization as well as AD kerberized authentication and AD winbind authorization. New users will have a home directory created and it allows the opening for cached offline logins for AD people.

Hope that gets you started, Robert

On 09/16/2011 06:59 PM, Aaron Clausen wrote:

I was wondering if it was possible to get a Samba server that was acting as an AD member server to also be able to authenticate local users, or is stuck just serving AD users?

-- Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Bash completion file(s) for samba utils...
Though this is a pretty nifty start to ease things regarding the net commands, I think the man pages need to have all the commands documented in it first. I know that even with the completion files, I would still need to refer to the man pages or the googles for specific syntax. I know some functions I would like to see documented more are things like keytab management.

Robert

On 09/10/2011 07:56 PM, Linda Walsh wrote:

I was wondering if anyone already had completion files for samba utils like 'net' wbinfo...etc... I can never remember all the params, I keep wanting to hit tab to autocomplete for options like I can on many other sys utils.

So I started looking at examples of existing completion files and started cobbling one together... if no one else has some (which would be great!), I'll probably continue work on this in a spare cycle every once in a while, or if anyone wants to add to it, I'd appreciate additions...

Other utils do host and user name lookup when the param or field being auto-completed needs such -- similar features would be nice in this one, but it's my first attempt at writing autocompletion for anything,

To use it, just 'source it' (i.e.: . filename or source filename). It just has 1st level and a few 2nd level cmds at this point, so it's pretty basic, but it's already helpful, so I thought I'd toss it out for others to use/enhance/abuse.. etc.

I'm working w/samba 3.5.11 and bash 4.1, so it may have some specifics to those versions. It doesn't have any of the ads sub commands in it, as my current version doesn't have ads compiled in. I don't know if alphabetizing the compgen lists is needed (would certainly allow search optimizations if so), but am trying for alphabetizing the response lists...(but it may be unnecessary).

--- -linda

-- Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] cant see data in share
On my home Samba server, I had to switch the authentication from Share Level to User Level. When I did that, my MacBook Pro with OSX 10.7 (Lion) was able to enter the shares and access all of the files. Prior to that, I could see that the shares existed, but was unable to access them. All that I received was a cryptic error message.

-- Regards, Robert Adkins II

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of John Kappeser
Sent: Wednesday, August 24, 2011 1:05 PM
To: samba@lists.samba.org
Subject: [Samba] cant see data in share

Hi all, i have a little problem. I installed on openSuse 11.4 samba 3.5.7 with standard config and only one share:

[tools]
path = /tools
read only = No
writable = Yes

So, i can connect via my imac osx 10.6 to my home Dir and see the files in there. I can connect to the share tools too, but all data in there i cant see. The same from Windows pc. Here a snippet from log.smbd:

[2011/08/24 18:44:14.359785, 0] smbd/dir.c:304(dptr_close) Invalid key 0 given to dptr_close

What does it mean? I know samba very good, but with this version (3.5.7) i have a lot of trouble... Thanx a lot.
Re: [Samba] windows 7 cannot connect
No, you do not need to turn off all of that on Windows 7. I have had no issues with connecting 7 different Windows 7 Professional workstations into my network. Most of the systems here are running Windows XP Professional and are joined to the domain.

The only issue that I have had is joining the Windows 7 systems into the domain. I understand that it might be possible, but I haven't had the time to really dig into that. There might be some authentication elements within smb.conf to adjust to allow the Windows 7 systems to authenticate users on the network, but I may have made those adjustments quite some time ago in order to allow Windows 95, 98, NT 4.0 and Windows 2000 to all join the domain in their various ways.

All you need is to have the Windows 7 machines in the workgroup of the Domain or the workgroup, then create individual user accounts on the Windows 7 machines that mirror the account user IDs and passwords on the Samba server.

Regards, Robert Adkins II

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gregory Carter
Sent: Tuesday, August 09, 2011 2:51 PM
To: samba@lists.samba.org
Subject: Re: [Samba] windows 7 cannot connect

On 08/09/2011 01:42 PM, Marc Fromm wrote:

I just set up my first windows 7 desktop.

My condolences.

When I try to map a drive to the red hat linux samba share it complains that the server cannot perform the requested operation. Windows XP machines work with no problem.

First, I would remove all security contexts from the Windows 7 workstation. Turn the firewall off. Turn off your virus software/security software. Try again.

The linux samba information:

[root@finaid45 samba]$ rpm -qa | grep smb
pam_smb-1.1.7-7.2.1
libsmbclient-3.0.33-3.29.el5_6.2
gnome-vfs2-smb-2.16.2-8.el5
[root@finaid45 samba]$ rpm -qa | grep samba
samba-client-3.0.33-3.29.el5_6.2
samba-common-3.0.33-3.29.el5_6.2
samba-3.0.33-3.29.el5_6.2
system-config-samba-1.2.41-5.el5
Re: [Samba] Very slow samba performance on Centos 6
Wouldn't it be better to rerun these tests, not from the Ramdisk, but from a network connection to more closely resemble what the results will be when in a production environment? Doing such tests years back did show that FTP will typically be faster than Samba, due to the difference in overhead costs. Samba isn't a service like FTP, it has to negotiate SMB packets, interpret the requests/commands and then communicate that to the system it is running on. I haven't played with CIFS, but I imagine that it too would have a similar or potentially greater overhead than Samba itself.

-- Regards, Robert Adkins II

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of vg_ us
Sent: Thursday, August 04, 2011 2:12 PM
To: volker.lende...@sernet.de
Cc: samba@lists.samba.org
Subject: Re: [Samba] Very slow samba performance on Centos 6

--
From: Volker Lendecke volker.lende...@sernet.de
Sent: Thursday, August 04, 2011 11:01 AM
To: vg_ us vg...@hotmail.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] Very slow samba performance on Centos 6

On Thu, Aug 04, 2011 at 10:49:50AM -0400, vg_ us wrote:

I have 2 identical Dell r510 servers with 10gig card, running centos 6 with samba-3.5.4-68.el6_0.2.x86_64. I setup 16G ramdisk samba share on both and ran cp from local ramdisk to samba ramdisk mount. If I cp 12 1-gig files, I get combined 100MB/s transfer rate. Single file cp maxes out at about 15MB/s. Ftp transfer give me over 300MB/s. Running with 9000 MTU. Most smb.conf is default. I even disabled atime and tried ext2 and xfs on ramdisk. Any help will be greatly appreciated.

What client application are you using? If it is a cifsfs kernel mount, you might see such artifacts. Please retry with the smbclient(1) application. If that is also slow, we need to investigate further.

I re-ran some of the tests with following result:

Ftp ramdisk-to-ramdisk: 13572 MB, 32.8 secs - 413.8 MB/s
Ftp ramdisk-to-harddisk: 13572 MB, 62.8 secs - 222.4 MB/s
Smbclient ramdisk-to-ramdisk: 13572 MB 40 secs - 339 MB/s
Smbclient ramdisk-to-harddisk: 13572 MB 64 secs - 212 MB/s
cifsfs mount ramdisk-to-ramdisk: 13572 MB 289.8 - 47MB/s

cifsfs mounts are really slow, so what happens when linux, windows and mac clients map/mount the share? Are they gonna be this slow? Any way to speed it up?

Thanks - Vadim
[Samba] VFS Objects Recycle questions
I have a need to setup the recycle vfs object on our server. On my test server, I have all of the shares on a single drive and have put the following into each share:

vfs_objects = recycle
recycle:repository = [Actual Path and Partition that the share is located]
recycle:directory_mode = 770
recycle:keeptree = Yes
recycle:touch_mtime = Yes
recycle:versions = Yes

It works like a charm. All of the files when deleted from each share are dumped into the RecycleBin share, I have created a new share just for the RecycleBin that I have also mounted that I can perform a final delete on the files located within.

On the live server, there are several partitions with shares split across the several partitions. The setup is the same, in terms of having the above entered into the individual shares and the RecycleBin for each share is located on the same partition/mount point that the share is located.

Example:

[share1]
wide links = no
writeable = yes
path = /mnt/disk2/share1
write list = @share1
force group = share1
comment = Job Files and Related
valid users = @share1
create mode = 770
user = @share1
directory mode = 770
vfs_objects = recycle
recycle:repository = /mnt/disk2/sharebin/%u
recycle:directory_mode = 770
recycle:keeptree = Yes
recycle:touch_mtime = Yes
recycle:versions = Yes

[sharebin]
wide links = no
writeable = yes
path = /mnt/disk2/sharebin
write list = @share1
force directory mode = 770
force group = share1
sync always = yes
force create mode = 770
comment = Location of Recycle Bin
valid users = @share1
create mode = 770
user = @share1
directory mode = 770

Everything else matches, the folders exist, the folder permissions are the same, it's just a no go on relinking the files on a delete command from the share1 share.

-- Regards, Robert
Re: [Samba] VFS Objects Recycle questions
Please disregard. It started working, out of the blue.

(Yes, I had previously initiated my changes, forced a restart and even waited a good handful of minutes before performing a test delete.)

--
Regards, Robert Adkins II

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
Sent: Wednesday, July 27, 2011 9:27 AM
To: samba@lists.samba.org
Subject: [Samba] VFS Objects Recycle questions

I have a need to setup the recycle vfs object on our server. On my test server, I have all of the shares on a single drive and have put the following into each share:

    vfs_objects = recycle
    recycle:repository = [Actual Path and Partition that the share is located]
    recycle:directory_mode = 770
    recycle:keeptree = Yes
    recycle:touch_mtime = Yes
    recycle:versions = Yes

It works like a charm. All of the files when deleted from each share are dumped into the RecycleBin share, I have created a new share just for the RecycleBin that I have also mounted that I can perform a final delete on the files located within.

On the live server, there are several partitions with shares split across the several partitions. The setup is the same, in terms of having the above entered into the individual shares and the RecycleBin for each share is located on the same partition/mount point that the share is located.

Example:

    [share1]
    wide links = no
    writeable = yes
    path = /mnt/disk2/share1
    write list = @share1
    force group = share1
    comment = Job Files and Related
    valid users = @share1
    create mode = 770
    user = @share1
    directory mode = 770
    vfs_objects = recycle
    recycle:repository = /mnt/disk2/sharebin/%u
    recycle:directory_mode = 770
    recycle:keeptree = Yes
    recycle:touch_mtime = Yes
    recycle:versions = Yes

    [sharebin]
    wide links = no
    writeable = yes
    path = /mnt/disk2/sharebin
    write list = @share1
    force directory mode = 770
    force group = share1
    sync always = yes
    force create mode = 770
    comment = Location of Recycle Bin
    valid users = @share1
    create mode = 770
    user = @share1
    directory mode = 770

Everything else matches, the folders exist, the folder permissions are the same, it's just a no go on relinking the files on a delete command from the share1 share.

--
Regards, Robert
Re: [Samba] VFS Objects Recycle questions / Round Two
It's working, for at least three user accounts, but it isn't working for all user accounts.

If I attempt to delete a file through Samba while using my login, the file just disappears, it isn't relinked into the RecycleBin. However, if other accounts perform a delete through Samba, the file is relinked into the RecycleBin.

Any ideas?

--
Regards, Robert Adkins II

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
Sent: Wednesday, July 27, 2011 1:22 PM
To: samba@lists.samba.org
Subject: Re: [Samba] VFS Objects Recycle questions

Please disregard. It started working, out of the blue.

(Yes, I had previously initiated my changes, forced a restart and even waited a good handful of minutes before performing a test delete.)

--
Regards, Robert Adkins II

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
Sent: Wednesday, July 27, 2011 9:27 AM
To: samba@lists.samba.org
Subject: [Samba] VFS Objects Recycle questions

I have a need to setup the recycle vfs object on our server. On my test server, I have all of the shares on a single drive and have put the following into each share:

    vfs_objects = recycle
    recycle:repository = [Actual Path and Partition that the share is located]
    recycle:directory_mode = 770
    recycle:keeptree = Yes
    recycle:touch_mtime = Yes
    recycle:versions = Yes

It works like a charm. All of the files when deleted from each share are dumped into the RecycleBin share, I have created a new share just for the RecycleBin that I have also mounted that I can perform a final delete on the files located within.

On the live server, there are several partitions with shares split across the several partitions. The setup is the same, in terms of having the above entered into the individual shares and the RecycleBin for each share is located on the same partition/mount point that the share is located.

Example:

    [share1]
    wide links = no
    writeable = yes
    path = /mnt/disk2/share1
    write list = @share1
    force group = share1
    comment = Job Files and Related
    valid users = @share1
    create mode = 770
    user = @share1
    directory mode = 770
    vfs_objects = recycle
    recycle:repository = /mnt/disk2/sharebin/%u
    recycle:directory_mode = 770
    recycle:keeptree = Yes
    recycle:touch_mtime = Yes
    recycle:versions = Yes

    [sharebin]
    wide links = no
    writeable = yes
    path = /mnt/disk2/sharebin
    write list = @share1
    force directory mode = 770
    force group = share1
    sync always = yes
    force create mode = 770
    comment = Location of Recycle Bin
    valid users = @share1
    create mode = 770
    user = @share1
    directory mode = 770

Everything else matches, the folders exist, the folder permissions are the same, it's just a no go on relinking the files on a delete command from the share1 share.

--
Regards, Robert
Re: [Samba] Integrate Samba with Active Directory
On 07/19/2011 07:12 PM, Jonathan Buzzard wrote:

Bruno Martins wrote:

[SNIP]

Good night Robert,

My Domain Controller is running Windows Server 2003 R2 X64, so I may not be affected by those bulletins

By the way, thanks for noticing.

Unless I am reading the release notes incorrectly, if you use the samba3x packages in CentOS 5.6 which gets you 3.5.4 with security patches as opposed to the plain samba packages which only get you a hideously old 3.0.x then the NTLM V2 issue goes away as samba supports it.

If you are doing anything with AD and are using CentOS 5.x, then I cannot stress the value in upgrading to 5.6 and swapping the samba packages for the samba3x packages. Basically the samba3x packages get you the same samba as RHEL/CentOS 6, which makes shifting your file servers to CentOS 6 in due course much easier.

JAB.

JAB is right on that one. There are still NTLMv2 issues with even 2003 and samba 3.0.x. Besides, people should use a currently supported version anyway (...thanking RH for FINALLY stopping backport of patches to the ancient 3.0.x code!!!):

http://wiki.samba.org/index.php/Samba3_Release_Planning

Robert

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Integrating samba with existing AD
On 07/20/2011 04:44 AM, Thibaut POUZET wrote:

Hi everyone,

I am currently trying to set-up a samba server in my network in order to replace the existing windows samba server. It's been now two weeks that I am struggling with a vicious problem, and I cannot see any issue right now. Before I lose all my hairs, I am sharing with you this problem : hopefully, someone will have a tip for me.

The software involved :

Server Linux CentOS 5.6
Windows 2003 Server R2 with working AD and another DNS server working just fine.

    # rpm -qa | grep samba
    samba-3.0.33-3.29.el5_6.2
    samba-common-3.0.33-3.29.el5_6.2
    samba-client-3.0.33-3.29.el5_6.2

    # rpm -qa | grep krb
    pam_krb5-2.2.14-18.el5
    pam_krb5-2.2.14-18.el5
    krb5-libs-1.6.1-55.el5_6.1
    krb5-devel-1.6.1-55.el5_6.1
    krb5-workstation-1.6.1-55.el5_6.1
    krb5-libs-1.6.1-55.el5_6.1

The smb.conf
http://pastebin.com/9iCd1meR

The krb5.conf
http://pastebin.com/nJ2DuBFi

In the nsswitch.conf

    passwd: files ldap winbind
    shadow: files ldap
    group: files ldap winbind

The problem (Everything seems to work just fine ):

    # kinit -V thibaut
    Password for thib...@work-network.com:
    Authenticated to Kerberos v5

    # net join -S pwdsrv -U Thibaut
    Thibaut's password:
    Using short domain name -- WORK
    DNS update failed!
    Joined 'smbsrv' to realm 'WORK-NETWORK.COM'

    wbinfo -u
    wbinfo -g
    getent passwd
    getent group

=> All of them return all I want (users and groups, with locals for the last two commands)

    # smbclient -L localhost -U Thibaut
    Password:
    Domain=[WORK] OS=[Unix] Server=[Samba 3.0.33-3.29.el5_6.2]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Server blabla)
        thibaut         Disk      Home Directories
    Domain=[WORK] OS=[Unix] Server=[Samba 3.0.33-3.29.el5_6.2]

        Server               Comment
        ---------            -------
        SMBSRV               Serveur blabla

        Workgroup            Master
        ---------            -------
        WORK

... and that's all.

The windows clients can connect and see some shares (I guess thanks to passthru), for instance I can see my home folder and the printers folders, but not the others as with smbclient.

Furthermore, even if I can see the roots folders, I cannot parse them : I am prompted a login+password form when I try to enter the Thibaut folder, for instance. I think I am connected as a guest user, but I am not sure of that.

And when I try to access the folder Thibaut, I got some logs :

    [2011/07/20 09:50:38, 2] lib/access.c:check_access(323)
      Allowed connection from (a.b.c.d)
    [2011/07/20 09:50:38, 2] smbd/service.c:make_connection_snum(617)
      user 'WORK\thibaut' (from session setup) not permitted to access this share (thibaut)

So where am I going wrong ?

Thibaut.

I would first migrate from the no longer supported 3.0.x codebase to something supported by the samba team:

http://wiki.samba.org/index.php/Samba3_Release_Planning

I wrote up a quicky migration how-to so that people can move from the samba packages to RHEL's introduced samba3x packages. Perhaps that can help you move over:

https://uisapp2.iu.edu/iukc-prd/pages/viewpage.action?pageId=137093

Robert

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Integrate Samba with Active Directory
On 07/19/2011 01:11 PM, Jonathan Buzzard wrote:

Bruno Martins - GALILEU LISBOA wrote:

Hello guys,

I am setting up a Samba server (based on CentOS 5.6) on my company which will act as a print and file server. Also, it has dropbox installed.

I have set up everything regarding to CUPS and Samba itself, but I'm not being able to integrate my shares with Active Directory.

All I want is that access control to Samba shares is made through Active Directory users and their respective passwords, and not through Unix-style users and groups. Is this possible?

Some configuration files:

/etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
/etc/samba/smb.conf - http://pastebin.com/9uffAyjV
/etc/krb5.conf - http://pastebin.com/9zJFQR6J

Can someone please give me some lights on this?

A quick look shows a lack of an idmap setup in the smb.conf. You say you are using CentOS 5.6, in which case I strongly recommend that you use the samba3x packages over the plain samba packages if you are not doing so already.

Here is an example based on what I use with CentOS 5.6 using the samba3x packages. Note that I have the rfc2307 information set in the AD for all the users. I have a whole bunch of other options as well to do with CTDB, GPFS and other bits and bobs as well. However these are not relevant to getting it working.

On the AD side you need to set the UID, home directory and primary group in the Unix Attributes tab, and then in the Member Of tab you need to add the user to the primary group that you set in the Unix Attributes tab and make that their primary group. All the groups need a GID setting in their Unix Attributes tab as well.

The important thing about the idmap setting is that you must have a plain tdb backend (or something else that is allocatable) and the range must not overlap with the range for the domain or it does not work. Not quite sure why that is because in my setting all accounts exist in the AD with appropriate Unix attributes. Took me ages to work that nugget of information out.

JAB.

    [global]
    netbios name = nemo
    security = ads
    workgroup = CAMPUS
    realm = CAMPUS.MYCORP.COM
    password server = *
    preferred master = no
    encrypt passwords = yes
    kerberos method = secrets only

    # deal with NSS and the whole UID/SID id mapping stuff
    idmap backend = tdb
    idmap uid = 200 - 299
    idmap gid = 200 - 299
    idmap config CAMPUS : backend = ad
    idmap config CAMPUS : schema_mode = rfc2307
    idmap config CAMPUS : readonly = yes
    idmap config CAMPUS : range = 500 - 199
    idmap cache time = 120
    idmap negative cache time = 20
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    winbind offline logon = false

You will also want to keep in mind some incompatibilities if your AD is pretty new (2008 or higher). See the following for more info:

http://support.microsoft.com/kb/954387
http://support.microsoft.com/kb/957441

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Connecting to domain authenticated share from non-domain machine
On Thu, 2011-07-07 at 10:48 +0100, Robert Horton wrote:

I've got a domain controller and two file servers (A & B) connected to a domain using the ldapsam backend. The domain controller and fileserver A are running Samba 3.5.4 (from RHEL6) and fileserver B is running Samba 3.0.33 (from RHEL5).

Other machines are able to join the domain as expected and between machines in the domain I am able to connect to shares as expected.

The problem is with connecting to shares from a machine which is not part of the domain - this works with the Samba 3.0.33 fileserver but not with the Samba 3.5.4 one. Any ideas why this might be?

Turns out you need to specify the domain as part of the username, eg

    smbclient -U 'DOMAIN\user' '\\server\share'

Rob
Re: [Samba] Samba and Active Directory 2008
On 07/11/2011 10:09 AM, Keith wrote:

I was wondering if anyone has had any luck getting samba working with a Windows 2008 domain? I've got mine working for the most part except for UID lookups. I've got identity management for unix installed on the windows box and have several users configured with custom home directories, login shell, and UID on the Unix attributes tab.

My samba server is joined to the domain, wbinfo -u and -g both provide a list of users and groups. When i run getent passwd i get a list of local users and domain users. With the domain users it pulls the home directory and login shell just fine from active directory, but i can't get it to pull the UID. I've got it setup and working using RID, which is ok, but we would rather get it working with the UID.

I'm using samba version 3.5.4 and here is a copy of the global settings

    workgroup=test
    realm=pizza.com
    security=ads
    password server = password-server.pizza.com
    idmap uid = 1 - 2
    idmap guid = 1 - 2
    idmap backend = rid:pizza.com=1-2
    winbind use default domain = yes
    winbind enum users = yes
    winbind refresh tickets = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    winbind nss info = rfc2307
    client ldap sasl wrapping = sign

Any help would be greatly appreciated.

Thanks
Keith

Have you also edited your /etc/nsswitch.conf file to pull those entries properly? You should at least have it looking like below:

    passwd: compat winbind
    group: compat winbind
    shadow: compat

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
[Samba] Connecting to domain authenticated share from non-domain machine
Hi,

I've got a domain controller and two file servers (A & B) connected to a domain using the ldapsam backend. The domain controller and fileserver A are running Samba 3.5.4 (from RHEL6) and fileserver B is running Samba 3.0.33 (from RHEL5).

Other machines are able to join the domain as expected and between machines in the domain I am able to connect to shares as expected.

The problem is with connecting to shares from a machine which is not part of the domain - this works with the Samba 3.0.33 fileserver but not with the Samba 3.5.4 one. Any ideas why this might be?

I also notice that things like net rpc user produce no output on machines other than the domain controller - does this indicate a problem or is it normal?

Thanks,
Rob
Re: [Samba] net ads user info .vs. wbinfo -g ?
On 06/20/2011 12:44 PM, John McNulty wrote:

The group names from these two commands display differently. For example:

    $ net ads user info my-name -U my-name
    .
    .
    Systems Engineering EU

    $ wbinfo -g
    .
    .
    systemsengineeringeu.write

Why is this different?

Regards,
John

John,

The net command is a close relative to the net command for windows. It will display information in a format more like windows or ldap-like output. If you do this type of net command on your samba install:

    net ads search '(SAMAccountName=adusername)' -P

you will get all the entries from active directory, similar to the output from ADSIedit. The -P allows you to use your samba machine's credentials (if it is joined to the domain).

    net ads search '(&(objectCategory=computer)(name=*rhel*))' -P

Allows ldap-like searching.

wbinfo and winbindd allow translation from windows account formats to unix-like account formats. This is why the outputs are different. If you were to do a getent passwd aduser you will get a direct entry that is as if it was from /etc/passwd. It is actually getting info from winbindd and translating it on the fly.

Hope that helps differentiate them.

Robert

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] UID mapping
On 06/15/2011 10:29 AM, Jonathan Buzzard wrote:

On Tue, 2011-06-14 at 23:41 +, Peter Shevchenko wrote:

[SNIP]

I have been working on exactly this problem. I looked into the rfc2307scheme extensions and it looked like a lot of trouble. The samba HowTo has this to say about it.

The use of this method is messy. The information provided in the following is for guidance only and is very definitely not complete. This method does work; it is used in a number of large sites and has an acceptable level of performance.

see samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

That is *not* the method I was suggesting to use. I was suggesting using the idmap_ad backend and winbind directly. No ldap or similar in sight excepting that AD is ldap. This is the configuration that I use in smb.conf

    # deal with NSS and the whole UID/SID id mapping stuff
    idmap backend = tdb
    idmap uid = 200 - 299
    idmap gid = 200 - 299
    idmap config LIFESCI-AD : backend = ad
    idmap config LIFESCI-AD : schema_mode = rfc2307
    idmap config LIFESCI-AD : readonly = yes
    idmap config LIFESCI-AD : range = 500 - 199
    idmap cache time = 120
    idmap negative cache time = 20
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    winbind offline logon = false

With nsswitch.conf looking like

    passwd: files winbind
    shadow: files
    group: files winbind

I would say the documentation on how to get this working is not great, the biggest stumbling block being the need for the non overlapping range for the plain tdb backend which is all required despite the fact it is never used. Yes you need to have winbind running at all times for it to work but it does work.

JAB.

The environment I work in did not fully implement the rfc schema. I would use the hash idmap backend:

http://www.samba.org/samba/docs/man/manpages-3/idmap_hash.8.html

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
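The non-overlap requirement JAB describes in this message and in the earlier "Integrate Samba with Active Directory" reply (the allocating tdb range must not overlap the per-domain idmap config range) can be checked mechanically before winbind is restarted. The Python below is an added example, not code from the thread or from the Samba project; it parses only the Samba 3.x parameter names quoted in the thread, and the sample smb.conf text with all of its numeric ranges is constructed for illustration.

```python
import re

# Constructed samples. Parameter names follow the Samba 3.x style used in the
# thread; every numeric range here is invented for this example.
SAMPLE_OK = """\
[global]
    idmap backend = tdb
    idmap uid = 2000000 - 2999999
    idmap gid = 2000000 - 2999999
    idmap config CAMPUS : backend = ad
    idmap config CAMPUS : range = 500 - 1999999
"""

SAMPLE_BAD = """\
[global]
    idmap uid = 10000 - 29999
    idmap gid = 10000 - 29999
    idmap config CAMPUS : backend = ad
    idmap config CAMPUS : range = 20000 - 49999
    ; inverted bounds, for example after a digit was lost while editing
    idmap config LAB : range = 900 - 100
[share1]
    path = /srv/share1
"""

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DOMAIN_RE = re.compile(r"^idmap config (.+?) ?: ?range$", re.IGNORECASE)


def parse_idmap_ranges(text):
    """Return ({label: (low, high)}, [errors]) for the [global] section."""
    ranges, errors = {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or smb.conf comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.split())  # collapse runs of whitespace in the name
        if key.lower() in ("idmap uid", "idmap gid"):
            label = "default " + key.lower().split()[1]
        else:
            match = DOMAIN_RE.match(key)
            if not match:
                continue  # some other parameter, e.g. "... : backend"
            label = "domain " + match.group(1)
        bounds = RANGE_RE.match(value.strip())
        if not bounds:
            errors.append(f"{label}: cannot parse range {value.strip()!r}")
            continue
        low, high = int(bounds.group(1)), int(bounds.group(2))
        if low > high:
            errors.append(f"{label}: low bound {low} is above high bound {high}")
            continue
        ranges[label] = (low, high)
    return ranges, errors


def check_idmap_ranges(text):
    """Return a list of problems; an empty list means the ranges are disjoint."""
    ranges, problems = parse_idmap_ranges(text)
    labels = sorted(ranges)
    for i, first in enumerate(labels):
        for second in labels[i + 1:]:
            # The default uid and gid ranges are separate ID spaces and are
            # normally set to the same values, so that pair is not compared.
            if {first, second} == {"default uid", "default gid"}:
                continue
            low = max(ranges[first][0], ranges[second][0])
            high = min(ranges[first][1], ranges[second][1])
            if low <= high:
                problems.append(f"{first} overlaps {second}: {low}-{high}")
    return problems


if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_idmap_ranges(sample) or "no problems")
```

To check a real server, pass the contents of its smb.conf to check_idmap_ranges() in place of the constructed samples.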
Re: [Samba] Braindead Autoreply filters... WAS Re: samba Digest, Vol 102, Issue 8
On 09.06.2011 21:46, Charles Marcus wrote:

On 2011-06-09 2:00 PM, Robert Schetterer rob...@schetterer.org wrote:

On 09.06.2011 15:46, Charles Marcus wrote:

It would be nice if one of the list moms would immediately unsubscribe AND PERMANENTLY BAN idiots who use braindead autoreply filters. This should be official list policy for ALL email lists...

just like do not top post *g ?

Don't be stupid Robert... there are times when top-posting is perfectly acceptable, and that was one of them (ie, when the content of the quote is irrelevant).

that was a joke, i am not a fanatic, do no top poster, but related to autoresponders, i am sure list/mailadmins everywhere do their best to avoid spreading unneeded or unwanted mail, but in real world, there will never be a way to catch it all so everybody should be cooled about that, ok wish idiots to hell, perhaps gives somebody fresh air sometimes but in real world, spread this anger over mail list may also be an unwanted mail so i recommend, mail the listadmin, and accept the world as it is go fishing etc sometimes... ( Joke ! )

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [Samba] Braindead Autoreply filters... WAS Re: samba Digest, Vol 102, Issue 8
On 09.06.2011 15:46, Charles Marcus wrote:

It would be nice if one of the list moms would immediately unsubscribe AND PERMANENTLY BAN idiots who use braindead autoreply filters. This should be official list policy for ALL email lists...

just like do not top post *g ?

On 2011-06-08 2:00 PM, samba-requ...@lists.samba.org wrote:

Subject: Re: [Samba] samba Digest, Vol 102, Issue 7
From: Andrew McNaughton and...@nleducation.org.uk

I am currently on annual leave. I will be back in the office on Friday 10th June 2011. If you have an urgent matter needing attention, it may be prudent to contact the ITSC main number 01236 757600. Thanks.

--
Andrew McNaughton
ICT Network Support Officer
Learning Leisure Services
North Lanarkshire Council

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [Samba] Samba vs Linux file permissions
John,

For the [chemgroup] share try

    [chemgroup]
    comment = Chemistry Group Share
    path = /home/chemgroup
    valid users = @chemgroup
    write list = @chemgroup
    browseable = no
    ;;writeable = yes
    ;;printable = no
    ;; note your post left out the '@'-sign
    force group = @chemgroup
    create mask = 0660
    directory mask = 0770

and for the [homes] share try

    [homes]
    comment = Home Directories
    browseable = no
    ;;read only = no
    create mask = 0640
    directory mask = 0750
    ;;valid users = %S
    valid users = %U
    write list = %U

I found that using %U works best so long as you don't have older Windows (e.g. Wfwg). Also specifying write list specifically gives 'username' write capabilities consistent with your security policy on the underlying volume.

And, is /lab/chemgroup a local disk volume or a remote NFS volume? Doing a double mount SMB --> NFS --> Local Vol is not recommended owing to the way NFS itself handles permissions.

Also I would recommend that you consider upgrading to the latest 3.5.X branch of Samba and consider enabling ACLs and extended User Attributes on the underlying volumes. Although adding Posix ACLs does add complexity to the mix in the end you get a more secure environment and less Windows-to-Linux permission problems and confusion.

Bob
--bs

On Thu, 2011-06-02 at 10:36 -0400, John Maher wrote:

Hello,

I cannot find anything in the documentation or mailing list that addresses this oddity. I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm utterly confused by samba's behavior regarding permissions.

Users on the server have home directories in /home/chemgroup/username. (chemgroup is actually a symlink to another volume mounted at /labs/chemgroup.)

Permissions on /lab/chemgroup are:

    drwxrwx---  username chemgroup /labs/chemgroup

Permissions on /lab/group/username are:

    drwxr-x---  username chemgroup /labs/chemgroup/username

Clearly, username has rights to write to /home/chemgroup/username, and can do so just fine via ssh.

The Samba share is configured as follows:

    [chemgroup]
    comment = Chemistry Group Share
    path = /home/chemgroup
    valid users = @chemgroup
    public = no
    browseable = no
    writeable = yes
    printable = no
    force group = chemgroup
    create mask = 0660
    directory mask = 0770

Note, username is a member of chemgroup. username can connect to \\server\chemgroup and can create new files and directories there. And username can navigate to the username folder within chemgroup.

BUT, here's where it gets weird . . . username can create a new file within the chemgroup\username folder, but they cannot even change the name of the file they just created. And they can't delete the file they just created (and couldn't rename).

This same behavior is even presented with Home directories, with the homes section looking like this:

    [homes]
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0640
    directory mask = 0750
    valid users = %S

Thank you for any help or guidance.

John

--
John Maher
Senior Systems and Network Administrator
Department of Biochemistry Molecular Biology and Department of Chemistry
University of Massachusetts - Amherst
voice: 413-577-3120
fax: 413-545-4490
OpenPGP Key ID: 0x2970A144
Re: [Samba] Samba vs Linux file permissions
John,

Yes, I agree that you should not install from source--I meant to imply if you could get a deb package for your Ubuntu Server 10.10.

I did not enable ACLs and User Extended Attributes until I installed the first iteration of the Samba 3.5 branch on my Fedora 13 server (I'm about to upgrade to Fedora 15) so I am not sure what issues you might have using Samba 3.4.7.

Using the User Extended Attributes are convenient for two purposes:

1) it allows Samba to store the DOS Attributes (ReadOnly, Archive, Hidden, and I think a few others) in a separate xattr. This frees you from having to manage these attributes using the Linux permission bits.

2) It allows Samba to store the full NT ACLs as an xattr. The initial NT ACLs will be based on the POSIX ACLs which should also be enabled.

You can enable ACLs and User Extended Attributes on a share-by-share basis. I would start off by creating a test volume (if you can carve one out of your LVM) and creating a test share with it in Samba. For example, here is my configuration for a group share:

    [Shared]
    comment = Public Share on %h
    path = /home/shared
    valid users = +domadmins, +domusers, +domguests
    write list = +domadmins, +domusers
    force group = domusers
    ; create mask = 0664
    ; force create mode = 0660
    ; directory mask = 0002
    ; force directory mode = 0770
    inherit permissions = yes
    inherit acls = yes
    map acl inherit = yes
    acl group control = yes
    ea support = yes
    vfs object = acl_xattr recycle
    store dos attributes = yes
    map archive = no
    map hidden = no
    map system = no
    map readonly = no

The mount configuration in /etc/fstab is:

    /dev/mapper/vg1-home /home ext3 defaults,acl,user_xattr 1 2

And the POSIX ACLs on /home/shared:

    # getfacl shared
    # file: shared
    # owner: root
    # group: users
    # flags: -s-
    user::rwx
    group::rwx
    group:users:rwx
    group:domadmins:rwx
    group:domusers:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:users:rwx
    default:group:domadmins:rwx
    default:group:domusers:rwx
    default:mask::rwx
    default:other::---

I like the fact that I no longer have to give the Linux Other group any permission whatsoever even for my public shared group.

There is a lot here that you will need to bone-up on but give it a try and let us know if you run into any problems.

Good luck,

Bob
--bs

On Thu, 2011-06-02 at 10:36 -0400, John Maher wrote:

John Maher john at chem.umass.edu
Fri Jun 3 09:37:14 MDT 2011

And, is /lab/chemgroup a local disk volume or a remote NFS volume? Doing a double mount SMB --> NFS --> Local Vol is not recommended owing to the way NFS itself handles permissions.

Bob, I forgot to respond to this part. No, I'm not using NFS. That mount point is an LVM logical volume on a single RAID5 array.

Also I would recommend that you consider upgrading to the latest 3.5.X branch of Samba and consider enabling ACLs and extended User Attributes on the underlying volumes. Although adding Posix ACLs does add complexity to the mix in the end you get a more secure environment and less Windows-to-Linux permission problems and confusion.

There's resistance in my department to install applications using source rather than Ubuntu packages. For now, I need to stick with the version we have unless it becomes clear that the version change would make the difference.

I've been wondering about extended User Attributes and whether or not they are worth the effort. It sounds like you believe they are worth it. I'll look into it.

Thanks.

John
Re: [Samba] Samba vs Linux file permissions
Quoting John Maher (john at chem.umass.edu):

Hello, I cannot find anything in the documentation or mailing list that addresses this oddity. I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm utterly confused by samba's behavior regarding permissions. Users on the server have home directories in /home/chemgroup/username. (chemgroup is actually a symlink to another volume mounted at /labs/chemgroup.) Permissions on /lab/chemgroup are:

How about looking in logfiles (first with log level to 3)?

Thanks for responding. I changed log level to 3 and was able to see an NT_STATUS_ACCESS_DENIED error when trying to change the name of a file I just created.

John,

To get back to your issue at hand...Can we see the output of your logs--the entire delete/rename transactions?

Is this server a PDC, BDC or other? Are there any Windows server part of this domain? Are you using winbind? What is the output of wbinfo -i username?

Bob
--bs
Re: [Samba] Samba vs Linux file permissions
John,

Were you using Samba 3.4.6 prior to this? If so, here is the release note for 3.4.7:

    Release Notes for Samba 3.4.7
    March 8, 2010

    This is a security release in order to address CVE-2010-0728.

    o CVE-2010-0728:
      In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code was added to fix a
      problem with Linux asynchronous IO handling. This code introduced a bad
      security flaw on Linux platforms if the binaries were built on Linux
      platforms with libcap support. The flaw caused all smbd processes to
      inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access
      to be allowed even when permissions should have denied access.

Regardless if it was working under 3.4.6 you may have had a different and more serious kind of security problem :-0

Unfortunately I do not see this as a simple mis-configuration of your server at this point. The error is being emitted after the smbd/open.c call to try and open the file. It errors out on trying to open the file for renaming.

    [2011/06/03 13:29:55, 3] smbd/vfs.c:974(check_reduced_name)
      reduce_name: jmaher/orig_name reduced to /labs/chemgroup/jmaher/orig_name
    [2011/06/03 13:29:55, 3] smbd/reply.c:6030(rename_internals)
      Could not open rename source jmaher/orig_name: NT_STATUS_ACCESS_DENIED

Unfortunately as I do not have an Ubuntu Server 10.04 I can not experiment with this to help pinpoint an answer for you. Sorry.

BTW, what is shown under the workstations Properties--Security tab for the file in question (and when the directory perms are drwxr-x---)? Do all of the SIDs resolve properly?

You may also try posting the error log using log level = 9 for even more detail--this might also show the SID to UID/GID mappings.

Bob
--bs

On 06/03/2011 01:18 PM, Robert W. Smith wrote:

...

John, To get back to your issue at hand...Can we see the output of your logs--the entire delete/rename transactions?

Bob, thanks for your continued interest and help.

Here is log level = 3 output when trying to change a file within the /labs/chemgroup/jmaher directory from the name orig_name to new_name:
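Added example (not part of the thread and not Samba code): one way to look for the condition the quoted 3.4.7 release note describes, an smbd process that serves a non-root user while still holding CAP_DAC_OVERRIDE. It assumes the condition is visible in the `Uid` and `CapEff` lines of `/proc/<pid>/status`; the sample status texts and PIDs are constructed.

```python
import os

CAP_DAC_OVERRIDE = 1  # bit index of CAP_DAC_OVERRIDE in <linux/capability.h>

# Constructed /proc/<pid>/status excerpts (tab-separated, as the kernel prints them).
SAMPLE_STATUS = {
    2101: "Name:\tsmbd\nUid:\t0\t0\t0\t0\nCapEff:\t0000001fffffffff\n",     # root parent
    2140: "Name:\tsmbd\nUid:\t0\t1001\t0\t1001\nCapEff:\t0000000000000000\n",  # expected
    2177: "Name:\tsmbd\nUid:\t0\t1001\t0\t1001\nCapEff:\t0000000000000002\n",  # suspicious
    2200: "Name:\tnmbd\nUid:\t0\t1001\t0\t1001\nCapEff:\t0000000000000002\n",  # other daemon
}


def parse_status(text):
    """Turn 'Key:<tab>v1<tab>v2' lines into {key: [v1, v2]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value.split()
    return fields


def overrides_dac_as_user(status_text, name="smbd"):
    """Return the fsuid if a non-root `name` process holds CAP_DAC_OVERRIDE, else None."""
    fields = parse_status(status_text)
    if fields.get("Name") != [name] or "Uid" not in fields or "CapEff" not in fields:
        return None
    fsuid = int(fields["Uid"][3])            # Uid: real, effective, saved, filesystem
    cap_eff = int(fields["CapEff"][0], 16)   # effective capability set as a hex bitmask
    if fsuid != 0 and cap_eff & (1 << CAP_DAC_OVERRIDE):
        return fsuid
    return None


def audit(statuses):
    """Return [(pid, fsuid)] for every flagged process in {pid: status_text}."""
    hits = []
    for pid, text in sorted(statuses.items()):
        uid = overrides_dac_as_user(text)
        if uid is not None:
            hits.append((pid, uid))
    return hits


def read_live_statuses(proc="/proc"):
    """Collect status texts from a live Linux system; unreadable entries are skipped."""
    statuses = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "status")) as handle:
                    statuses[int(entry)] = handle.read()
            except OSError:
                continue
    return statuses


if __name__ == "__main__":
    for pid, uid in audit(SAMPLE_STATUS):
        print(f"smbd pid {pid} runs with fsuid {uid} but holds CAP_DAC_OVERRIDE")
```

On a live server, pass `read_live_statuses()` to `audit()` while clients are connected; the check is a snapshot and only sees processes that exist at that moment.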
Re: [Samba] winbind issue with Windows 2008 R2 - domain trusts
On 06/01/2011 04:24 PM, Terry wrote:

On Wed, Jun 1, 2011 at 3:21 PM, Terry td3...@gmail.com wrote:

Hello,

I have a problem that just propped up after our windows admin did some work. He introduced some new domain controllers and upgraded the domain to 2008 R2. The primary domain that our linux boxes are in seems to work, it's trusted domains. Here's an example domain:

FOO.BAR.LOCAL

The boxes are in the FOO domain and I can getent passwd and see accounts in there fine. I used to be able to see accounts in BAR as well but now can't.

I am using samba-3.0.33-3.29.el5_5.1 on RHEL5.2.

Here's an error I see in the logs. Not sure

    Jun  1 15:16:01 omadvdss01a winbindd[10772]: [2011/06/01 15:16:01, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
    Jun  1 15:16:01 omadvdss01a winbindd[10772]:   rpc_api_pipe: Remote machine foodc03.foo.bar.local pipe \NETLOGON fnum 0x3returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

That domain controller referenced in the logs is a new DC he added. All windows operations appear to be normal.

Thoughts?

Thanks!

Sorry for replying to my own post so early here. I removed that domain controller from my smb.conf and that appears to have fixed things. Anyone have an idea on what the issue could be?

Terry,

The version of samba is quite old and unsupported upstream by the samba team. There were many issues with that version and 2008 AD controllers. RHEL 5.5 on up uses a more up to date version of samba and you can migrate to that. Red Hat's release notes detail it a bit more. There still may be ntlmv2 issues, but as long as there is kerberos access, things should be okay.

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
[Samba] winbind problem with BUILTIN?
I shut my Samba PDC and all members down for some PC rearranging and now having an issue with one member server on Ubuntu 10.12 with Samba 3.5.4 after restarting all. It would not connect, I tried to remove the computer name from LDAP and re-join the domain, that was successfully joined and the entry reappears in LDAP, but it times out when trying to connect to that host via the network or smbclient on the local box. All other workstations (Win2003, WinXP) and the PDC (FreeBSD Unix) are working perfectly.

Since it is timing out, I tried the IP address with smbclient and browsing and it works. For some reason, my /etc/resolv.conf was empty, so I fixed, but still timing out. So, I looked at Winbind and found a potential issue with BUILTIN?...

    [2011/04/12 17:37:49.028871, 10] winbindd/winbindd_util.c:846(find_lookup_domain_from_sid)
      calling find_domain_from_sid
    [2011/04/12 17:37:49.029439, 10] winbindd/winbindd_cache.c:418(wcache_fetch_seqnum)
      wcache_fetch_seqnum: BUILTIN not found
    [2011/04/12 17:37:49.029462, 10] winbindd/winbindd_cache.c:4709(wcache_store_ndr)
      could not fetch seqnum for domain BUILTIN
    [2011/04/12 17:37:56.047749, 6] winbindd/winbindd.c:768(new_connection)
      accepted socket 22
    [2011/04/12 17:37:56.047883, 10] winbindd/winbindd.c:620(process_request)
      process_request: request fn INTERFACE_VERSION
    [2011/04/12 17:37:56.047909, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
      [ 5304]: request interface version
    [2011/04/12 17:37:56.047952, 10] winbindd/winbindd.c:716(winbind_client_response_written)
      winbind_client_response_written[5304:INTERFACE_VERSION]: deliverd response to client
    [2011/04/12 17:37:56.048022, 10] winbindd/winbindd.c:620(process_request)
      process_request: request fn WINBINDD_PRIV_PIPE_DIR
    [2011/04/12 17:37:56.048045, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
      [ 5304]: request location of privileged pipe
    [2011/04/12 17:37:56.048101, 10] winbindd/winbindd.c:716(winbind_client_response_written)
      winbind_client_response_written[5304:WINBINDD_PRIV_PIPE_DIR]: deliverd response to client
    [2011/04/12 17:37:56.048191, 6] winbindd/winbindd.c:816(winbind_client_request_read)
      closing socket 22, client exited
    [2011/04/12 17:37:56.048233, 6] winbindd/winbindd.c:768(new_connection)
      accepted socket 22
    [2011/04/12 17:37:56.048276, 10] winbindd/winbindd.c:593(process_request)
      process_request: Handling async request 5304:SID_TO_GID
    [2011/04/12 17:37:56.048298, 3] winbindd/winbindd_sid_to_gid.c:47(winbindd_sid_to_gid_send)
      sid to gid S-1-5-21-4199262639-1984306771-3339216219-512
    [2011/04/12 17:37:56.048347, 10] lib/gencache.c:345(gencache_get_data_blob)
      Returning expired cache entry: key = IDMAP/SID2GID/S-1-5-21-4199262639-1984306771-3339216219-512, value = , timeout = Wed Dec 31 19:00:00 1969
    [2011/04/12 17:37:56.048387, 10] winbindd/winbindd_util.c:843(find_lookup_domain_from_sid)
      find_lookup_domain_from_sid(S-1-5-21-4199262639-1984306771-3339216219-512)
    [2011/04/12 17:37:56.048414, 10] winbindd/winbindd_util.c:853(find_lookup_domain_from_sid)
      calling find_our_domain
    [2011/04/12 17:37:57.609408, 0] winbindd/winbindd.c:195(winbindd_sig_term_handler)
      Got sig[15] terminate (is_parent=1)

I tried emptying the contents of /var/cache/samba, still no help. Here is smb.conf on the problem PC, which nothing has changed since it last worked...

    [global]
        netbios name = MEDIA
        server string = Media Server %v - Music, Videos and Photos
        workgroup = WEBTENT
        realm = WEBTENT
        security = DOMAIN
        log level = 10
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 139
        name resolve order = wins bcast hosts
        printcap name = CUPS
        wins server = 192.168.1.21
        ldap suffix = dc=webtent,dc=org
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=webtent,dc=org
        idmap backend = ldap:ldap://mail.webtent.org
        idmap uid = 1-2
        idmap gid = 1-2

    snip shares

Can someone help me determine the next step in tracking down this issue? Or, how I could start all over with this box (already tried re-join)?

Thanks,
Robert

--
Robert rob...@webtent.org
Re: [Samba] samba+kerberos problem
On 04/10/2011 11:58 PM, Jian Li wrote:

Hi,

I get some problem with samba when working on kerberos, would you give me some advice? thanks

/etc/samba/smb.conf:

    [global]
        workgroup = EXAMPLE
        #use kerberos keydtab = yes
        realm =LAB.BOS.REDHAT.COM
        security = ads
        #security = user
        server signing = auto
        kerberos method = system keytab

    [public]
        path = /tmp/test
        read only = no
        writable = yes

    [root@hp-xw6600-01 ~]# kinit -k root
    [root@hp-xw6600-01 ~]# mount.cifs //intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com/public /mnt -o sec=krb5,user=root,uid=root
    [root@hp-xw6600-01 ~]# ls /mnt
    ls: reading directory /mnt: Permission denied

We should get some extra info about your environment:

What version of Samba/mount.cifs is hp-xw6600-01 using?

What is the cifs server running, Win (version) or Lin and if Lin, what version of Samba?

Finally, what is the KDC, Win (version) or Lin?

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security Releases Available
Bob,

A good thing I do is search the release history. I do a google search similar to this one:

    smb.conf changes site:samba.org/samba/history

This, in combination with

    testparm -sv

Gives me a good idea of what is up.

Thanks,
Robert

On 03/18/2011 09:27 AM, Hoover, Tony wrote:

When I upgrade a major revision (3.4.x - 3.5.x ), I always get a listing from testparm -v before and after the upgrade to make sure that a parameter (that I didn't specify in the config) didn't change its default setting.

--
Tony Hoover, Network Administrator
KSU - Salina, College of Technology and Aviation
(785) 826-2660
Don't Blend in...
--

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Eckert, Robert D
Sent: Thursday, March 17, 2011 11:01 AM
To: 'Jeremy Allison'; 'Chris Smith'
Cc: 'sa...@samba.org'; 'samba-annou...@samba.org'; 'samba-techni...@samba.org'
Subject: Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security Releases Available

Greetings,

Can I go directly from 3.4.7 to the new 3.5.8 without installing any intermediate versions? Or is there a different route I should follow?

Thank you for your help,

-Bob

%%
Bob Eckert
Principal Applications/Systems Analyst
Indiana University Information Technology Services
WebTech Team
2711 East 10th Street - E5 150.25
Bloomington, IN 47408
Email: eck...@indiana.edu
Voice: (812) 855-7209
Fax: (812) 856-5242

-----Original Message-----
From: samba-announce-boun...@lists.samba.org [mailto:samba-announce-boun...@lists.samba.org] On Behalf Of Jeremy Allison
Sent: Monday, February 28, 2011 11:37 AM
To: Chris Smith
Cc: sa...@samba.org; samba-annou...@samba.org; samba-techni...@samba.org
Subject: Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security Releases Available

On Mon, Feb 28, 2011 at 10:15:23AM -0500, Chris Smith wrote:

On Mon, Feb 28, 2011 at 8:35 AM, Karolin Seeger ksee...@samba.org wrote:

Samba 3.5.7, 3.4.12 and 3.3.15 are security releases in order to address CVE-2011-0719.

Will there be a new 3.5.7 Jumbo Patch available for those using it with 3.5.6 and strict allocate? Or does the current 3.5.6 Jumbo Patch work fine with 3.5.7 (I'm assuming it's not included as there was no mention of any other fixes in the release notes)?

Both patches should work fine together. As per our policy, security fix releases contain no other changes than the security bugfix. Just take the 3.5.7 release and apply the jumbo patch on top of it, as you did with 3.5.6. A 3.5.8 will be released soon with all the pending patches we were planning the next release before it got preempted by the security fix.

Hope this helps,

Jeremy.

--
Robert Freeman-Day
LSP Services - UNIX/Linux
2711 E. 10th St.
Bloomington, IN 47405
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
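Added example (not from the thread or from Samba): the before-and-after `testparm` comparison described in the message above, as a small diff that reports only parameters whose effective value changed and that are not set in the administrator's own smb.conf. The three sample texts and their values are constructed and do not describe any particular Samba version; the `REVIEW_FIRST` selection is this example's own choice of real smb.conf parameters.

```python
# Parameters to look at first when their effective value moves.
REVIEW_FIRST = {"wide links", "lanman auth", "ntlm auth", "client ntlmv2 auth",
                "server signing", "client signing", "restrict anonymous",
                "map to guest", "guest ok", "unix extensions"}

# Constructed: the administrator's own smb.conf.
OWN_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = user
[data]
    path = /srv/data
    read only = no
"""

# Constructed: saved output of `testparm -sv` before the upgrade.
BEFORE = """\
[global]
    workgroup = EXAMPLE
    security = USER
    wide links = Yes
    lanman auth = No
    max log size = 5000
[data]
    path = /srv/data
    read only = No
    guest ok = No
"""

# Constructed: output of `testparm -sv` after the upgrade.
AFTER = """\
[global]
    workgroup = EXAMPLE
    security = USER
    wide links = No
    lanman auth = No
    client ntlmv2 auth = No
    max log size = 0
[data]
    path = /srv/data
    read only = No
    guest ok = no
"""


def parse_conf(text):
    """Parse smb.conf-style text (the format testparm prints) into {section: {param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            # Parameter names are case-insensitive and whitespace-tolerant.
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def _norm(value):
    return None if value is None else value.lower()


def changed_defaults(before, after, own_conf):
    """Return [(section, param, old, new, review_first)] for params not set in own_conf."""
    old, new, mine = parse_conf(before), parse_conf(after), parse_conf(own_conf)
    changes = []
    for section in sorted(set(old) | set(new)):
        o, n = old.get(section, {}), new.get(section, {})
        explicit = mine.get(section, {})
        for key in sorted(set(o) | set(n)):
            if key in explicit:
                continue  # the admin pinned this value; not a default
            if _norm(o.get(key)) != _norm(n.get(key)):
                changes.append((section, key, o.get(key), n.get(key), key in REVIEW_FIRST))
    return changes


if __name__ == "__main__":
    for section, key, was, now, urgent in changed_defaults(BEFORE, AFTER, OWN_SMB_CONF):
        flag = "REVIEW" if urgent else "      "
        print(f"{flag} [{section}] {key}: {was!r} -> {now!r}")
```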
Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security Releases Available
Greetings,

Can I go directly from 3.4.7 to the new 3.5.8 without installing any intermediate versions? Or is there a different route I should follow?

Thank you for your help,

-Bob

%%
Bob Eckert
Principal Applications/Systems Analyst
Indiana University Information Technology Services
WebTech Team
2711 East 10th Street - E5 150.25
Bloomington, IN 47408
Email: eck...@indiana.edu
Voice: (812) 855-7209
Fax: (812) 856-5242

-----Original Message-----
From: samba-announce-boun...@lists.samba.org [mailto:samba-announce-boun...@lists.samba.org] On Behalf Of Jeremy Allison
Sent: Monday, February 28, 2011 11:37 AM
To: Chris Smith
Cc: sa...@samba.org; samba-annou...@samba.org; samba-techni...@samba.org
Subject: Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security Releases Available

On Mon, Feb 28, 2011 at 10:15:23AM -0500, Chris Smith wrote:

On Mon, Feb 28, 2011 at 8:35 AM, Karolin Seeger ksee...@samba.org wrote:

Samba 3.5.7, 3.4.12 and 3.3.15 are security releases in order to address CVE-2011-0719.

Will there be a new 3.5.7 Jumbo Patch available for those using it with 3.5.6 and strict allocate? Or does the current 3.5.6 Jumbo Patch work fine with 3.5.7 (I'm assuming it's not included as there was no mention of any other fixes in the release notes)?

Both patches should work fine together. As per our policy, security fix releases contain no other changes than the security bugfix. Just take the 3.5.7 release and apply the jumbo patch on top of it, as you did with 3.5.6. A 3.5.8 will be released soon with all the pending patches we were planning the next release before it got preempted by the security fix.

Hope this helps,

Jeremy.
Re: [Samba] Should krb.conf and krb5.conf have entries for multiple domain controllers?
On 02/28/2011 09:29 PM, Robinson, Eric wrote:

There are three DCs in my Windows AD domain, but I have noticed that only one of them is referenced in my krb.conf and krb5.conf. Should there be a reference to one or two of the other domain controllers? If the DC goes down, how will my Samba/Winbind servers authenticate?

--
Eric Robinson

Eric,

There should be no problem putting each DC in your krb.conf file. It does allow for failover for kerberos. In your smb.conf file you will also want to list the servers in your password server parameter, separated by spaces. Depending on how your samba/winbind is implemented, and the default way most windows domain member machines work, is that they will go to kerberos first then go to lanman/ntlm/ntlmv2.

Robert

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
[Samba] Trouble Using Samba 3.5.6 in ADS Domain
Hi List,

I try to use a newly installed Samba 3.5.6 in an ADS Domain.

Firstly I configured kerberos, it works. I can kinit administrator, klist, works.

Secondly I configured samba:

smb.conf:

--- cut ---
    workgroup = KINDER
    netbios name = DSCHUNGEL
    realm = KINDER.LAN
    security = ADS
    wins server = 192.168.120.15
    passdb backend = tdbsam
    load printers = yes
    printing = cups
    printcap name = cups
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    create mask = 0775
    directory mask = 0775
    dos charset = ISO8859-1
    idmap backend = ad
    winbind nss info = rfc2307
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    idmap uid = 2500-2
    idmap gid = 2500-2
    template shell = /bin/bash
    dns proxy = no
    encrypt passwords = true
    preferred master = no
    template homedir = /home/%U
    enhanced browsing = no
--- cut ---

After net ads join -U administrator I can query Users from ads with wbinfo -u and groups with wbinfo -g

The next step will be that Users can login to the Server.

nsswitch.conf:

--- cut ---
    passwd: compat winbind
    group:  compat winbind
    shadow: compat winbind
--- cut ---

But a getent passwd doesn't show me users from the ADS.

Is anything missing? I've done it with this article: http://www.enterprisenetworkingplanet.com/netos/article.php/3487081/Join-Samba-3-to-Your--Active-Directory-Domain.htm

Any hints?

Thanks a lot

Robert

--
Robert Einsle
rob...@einsle.de
http://www.einsle.de
[Samba] Is it a good idea/required to run winbind
We've been running a samba service for many years but have stuck using 3.0.24. Every version I tried after 3.0.24 seemed to have reliability problems. But if every version since 3.0.24 was broken I assume someone would have noticed by now :-). So I'm guessing we're doing something idiosyncratic and/or stupid.

The config we have is that our samba server (solaris) is getting uid/gid info using NSS from ldap. But all the users are also in an ADS domain which is synchronised with the ldap servers by an identity management system. So we do authentication from ADS.

The relevant parts of the config are

    netbios name = xxx
    security = ADS
    realm = yyy.domain
    password level = 0
    local master = no
    domain master = no
    encrypt passwords = yes

The samba server was joined to the domain using net ads join. We were running smbd and nmbd but not winbind (since we weren't using samba for NSS). And that worked fine up through 3.0.24.

After 3.0.24, it stopped working reliably. From memory the server kept dropping out of the domain. I enquired on this list about the problems we were having and the best advice I received was that winbind was now a required service. So I tried using winbind and it seemed to work better, but still not completely reliably. So we just stayed on 3.0.24.

Recently changes to the domain mean that we will need to run a recent version of samba. So I've been looking into upgrading. I ran up a copy of 3.5.6 using winbind. But testing indicated that it didn't appear to be respecting secondary groups for the users. It was picking up the primary group for a user ie the one in the password file. But not the secondary groups (specified in /etc/group).

Then someone suggested trying without winbind. And that seems to be working OK. But my question is, is there something that I need to be using winbind for.

The documentation is a little confusing. I can't find anything that says categorically that winbind is necessary. But the winbind man page says

    Even if winbind is not used for nsswitch, it still provides a service to smbd, ntlm_auth and the pam_winbind.so PAM module, by managing connections to domain controllers

And chapter 24 of the how to says

    Fact: Winbind is needed to handle users who use workstations that are NOT part of the local domain.

But that appears to be to avoid name clashes. Here we're using a unified namespace (from NSS) so name clashes shouldn't be a problem.

So was the earlier recommendation I received that winbind was compulsory either incorrect or outdated?

Various documentation implies that using winbind without idmap guid (in netlogon proxy only mode) should work the same as not using winbind. In both cases they will pick up user info via NSS. So why is the behaviour different when using winbind and not using winbind

===
Robert Cohen
Systems Desktop Services
Division of Information
R.G Menzies Building
Building 2
The Australian National University
Canberra ACT 0200 Australia
T: +61 2 6125 8389
F: +61 2 6125 7699
http://www.anu.edu.au
CRICOS Provider #00120C
===
Re: [Samba] Initializing a Samba3 ldapsam
On Mon, 2011-02-21 at 21:08 +1300, Mike Brady wrote:

I have spent the last few days attempting to get a Samba3 PDC/BDC setup with an LDAP SAM and need some clarification on exactly what should/can be initialized in the LDAP SAM.

As my main sources of information/inspiration I have been using http://http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP and the smbldap-tools source code, but have also been reading Samba by Example and the Samba How-tos. Unfortunately there are inconsistencies that I can not resolve.

The short version of the question is - is there a full specification (preferably in the form of an LDIF file) of everything that can/should be initialized in the LDAP SAM?

The longer version is:

1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for the BUILTIN groups. I found this reference saying that the sambaGroupType should be 4 for BUILTIN groups. http://samba.2283325.n4.nabble.com/LDAP-backend-and-sambaGroupType-for-builtin-groups-td2446893.html Which is correct?

2) The Wiki page has all the BUILTIN groups with full domain SIDs, but smbldap-tools has what I think are the correct SID for these groups. Which is correct? e.g. for Account Operators the Wiki has S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has S-1-5-32-548.

3) http://support.microsoft.com/kb/243330 has a long list of the well known SIDs, many of which do not make sense in a Samba domain, but is there a full list of all the ones that do make sense for Samba and what the LDAP SAM should be initialized to to implement them?

Thanks

Mike

Mike,

Try this from the Official Samba How-To

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

in the section, Default Users, Groups, and Relative Identifiers.

The only three _required_ groups are:

    Domain Admins, RID=512
    Domain Users, RID=513
    Domain Guests, RID=514

In addition to these groups I also have the following domain users just for completeness:

    Domain Administrator, RID=500
    Domain Guest, RID=501

The builtin groups (RIDS=544 through 533) are not listed as required, but you can put them in your ldapsam backend. You will have to add them with, sambaGroupType=4, if you want them to show up in usermgr.exe.

If I have got the correct understanding, SIDs that start with S-1-2-21 will be domain SIDs and will be followed by the domain sid and then a RID. The SIDs that start with S-1-2-32 are for local SIDs (machine local users and groups) and should be put in a machine local backend (at least when I get the time I will look into putting them into a local tdbsam on the local server).

Unfortunately, as you have found, you have to piece together a lot of different sources to find the correct working solution for your specific situation. Although I have a working ldapsam backend I wish I could take the time and recreate and redo my Samba Domain with the knowledge that I have gained over the past three plus years (that I have incorporated LDAP).

However, I can find the time to try and normalize my old LDIF files and format them with what I think a minimal Samba Domain should contain and send them to you but these will most likely be specific just to a Samba3+LDAP domain (I have no intention of going to Samba4 any time soon).

Bob
--bs
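Added example (not from the thread, smbldap-tools or the Samba wiki): a small audit of sambaGroupMapping entries in an LDIF export for the inconsistencies raised in this exchange. It flags BUILTIN alias RIDs stored under the domain SID (the S-1-5-21-...-548 versus S-1-5-32-548 case from the question), BUILTIN groups whose sambaGroupType differs from the 4 recommended in the reply, and missing required groups 512 to 514. The LDIF entries and the dc=example,dc=org suffix are constructed; the domain SID is the one quoted in the question; treating RIDs 544 to 552 as the BUILTIN aliases is this example's assumption, and base64-encoded LDIF values are not handled.

```python
import re

BUILTIN_PREFIX = "S-1-5-32"    # BUILTIN domain, as in S-1-5-32-548
REQUIRED_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
ALIAS_RIDS = range(544, 553)   # BUILTIN aliases, e.g. 548 = Account Operators
EXPECTED_BUILTIN_TYPE = "4"    # value recommended in the reply above

# Constructed sample export.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2

dn: cn=Domain Users,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-513
sambaGroupType: 2

dn: cn=Account Operators,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-548
sambaGroupType: 5

dn: cn=Print Operators,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-550
sambaGroupType: 5

dn: cn=Backup Operators,ou=Groups,
 dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-551
sambaGroupType: 4
"""


def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry; folded lines are joined."""
    unfolded = re.sub(r"\n ", "", text)           # LDIF continuation: newline + one space
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            yield entry


def split_sid(sid):
    """Split 'S-1-5-32-548' into ('S-1-5-32', 548)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def audit_group_map(ldif_text, domain_sid):
    """Return [(dn or group name, finding)] for the three checks described above."""
    findings, seen_rids = [], set()
    for entry in parse_ldif(ldif_text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "sambagroupmapping" not in classes or not entry.get("sambasid"):
            continue
        dn = entry["dn"][0]
        prefix, rid = split_sid(entry["sambasid"][0])
        gtype = entry.get("sambagrouptype", ["?"])[0]
        if prefix == domain_sid:
            seen_rids.add(rid)
            if rid in ALIAS_RIDS:
                findings.append((dn, f"BUILTIN RID {rid} stored under the domain SID"))
        elif prefix == BUILTIN_PREFIX:
            if gtype != EXPECTED_BUILTIN_TYPE:
                findings.append((dn, f"sambaGroupType {gtype}, expected {EXPECTED_BUILTIN_TYPE}"))
        else:
            findings.append((dn, f"SID prefix {prefix} is neither domain nor BUILTIN"))
    for rid, name in REQUIRED_RIDS.items():
        if rid not in seen_rids:
            findings.append((name, f"required group with RID {rid} is missing"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_group_map(
            SAMPLE_LDIF, "S-1-5-21-3809161173-2687474671-1432921517"):
        print(f"{subject}: {finding}")
```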